Yesterday I used ComboFix to run the scan; here is the log:
ComboFix 13-03-24.03 - Gabry 25/03/2013 0.19.20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.767.296 [GMT 1:00]
Eseguito da: c:\documents and settings\Gabry\Documenti\Download\ComboFix.exe
AV: AVG update module *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Preferiti\Thumbs.db
c:\recycler\S-1-5-18\$fc9e16af965d53aae896795a20f982be\@
c:\recycler\S-1-5-18\$fc9e16af965d53aae896795a20f982be\n
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
.
.
((((((((((((((((((((((((( Files Creati Da 2013-02-24 al 2013-03-24 )))))))))))))))))))))))))))))))))))
.
.
2013-03-24 22:48 . 2013-03-24 22:48 -------- d-----w- c:\documents and settings\Gabry\Dati applicazioni\{4E42D881-E4CB-4819-8B25-77DE46AE4BE1}
2013-03-24 19:52 . 2013-03-24 19:52 -------- d-----w- c:\documents and settings\Papà\Impostazioni locali\Dati applicazioni\MFAData
2013-03-24 18:48 . 2013-03-24 18:48 -------- d-----w- c:\documents and settings\Papà\Impostazioni locali\Dati applicazioni\Identities
2013-03-24 18:47 . 2013-03-24 20:48 -------- d-----w- c:\documents and settings\Papà\Dati applicazioni\Roxi
2013-03-24 18:47 . 2013-03-24 18:47 -------- d-----w- c:\documents and settings\Papà\Dati applicazioni\Uzma
2013-03-24 18:47 . 2013-03-24 18:47 -------- d-----w- c:\documents and settings\Papà\Dati applicazioni\Iguc
2013-03-24 18:47 . 2013-03-24 18:47 -------- d-----w- c:\documents and settings\Papà\Dati applicazioni\{4E42D881-E4CB-4819-8B25-77DE46AE4BE1}
2013-03-18 22:07 . 2013-03-18 22:07 -------- d-----w- c:\programmi\Dropbox
2013-03-18 22:05 . 2013-03-24 19:48 -------- d-----w- c:\documents and settings\Papà\Dati applicazioni\Dropbox
2013-03-17 12:08 . 2013-03-17 12:08 -------- d-----w- c:\documents and settings\Papà\Impostazioni locali\Dati applicazioni\Mozilla
2013-03-17 12:07 . 2013-03-17 12:07 -------- d-----w- c:\programmi\File comuni\Symantec Shared
2013-03-17 12:06 . 2013-03-17 12:08 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Norton
2013-03-10 10:51 . 2013-03-10 10:51 -------- d-----w- c:\documents and settings\Davide\Impostazioni locali\Dati applicazioni\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-13 10:05 . 2013-01-09 16:03 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 10:05 . 2013-01-09 16:03 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 15:06 . 2013-01-09 15:07 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-09 15:06 . 2013-01-09 15:07 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-01-09 15:06 . 2013-01-09 15:07 779704 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-09 15:06 . 2013-01-09 15:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-08 09:02 . 2013-03-08 09:02 263064 ----a-w- c:\programmi\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-01-07 . E980B5F3397EFC252D62DF5352571C2C . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\3e0a4c22d71c08ec1d0e24b6814350aa\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\3e0a4c22d71c08ec1d0e24b6814350aa\SP3GDR\tcpip.sys
.
[-] 2011-01-07 . D00F73D11221805D21F3357AF10426DA . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}]
2013-01-28 14:49 281760 ----a-w- c:\programmi\File comuni\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="c:\programmi\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"AVG_UI"="c:\programmi\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2011-01-07 128512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"20689"="c:\docume~1\ALLUSE~1\LOCALS~1\Temp\msiehqywo.com" [2012-06-02 98375]
.
c:\documents and settings\Papà\Menu Avvio\Programmi\Esecuzione automatica\
Dropbox.lnk - c:\documents and settings\Gabry\Dati applicazioni\Dropbox\bin\Dropbox.exe [N/A]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 21:51 37296 ----a-w- c:\programmi\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserChoice]
2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWPersistentQueuedReporting]
2007-02-26 00:01 437160 ----a-w- c:\programmi\File comuni\Microsoft Shared\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-10-19 15:18 17875120 ----a-r- c:\programmi\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 08:04 252848 ----a-w- c:\programmi\File comuni\Java\Java Update\jusched.exe
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [15/10/2012 3.48.52 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [21/09/2012 3.46.00 177376]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [14/09/2012 3.05.20 35552]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [07/01/2011 7.39.23 5632]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [07/01/2011 7.39.24 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [07/01/2011 7.39.24 5632]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [22/10/2012 13.02.46 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [21/09/2012 3.45.54 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [02/10/2012 3.30.38 159712]
R2 avgwd;AVG WatchDog;c:\programmi\AVG\AVG2013\avgwdsvc.exe [22/10/2012 13.05.08 196664]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [07/01/2011 7.17.36 9472]
S2 AVGIDSAgent;AVGIDSAgent;c:\programmi\AVG\AVG2013\avgidsagent.exe [15/11/2012 23.34.30 5814904]
S4 SkypeUpdate;Skype Updater;c:\programmi\Skype\Updater\Updater.exe [19/10/2012 16.14.08 160944]
.
Contenuto della cartella 'Scheduled Tasks'
.
2013-03-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-09 10:05]
.
2013-01-21 c:\windows\Tasks\ROC_REG_JAN.job
- c:\documents and settings\All Users\Dati applicazioni\AVG January 2013 Campaign\ROC.exe [2013-01-21 21:16]
.
2013-01-21 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\documents and settings\All Users\Dati applicazioni\AVG January 2013 Campaign\ROC.exe [2013-01-21 21:16]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\programmi\File comuni\DVDVideoSoft\plugins\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\programmi\File comuni\DVDVideoSoft\plugins\freeytmp3downloader.htm
IE: {{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - c:\programmi\File comuni\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Gabry\Dati applicazioni\Mozilla\Firefox\Profiles\03a0n3qj.default\
FF - ExtSQL: 2013-02-02 20:06; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\programmi\File comuni\DVDVideoSoft\plugins\ff
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-RailNotification - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-{0A0CADCF-78DA-33C4-A350-CD51849B9702}.KB2487367 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{0A0CADCF-78DA-33C4-A350-CD51849B9702}.KB2656351 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{0A0CADCF-78DA-33C4-A350-CD51849B9702}.KB2736428 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{0A0CADCF-78DA-33C4-A350-CD51849B9702}.KB2742595 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2604121 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2656351 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2729449 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2736428 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2737019 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2742595 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-03-25 00:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_137_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_137_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
Ora fine scansione: 2013-03-25 00:27:53
ComboFix-quarantined-files.txt 2013-03-24 23:27
.
Pre-Run: 115.829.297.152 byte disponibili
Post-Run: 116.003.434.496 byte disponibili
.
- - End Of File - - F17AB6076C92D8CC0CD6ACE9E3ED0739