ComboFix 10-02-28.04 - ALESSIA 01/03/2010 19.40.21.4.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2046.1499 [GMT 1:00]
Running from: c:\documents and settings\ALESSIA\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.
((((((((((((((((((((((((( Files Created From 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))))))
.
2010-03-01 17:32 . 2010-03-01 17:32 -------- d-----w- c:\programmi\Trend Micro
2010-03-01 16:22 . 2010-03-01 16:22 -------- d-----w- C:\FOUND.007
2010-03-01 14:38 . 2010-03-01 14:38 -------- d-----w- C:\FOUND.006
2010-03-01 13:55 . 2010-03-01 13:55 -------- d-----w- C:\FOUND.005
2010-03-01 12:24 . 2010-03-01 12:24 -------- d-----w- C:\FOUND.004
2010-03-01 11:23 . 2010-03-01 11:23 -------- d-----w- c:\programmi\CCleaner
2010-03-01 10:56 . 2010-03-01 10:56 -------- d-----w- c:\documents and settings\GENNARO\Dati applicazioni\DivX
2010-02-28 09:37 . 2010-02-28 09:37 -------- d-----w- C:\FOUND.003
2010-02-27 11:48 . 2010-02-27 11:48 -------- d--h--w- c:\windows\msdownld.tmp
2010-02-26 08:26 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2010-02-26 08:26 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2010-02-26 08:26 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe
2010-02-26 08:26 . 2010-02-26 08:26 4608 ----a-w- c:\windows\system32\w95inf32.dll
2010-02-26 08:26 . 2010-02-26 08:26 2272 ----a-w- c:\windows\system32\w95inf16.dll
2010-02-26 08:26 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll
2010-02-26 08:26 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv
2010-02-25 20:08 . 2010-02-25 20:08 -------- d-----w- c:\documents and settings\ALESSIA\Impostazioni locali\Dati applicazioni\Temp
2010-02-24 14:11 . 2009-03-09 14:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-02-24 14:10 . 2009-03-16 13:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-02-24 14:10 . 2009-03-16 13:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-02-24 14:10 . 2009-03-16 13:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-02-24 14:10 . 2007-04-04 17:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-02-21 18:51 . 2010-02-22 17:30 17 ----a-w- c:\windows\popcinfo.dat
2010-02-21 09:49 . 2010-02-21 09:49 0 ----a-w- c:\windows\popcreg.dat
2010-02-21 09:09 . 2010-02-21 09:09 -------- d--h--r- c:\documents and settings\ALESSIA\Dati applicazioni\SecuROM
2010-02-20 16:10 . 2010-02-20 16:10 -------- d-----w- c:\windows\Logs
2010-02-20 16:09 . 2010-02-20 16:09 -------- d-----w- c:\programmi\Telltale Games
2010-02-20 15:25 . 2010-02-20 15:25 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FarmFrenzy-PizzaParty
2010-02-19 19:53 . 2010-02-19 19:53 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FarmFrenzy3_Arctica
2010-02-19 19:45 . 2010-02-19 19:45 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\AlawarWrapper
2010-02-18 22:45 . 2010-02-22 17:30 88 ----a-w- c:\windows\popcinfot.dat
2010-02-18 19:31 . 2010-02-18 19:31 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\PopCapv1002
2010-02-18 19:29 . 2010-02-18 19:29 -------- d-----w- c:\programmi\PopCap Games
2010-02-18 17:27 . 2010-02-18 17:27 -------- d-----w- c:\programmi\Alawar
2010-02-16 17:49 . 2010-02-16 17:49 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PopCap Games
2010-02-14 16:53 . 2010-02-14 16:53 -------- d-----w- C:\FOUND.002
2010-02-13 09:31 . 2010-02-13 09:31 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\DivX
2010-02-12 19:08 . 2010-02-12 19:08 -------- d-----w- c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\Google
2010-02-10 10:37 . 2010-02-10 10:37 -------- d-----w- c:\programmi\MSXML 6.0
2010-02-09 19:13 . 2010-02-09 19:13 -------- d-----w- c:\programmi\Microsoft CAPICOM 2.1.0.2
2010-02-09 19:09 . 2010-02-09 19:09 -------- d-----w- c:\windows\ServicePackFiles
2010-02-09 15:39 . 2010-02-09 15:39 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\Avira
2010-02-09 13:33 . 2010-02-09 15:38 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-09 13:33 . 2009-05-08 13:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2010-02-09 13:33 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-09 13:33 . 2009-02-24 12:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys
2010-02-09 13:33 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-09 13:33 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-09 13:33 . 2010-02-09 13:33 -------- d-----w- c:\programmi\Avira
2010-02-09 13:33 . 2010-02-09 13:33 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2010-02-09 11:53 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-09 11:53 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-09 10:22 . 2010-02-09 10:22 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\pdf995
2010-02-07 14:47 . 2010-02-07 14:48 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Alwil Software
2010-02-06 18:53 . 2010-02-06 18:53 -------- d-----w- c:\windows\system32\LogFiles
2010-02-06 18:35 . 2004-09-07 19:00 25600 ----a-w- c:\documents and settings\LocalService\Dati applicazioni\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-02-06 17:38 . 2010-02-06 17:38 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\vlc
2010-02-04 16:54 . 2010-02-04 16:54 -------- d-----w- c:\documents and settings\ALESSIA\Impostazioni locali\Dati applicazioni\Identities
2010-02-04 16:03 . 2010-02-04 16:03 -------- d-----w- c:\documents and settings\ALESSIA\Impostazioni locali\Dati applicazioni\Adobe
2010-02-04 15:14 . 2010-02-04 15:14 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\Vodafone
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 16:26 . 2006-08-30 23:34 12 ----a-w- c:\windows\bthservsdp.dat
2010-03-01 10:55 . 2008-05-31 20:40 94200 ----a-w- c:\documents and settings\GENNARO\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-02-12 18:56 . 2010-02-12 18:56 -------- d-----w- c:\programmi\Google
2010-02-12 18:56 . 2010-02-12 18:56 -------- d-----w- c:\programmi\File comuni\DivX Shared
2010-02-12 18:56 . 2010-02-12 18:56 -------- d-----w- c:\programmi\DivX
2010-02-11 08:13 . 2006-08-30 23:13 85070 ----a-w- c:\windows\system32\perfc010.dat
2010-02-11 08:13 . 2006-08-30 23:13 490898 ----a-w- c:\windows\system32\perfh010.dat
2010-02-10 10:50 . 2008-08-10 20:11 94200 ----a-w- c:\documents and settings\ALESSIA\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-02-10 10:40 . 2010-02-10 10:40 -------- d-----w- c:\programmi\MSBuild
2010-02-10 10:40 . 2010-02-10 10:40 -------- d-----w- c:\programmi\Reference Assemblies
2010-01-24 16:45 . 2010-01-24 16:45 -------- d-----w- c:\programmi\Microsoft Silverlight
2010-01-24 16:08 . 2010-01-24 16:08 -------- d-----w- c:\documents and settings\GENNARO\Dati applicazioni\Vodafone
2010-01-24 16:08 . 2010-01-24 16:08 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\InstallShield
2010-01-24 16:07 . 2010-01-24 16:07 -------- d-----w- c:\documents and settings\LocalService\Dati applicazioni\Vodafone
2010-01-24 16:07 . 2010-01-24 16:07 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Vodafone
2010-01-24 15:53 . 2010-01-24 15:53 -------- d-----w- c:\documents and settings\GENNARO\Dati applicazioni\dvdcss
2009-12-31 16:14 . 2004-09-07 19:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:34 . 2006-01-09 18:59 671232 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:34 . 2004-09-07 19:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-17 07:58 . 2004-09-07 19:00 346112 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-09-07 19:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 10:18 . 2005-09-29 19:27 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:18 . 2005-09-29 19:28 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-09-07 19:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-06-02 11:41 . 2008-06-02 11:41 382352 ----a-w- c:\programmi\jxpiinstall.exe
2008-05-31 23:32 . 2008-05-31 23:29 24064656 ----a-w- c:\programmi\AdbeRdr812_it_IT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-17 64512]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\programmi\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-09-07 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-07 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-12 7577600]
"nwiz"="nwiz.exe" [2006-06-12 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-12 86016]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-20 593920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-06-23 225280]
"LogitechCameraAssistant"="c:\programmi\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 331776]
"LogitechVideo[inspector]"="c:\programmi\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 14:55 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-08-16 503808]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-07 15360]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [09/02/2010 14.33.06 97608]
R2 AntiVirFirewallService;Avira Firewall;c:\programmi\Avira\AntiVir Desktop\avfwsvc.exe [09/02/2010 14.33.03 388865]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\programmi\Avira\AntiVir Desktop\avmailc.exe [09/02/2010 14.33.03 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmi\Avira\AntiVir Desktop\sched.exe [09/02/2010 14.33.05 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\programmi\Avira\AntiVir Desktop\avwebgrd.exe [09/02/2010 14.33.04 434945]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [09/02/2010 14.33.06 69632]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [19/06/2006 12.20.24 1097728]
S2 gupdate1caac1519369f42;Servizio di Google Update (gupdate1caac1519369f42);c:\programmi\Google\Update\GoogleUpdate.exe [12/02/2010 19.56.33 133104]
S2 VMCService;Vodafone Mobile Connect Service;"c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe" --> c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-02-12 18:56]
2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-02-12 18:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://global.acer.com
uInternet Settings,ProxyOverride = local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\programmi\Avira\AntiVir Desktop\avsda.dll
TCP: {6C4CF94C-7B81-4C15-9EDB-E0E9CDF0ABE9} = 212.216.112.112
TCP: {81DE70BC-95E0-4FB7-873C-4B3EC2AFB8AD} = 212.216.112.112
FF - ProfilePath - c:\documents and settings\ALESSIA\Dati applicazioni\Mozilla\Firefox\Profiles\jrb4no1r.default\
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-MobileConnect - c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 19:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89818838]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba98cfc3
\Driver\ACPI -> 0x89818838
\Driver\atapi -> atapi.sys @ 0xba6db7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x8995b330
PacketIndicateHandler -> NDIS.sys @ 0xba5fba0b
SendHandler -> NDIS.sys @ 0xba60fb31
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-250300247-1244742074-3286369238-1006\Software\SecuROM\License information*]
"datasecu"=hex:10,e1,e7,ed,2d,e8,d0,4f,f1,a4,f3,2a,46,c4,3e,89,b8,aa,d3,3c,a4,
63,2d,70,1c,0b,03,ad,cb,4f,f5,a0,58,42,1b,bb,57,9d,af,6e,e4,85,be,9f,40,38,\
"rkeysecu"=hex:25,f3,69,14,e1,43,2f,e2,55,85,c7,3f,0e,29,b4,32
.
A message appeared telling me that pev.exe is damaged; the log is
--------------------- DLLs loaded by running processes ---------------------
- - - - - - - > 'lsass.exe'(1460)
c:\programmi\Avira\AntiVir Desktop\avsda.dll
- - - - - - - > 'explorer.exe'(5092)
c:\programmi\Avira\AntiVir Desktop\avsda.dll
.
Scan completion time: 2010-03-01 19:45:15
ComboFix-quarantined-files.txt 2010-03-01 18:45
ComboFix2.txt 2010-03-01 14:56
Pre-Run: 2.890.891.264 bytes free
Post-Run: 3.004.825.600 bytes free
- - End Of File - - 45BB5EF1CA9176922FE7D3B8A1EF7D40
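Two triage helpers for a log like this one, as an added example (my code, not ComboFix's or Gmer's): a parser for the ComboFix "Files Created" / Find3M listing lines that shortlists entries worth a second look, and a parser for the Gmer MBR-detector block that pulls out the hooks, the address Gmer could not map to a driver image (the `>>UNKNOWN<<` module), and the sector findings. The sample inputs are constructed excerpts of the lines above. The meaning of the attribute-flag positions (d = directory, h = hidden, a = archive, r/w = read-only/writable) is inferred from the listing and is an assumption.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

HEX = r"0x[0-9A-Fa-f]+"

# Constructed excerpts of the two log sections above, embedded so this runs offline.
LISTING = r"""
2010-02-27 11:48 . 2010-02-27 11:48 -------- d--h--w- c:\windows\msdownld.tmp
2010-02-26 08:26 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2010-02-21 09:49 . 2010-02-21 09:49 0 ----a-w- c:\windows\popcreg.dat
2010-02-21 09:09 . 2010-02-21 09:09 -------- d--h--r- c:\documents and settings\ALESSIA\Dati applicazioni\SecuROM
2010-02-09 13:33 . 2010-02-09 15:38 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
"""
MBR_BLOCK = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89818838]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba98cfc3
\Driver\ACPI -> 0x89818838
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x8995b330
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# "created . modified size|-------- attrs path"; attrs flag positions are an assumption
LINE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\d+|-{8}) ([a-z-]{8}) (.+)$")

@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories
    attrs: str
    path: str

def parse_listing(text: str) -> List[Entry]:
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            c, mo, size, attrs, path = m.groups()
            out.append(Entry(datetime.strptime(c, "%Y-%m-%d %H:%M"), datetime.strptime(mo, "%Y-%m-%d %H:%M"),
                             None if size.startswith("-") else int(size), attrs, path))
    return out

def triage_listing(entries: List[Entry]) -> dict:
    """Shortlist entries worth a second look; none of these alone proves malice."""
    files = [e for e in entries if e.attrs[0] != "d"]
    return {
        "hidden": [e.path for e in entries if e.attrs[3] == "h"],
        "system32_binaries": [e.path for e in files if e.path.lower().startswith(r"c:\windows\system32")
                              and e.path.lower().endswith((".exe", ".dll", ".sys", ".drv"))],
        "zero_length": [e.path for e in files if e.size == 0],
        # mtime older than ctime: copied in with its original timestamp (normal for installers, also how droppers blend in)
        "mtime_before_ctime": [e.path for e in files if e.modified < e.created],
    }

@dataclass
class Hook:
    target: str
    module: Optional[str]   # None when the hook resolves to a bare address
    address: int

@dataclass
class MbrReport:
    unknown_module: Optional[int] = None   # address Gmer could not map to a driver image
    hooks: List[Hook] = field(default_factory=list)
    sectors: dict = field(default_factory=dict)   # finding -> LBA
    infected: bool = False

    def unresolved_hooks(self) -> List[Hook]:
        # hooks not backed by a named module, or pointing into the UNKNOWN module
        return [h for h in self.hooks if h.module is None or h.address == self.unknown_module]

SECTOR_PATTERNS = {"mbr_copy": r"copy of MBR has been found in sector (%s)" % HEX,
                   "malicious_code": r"malicious code @ sector (%s)" % HEX,
                   "pe_file": r"PE file found in sector at (%s)" % HEX}

def parse_mbr(text: str) -> MbrReport:
    rep, in_hooks = MbrReport(), False
    for line in text.strip().splitlines():
        m = re.search(r">>UNKNOWN \[(%s)\]<<" % HEX, line)
        if m:
            rep.unknown_module = int(m.group(1), 16)
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif in_hooks and " -> " in line:
            parts = [p.strip() for p in line.split(" -> ")]
            m = re.fullmatch(r"(?:(\S+) @ )?(%s)" % HEX, parts[-1])
            if m:
                rep.hooks.append(Hook(parts[0], m.group(1), int(m.group(2), 16)))
        else:
            in_hooks = False
            for name, pat in SECTOR_PATTERNS.items():
                m = re.search(pat, line)
                if m:
                    rep.sectors[name] = int(m.group(1), 16)
            rep.infected |= line.startswith("MBR rootkit infection detected")
    return rep
```

The listing shortlist is only a starting point: the 1998-dated DLLs in this log have old modification times because installers and Windows Update copy files with their original timestamps, so that category needs a hash check before any conclusion. The MBR block is the actionable finding: a hook whose address matches the module Gmer could not map, plus a saved MBR copy, code and a PE image in high sectors outside the filesystem, is the pattern the detector attributes to the Mebroot/Sinowal family, which is why the file-level scanners above report nothing while the detector asks for `mbr.exe -f`.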