Wow, what programs!!! Can I leave this ComboFix on the computer together with the antivirus, or is it better to uninstall it, delete it? And what does (Attention Firefox polices is in force) mean?
OK, here is the result.
ComboFix 09-01-01.02 - Utente 2009-01-03 12.41.02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2047.1462 [GMT 1:00]
Eseguito da: c:\documents and settings\Utente\desktop\combofix.exe
Interruttori di comando utilizzati :: /killall
* Creato nuovo punto di ripristino
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Sites possivelmente infetados -----
hxxp://77.74.48.105.
((((((((((((((((((((((((( Files Creati Da 2008-12-03 al 2009-01-03 )))))))))))))))))))))))))))))))))))
.
2009-01-02 23:43 . 2009-01-02 23:43 <DIR> d-------- c:\programmi\Trend Micro
2009-01-02 17:12 . 2009-01-02 17:12 <DIR> d-------- c:\programmi\Lavasoft
2009-01-02 17:11 . 2009-01-02 17:11 <DIR> d-------- c:\programmi\File comuni\Wise Installation Wizard
2009-01-02 16:36 . 2009-01-02 16:37 <DIR> d-------- c:\documents and settings\Utente\Dati applicazioni\vlc
2009-01-02 16:35 . 2009-01-02 16:37 <DIR> d-------- c:\programmi\VideoLAN
2008-12-29 17:22 . 2009-01-02 16:32 <DIR> d-------- c:\programmi\PhotoFiltre
2008-12-29 17:16 . 2008-12-29 17:16 1,686,727 --a------ c:\programmi\pf-setup-en.exe
2008-12-29 15:55 . 2008-12-29 16:09 <DIR> d-------- c:\documents and settings\Utente\Dati applicazioni\IcoFX
2008-12-29 15:54 . 2008-12-29 15:54 <DIR> d-------- c:\programmi\IcoFX 1.6
2008-12-26 18:11 . 2008-12-26 18:11 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\TVU Networks
2008-12-26 18:09 . 2008-12-26 18:10 <DIR> d-------- c:\programmi\TVUPlayer
2008-12-26 18:09 . 2008-12-26 18:09 <DIR> d-------- c:\documents and settings\Utente\LocalLow
2008-12-26 16:17 . 2008-12-26 16:17 2,359,350 --a------ c:\windows\foto_mare_05.bmp
2008-12-25 00:46 . 2008-12-26 14:18 <DIR> d-------- c:\programmi\Artweaver 0.5
2008-12-25 00:46 . 2008-12-25 00:46 <DIR> d-------- c:\documents and settings\Utente\Dati applicazioni\Artweaver
2008-12-22 13:00 . 2008-12-22 13:01 9,276,316 --a------ c:\programmi\Artweaver.exe
2008-12-21 11:17 . 2008-12-21 11:17 22 --a------ c:\windows\kodakpcd.Utente.ini
2008-12-15 20:06 . 2009-01-02 17:12 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Lavasoft
2008-12-11 23:05 . 2008-10-03 11:02 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 11:44 162,154,528 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-03 11:44 --------- d-----w c:\documents and settings\Utente\Dati applicazioni\Skype
2009-01-03 11:42 1,901,228 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-03 11:35 --------- d-----w c:\documents and settings\Utente\Dati applicazioni\uTorrent
2009-01-03 07:02 --------- d-----w c:\programmi\Mozilla Thunderbird
2009-01-02 15:30 --------- d-----w c:\programmi\Winamp
2009-01-02 15:28 --------- d-----w c:\documents and settings\Utente\Dati applicazioni\skypePM
2008-12-20 13:49 --------- d-----w c:\documents and settings\Utente\Dati applicazioni\DVD Flick
2008-12-17 02:03 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2008-12-16 20:29 --------- d-----w c:\programmi\Acronis
2008-12-01 22:04 --------- d-----w c:\programmi\Servizi in linea
2008-11-27 15:52 --------- d-----w c:\documents and settings\Utente\Dati applicazioni\Creative
2008-11-25 18:32 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-25 18:32 --------- d-----w c:\programmi\Creative
2008-11-25 18:31 --------- d--h--w c:\programmi\Creative Installation Information
2008-11-25 18:30 --------- d-----w c:\programmi\File comuni\Creative
2008-11-25 18:25 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Creative
2008-11-15 14:23 --------- d-----w c:\programmi\eMule
2008-11-15 13:32 --------- d-----w c:\programmi\E-mule
2008-11-11 20:43 --------- d-----w c:\programmi\Easy Video Downloader
2008-11-11 20:30 --------- d-----w c:\programmi\DVD Flick
2008-10-26 09:56 1,772,231 ----a-w c:\programmi\Ares_Installer.exe
2008-10-19 11:45 1,495,112 ----a-w c:\programmi\install_flash_player.exe
2008-08-29 09:43 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008082920080830\index.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"CTSyncU.exe"="c:\programmi\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 692224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"CloneCDTray"="c:\programmi\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"RemoteControl"="c:\programmi\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\programmi\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2007-11-22 949376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-09 2595792]
"AcronisTimounterMonitor"="c:\programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-09 909208]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2008-04-09 136472]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QK10PY91Lj"="c:\documents and settings\All Users\Dati applicazioni\renenwjy\dglkrktm.exe" [2008-10-17 61440]
c:\documents and settings\Utente\Menu Avvio\Programmi\Esecuzione automatica\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\programmi\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Kodak EasyShare software.lnk - c:\programmi\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2005-03-10 757760]
Kodak software updater.lnk - c:\programmi\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\
0lsdelete
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\VistaCodecPack\\filters\\ac3config.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
R0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [2008-08-29 143360]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-11-22 15424]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\atl01_xp.sys [2007-11-22 38656]
.
.
------- Supplementare di scansione -------
.
uStart Page = hxxp://google.mini20.com
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {71558ED0-82CD-4EE8-B50A-B6D321DD9EF1} = 193.238.136.35,193.238.136.40
c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Programmi/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Programmi/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
FF - ProfilePath - c:\documents and settings\Utente\Dati applicazioni\Mozilla\Firefox\Profiles\0nesgpr5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/sli ... ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... pab&query=
FF - component: c:\documents and settings\Utente\Dati applicazioni\Mozilla\Firefox\Profiles\0nesgpr5.default\extensions\{da30eff8-ccc6-4162-a20d-67402a26a215}\components\FFAlert.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Utente\Dati applicazioni\Mozilla\Firefox\Profiles\0nesgpr5.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\programmi\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\programmi\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.19.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 12:44:16
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'lsass.exe'(1052)
c:\windows\system32\relog_ap.dll
c:\windows\system32\imon.dll
c:\programmi\Eset\pr_imon.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\programmi\File comuni\Acronis\Schedule2\schedul2.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\drivers\KodakCCS.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
c:\programmi\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\programmi\CyberLink\Shared files\RichVideo.exe
c:\programmi\File comuni\Acronis\Fomatik\TrueImageTryStartService.exe
c:\programmi\File comuni\Ahead\Lib\NMIndexingService.exe
c:\programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2009-01-03 12:45:58 - macchina è stato riavviato
ComboFix-quarantined-files.txt 2009-01-03 11:45:55
Pre-Run: 235.733.127.168 byte disponibili
Post-Run: 235,924,701,184 byte disponibili
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
196 --- E O F --- 2008-12-18 23:04:16
Bye and thanks again.