Here is the log
ComboFix 10-05-05.0B - Proprietario 06/05/2010 16.14.17.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.511.175 [GMT 2:00]
Eseguito da: c:\documents and settings\Proprietario\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
La copia infetta di c:\windows\system32\drivers\acpiec.sys è stata trovata e disinfettata
Ripristinata copia da - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Creati Da 2010-04-06 al 2010-05-06 )))))))))))))))))))))))))))))))))))
.
2010-05-06 12:52 . 2010-05-06 12:52 -------- d-----w- c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\Runscanner.net
2010-05-06 11:44 . 2010-05-06 11:44 -------- d-----w- c:\programmi\a-squared HiJackFree
2010-05-06 09:39 . 2010-05-06 11:23 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2010-05-06 09:39 . 2010-05-06 09:45 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2010-05-04 22:09 . 2010-05-04 22:09 -------- d-----w- c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\Temp
2010-05-04 22:09 . 2010-05-04 22:09 -------- d-----w- c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\Google
2010-05-04 22:07 . 2010-05-04 22:08 -------- d-----w- c:\programmi\CCleaner
2010-05-04 22:04 . 2010-05-04 22:04 -------- d-----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\Google
2010-05-04 22:00 . 2010-05-04 22:00 388096 ----a-r- c:\documents and settings\Proprietario\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-03 20:55 . 2010-05-05 17:34 -------- d-----w- c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\Google
2010-05-03 20:52 . 2010-05-05 19:36 -------- d-----w- c:\programmi\Google
2010-04-28 00:09 . 2010-04-28 00:09 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\OpenOffice.org
2010-04-22 00:13 . 2010-04-14 10:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-22 00:13 . 2010-04-14 10:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-22 00:13 . 2010-04-14 10:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-22 00:13 . 2010-04-14 10:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-22 00:13 . 2010-04-14 10:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-22 00:13 . 2010-04-14 10:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-22 00:13 . 2010-04-14 10:29 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-22 00:13 . 2010-04-14 10:29 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-22 00:13 . 2010-04-14 10:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-22 00:13 . 2010-04-14 10:29 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 16:53 . 2001-08-31 15:00 79826 ----a-w- c:\windows\system32\perfc010.dat
2010-05-05 16:53 . 2001-08-31 15:00 479776 ----a-w- c:\windows\system32\perfh010.dat
2010-05-02 15:06 . 2009-03-15 18:34 -------- d-----w- c:\programmi\PokerStars.IT
2010-04-30 17:07 . 2009-11-16 18:29 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-04-30 17:07 . 2009-12-14 16:33 6153352 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-29 13:39 . 2009-11-16 18:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-11-16 18:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 19:06 . 2009-03-09 19:28 -------- d-----w- c:\programmi\McAfee.com
2010-04-22 00:25 . 2009-03-09 19:28 -------- d-----w- c:\programmi\McAfee
2010-04-22 00:24 . 2009-03-09 19:15 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\McAfee
2010-04-22 00:24 . 2009-03-09 19:28 -------- d-----w- c:\programmi\File comuni\McAfee
2010-03-10 06:15 . 2004-08-19 13:39 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:16 . 2004-08-19 13:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-03 21:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 19:05 . 2004-08-19 13:34 2149888 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:05 . 2004-08-19 15:34 2028032 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-06 22:12 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-19 13:39 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-03 21:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"SoundMan"="SOUNDMAN.EXE" [2009-02-16 67584]
"SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 110592]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 610304]
"mcui_exe"="c:\programmi\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Sitecom Wireless Utility.lnk - c:\programmi\Sitecom\Common\RaUI.exe [2009-3-9 1527808]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\File comuni\\McAfee\\McSvcHost\\McSvHost.exe"=
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [22/04/2010 2.13.20 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\programmi\McAfee\SiteAdvisor\McSACore.exe [09/03/2009 21.32.45 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\programmi\File comuni\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [22/04/2010 2.13.00 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\programmi\File comuni\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [22/04/2010 2.13.00 271480]
R2 mfefire;McAfee Firewall Core Service;c:\programmi\File comuni\McAfee\SystemCore\mfefire.exe [22/04/2010 2.13.54 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\programmi\File comuni\McAfee\SystemCore\mfevtps.exe [22/04/2010 2.13.23 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [22/04/2010 2.13.19 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [22/04/2010 2.13.19 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [22/04/2010 2.13.20 88480]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [05/05/2010 0.04.44 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [22/04/2010 2.13.20 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [22/04/2010 2.13.20 83496]
--- Altri Servizi/Drivers In Memoria ---
*Deregistered* - mfeavfk01
.
Contenuto della cartella 'Scheduled Tasks'
2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-05-04 22:04]
2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-05-04 22:04]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://google.it/
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{C4046502-6524-4d87-896C-878F57D1FF07} - c:\programmi\PokerStars.IT\PokerStarsUpdate.exe
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-05-06 16:27
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82EB3EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf869af28
\Driver\ACPI -> ACPI.sys @ 0xf85edcb8
\Driver\atapi -> atapi.sys @ 0xf8561852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\WININET.dll
.
Ora fine scansione: 2010-05-06 16:33:54
ComboFix-quarantined-files.txt 2010-05-06 14:33
Pre-Run: 38.010.097.664 byte disponibili
Post-Run: 38.397.128.704 byte disponibili
- - End Of File - - 11822064E18BE9352B8D4F503A565959