ComboFix 09-11-23.06 - Francesco 24/11/2009 21.02.41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2038.1646 [GMT 1:00]
Eseguito da: c:\documents and settings\Francesco\Documenti\Download\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-14EF-9D7C08000A00}
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Francesco\Dati applicazioni\Desktopicon
c:\documents and settings\Francesco\Dati applicazioni\Desktopicon\config.ini
C:\Thumbs.db
c:\windows\SW_Win2000X24.DLL
c:\windows\winhelp.ini
.
((((((((((((((((((((((((( Files Creati Da 2009-10-24 al 2009-11-24 )))))))))))))))))))))))))))))))))))
.
2009-11-24 19:32 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 19:32 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 19:01 . 2009-07-21 13:40 404737 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\update.exe
2009-11-24 19:01 . 2009-06-03 15:26 345345 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\update.dll
2009-11-24 19:01 . 2009-04-17 16:19 85761 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\updaterc.dll
2009-11-24 19:01 . 2009-03-03 11:15 9985 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\updguirc.dll
2009-11-24 19:01 . 2009-02-24 12:16 117505 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\updgui.dll
2009-11-24 19:01 . 2008-10-20 07:38 126721 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\scewxmlw.dll
2009-11-24 18:25 . 2009-11-24 18:32 -------- d-----w- c:\documents and settings\Francesco\Impostazioni locali\Dati applicazioni\Temp
2009-11-24 18:12 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-24 18:12 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-24 18:12 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-24 17:54 . 2009-11-24 17:54 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-24 17:54 . 2009-11-24 17:54 -------- d-----w- c:\programmi\NOS
2009-11-24 17:53 . 2009-11-24 17:53 -------- d-----w- c:\documents and settings\Francesco\Dati applicazioni\Skype
2009-11-24 17:53 . 2009-11-24 17:53 -------- d-----r- c:\programmi\Skype
2009-11-24 17:52 . 2009-11-24 17:52 -------- d-----w- c:\programmi\eMule
2009-11-23 22:40 . 2009-11-24 17:52 -------- d-----w- c:\programmi\XP TCPIP Repair
2009-11-21 13:09 . 2009-11-21 13:09 -------- d-----w- c:\documents and settings\Francesco\Dati applicazioni\Malwarebytes
2009-11-21 13:08 . 2009-11-24 19:32 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-11-21 13:08 . 2009-11-21 13:08 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-11-05 12:57 . 2009-11-05 12:57 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\QuickTime
2009-10-27 22:11 . 2009-10-27 22:11 -------- d-----w- c:\documents and settings\Francesco\Dati applicazioni\Avira
2009-10-27 21:43 . 2009-10-27 21:43 -------- d-----w- c:\programmi\Avira
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 18:33 . 2009-04-12 15:15 -------- d-----w- c:\programmi\Google
2009-11-24 18:20 . 2009-09-22 19:32 -------- d-----w- c:\programmi\ewido anti-spyware 4.0
2009-11-24 17:53 . 2009-09-05 11:50 -------- d-----w- c:\programmi\PlotBaseGrafica
2009-11-24 17:53 . 2009-09-05 11:49 -------- d-----w- c:\programmi\duple1
2009-11-24 17:53 . 2009-04-13 13:50 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Skype
2009-11-24 17:53 . 2009-09-17 18:13 -------- d-----w- c:\documents and settings\Francesco\Dati applicazioni\dvdcss
2009-11-24 17:53 . 2009-05-02 18:23 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2009-11-24 17:52 . 2009-04-25 07:32 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-11-22 14:39 . 2009-07-24 16:37 -------- d-----w- c:\documents and settings\Francesco\Dati applicazioni\vlc
2009-11-18 13:14 . 2009-04-19 19:14 -------- d-----w- c:\documents and settings\Francesco\Dati applicazioni\LimeWire
2009-11-07 11:49 . 2009-06-18 16:57 -------- d-----w- c:\documents and settings\Francesco\Dati applicazioni\Nokia Multimedia Player
2009-10-31 21:45 . 2009-08-21 12:04 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\NOS
2009-10-27 21:43 . 2009-05-25 11:50 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2009-10-25 08:54 . 2004-08-30 20:00 69790 ----a-w- c:\windows\system32\perfc010.dat
2009-10-25 08:54 . 2004-08-30 20:00 437644 ----a-w- c:\windows\system32\perfh010.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASRock IES"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\programmi\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-06 292152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-08 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-08 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-08 131072]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-23 16804864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-04-03 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\programmi\Avira\AntiVir Desktop\avmailc.exe [24/11/2009 19.12.34 francesco 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmi\Avira\AntiVir Desktop\sched.exe [24/11/2009 19.12.35 francesco 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\programmi\Avira\AntiVir Desktop\avwebgrd.exe [24/11/2009 19.12.34 francesco 434945]
R2 VMCService;Vodafone Mobile Connect Service;c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [04/07/2008 11.52.18 francesco 14336]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [24/11/2009 19.24.57 francesco 135664]
S2 pvyzbakpr;System Universal;c:\windows\system32\svchost.exe -k netsvcs [03/04/2009 3.54.54 francesco 14336]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [03/04/2009 3.54.54 francesco 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pvyzbakpr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\programmi\File comuni\LightScribe\LSRunOnce.exe"
.
Contenuto della cartella 'Scheduled Tasks'
2009-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-11-24 18:24]
2009-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-11-24 18:24]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.tiscali.it
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\programmi\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\Francesco\Dati applicazioni\Mozilla\Firefox\Profiles\91i4yz7c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/ig
FF - plugin: c:\documents and settings\Francesco\Impostazioni locali\Dati applicazioni\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.13\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti:
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pvyzbakpr]
"ServiceDll"="c:\windows\system32\inhrj.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'lsass.exe'(784)
c:\programmi\Avira\AntiVir Desktop\avsda.dll
.
Ora fine scansione: 2009-11-24 21:06
ComboFix-quarantined-files.txt 2009-11-24 20:05
ComboFix2.txt 2009-11-21 14:57
ComboFix3.txt 2009-11-21 14:25
Pre-Run: 196.707.889.152 byte disponibili
Post-Run: 196.836.261.888 byte disponibili
- - End Of File - - 6281AED7376F24D80A14D26A3DAC0E2B
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:10 francesco., on 24/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Programmi\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Avira\AntiVir Desktop\avmailc.exe
C:\Programmi\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\hidec.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\mbr.cfxxe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Programmi\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
--
End of file - 4335 bytes
Malwarebytes' Anti-Malware 1.41
Versione del database: 3224
Windows 5.1.2600 Service Pack 2
24/11/2009 20.56.08 francesco
mbam-log-2009-11-24 (20-56-01).txt
Tipo di scansione: Scansione completa (C:\|E:\|)
Elementi scansionati: 138430
Tempo trascorso: 13 minute(s), 42 second(s)
Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 1
Cartelle infette: 0
File infetti: 3
Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)
Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)
Chiavi di registro infette:
(Nessun elemento malevolo rilevato)
Valori di registro infetti:
(Nessun elemento malevolo rilevato)
Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
Cartelle infette:
(Nessun elemento malevolo rilevato)
File infetti:
C:\Documents and Settings\Francesco\Dati applicazioni\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Francesco\Dati applicazioni\Desktopicon\eBayShortcuts.exe.vir (Adware.ADON) -> No action taken.
C:\System Volume Information\_restore{FA6F408C-6608-49A5-BC58-0D04B73E1510}\RP42\A0003450.exe (Adware.ADON) -> No action taken.