Here is the ComboFix report; however, I was not able to completely disable the antivirus, so I don't know whether it will be of help.
When I am in "administrator" mode a new trojan appears: Bloodhound.MalPE.
ComboFix 11-10-20.02 - Administrator 20/10/2011 14.04.46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3582.2476 [GMT 2:00]
Eseguito da: c:\documents and settings\Christine\Desktop\abc.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
.
((((((((((((((((((((((((( Files Creati Da 2011-09-20 al 2011-10-20 )))))))))))))))))))))))))))))))))))
.
.
2011-10-19 13:47 . 2011-10-19 13:47 388096 ----a-r- c:\documents and settings\Christine\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-19 13:46 . 2011-10-19 13:46 388096 ----a-r- c:\documents and settings\cpr-dea-admin\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-19 13:46 . 2011-10-19 13:46 -------- d-----w- c:\programmi\Trend Micro
2011-10-18 17:43 . 2011-10-18 17:43 -------- d-----w- c:\documents and settings\cpr-dea-admin\Dati applicazioni\Malwarebytes
2011-10-18 15:13 . 2011-10-18 15:13 -------- d-----w- c:\documents and settings\Christine\Dati applicazioni\Malwarebytes
2011-10-18 14:36 . 2011-10-18 14:36 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2011-10-18 14:36 . 2011-10-18 14:36 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2011-10-18 14:36 . 2011-10-18 14:36 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-10-18 14:36 . 2011-08-31 15:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-18 14:01 . 2011-10-18 14:01 -------- d-----w- C:\found.000
2011-10-18 13:53 . 2011-10-18 13:53 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla
2011-10-18 11:49 . 2011-10-18 11:49 -------- d-----w- c:\programmi\CCleaner
2011-10-18 07:40 . 2011-10-18 07:57 -------- d-----w- C:\FUS3_G01
2011-10-17 11:34 . 2011-10-17 11:34 -------- d-s---w- c:\documents and settings\Christine\UserData
2011-10-11 19:56 . 2011-10-18 07:32 -------- d-----w- C:\kin
2011-10-07 10:39 . 2011-10-07 10:39 -------- d-----w- C:\Carna
2011-10-07 10:38 . 2011-10-18 07:57 -------- d-----w- C:\bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-20 11:58 . 2010-01-19 15:55 0 ----a-w- c:\documents and settings\Christine\Impostazioni locali\Dati applicazioni\WavXMapDrive.bat
2011-10-20 11:48 . 2010-01-18 17:41 0 ----a-w- c:\documents and settings\cpr-dea-admin\Impostazioni locali\Dati applicazioni\WavXMapDrive.bat
2011-08-22 07:25 . 2011-08-22 07:25 371272 ----a-r- c:\documents and settings\Christine\Dati applicazioni\Microsoft\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-02-18 13:10 40960 ----a-w- c:\programmi\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-02-18 13:10 40960 ----a-w- c:\programmi\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-21 13594624]
"nwiz"="nwiz.exe" [2008-11-21 1657376]
"NVHotkey"="nvHotkey.dll" [2008-11-21 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-21 86016]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]
"SigmatelSysTrayApp"="c:\programmi\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Apoint"="c:\programmi\DellTPad\Apoint.exe" [2007-07-02 159744]
"ChangeTPMAuth"="c:\programmi\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-02-26 184320]
"WavXMgr"="c:\programmi\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2009-03-06 145408]
"SecureUpgrade"="c:\programmi\Wave Systems Corp\SecureUpgrade.exe" [2009-03-06 656696]
"EmbassySecurityCheck"="c:\programmi\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-03-06 95544]
"ccApp"="c:\programmi\File comuni\Symantec Shared\ccApp.exe" [2005-04-18 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-05-25 85088]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"dellsupportcenter"="c:\programmi\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"LogitechQuickCamRibbon"="c:\programmi\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"TomcatStartup 2.5"="c:\programmi\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 245760]
.
c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Logitech . Registrazione prodotti.lnk - c:\programmi\Logitech\Logitech WebCam Software\eReg.exe [2008-11-7 517384]
.
c:\documents and settings\cpr-dea-admin\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 1.1.3.lnk - c:\programmi\OpenOffice.org1.1.3\program\quickstart.exe [2004-9-10 61440]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio rapido di HP Image Zone.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\programmi\Digital Line Detect\DLG.exe [2010-1-18 50688]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Christine\\Documenti\\Download\\Azureus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Programmi\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Programmi\\Wolfram Research\\Mathematica\\5.2\\math.exe"=
"c:\\Programmi\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"=
"c:\\Programmi\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Hummingbird\\Connectivity\\9.00\\Exceed\\exceed.exe"=
.
R1 SafDskNT;SafeHouse;c:\windows\system32\drivers\SafDskNT.sys [05/03/2009 1.03.14 77824]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\programmi\Broadcom\ASFIPMon\AsfIpMon.exe -service --> c:\programmi\Broadcom\ASFIPMon\AsfIpMon.exe -service [?]
R2 HumDisplayServer;Hummingbird Exceed Display Management;c:\programmi\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe [24/07/2003 0.19.51 53248]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02/11/2006 13.32.32 97536]
S0 cerc6;cerc6; [x]
S3 SavRoam;SAVRoam;c:\programmi\Symantec AntiVirus\SavRoam.exe [25/05/2005 10.13.00 127072]
.
--- Altri Servizi/Drivers In Memoria ---
.
*Deregistered* - EraserUtilDrv11113
.
Contenuto della cartella 'Scheduled Tasks'
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-861567501-1801674531-1004Core.job
- c:\documents and settings\Christine\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-07-29 18:34]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-861567501-1801674531-1004UA.job
- c:\documents and settings\Christine\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-07-29 18:34]
.
.
------- Scansione supplementare -------
.
FF - ProfilePath - c:\documents and settings\cpr-dea-admin\Dati applicazioni\Mozilla\Firefox\Profiles\ptp0qnvu.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter:
jqs@sun.com - c:\programmi\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-10-20 14:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'winlogon.exe'(920)
c:\windows\System32\TdmNetworkProvider.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'winlogon.exe'(980)
c:\windows\System32\TdmNetworkProvider.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(600)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSIT.DLL
c:\programmi\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\msvdm.dll
.
- - - - - - - > 'explorer.exe'(4180)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSIT.DLL
c:\programmi\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\system32\msvdm.dll
.
Ora fine scansione: 2011-10-20 14:09:51
ComboFix-quarantined-files.txt 2011-10-20 12:09
ComboFix2.txt 2011-10-20 11:53
.
Pre-Run: 5'685'518'336 byte disponibili
Post-Run: 5'683'564'544 byte disponibili
.
- - End Of File - - 38806B142D5351EA5D55DD24C75F978A