Luke57 wrote: Hi, download Combofix directly to your desktop from the following link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- disconnect from the internet
- disable your antivirus
- run ComboFix.exe
- do not install the RECOVERY CONSOLE when prompted
- do not interfere with the program's scan
- when the scan has finished, go to C:\ and copy/paste here on the forum the log contained in the file Combofix.txt
Bye
First of all I would like to apologise to Shel: I made two posts because I thought they were two separate problems.
I did as you said, Luke; here is the result it gives me:
ComboFix 09-05-06.05 - Elvira 27/03/2010 11.08.13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3071.2469 [GMT 1:00]
Eseguito da: c:\documents and settings\Elvira\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
- MODALITÀ CON FUNZIONALITÀ RIDOTTE -
.
((((((((((((((((((((((((( Files Creati Da 2010-02-27 al 2010-03-27 )))))))))))))))))))))))))))))))))))
.
2010-03-27 07:44 . 2010-03-27 07:44 -------- d-----w c:\windows\LastGood
2010-03-26 22:22 . 2010-03-26 22:22 -------- d-----w c:\windows\system32\KB905474
2010-03-26 22:17 . 2010-03-26 22:17 -------- d-----w c:\programmi\MSXML 4.0
2010-03-26 15:14 . 2009-12-09 10:07 2192896 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-26 15:14 . 2009-12-09 10:07 2148864 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-26 15:14 . 2009-12-09 10:07 2027520 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-26 14:54 . 2009-12-04 18:22 455424 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2010-03-26 14:02 . 2008-06-14 17:32 272768 -c----w c:\windows\system32\dllcache\bthport.sys
2010-03-26 14:02 . 2008-06-14 17:32 272768 ------w c:\windows\system32\drivers\bthport.sys
2010-03-25 15:43 . 2009-08-06 18:23 215920 ----a-w c:\windows\system32\muweb.dll
2010-03-25 15:43 . 2009-08-06 18:23 274288 ----a-w c:\windows\system32\mucltui.dll
2010-03-25 14:13 . 2010-03-25 14:13 -------- d-----w C:\Program Files
2010-03-25 10:31 . 2010-03-25 10:31 -------- d-----w c:\documents and settings\LocalService\Dati applicazioni\SACore
2010-03-25 10:23 . 2010-03-25 10:29 -------- d-----w c:\programmi\FindyKill
2010-03-25 10:14 . 2010-03-25 10:14 -------- d-----w c:\programmi\CCleaner
2010-03-25 09:35 . 2010-03-25 09:35 -------- d-----w c:\documents and settings\Elvira\Dati applicazioni\Malwarebytes
2010-03-25 09:35 . 2010-01-07 15:07 38224 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 09:35 . 2010-03-25 09:35 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-03-25 09:35 . 2010-01-07 15:07 19160 ----a-w c:\windows\system32\drivers\mbam.sys
2010-03-25 09:35 . 2010-03-25 09:35 -------- d-----w c:\programmi\Malwarebytes' Anti-Malware
2010-03-25 09:21 . 2010-03-25 09:21 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\SiteAdvisor
2010-03-25 09:18 . 2009-11-11 10:14 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2010-03-25 09:18 . 2009-11-11 10:14 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2010-03-25 09:18 . 2009-11-11 10:14 79816 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2010-03-25 09:17 . 2009-07-16 11:32 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2010-03-25 09:17 . 2010-03-25 09:18 -------- d-----w c:\programmi\File comuni\McAfee
2010-03-25 09:17 . 2010-03-25 09:17 -------- d-----w c:\programmi\McAfee.com
2010-03-25 09:17 . 2010-03-26 13:25 -------- d-----w c:\programmi\McAfee
2010-03-25 09:16 . 2009-11-11 10:14 34248 ----a-w c:\windows\system32\drivers\mferkdk.sys
2010-03-25 08:06 . 2010-03-25 08:06 130 ----a-w C:\fix.reg
2010-03-24 23:09 . 2010-03-24 07:40 231804 ----a-w c:\documents and settings\Elvira\Impostazioni locali\Dati applicazioni\qlvqav_nav.dat
2010-03-24 23:09 . 2010-03-25 10:24 3854 ----a-w c:\documents and settings\Elvira\Impostazioni locali\Dati applicazioni\qlvqav_navps.dat
2010-03-24 23:09 . 2010-03-25 10:24 3367 ----a-w c:\documents and settings\Elvira\Impostazioni locali\Dati applicazioni\qlvqav.dat
2010-03-24 21:27 . 2010-03-24 21:27 -------- d-----w c:\programmi\Panda Security
2010-03-24 21:10 . 2010-03-24 22:54 -------- d-----w c:\documents and settings\Elvira\Dati applicazioni\QuickScan
2010-03-24 20:19 . 2010-03-25 12:38 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\McAfee
2010-03-24 19:59 . 2010-03-24 20:59 -------- d-----w c:\programmi\ESET
2010-03-24 16:00 . 2010-03-25 10:08 -------- d--h--w c:\documents and settings\Elvira\Dati applicazioni\drivers
2010-03-20 13:15 . 2010-03-25 17:00 -------- d-----w c:\programmi\Easy Catalog
2010-03-15 09:39 . 2008-05-02 10:49 62976 -c----w c:\windows\system32\dllcache\cdrom.sys
2010-03-15 09:39 . 2008-05-02 13:25 466944 -c----w c:\windows\system32\dllcache\imapi2fs.dll
2010-03-15 09:39 . 2008-05-02 13:25 466944 ------w c:\windows\system32\imapi2fs.dll
2010-03-15 09:39 . 2008-05-02 13:25 318464 -c----w c:\windows\system32\dllcache\imapi2.dll
2010-03-15 09:39 . 2008-05-02 13:25 318464 ------w c:\windows\system32\imapi2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 07:44 . 2001-08-31 18:00 69568 ----a-w c:\windows\system32\perfc010.dat
2010-03-27 07:44 . 2001-08-31 18:00 437272 ----a-w c:\windows\system32\perfh010.dat
2010-03-25 17:00 . 2009-06-01 12:23 23568 ----a-w c:\documents and settings\Elvira\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-03-25 16:56 . 2009-09-19 21:47 -------- d-----w c:\programmi\Microsoft Silverlight
2010-03-25 12:07 . 2009-06-01 12:23 -------- d-----w c:\programmi\Mozilla Thunderbird
2010-03-25 11:33 . 2009-06-01 12:24 -------- d-----w c:\programmi\Windows Live
2010-01-30 18:43 . 2009-06-01 13:06 -------- d-----w c:\programmi\Google
2009-12-31 16:50 . 2008-04-13 12:15 353792 ----a-w c:\windows\system32\drivers\srv.sys
2009-12-31 11:32 . 2009-12-31 11:08 18030130 ----a-w c:\programmi\vlc-1.0.3-win32.exe
2009-06-21 08:01 . 2009-06-21 07:51 26165144 ----a-w c:\programmi\AdbeRdr910_it_IT.exe
.
------- Sigcheck -------
[-] 2009-06-01 12:33 510464 90F406811EE1EEE294792D00E21CA16C c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-01 39408]
"Mobile Partner"="c:\programmi\3 Internet\3 Internet.exe" [2009-06-03 110592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2010-03-25 209153]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"CameraFixer"="c:\windows\CameraFixer.exe" [2005-12-06 20480]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"mcagent_exe"="c:\programmi\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\File comuni\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\programmi\McAfee\SiteAdvisor\McSACore.exe [25/03/2010 10.20.09 93320]
R2 SeaPort;SeaPort;c:\programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [19/05/2009 11.36.18 240512]
R2 uvnc_service;uvnc_service;c:\programmi\UltraVNC\winvnc.exe [01/06/2009 13.46.40 1519168]
R3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [19/07/2009 18.36.20 98432]
R3 PAC7302;Hercules Classic Link;c:\windows\system32\drivers\PAC7302.SYS [19/07/2009 18.36.20 457984]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S2 gupdate1c9e2b9dc08b99a;Servizio di Google Update (gupdate1c9e2b9dc08b99a);c:\programmi\Google\Update\GoogleUpdate.exe [01/06/2009 14.07.04 133104]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{012f3b38-748a-11de-8b5f-0021851af9d8}]
\Shell\AutoRun\command - E:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{675ed55a-503e-11de-8b0a-0021851af9d8}]
\Shell\AutoRun\command - E:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9c72b-4ed6-11de-8b02-0021851af9d8}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9c72c-4ed6-11de-8b02-0021851af9d8}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
.
Contenuto della cartella 'Scheduled Tasks'
2010-03-27 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-01 13:06]
2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-01 13:07]
2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-01 13:07]
2010-03-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-25 11:22]
2010-03-25 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-25 11:22]
2010-03-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-26 21:18]
.
.
------- Scansione supplementare -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {DC140413-1533-4B67-B532-013BC3F035B4} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Elvira\Dati applicazioni\Mozilla\Firefox\Profiles\652ua3z7.default\
FF - prefs.js: browser.startup.homepage - www.google.it
FF - component: c:\documents and settings\Elvira\Dati applicazioni\Mozilla\Firefox\Profiles\652ua3z7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\programmi\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Elvira\Dati applicazioni\Mozilla\Firefox\Profiles\652ua3z7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\programmi\Windows Live\Photo Gallery\NPWLPG.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 11:08
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'explorer.exe'(2440)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2010-03-27 11.09.16
ComboFix-quarantined-files.txt 2010-03-27 10:09
Pre-Run: 461.448.622.080 byte disponibili
Post-Run: 461.537.284.096 byte disponibili
199 --- E O F --- 2010-03-26 22:23
Thanks a lot for your help!!!!
Bye everyone (especially Shel and Luke)