I'm posting the ComboFix log... As for running in safe mode with internet, it is a choice I can make before Windows starts, through the entry: "open Windows in safe mode with networking".
Also, I haven't found out how to search for those keys.
Thanks
ComboFix 08-10-04.07 - Diego 2008-10-07 17.19.00.2 -
FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.614 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Diego\Desktop\ComboFix.exe
ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!.
.
((((((((((((((((((((((((( Files Creati Da 2008-09-07 al 2008-10-07 )))))))))))))))))))))))))))))))))))
.
2008-10-07 15:36 . 2008-10-07 15:36 <DIR> d--hs---- C:\FOUND.010
2008-10-07 15:18 . 2008-08-30 12:11 40,960 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2008-10-07 15:17 . 2008-10-07 15:17 <DIR> d-------- C:\VEXPLITE
2008-10-05 14:55 . 2008-10-05 14:55 <DIR> d-------- C:\Programmi\Trend Micro
2008-10-05 11:51 . 2008-10-05 11:51 <DIR> d-------- C:\Documents and Settings\Diego\Dati applicazioni\Yahoo!
2008-10-05 11:51 . 2008-10-05 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2008-10-05 11:49 . 2008-10-05 11:49 <DIR> d-------- C:\Programmi\Yahoo!
2008-10-05 11:39 . 2008-10-05 11:39 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-10-05 11:39 . 2008-10-05 11:39 <DIR> d-------- C:\Documents and Settings\Diego\Dati applicazioni\Malwarebytes
2008-10-05 11:39 . 2008-10-05 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-10-05 11:39 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 11:39 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 18:03 . 2004-08-19 15:39 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-10-04 18:03 . 2004-08-19 15:39 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-10-04 17:59 . 2008-10-04 17:59 <DIR> d--hs---- C:\FOUND.009
2008-09-29 13:28 . 2008-09-29 13:28 <DIR> d-------- C:\Programmi\PhotonFX
2008-09-24 17:06 . 2008-09-24 17:06 <DIR> d--hs---- C:\FOUND.008
2008-09-23 08:01 . 2008-09-23 08:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-13 10:02 . 2008-09-13 10:02 <DIR> d--hs---- C:\FOUND.007
2008-09-11 15:21 . 2008-09-11 15:21 244 --ah----- C:\sqmnoopt06.sqm
2008-09-11 15:21 . 2008-09-11 15:21 232 --ah----- C:\sqmdata06.sqm
2008-09-11 13:20 . 2008-09-11 13:20 244 --ah----- C:\sqmnoopt05.sqm
2008-09-11 13:20 . 2008-09-11 13:20 232 --ah----- C:\sqmdata05.sqm
2008-09-11 09:07 . 2008-09-11 09:07 244 --ah----- C:\sqmnoopt04.sqm
2008-09-11 09:07 . 2008-09-11 09:07 232 --ah----- C:\sqmdata04.sqm
2008-09-11 09:03 . 2008-09-11 09:03 <DIR> d--hs---- C:\FOUND.006
2008-09-07 15:27 . 2008-09-07 15:27 244 --ah----- C:\sqmnoopt03.sqm
2008-09-07 15:27 . 2008-09-07 15:27 232 --ah----- C:\sqmdata03.sqm
2008-09-07 10:42 . 2008-09-07 10:42 244 --ah----- C:\sqmnoopt02.sqm
2008-09-07 10:42 . 2008-09-07 10:42 232 --ah----- C:\sqmdata02.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:31 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-04-25 10:18 0 ----a-w C:\Documents and Settings\Diego\Dati applicazioni\wklnhst.dat
2007-08-05 11:00 92,064 ----a-w C:\Documents and Settings\Diego\mqdmmdm.sys
2007-08-05 11:00 9,232 ----a-w C:\Documents and Settings\Diego\mqdmmdfl.sys
2007-08-05 11:00 79,328 ----a-w C:\Documents and Settings\Diego\mqdmserd.sys
2007-08-05 11:00 66,656 ----a-w C:\Documents and Settings\Diego\mqdmbus.sys
2007-08-05 11:00 6,208 ----a-w C:\Documents and Settings\Diego\mqdmcmnt.sys
2007-08-05 11:00 5,936 ----a-w C:\Documents and Settings\Diego\mqdmwhnt.sys
2007-08-05 11:00 4,048 ----a-w C:\Documents and Settings\Diego\mqdmcr.sys
2007-08-05 11:00 25,600 ----a-w C:\Documents and Settings\Diego\usbsermptxp.sys
2007-08-05 11:00 22,768 ----a-w C:\Documents and Settings\Diego\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-25 68856]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 1694208]
"msnmsgr"="C:\Programmi\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-07 94208]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-07 114688]
"AzMixerSel"="C:\Programmi\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-19 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-19 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-08-11 200704]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-15 2893824]
"eRecoveryService"="C:\Programmi\Acer\eRecovery\Monitor.exe" [2005-08-18 352256]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 579584]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2006-07-10 180269]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-12-27 98304]
"parentalcontrol"="C:\Programmi\parentalcontrol\parentalcontrol.exe" [2006-08-31 36544]
"RealSPEED"="C:\Programmi\RealSPEED\RealSPEED.Exe" [2002-10-14 329216]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-10-07 249856]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]
C:\Documents and Settings\Diego\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Speed Launch.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.xvid"= xvid.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^LG SyncManager.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\LG SyncManager.lnk
backup=C:\WINDOWS\pss\LG SyncManager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Diego^Menu Avvio^Programmi^Esecuzione automatica^IcStarter.exe]
path=C:\Documents and Settings\Diego\Menu Avvio\Programmi\Esecuzione automatica\IcStarter.exe
backup=C:\WINDOWS\pss\IcStarter.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Diego^Menu Avvio^Programmi^Esecuzione automatica^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Diego\Menu Avvio\Programmi\Esecuzione automatica\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-03 15:18 94208 C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-07 19:59 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2005-08-19 01:28 462848 C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
--a------ 2006-04-17 18:42 190024 C:\Programmi\MessengerPlus! 3\MsgPlus.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Programmi\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Programmi\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2005-08-11 11:48 143360 C:\Programmi\Acer\Acer Arcade\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-31 17:40 22879528 C:\Programmi\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StayAlive]
--a------ 2002-09-14 20:03 203264 C:\Programmi\RealSPEED\StayAlive.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-08 14:43 688218 C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-08 14:44 98394 C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2008-02-18 12:58 206184 C:\Programmi\TomTom HOME 2\HOMERunner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-08-09 15:17 14743552 C:\WINDOWS\RTHDCPL.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Acer\\Acer Arcade\\PCMService.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"D:\\eMule\\emule.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=
"D:\\eMule_AdnzA.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-08-30 40960]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 4096]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 78208]
R2 int15.sys;int15.sys;C:\Programmi\Acer\eRecovery\int15.sys [2005-01-13 69632]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 7296]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 4010]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-10-07 57344]
S3 axsaki;axsaki;C:\WINDOWS\system32\DRIVERS\axsaki.sys [ ]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys [ ]
S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\Diego\IMPOST~1\Temp\DMSKSSRh.sys [ ]
S3 lgusbsmodem;LGE Mobile USB Modem;C:\WINDOWS\system32\DRIVERS\lgusbsmodem.sys [2006-02-07 42436]
S3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2006-12-16 27136]
*Newly Created Service* - INT15.SYS
.
Contenuto della cartella 'Scheduled Tasks'
2008-10-06 C:\WINDOWS\Tasks\AFD0276B91B7D8D3.job
- c:\docume~1\diego\datiap~1\elsepl~1\Thunkdeafgreat.exe []
.
.
------- Supplementare di scansione -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.it/webhp?sourceid=navclient&hl=it&ie=UTF-8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = 192.168.60.254:3328
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O15 -: Trusted Zone: *.1
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 17:21:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\i2omgmnt]
"ImagePath"="system32\drivers\i2omgmnt.sys"
--
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mnmddex]
"ImagePath"="system32\drivers\mnmddex.sys"
--
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SynTP2k]
"ImagePath"="system32\drivers\SynTP2k.sys"
.
Ora fine scansione: 2008-10-07 17:21:55
ComboFix-quarantined-files.txt 2008-10-07 15:21:54
ComboFix2.txt 2008-10-05 10:03:46
Pre-Run: 13.118.636.032 byte disponibili
Post-Run: 13,100,974,080 byte disponibili
--- E O F --- 2008-09-13 09:56:53