Removal of win32 qandr


Post by extrabyte » 19/04/10 08:57

Hello everyone, yesterday afternoon Avast found and deleted some infected files. On the next Windows restart, it reported the presence of win32 qandr. Finding old posts on Google, I read that it is a rootkit and that the Sophos tool was recommended; it found a suspicious executable in the Startup folder, after which I used HijackThis, which found a couple of suspicious entries, including the one found by Sophos, so I fixed them.

To be clear, Windows took a very long time to start: it could not load the Start menu and the startup programs. Once started (after about 30 minutes) the CPU was 50% busy with svchost. I ran several scans with Avast and online (F-Secure, BitDefender) but they found nothing. After I fixed the suspicious entries with HijackThis, it still took a very long time to restart, but once started the CPU is free.

This morning I used the ComboFix tool, which was very fast (evidently it found nothing). The problem has remained anyway: Windows (XP SP2) took a very long time to start.

If anyone can give me some suggestions....

I'm attaching the ComboFix and HijackThis logs

****************************************

.

((((((((((((((((((((((((((((((((((((( Altre Eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\extrabyte\Dati applicazioni\avdrn.dat
c:\documents and settings\extrabyte\Menu Avvio\Windows Live Messenger .lnk
c:\programmi\The Bat!
c:\programmi\The Bat!\hunspell.dll
c:\programmi\The Bat!\Images\default.msl
c:\programmi\The Bat!\Images\Default\42.gif
c:\programmi\The Bat!\Images\Default\angel.gif
c:\programmi\The Bat!\Images\Default\angry.gif
c:\programmi\The Bat!\Images\Default\bag.gif
c:\programmi\The Bat!\Images\Default\beer.gif
c:\programmi\The Bat!\Images\Default\blink.gif
c:\programmi\The Bat!\Images\Default\cat.gif
c:\programmi\The Bat!\Images\Default\cheerful.gif
c:\programmi\The Bat!\Images\Default\coffee.gif
c:\programmi\The Bat!\Images\Default\cool.gif
c:\programmi\The Bat!\Images\Default\crazy.gif
c:\programmi\The Bat!\Images\Default\cry.gif
c:\programmi\The Bat!\Images\Default\cwy.gif
c:\programmi\The Bat!\Images\Default\devil.gif
c:\programmi\The Bat!\Images\Default\dog.gif
c:\programmi\The Bat!\Images\Default\getlost.gif
c:\programmi\The Bat!\Images\Default\getlost2.gif
c:\programmi\The Bat!\Images\Default\gift.gif
c:\programmi\The Bat!\Images\Default\gpig.gif
c:\programmi\The Bat!\Images\Default\grin.gif
c:\programmi\The Bat!\Images\Default\gun.gif
c:\programmi\The Bat!\Images\Default\h2g2.gif
c:\programmi\The Bat!\Images\Default\happy.gif
c:\programmi\The Bat!\Images\Default\headshot.gif
c:\programmi\The Bat!\Images\Default\hmm.gif
c:\programmi\The Bat!\Images\Default\hrhr.gif
c:\programmi\The Bat!\Images\Default\kissing.gif
c:\programmi\The Bat!\Images\Default\knifed.gif
c:\programmi\The Bat!\Images\Default\laughing.gif
c:\programmi\The Bat!\Images\Default\love.gif
c:\programmi\The Bat!\Images\Default\lunch.gif
c:\programmi\The Bat!\Images\Default\movie.gif
c:\programmi\The Bat!\Images\Default\music.gif
c:\programmi\The Bat!\Images\Default\no.gif
c:\programmi\The Bat!\Images\Default\omg.gif
c:\programmi\The Bat!\Images\Default\oops.gif
c:\programmi\The Bat!\Images\Default\phone.gif
c:\programmi\The Bat!\Images\Default\poo.gif
c:\programmi\The Bat!\Images\Default\pouty.gif
c:\programmi\The Bat!\Images\Default\sad.gif
c:\programmi\The Bat!\Images\Default\shocked.gif
c:\programmi\The Bat!\Images\Default\shower.gif
c:\programmi\The Bat!\Images\Default\sick.gif
c:\programmi\The Bat!\Images\Default\sideways.gif
c:\programmi\The Bat!\Images\Default\smile.gif
c:\programmi\The Bat!\Images\Default\stfu.gif
c:\programmi\The Bat!\Images\Default\teeth.gif
c:\programmi\The Bat!\Images\Default\tungue.gif
c:\programmi\The Bat!\Images\Default\ufo.gif
c:\programmi\The Bat!\Images\Default\vomit.gif
c:\programmi\The Bat!\Images\Default\w00t.gif
c:\programmi\The Bat!\Images\Default\weird.gif
c:\programmi\The Bat!\Images\Default\whistle.gif
c:\programmi\The Bat!\Images\Default\wink.gif
c:\programmi\The Bat!\Images\Default\wtf.gif
c:\programmi\The Bat!\Images\Default\yes.gif
c:\programmi\The Bat!\Images\Default\zzz.gif
c:\programmi\The Bat!\licence.txt
c:\programmi\The Bat!\licence_home.rtf
c:\programmi\The Bat!\readme.txt
c:\programmi\The Bat!\Speller\accent.tlx
c:\programmi\The Bat!\Speller\correct.tlx
c:\programmi\The Bat!\Speller\Ssceam.tlx
c:\programmi\The Bat!\Speller\Ssceam2.clx
c:\programmi\The Bat!\Speller\userdic.tlx
c:\programmi\The Bat!\SSCE5532.dll
c:\programmi\The Bat!\TBMapi.dll
c:\programmi\The Bat!\The_bat.chm
c:\programmi\The Bat!\thebat.exe
c:\programmi\The Bat!\thebat.tip
c:\windows\system32\drivers\2585901173.sys
c:\windows\system32\fjhdyfhsn.bat
c:\windows\unins000.exe

c:\windows\system32\drivers\asyncmac.sys was missing
Ripristinata copia da - c:\windows\system32\dllcache\asyncmac.sys

.
((((((((((((((((((((((((( Files Creati Da 2010-03-19 al 2010-04-19 )))))))))))))))))))))))))))))))))))
.

2010-04-19 06:21 . 2004-08-03 20:05 14336 -c--a-w-
c:\windows\system32\dllcache\asyncmac.sys
2010-04-18 20:16 . 2009-06-18 10:55 18816 ------w-
c:\windows\system32\SAVRKBootTasks.sys
2010-04-18 19:27 . 2010-04-18 19:27 -------- d-----w- c:\programmi\Sophos
2010-04-18 18:55 . 2010-04-18 21:10 -------- d-----w- c:\documents and
settings\extrabyte\Dati applicazioni\QuickScan
2010-04-18 18:55 . 2010-04-13 13:58 670696 ----a-w- c:\documents and
settings\extrabyte\Dati
applicazioni\Mozilla\Firefox\Profiles\thk3bqz9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-04-18 18:55 . 2010-04-13 13:58 833960 ----a-w- c:\documents and
settings\extrabyte\Dati
applicazioni\Mozilla\Firefox\Profiles\thk3bqz9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-04-18 18:37 . 2010-04-18 18:53 -------- d-----w-
c:\windows\system32\CatRoot_bak
2010-04-18 16:14 . 2004-08-03 20:59 34688 -c--a-w-
c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-18 16:14 . 2004-08-03 20:59 34688 ----a-w-
c:\windows\system32\drivers\lbrtfdc.sys
2010-04-18 16:14 . 2004-08-03 21:00 8192 -c--a-w-
c:\windows\system32\dllcache\i2omgmt.sys
2010-04-18 16:14 . 2004-08-03 21:00 8192 ----a-w-
c:\windows\system32\drivers\i2omgmt.sys
2010-04-18 16:14 . 2004-08-03 21:00 8192 -c--a-w-
c:\windows\system32\dllcache\changer.sys
2010-04-18 16:14 . 2004-08-03 21:00 8192 ----a-w-
c:\windows\system32\drivers\changer.sys
2010-03-25 19:05 . 2010-03-25 19:05 152576 ----a-w- c:\documents and
settings\extrabyte\Dati applicazioni\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-25 19:05 . 2010-03-25 19:05 79488 ----a-w- c:\documents and
settings\extrabyte\Dati applicazioni\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 05:20 . 2010-02-15 21:39 -------- d-----w- c:\documents and
settings\All Users\Dati applicazioni\Motive
2010-04-18 19:04 . 2010-04-18 19:04 12 ----a-w- c:\documents and
settings\Default User\Dati applicazioni\kcmdte.dat
2010-04-18 18:56 . 2009-08-17 16:35 -------- d-----w- c:\programmi\Google
2010-04-18 18:47 . 2009-08-17 16:26 -------- d-----w- c:\documents and
settings\extrabyte\Dati applicazioni\The Bat!
2010-04-18 18:07 . 2010-04-18 18:07 12 ----a-w- c:\documents and
settings\NetworkService\Dati applicazioni\kcmdte.dat
2010-04-18 16:08 . 2010-04-18 16:08 12 ----a-w- c:\documents and
settings\extrabyte\Dati applicazioni\kcmdte.dat
2010-04-18 11:08 . 2009-08-17 16:24 -------- d-----w- c:\documents and
settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2010-04-13 15:58 . 2009-08-17 17:08 -------- d-----w- c:\documents and
settings\extrabyte\Dati applicazioni\vlc
2010-03-28 07:59 . 2001-08-31 11:00 47592 ----a-w-
c:\windows\system32\perfc010.dat
2010-03-28 07:59 . 2001-08-31 11:00 345010 ----a-w-
c:\windows\system32\perfh010.dat
2010-03-25 19:06 . 2009-09-09 20:16 -------- d-----w- c:\programmi\Java
2010-03-15 11:47 . 2009-08-17 15:37 28736 ----a-w- c:\documents and
settings\extrabyte\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-02-27 13:34 . 2009-11-20 13:51 -------- d-----w- c:\documents and
settings\extrabyte\Dati applicazioni\Skype
2010-02-27 13:31 . 2009-11-20 13:53 -------- d-----w- c:\documents and
settings\extrabyte\Dati applicazioni\skypePM
2010-02-23 12:14 . 2010-02-23 12:14 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-02-23 12:14 . 2010-02-23 12:14 286720 ------w- c:\windows\Setup1.exe
2010-02-19 18:38 . 2010-02-15 21:39 -------- d-----w- c:\programmi\Alice ti
aiuta
2010-02-19 18:37 . 2010-02-19 18:37 -------- d-----w- c:\programmi\Motive
2010-02-19 09:15 . 2010-02-19 09:15 -------- d-----w- c:\documents and
settings\extrabyte\Dati applicazioni\Motive
2010-02-18 08:12 . 2009-08-23 20:50 -------- d-----w- c:\documents and
settings\extrabyte\Dati applicazioni\dvdcss
2010-02-15 21:39 . 2010-02-15 21:39 2232 ----a-w-
c:\windows\java\Packages\Data\FLNJBF1R.DAT
2010-02-15 21:39 . 2010-02-15 21:39 155995 ----a-w-
c:\windows\java\Packages\5VF97ZTF.ZIP
2010-02-15 21:39 . 2010-02-15 21:39 2678 ----a-w-
c:\windows\java\Packages\Data\4D3XZHJB.DAT
2010-02-15 21:39 . 2010-02-15 21:39 2678 ----a-w-
c:\windows\java\Packages\Data\29FVH73N.DAT
2010-02-15 21:39 . 2010-02-15 21:39 2678 ----a-w-
c:\windows\java\Packages\Data\U7DN37J1.DAT
2010-02-15 21:39 . 2010-02-15 21:39 2678 ----a-w-
c:\windows\java\Packages\Data\NJPBDZFH.DAT
2010-02-15 21:39 . 2010-02-15 21:39 2678 ----a-w-
c:\windows\java\Packages\Data\LJ1FXNZD.DAT
2010-02-01 20:42 . 2010-02-01 20:40 32 ----a-w-
c:\programmi\DumpTimererror.log
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Nota i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26
3883856]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe"
[2009-03-05 2260480]
"Google Update"="c:\documents and settings\extrabyte\Impostazioni
locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2009-08-17 133104]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[2009-08-19 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-26 13574144]
"nwiz"="nwiz.exe" [2008-06-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-26 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Motive SmartBridge"="c:\progra~1\ALICET~1\SMARTB~1\MotiveSB.exe"
[2006-04-21 438359]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11
149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione
automatica\
Adobe Gamma Loader.exe.lnk - c:\programmi\File
comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-25 113664]
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe [2010-2-19
217088]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat
7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu
Avvio^Programmi^Esecuzione automatica^Alice ti aiuta.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione
automatica\Alice ti aiuta.lnk
backup=c:\windows\pss\Alice ti aiuta.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared
tools\msconfig\startupreg\C-Media Echo Control]
2001-12-05 14:47 147456 ----a-w- c:\programmi\PCI Audio
Applications\Bin\EchoCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared
tools\msconfig\startupreg\C-Media Mixer]
2002-03-04 03:02 1454080 ----a-w- c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared
tools\msconfig\startupreg\Skype]
2009-10-09 12:11 25623336 ----a-r- c:\programmi\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\GlobalSCAPE\\CuteFTP 7 Professional\\ftpte.exe"=
"c:\\Programmi\\Wolfram Research\\Mathematica\\6.0\\math.exe"=
"c:\\Programmi\\Wolfram Research\\Mathematica\\6.0\\Mathematica.exe"=
"c:\\Programmi\\Wolfram Research\\Mathematica\\6.0\\MathKernel.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys
[17/08/2009 17.31.06 114768]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys
[18/04/2010 22.16.22 18816]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/08/2009
17.31.06 20560]
S2 gupdate1ca20ae96719a4a;Servizio di Google Update
(gupdate1ca20ae96719a4a);c:\programmi\Google\Update\GoogleUpdate.exe
[19/08/2009 11.22.34 133104]
S2 Network WanMiniport First Position;Network WanMiniport First
Position;c:\programmi\Telecom Italia\WanMiniport1st\srvany.exe [15/02/2010
23.46.09 8192]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\F.tmp -->
c:\windows\system32\F.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contenuto della cartella 'Scheduled Tasks'

2010-04-19 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
[2009-08-19 09:22]

2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-08-19 09:22]

2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-08-19 09:22]

2010-04-18
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1935655697-839522115-1003Core.job
- c:\documents and settings\extrabyte\Impostazioni locali\Dati
applicazioni\Google\Update\GoogleUpdate.exe [2009-08-17 17:17]

2010-04-19
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1935655697-839522115-1003UA.job
- c:\documents and settings\extrabyte\Impostazioni locali\Dati
applicazioni\Google\Update\GoogleUpdate.exe [2009-08-17 17:17]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\programmi\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page -
c:\programmi\Google\GoogleToolbar1.dll/cmcache.html
IE: E&sporta in Microsoft Excel -
c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\programmi\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English -
c:\programmi\Google\GoogleToolbar1.dll/cmtrans.html
DPF: Microsoft XML Parser for Java -
file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\extrabyte\Dati
applicazioni\Mozilla\Firefox\Profiles\thk3bqz9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - component: c:\documents and settings\extrabyte\Dati
applicazioni\Mozilla\Firefox\Profiles\thk3bqz9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\programmi\Mozilla
Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\extrabyte\Dati
applicazioni\Mozilla\Firefox\Profiles\thk3bqz9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\extrabyte\Impostazioni locali\Dati
applicazioni\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Google
Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors",
true);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("ui.use_native_popup_windows", false);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("browser.enable_click_image_resizing", true);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("javascript.options.mem.high_water_mark", 32);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("javascript.options.mem.gc_frequency", 1600);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("network.auth.force-generic-ntlm", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled",
false);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("ui.trackpoint_hack.enabled", -1);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("browser.formfill.debug", false);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("browser.formfill.agedWeight", 2);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("browser.formfill.bucketSize", 1);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("browser.formfill.maxTimeGroupings", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("browser.formfill.timeGroupingSize", 604800);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("browser.formfill.boundaryWeight", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js -
pref("browser.formfill.prefixWeight", 5);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js -
pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js -
pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js -
pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js -
pref("security.ssl.require_safe_negotiation", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js -
pref("app.update.download.backgroundInterval", 600);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js -
pref("app.update.url.manual", "http://www.firefox.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js -
pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name",
"chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description",
"chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("lightweightThemes.update.enabled", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("browser.allTabs.previews", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("plugins.update.notifyUser", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("toolbar.customization.usesheet", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("browser.taskbar.previews.enable", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("browser.taskbar.previews.max", 20);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js -
pref("browser.taskbar.previews.cachetime", 20);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-CmPCIaudio - CMICNFG3.CPL
AddRemove-HijackThis -
c:\docume~1\EXTRAB~1\IMPOST~1\Temp\Rar$EX00.218\HijackThis.exe
AddRemove-Pdf995 - c:\programmi\pdf995\setup.exe
AddRemove-{16F3DE12-630D-4156-8CE5-D9866F2ACA48}_is1 -
c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-04-19 08:21
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F.tmp"
.
Ora fine scansione: 2010-04-19 08:22:32
ComboFix-quarantined-files.txt 2010-04-19 06:22

Pre-Run: 34.113.720.320 byte disponibili
Post-Run: 34.261.266.432 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional" /noexecute=optin /fastdetect

- - End Of File - - 510FB70190C1CD452F6769A2EBF066DF
****************************************************************************************

************************************************************************************
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\DRIVEN~1\syncer\MCCITR~1.EXE
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
C:\Programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\JGsoft\EditPadLite\EditPad.exe
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\extrabyte\Documenti\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection -
{53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Guida per l'accesso a Windows Live -
{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft
Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO -
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -
C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper -
{DBC80044-A445-435b-BC74-9C25C1C588A9} -
C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -
C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AliceRE_McciTrayApp]
C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\DRIVEN~1\syncer\MCCITR~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched]
"C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows
Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search &
Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and
Settings\extrabyte\Impostazioni locali\Dati
applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg]
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User
'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User
'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File
comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti
aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk =
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -
C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software -
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil
Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil
Software\Avast4\ashWebSv.exe
O23 - Service: Servizio di Google Update (gupdate1ca20ae96719a4a)
(gupdate1ca20ae96719a4a) - Google Inc. -
C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google -
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Network WanMiniport First Position - Unknown owner -
C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\system32\nvsvc32.exe
extrabyte
Newbie

Posts: 1
Joined: 19/04/10 08:18


Re: Removal of win32 qandr

Post by bik » 20/04/10 14:58

Fix these entries with HijackThis if you are not sure of their origin:

O8 - Extra context menu item: Backward Links -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

I also advise you to disable Spybot's TeaTimer.
As for rootkits, if you use Avast 5 it should have an integrated anti-rootkit module; if you use 4.xx or want to dig deeper, download GMER.
Better to be mad on one's own account than wise with the opinions of others - F. Nietzsche
bik
Senior User

Posts: 1087
Joined: 11/11/09 13:20
Location: Prov. Bologna
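An added triage helper (not code from the thread or from the HijackThis project) that does by script what the reply above does by eye: it re-joins the wrapped lines of a pasted HijackThis log, pulls the loaded file out of each O2/O4/O9/O23 entry, and flags the entries worth checking by hand (bare file names, Temp or user-profile paths, services with no publisher, CLSIDs with no file target). The sample entries are copied from the logs in this thread, except the `[ConstructedExample]` Run entry, which is invented so the Temp heuristic has something to catch.

```python
import re
from dataclasses import dataclass, field
ENTRY_START = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")   # "O4 - ...", "R1 - ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)$")               # "(User 'SYSTEM')"
# Constructed sample: entries quoted in the thread, still wrapped the way the forum
# wrapped them, plus one invented Run entry ([ConstructedExample]) in a Temp folder.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Notifier BHO -
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -
C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Google Update] "C:\Documents and
Settings\extrabyte\Impostazioni locali\Dati
applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User
'SYSTEM')
O4 - HKLM\..\Run: [ConstructedExample] C:\DOCUME~1\EXTRAB~1\IMPOST~1\Temp\updater.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
O23 - Service: Network WanMiniport First Position - Unknown owner -
C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
"""

@dataclass
class Entry:
    section: str                  # HijackThis section tag (O2, O4, O9, O23, ...)
    body: str                     # entry text after "Oxx - ", with wrapping undone
    image: str                    # file the entry loads, "" if none could be found
    flags: list[str] = field(default_factory=list)

def join_wrapped(text: str) -> list[str]:
    """A line that does not begin with a section tag is the tail of the previous entry."""
    entries: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def extract_image(section: str, body: str) -> str:
    """Pull the loaded file out of each section's own layout."""
    if section == "O4":
        if "] " in body:                             # Run key: "[label] command line"
            cmd = body.split("] ", 1)[1]
        else:                                        # startup folder: "x.lnk = path"
            cmd = body.split(" = ", 1)[-1]
        cmd = USER_SUFFIX.sub("", cmd)
        if cmd.startswith('"'):                      # quoted path, then arguments
            return cmd[1:].split('"', 1)[0]
        tokens = cmd.split()
        if len(tokens) > 1 and tokens[0].lower() == "rundll32.exe":
            return tokens[1].split(",", 1)[0]        # the DLL rundll32 loads
        return tokens[0] if tokens else ""
    if section in ("O2", "O3", "O9", "O18", "O23"):
        # "name - {CLSID} - path"; a CLSID as the last field means the file is missing
        last = body.rstrip(" -").rsplit(" - ", 1)[-1]
        return "" if CLSID.fullmatch(last) else last
    return ""

def triage(text: str, only_flagged: bool = False) -> list[Entry]:
    """Attach review flags; they mean 'check by hand', not 'malicious'."""
    out: list[Entry] = []
    for line in join_wrapped(text):
        m = ENTRY_START.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        e = Entry(section, body, extract_image(section, body))
        low = e.image.lower()
        if section in ("O2", "O3", "O9", "O18") and not e.image:
            e.flags.append("CLSID registered but no file target")
        if section == "O23" and "unknown owner" in body.lower():
            e.flags.append("service binary has no publisher")
        if e.image and "\\" not in e.image:
            e.flags.append("bare file name, location not verifiable")
        if "\\temp\\" in low or "\\tmp\\" in low:
            e.flags.append("runs from a temporary directory")
        if "\\documents and settings\\" in low or low.startswith("c:\\docume~1\\"):
            e.flags.append("runs from a user profile")
        if e.flags or not only_flagged:
            out.append(e)
    return out
```

Google Update is flagged because it legitimately runs from the user profile, the same place ComboFix removed files from; the flag is a prompt to verify the publisher, not a verdict.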

