Mad_Griffith
14-07-2008, 12:43
Hi everyone, for a while now I've had this file crlog_.tot.tmp that keeps reappearing, and I don't know what it is or where it comes from.
I ran ComboFix and this is the log:
ComboFix 08-07-13.9 - Niccolò 2008-07-14 12.30.10.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1040.18.1174 [GMT 2:00]
Eseguito da: C:\Users\Niccolò\Desktop\ComboFix.exe
Command switches used :: C:\Users\Niccolò\Desktop\CFScript.txt
* Creato nuovo punto di ripristino
* Resident AV is active
FILE ::
C:\crlog_.tot.tmp
C:\DOCUME~1\FAMLIA~1\CONFIG~1\Temp\oflpydin.sys
C:\install.dat
C:\WINDOWS\avisplitter.INI
C:\WINDOWS\msdownld.tmp
C:\WINDOWS\system32\d3d9caps.dat
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\crlog_.tot.tmp
C:\WINDOWS\avisplitter.INI
.
((((((((((((((((((((((((( Files Creati Da 2008-06-14 al 2008-07-14 )))))))))))))))))))))))))))))))))))
.
2008-07-11 14:20 . 2008-06-26 03:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-11 14:19 . 2008-06-26 03:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-11 14:19 . 2008-06-26 05:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-10 20:24 . 2008-06-12 04:51 2,048 --a------ C:\Windows\System32\tzres.dll
2008-07-09 08:40 . 2008-05-08 23:59 430,080 --a------ C:\Windows\System32\vbscript.dll
2008-07-09 08:40 . 2008-05-08 23:59 180,224 --a------ C:\Windows\System32\scrobj.dll
2008-07-09 08:40 . 2008-05-08 23:59 172,032 --a------ C:\Windows\System32\scrrun.dll
2008-07-09 08:40 . 2008-05-08 23:59 155,648 --a------ C:\Windows\System32\wscript.exe
2008-07-09 08:40 . 2008-05-08 23:58 135,168 --a------ C:\Windows\System32\wshom.ocx
2008-07-09 08:40 . 2008-05-08 23:58 135,168 --a------ C:\Windows\System32\cscript.exe
2008-07-09 08:40 . 2008-05-08 23:59 90,112 --a------ C:\Windows\System32\wshext.dll
2008-07-08 13:55 . 2008-07-08 13:55 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2008-07-08 13:54 . 2008-07-08 13:54 <DIR> d-------- C:\Program Files\ATI
2008-07-08 13:53 . 2008-07-08 13:55 <DIR> d-------- C:\Program Files\ATI Technologies
2008-07-08 13:48 . 2008-01-27 01:09 615,424 --a------ C:\Windows\System32\themeui.dll
2008-07-08 13:48 . 2008-01-27 01:09 240,128 --a------ C:\Windows\System32\uxtheme.dll
2008-06-30 22:33 . 2008-04-26 10:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-06-30 22:33 . 2008-04-26 10:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-06-30 22:33 . 2008-04-26 10:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-06-30 22:33 . 2008-04-12 05:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
2008-06-30 22:33 . 2008-05-10 05:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
2008-06-30 22:33 . 2008-04-05 03:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
2008-06-30 22:33 . 2008-04-05 05:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 10:33 3,932,160 --sha-w C:\Users\Niccolò\NTUSER.DAT
2008-07-14 10:33 3,932,160 --sha-w C:\Users\Niccolò\NTUSER.DAT
2008-07-14 10:24 --------- d-----w C:\Program Files\Java
2008-07-14 10:21 --------- d-----w C:\Program Files\PowerArchiver
2008-07-11 12:21 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-09 06:44 --------- d-----w C:\Program Files\Windows Mail
2008-07-06 00:46 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-03 21:32 --------- d-----w C:\Program Files\Opera
2008-06-29 11:11 --------- d-----w C:\Users\NICCOL~1\AppData\Roaming\uTorrent
2008-06-26 04:46 3,879,936 ----a-w C:\Windows\system32\drivers\atikmdag.sys
2008-06-26 02:06 43,520 ----a-w C:\Windows\System32\ati2edxx.dll
2008-06-26 02:06 421,888 ----a-w C:\Windows\System32\ATIDEMGX.dll
2008-06-26 02:06 327,680 ----a-w C:\Windows\System32\atipdlxx.dll
2008-06-26 02:06 258,048 ----a-w C:\Windows\System32\Oemdspif.dll
2008-06-26 02:06 159,744 ----a-w C:\Windows\System32\atitmmxx.dll
2008-06-26 02:05 270,336 ----a-w C:\Windows\System32\Ati2evxx.dll
2008-06-26 02:04 700,416 ----a-w C:\Windows\System32\Ati2evxx.exe
2008-06-26 01:51 3,822,592 ----a-w C:\Windows\System32\atiumdag.dll
2008-06-26 01:42 9,678,848 ----a-w C:\Windows\System32\atioglxx.dll
2008-06-26 01:34 4,452,352 ----a-w C:\Windows\System32\atiumdva.dll
2008-06-26 01:22 50,688 ----a-w C:\Windows\System32\amdpcom32.dll
2008-06-26 01:22 45,568 ----a-w C:\Windows\System32\atiadlxx.dll
2008-06-26 01:09 53,248 ----a-w C:\Windows\system32\drivers\ati2erec.dll
2008-06-12 23:45 --------- d-----w C:\Program Files\QuickTime
2008-06-09 22:22 --------- d-----w C:\Users\NICCOL~1\AppData\Roaming\Audacity
2008-06-07 13:52 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-06 11:03 --------- d-----w C:\Program Files\Common Files\GTK
2008-06-06 10:23 --------- d-----w C:\Users\NICCOL~1\AppData\Roaming\.purple
2008-06-06 09:37 --------- d-----w C:\Users\NICCOL~1\AppData\Roaming\gtk-2.0
2008-06-05 19:10 --------- d-----w C:\Program Files\Adunanza
2008-06-05 15:49 --------- d-----w C:\ProgramData\eMule AdunanzA
2008-06-03 13:04 --------- d-----w C:\Program Files\Google
2008-06-03 12:20 --------- d-----w C:\Users\NICCOL~1\AppData\Roaming\Thunderbird
2008-05-28 19:11 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-23 00:04 --------- d-----w C:\Program Files\StuffPlug3
2008-05-04 10:28 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-04-23 04:42 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:42 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-04-20 14:15 691,545 ----a-w C:\Windows\unins000.exe
2008-04-12 08:04 174 --sha-w C:\Program Files\desktop.ini
2007-10-02 11:20 22,328 ----a-w C:\Users\NICCOL~1\AppData\Roaming\PnkBstrK.sys
2007-11-14 12:02 2,073,121 --sh--r C:\Windows\System32\avgemcu.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-05-26 02:08 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Habu"="C:\Program Files\Razer\Habu\razerhid.exe" [2007-05-11 11:58 176128]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-04-23 14:57 1443072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1195851666-242174495-470605716-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{52788103-5457-4EC8-B567-2BF744A4C4ED}C:\\program files\\adunanza\\emule_adnza.exe"= UDP:C:\program files\adunanza\emule_adnza.exe:eMule
"UDP Query User{1AC8B718-798F-4F14-A3BC-BB00EA5CE5C2}C:\\program files\\adunanza\\emule_adnza.exe"= TCP:C:\program files\adunanza\emule_adnza.exe:eMule
"{F51B5E3A-C222-4186-A00F-6E0039AE00D2}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{AA54342C-96A5-4AF4-AC78-DD7C4486E943}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{4CE9F9A4-0CAF-4C76-A20F-A3883AC62B84}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{1BC16928-9C18-41B1-9C0F-53843C3F119D}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{D67DEDC4-3BBF-40F2-85FF-3C7E42C1C417}C:\\program files\\steam\\steamapps\\mad_griffith\\half-life 2 deathmatch\\hl2.exe"= UDP:C:\program files\steam\steamapps\mad_griffith\half-life 2 deathmatch\hl2.exe:hl2
"UDP Query User{50DE8980-EE0A-4713-A307-7442CA46B16D}C:\\program files\\steam\\steamapps\\mad_griffith\\half-life 2 deathmatch\\hl2.exe"= TCP:C:\program files\steam\steamapps\mad_griffith\half-life 2 deathmatch\hl2.exe:hl2
"TCP Query User{F66A484B-BA60-4245-A2C1-980038C1F8BF}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{DB5BCD6E-8198-4A72-8776-A562BAA5524B}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{FD29A9F0-6164-48E8-9957-4B1EA1F0E529}C:\\program files\\steam\\steamapps\\common\\enemy territory quake wars demo\\etqw.exe"= UDP:C:\program files\steam\steamapps\common\enemy territory quake wars demo\etqw.exe:Enemy Territory: QUAKE Wars
"UDP Query User{191BB6C4-DEAC-49B2-A293-2A2E96B03340}C:\\program files\\steam\\steamapps\\common\\enemy territory quake wars demo\\etqw.exe"= TCP:C:\program files\steam\steamapps\common\enemy territory quake wars demo\etqw.exe:Enemy Territory: QUAKE Wars
"{DB2434C3-120F-41FD-A35C-BA5C961B9E77}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{7589847A-A826-422D-A779-D15B34C0B9C1}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= UDP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"UDP Query User{34299EDB-DC70-4175-BFE1-01D9C16BA7CF}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= TCP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"{00B1D435-5212-471E-8124-78ADAF6EECCC}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{EDA0310A-0432-472C-B640-6704C77EC02D}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{C42191D9-3643-4DEC-9254-955015897E34}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{3A992036-7DD7-4D33-B1FF-9D1343C8FD67}"= UDP:C:\Program Files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe:Pro Evolution Soccer 2008
"{8EA23F2E-232E-47D5-9BDF-E838720C5E73}"= TCP:C:\Program Files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe:Pro Evolution Soccer 2008
"{AAA1ACAF-0925-4C28-BFFB-9723CEDB686A}"= UDP:C:\Users\Niccolò\Desktop\utorrent.exe:µTorrent
"{4A7D244B-4BE7-4458-AAB3-1BB8269D2600}"= TCP:C:\Users\Niccolò\Desktop\utorrent.exe:µTorrent
"TCP Query User{12B421F3-16C2-498C-816F-B18D94BFBD1F}C:\\users\\niccolò\\desktop\\hfs.exe"= UDP:C:\users\niccolò\desktop\hfs.exe:hfs.exe
"UDP Query User{B2B8AEDF-D8F9-45FC-90CA-D23A67331647}C:\\users\\niccolò\\desktop\\hfs.exe"= TCP:C:\users\niccolò\desktop\hfs.exe:hfs.exe
"TCP Query User{3DD8197B-125A-4D3E-BB76-AB383E0E0C2D}C:\\users\\niccolò\\downloads\\scaricati\\hfs.exe"= UDP:C:\users\niccolò\downloads\scaricati\hfs.exe:hfs.exe
"UDP Query User{4919CA89-77FB-47C3-B98D-5CCAF66727D1}C:\\users\\niccolò\\downloads\\scaricati\\hfs.exe"= TCP:C:\users\niccolò\downloads\scaricati\hfs.exe:hfs.exe
"TCP Query User{FDD7E022-9DA5-4000-86BF-6F80D50F5319}C:\\program files\\steam\\steamapps\\common\\outrun2006 coast 2 coast\\or2006c2c.exe"= UDP:C:\program files\steam\steamapps\common\outrun2006 coast 2 coast\or2006c2c.exe:OR2006C2C
"UDP Query User{4ECDCD2E-F3AC-4EF5-9A8C-0DD89717AC70}C:\\program files\\steam\\steamapps\\common\\outrun2006 coast 2 coast\\or2006c2c.exe"= TCP:C:\program files\steam\steamapps\common\outrun2006 coast 2 coast\or2006c2c.exe:OR2006C2C
"TCP Query User{D2AB5145-A500-4475-937E-AD339DE3AE74}C:\\program files\\steam\\steamapps\\mad_griffith\\source sdk base\\hl2.exe"= UDP:C:\program files\steam\steamapps\mad_griffith\source sdk base\hl2.exe:hl2
"UDP Query User{A7146831-3F9D-41F0-A21E-1153E4A439F4}C:\\program files\\steam\\steamapps\\mad_griffith\\source sdk base\\hl2.exe"= TCP:C:\program files\steam\steamapps\mad_griffith\source sdk base\hl2.exe:hl2
"TCP Query User{612A1A66-CB36-4974-86CF-BD9A5D0368CB}C:\\users\\niccolò\\desktop\\utorrent-1.8-alpha-7928.upx.exe"= UDP:C:\users\niccolò\desktop\utorrent-1.8-alpha-7928.upx.exe:utorrent-1.8-alpha-7928.upx.exe
"UDP Query User{11E0E6AB-A637-420C-A719-06A125555B26}C:\\users\\niccolò\\desktop\\utorrent-1.8-alpha-7928.upx.exe"= TCP:C:\users\niccolò\desktop\utorrent-1.8-alpha-7928.upx.exe:utorrent-1.8-alpha-7928.upx.exe
"TCP Query User{58FC4FAB-D0E8-47A9-BE20-15C1F901E113}C:\\users\\niccolò\\downloads\\scaricati\\utorrent-1.8-alpha-7928.upx.exe"= UDP:C:\users\niccolò\downloads\scaricati\utorrent-1.8-alpha-7928.upx.exe:utorrent-1.8-alpha-7928.upx.exe
"UDP Query User{60EAD793-1BBC-46DA-B498-E04D4F1BA81B}C:\\users\\niccolò\\downloads\\scaricati\\utorrent-1.8-alpha-7928.upx.exe"= TCP:C:\users\niccolò\downloads\scaricati\utorrent-1.8-alpha-7928.upx.exe:utorrent-1.8-alpha-7928.upx.exe
"TCP Query User{B3F8E84E-FE99-427F-96A7-B77C3861E6FD}C:\\users\\niccolò\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= UDP:C:\users\niccolò\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe
"UDP Query User{27F78B02-7D5E-40FF-9528-72BEB5FFB455}C:\\users\\niccolò\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= TCP:C:\users\niccolò\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe
"TCP Query User{6DF17C49-52FF-46CA-AA86-CCD0B4E13ABC}C:\\users\\niccolò\\desktop\\emule\\emule.exe"= UDP:C:\users\niccolò\desktop\emule\emule.exe:emule.exe
"UDP Query User{F2537C1D-5F4D-4C0E-A55B-6719A026E0EF}C:\\users\\niccolò\\desktop\\emule\\emule.exe"= TCP:C:\users\niccolò\desktop\emule\emule.exe:emule.exe
"{89370ACD-83E5-459E-9D6B-6F1213B0FB52}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1A304188-625D-4736-8BFF-7B1DD4BEFB84}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\atl01v32.sys [2007-03-15 16:41]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-06-26 06:46]
R3 cmudaxp;ASUS Xonar D2X Audio Interface;C:\Windows\system32\drivers\cmudaxp.sys [2008-01-30 15:25]
R3 HabuFltr;Habu Mouse;C:\Windows\system32\drivers\habu.sys [2006-10-23 12:09]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-02 19:06]
S3 uisp;Freescale USB JW32 driver;C:\Windows\system32\Drivers\usbicp.sys [2005-12-21 11:23]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fb37636-2fc4-11dd-864b-001bfcfb7f34}]
\shell\AutoRun\command - F:\ClickMe.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{609bbcac-70da-11dc-8670-001bfcfb7f34}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\antihost.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad7f02c3-b455-11dc-ae58-001bfcfb7f34}]
\shell\AutoRun\command - E:\ClickMe.exe
*Newly Created Service* - CATCHME
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 12:33:41
Windows 6.0.6001 Service Pack 1 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-07-14 12:34:59
ComboFix-quarantined-files.txt 2008-07-14 10:34:55
5 Directory 169,002,246,144 byte disponibili
12 Directory 168,970,522,624 byte disponibili
194 --- E O F --- 2008-07-11 12:22:41