Win XP SP2 won't boot
#16
Posted 11 January 2011 - 03:17 AM
#17
Posted 11 January 2011 - 03:20 AM
#18
Posted 11 January 2011 - 04:55 AM
On the clean computer, please download MBRCheck.exe and transfer to the infected computer's desktop. Run the application.
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
If an infection is found, you will be presented with the following dialog:
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
#19
Posted 11 January 2011 - 12:59 PM
MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000003d
Kernel Drivers (total 145):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E3000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB9F4A000 pcmcia.sys
0xBA0D8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F05000 dmio.sys
0xBA4C4000 ACPIEC.sys
0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9EED000 atapi.sys
0xB9E26000 iaStor.sys
0xBA0F8000 SbAlg.sys
0xBA108000 disk.sys
0xBA118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E07000 fltMgr.sys
0xBA5AE000 SbFsLock.sys
0xB9DF5000 sr.sys
0xB9DDE000 KSecDD.sys
0xB9D51000 Ntfs.sys
0xB9D24000 NDIS.sys
0xB9D0C000 SafeBoot.sys
0xB9CF1000 Mup.sys
0xBA128000 hpdskflt.sys
0xBA158000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA208000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8251000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB823D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA4A8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB821A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA4B0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB81F5000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB80A1000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB8076000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB8062000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA218000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS
0xB95B5000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA340000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0xB95A5000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB7FE6000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA358000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB7FB0000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA606000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA368000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB9595000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB9585000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB9575000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7F8D000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9565000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0xBA578000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0xB9555000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA370000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA57C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA580000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB7E48000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xBA76B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB9545000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA584000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7E31000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB9535000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA228000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA360000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7E20000 \SystemRoot\system32\DRIVERS\psched.sys
0xB9525000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA380000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA378000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7DEF000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA248000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA608000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7DBB000 \SystemRoot\system32\DRIVERS\update.sys
0xB9CCD000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9CB9000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB8836000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA168000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA6762000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA6740000 \SystemRoot\system32\drivers\portcls.sys
0xBA178000 \SystemRoot\system32\drivers\drmk.sys
0xA6728000 \SystemRoot\system32\drivers\AEAudio.sys
0xA6602000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xBA420000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA458000 \SystemRoot\System32\drivers\psd.sys
0xBA65C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7DA000 \SystemRoot\System32\Drivers\Null.SYS
0xBA65E000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA468000 \??\C:\Programmi\Symantec\Norton Ghost 2003\ghpciscan.sys
0xBA470000 \SystemRoot\System32\drivers\vga.sys
0xBA660000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA662000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA668000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xA617C000 \SystemRoot\System32\Drivers\InCDfs.SYS
0xBA478000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA480000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB78EB000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA6119000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA717A000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA60F1000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA60CF000 \SystemRoot\System32\drivers\afd.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA5C6000 \SystemRoot\System32\Drivers\RsvLock.SYS
0xA5DA9000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA5D12000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA6803000 \SystemRoot\System32\DRIVERS\InCDPass.sys
0xBA1B8000 \SystemRoot\System32\Drivers\Fips.SYS
0xA67F3000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA5C91000 \SystemRoot\System32\Drivers\aswSP.SYS
0xA67DB000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xA61F6000 \SystemRoot\system32\DRIVERS\sfloppy.sys
0xA0171000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA0D3E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA00AA000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA0AAA000 \SystemRoot\System32\watchdog.sys
0xA07E9000 \SystemRoot\System32\drivers\Dxapi.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA707000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF058000 \SystemRoot\System32\igxpdv32.DLL
0xBF297000 \SystemRoot\System32\igxpdx32.DLL
0xA61FE000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA1AD1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA0055000 \SystemRoot\system32\drivers\wdmaud.sys
0xA0D1E000 \SystemRoot\system32\drivers\sysaudio.sys
0x9F9E1000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA638000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA3C0000 \??\C:\WINDOWS\system32\ANIO.SYS
0x9FA58000 \SystemRoot\System32\Drivers\Aspi32.SYS
0x9F9CA000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA05EF000 \SystemRoot\system32\drivers\npf.sys
0x9F8FF000 \SystemRoot\system32\DRIVERS\srv.sys
0x9F5F5000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C910000 \WINDOWS\system32\ntdll.dll
Processes (total 52):
0 System Idle Process
4 System
528 C:\WINDOWS\system32\smss.exe
576 csrss.exe
600 C:\WINDOWS\system32\winlogon.exe
656 C:\WINDOWS\system32\services.exe
668 C:\WINDOWS\system32\lsass.exe
840 C:\WINDOWS\system32\svchost.exe
860 C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
892 C:\WINDOWS\system32\svchost.exe
956 C:\Programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
988 svchost.exe
1024 C:\WINDOWS\system32\svchost.exe
1144 svchost.exe
1424 C:\WINDOWS\system32\spoolsv.exe
1532 scardsvr.exe
1840 C:\WINDOWS\explorer.exe
1896 C:\Programmi\Google\Update\GoogleUpdate.exe
196 C:\Programmi\Real\RealPlayer\Update\realsched.exe
212 C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
220 C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
228 C:\WINDOWS\system32\igfxpers.exe
276 C:\WINDOWS\system32\igfxtray.exe
296 C:\WINDOWS\system32\hkcmd.exe
300 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE
424 C:\WINDOWS\system32\accelerometerST.exe
436 C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe
504 C:\Programmi\Skype\Phone\Skype.exe
672 C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
1060 C:\WINDOWS\system32\igfxsrvc.exe
1920 C:\Programmi\Hewlett-Packard\IAM\Bin\asghost.exe
392 C:\WINDOWS\system32\agrsmsvc.exe
776 C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
1472 C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
1292 C:\Programmi\Symantec\Norton Ghost 2003\GhostStartService.exe
1684 C:\WINDOWS\system32\IFXSPMGT.exe
1220 C:\WINDOWS\system32\IFXTCS.exe
396 C:\Programmi\Ahead\InCD\incdsrv.exe
1488 C:\Programmi\Java\jre6\bin\jqs.exe
2056 C:\Programmi\Motorola\MotoConnectService\MotoConnectService.exe
2100 C:\WINDOWS\system32\IfxPsdSv.exe
2156 C:\WINDOWS\system32\svchost.exe
2236 C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
2372 C:\Programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
2404 C:\Programmi\Motorola\MotoConnectService\MotoConnect.exe
2420 wmiprvse.exe
3576 C:\WINDOWS\system32\wbem\wmiapsrv.exe
3596 C:\WINDOWS\system32\wscntfy.exe
3692 C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
3800 C:\Programmi\Hewlett-Packard\Embedded Security Software\PSDrt.exe
2544 C:\Programmi\Skype\Plugin Manager\skypePM.exe
3020 C:\Documents and Settings\Iggy\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000d`6dbcc800 (NTFS)
PhysicalDrive0 Model Number: ST9160314AS, Rev: 0001SDM1
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F4CDBE5097E260AB28B6E6ED10CE614682153573
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done!
#20
Posted 12 January 2011 - 04:55 AM
Step One
First we are going to try to solve that booting problem.
Run MBRCheck.exe once again.
You will be presented with the following dialog:
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Enter Y and press Enter.
The following dialog will be presented:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:
Enter 2 and press Enter
The following dialog will be presented:
Enter the physical disk number to fix (0-99, -1 to cancel):
Enter 0 and press Enter
The following dialog will be presented:
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
Please select the MBR code to write to this drive:
Enter 1 and press Enter
The following dialog will be presented:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:
Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote a new MBR code!
And last the following dialog will be presented:
Done! Press ENTER to exit...
Press Enter. A report will be produced on the desktop. Post that report in your next reply.
Step Two
We're going to extract a clean copy from your XP CD.
Insert your Windows XP disk in your CD drive
Click Start > Run and type CMD {enter}
Click in the command box and type the lines below, pressing Enter after each line:
expand e:\I386\tcpip.sy_ c:\windows\system32\dllcache\tcpip.sys
expand e:\I386\explorer.ex_ c:\windows\system32\dllcache\explorer.exe
expand e:\I386\winlogon.ex_ c:\windows\system32\dllcache\winlogon.exe
expand e:\I386\tcpip.sy_ c:\windows\system32\drivers\tcpip.sys
(if your CD is not drive E:, please substitute the actual drive letter)
Note: There should be a confirmation that files are expanded. Inform me if files are not being expanded.
Step Three
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::

RenV::
c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\programmi\Ahead\InCD\InCD .exe
c:\programmi\Ahead\Nero BackItUp\NBJ .exe
c:\programmi\Analog Devices\Core\smax4pnp .exe
c:\programmi\ANI\ANIWZCS2 Service\WZCSLDR2 .exe
c:\programmi\D-Link\AirPlus XtremeG DWL-G122\AirGCFG .exe
c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM .exe
c:\programmi\File comuni\Java\Java Update\jusched .exe
c:\programmi\File comuni\Real\Update_OB\realsched .exe
c:\programmi\iTunes\iTunesHelper .exe
c:\programmi\QuickTime\qttask .exe
c:\programmi\Skype\Phone\Skype .exe
c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp .exe
c:\programmi\Synaptics\SynTP\SynTPEnh .exe

File::
c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
c:\documents and settings\Iggy\Dati applicazioni\skypePM\2011-01-07-2.ezlog

Fcopy::
c:\windows\system32\dllcache\explorer.exe | C:\windows\explorer.exe
c:\windows\system32\dllcache\winlogon.exe | C:\windows\system32\winlogon.exe

Folder::

Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Step Four
We'll reset the tcpip settings for your computer:
Press Start > Run and type cmd; in the command prompt, type in the following:
netsh int ip reset C:\Resetlog.txt
netsh winsock reset catalog
ipconfig /flushdns
Exit
Restart computer and tell me if that solves the problem.
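The MBRCheck report above flags "Unknown MBR code" with a SHA1 of the sector, and Step One then overwrites the bootstrap with standard XP code. Before (or after) doing that, a practitioner usually wants to look at the sector itself: dump it with MBRCheck option [1], then confirm that the partition table still agrees with the volume offsets the tool printed (C: at 0x7e00, D: at 0x0d6dbcc800) and that only the boot code, not the table, is unfamiliar. The script below is an added example, not code from this thread or from MBRCheck. It assumes the hash covers the first 440 bytes (the bootstrap before the disk signature; the log does not state which region MBRCheck hashes), the sample boot code bytes and the trusted-hash set are constructed for the example, and the sample partition layout only mirrors the offsets quoted in the log.

```python
# Added example (not part of the thread or of MBRCheck): parse a raw 512-byte MBR
# dump and check it against what the tool log reports. All sample data below is
# constructed for the example; the boot code bytes are NOT the real Windows XP code.
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the bootstrap; 440..443 the disk signature
PART_TABLE_OFF = 446
BOOT_SIG = b"\x55\xaa"


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a 512-byte MBR image. partitions = [(bootable, type, start_lba, sectors), ...]."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, BOOT_CODE_LEN, disk_sig)
    for i, (bootable, ptype, start, count) in enumerate(partitions[:4]):
        # CHS fields are left zero; modern loaders use the LBA fields
        struct.pack_into("<B3sB3sII", img, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    img[510:512] = BOOT_SIG
    return bytes(img)


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into its boot code hash, disk signature and partition entries."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            "<B3sB3sII", data, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count,
                      "byte_offset": start * SECTOR})
    return {
        "boot_sig_ok": data[510:512] == BOOT_SIG,
        # hash only the bootstrap region so the disk signature and partition
        # table (which legitimately differ per machine) do not affect it
        "boot_code_sha1": hashlib.sha1(data[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", data, BOOT_CODE_LEN)[0],
        "partitions": parts,
    }


def check_mbr(data: bytes, reported_offsets: dict, known_good: frozenset = frozenset()) -> list:
    """Return a list of findings; an empty list means the MBR is self-consistent.

    reported_offsets maps volume letter -> byte offset as the tool log prints it
    (e.g. {"C": 0x7e00}); known_good is a set of trusted boot-code SHA1 hashes.
    """
    info = parse_mbr(data)
    findings = []
    if not info["boot_sig_ok"]:
        findings.append("boot signature 0x55AA missing")
    if known_good and info["boot_code_sha1"] not in known_good:
        findings.append(f"unknown boot code, SHA1 {info['boot_code_sha1']}")
    table_offsets = {p["byte_offset"] for p in info["partitions"]}
    for letter, off in reported_offsets.items():
        if off not in table_offsets:
            findings.append(f"{letter}: offset {off:#x} matches no partition entry")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} active partitions (expected exactly 1)")
    # partitions must not overlap; a bootkit sometimes hides its code behind a fake entry
    spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"]) for p in info["partitions"])
    for (s0, e0), (s1, _e1) in zip(spans, spans[1:]):
        if s1 < e0:
            findings.append(f"partition entries overlap at LBA {s1}")
    return findings


# Constructed sample: same layout as the log (C: at 0x7e00 = LBA 63, D: at 0x0d6dbcc800),
# with dummy bootstrap bytes standing in for the real boot code.
FAKE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
D_START_LBA = 0x0D6DBCC800 // SECTOR
SAMPLE_MBR = build_mbr(FAKE_BOOT_CODE, [
    (True, 0x07, 63, D_START_LBA - 63),                      # C: NTFS, active
    (False, 0x07, D_START_LBA, 312_000_000 - D_START_LBA),   # D: NTFS, rest of a ~149 GB disk
])
TRUSTED = frozenset({hashlib.sha1(SAMPLE_MBR[:BOOT_CODE_LEN]).hexdigest().upper()})
REPORTED = {"C": 0x7E00, "D": 0x0D6DBCC800}


def tampered_copy() -> bytes:
    """Simulate a bootkit: overwrite the bootstrap but leave the partition table alone."""
    img = bytearray(SAMPLE_MBR)
    img[:8] = b"\xea\x05\x00\xc0\x07\x00\x00\x00"  # far jump into hidden code (dummy bytes)
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("clean", SAMPLE_MBR), ("tampered", tampered_copy())):
        print(label, check_mbr(img, REPORTED, TRUSTED) or "OK")
```

Run it against a real dump by reading the 512-byte file into `check_mbr` with the offsets copied from the MBRCheck lines and a trusted-hash set built from a known-clean machine of the same Windows version. A report that names only the boot code, with the table and volume offsets agreeing, is the pattern in the log above; a volume whose offset matches no table entry, or overlapping entries, is the case where rewriting the bootstrap alone would not be enough.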
#21
Posted 12 January 2011 - 05:33 AM
I'm going to do it just after dinner! Thank you
Iggy
#22
Posted 13 January 2011 - 06:30 AM
MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000003d
Kernel Drivers (total 143):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E3000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB9F4A000 pcmcia.sys
0xBA0D8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F05000 dmio.sys
0xBA4C4000 ACPIEC.sys
0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9EED000 atapi.sys
0xB9E26000 iaStor.sys
0xBA0F8000 SbAlg.sys
0xBA108000 disk.sys
0xBA118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E07000 fltMgr.sys
0xBA5AE000 SbFsLock.sys
0xB9DF5000 sr.sys
0xB9DDE000 KSecDD.sys
0xB9D51000 Ntfs.sys
0xB9D24000 NDIS.sys
0xB9D0C000 SafeBoot.sys
0xB9CF1000 Mup.sys
0xBA128000 hpdskflt.sys
0xBA158000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8148000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB8134000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA4A8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8111000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA4B0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB80EC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB7F98000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB7F6D000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB7F59000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS
0xBA1E8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA340000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB7EDD000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA358000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB7EA7000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA600000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA368000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA208000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA218000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB9547000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7E84000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9537000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0xBA568000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0xB9527000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA360000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA56C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA570000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB7D3F000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xBA7A3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB9517000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA574000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7D28000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB9507000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB94F7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA370000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7D17000 \SystemRoot\system32\DRIVERS\psched.sys
0xB94E7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA378000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA380000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7CE6000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB94C7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA602000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7CB2000 \SystemRoot\system32\DRIVERS\update.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9CCD000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB94B7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA2D8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA5D25000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA5D03000 \SystemRoot\system32\drivers\portcls.sys
0xBA2F8000 \SystemRoot\system32\drivers\drmk.sys
0xA5CEB000 \SystemRoot\system32\drivers\AEAudio.sys
0xA5BC5000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xBA430000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA3A0000 \SystemRoot\System32\drivers\psd.sys
0xBA66E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6BD000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5B2000 \SystemRoot\System32\Drivers\Beep.SYS
0xA6781000 \??\C:\Programmi\Symantec\Norton Ghost 2003\ghpciscan.sys
0xA6779000 \SystemRoot\System32\drivers\vga.sys
0xBA5B4000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5C2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA5C4000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xA4EF9000 \SystemRoot\System32\Drivers\InCDfs.SYS
0xA6739000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA55B5000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA6C4C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA4EE6000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA4EBE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA4E9C000 \SystemRoot\System32\drivers\afd.sys
0xA5B35000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA5C6000 \SystemRoot\System32\Drivers\RsvLock.SYS
0xA4E3C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA4DCD000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA55AD000 \SystemRoot\System32\DRIVERS\InCDPass.sys
0xA5B25000 \SystemRoot\System32\Drivers\Fips.SYS
0xA5585000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA534F000 \SystemRoot\system32\DRIVERS\sfloppy.sys
0x9FB37000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA03F5000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9FA70000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9FD65000 \SystemRoot\System32\watchdog.sys
0x9FCE2000 \SystemRoot\System32\drivers\Dxapi.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7AF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF058000 \SystemRoot\System32\igxpdv32.DLL
0xBF297000 \SystemRoot\System32\igxpdx32.DLL
0xA0A87000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9FA1B000 \SystemRoot\system32\drivers\wdmaud.sys
0xA5B55000 \SystemRoot\system32\drivers\sysaudio.sys
0x9F3F9000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA64E000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA490000 \??\C:\WINDOWS\system32\ANIO.SYS
0x9F506000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xBA3B8000 \SystemRoot\system32\drivers\npf.sys
0x9F306000 \SystemRoot\system32\DRIVERS\srv.sys
0x9F1CD000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9F0D5000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9F06C000 \SystemRoot\System32\Drivers\HTTP.sys
0x9EEB2000 \SystemRoot\system32\drivers\kmixer.sys
0x7C910000 \WINDOWS\system32\ntdll.dll
Processes (total 53):
0 System Idle Process
4 System
528 C:\WINDOWS\system32\smss.exe
576 csrss.exe
600 C:\WINDOWS\system32\winlogon.exe
656 C:\WINDOWS\system32\services.exe
668 C:\WINDOWS\system32\lsass.exe
828 C:\WINDOWS\system32\svchost.exe
848 C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
876 C:\WINDOWS\system32\svchost.exe
952 C:\Programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
984 svchost.exe
1020 C:\WINDOWS\system32\svchost.exe
1140 svchost.exe
1492 C:\WINDOWS\system32\spoolsv.exe
1568 scardsvr.exe
1828 C:\WINDOWS\explorer.exe
1852 C:\Programmi\Google\Update\GoogleUpdate.exe
156 C:\Programmi\Real\RealPlayer\Update\realsched.exe
200 C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
188 C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
248 C:\WINDOWS\system32\igfxpers.exe
268 C:\WINDOWS\system32\igfxtray.exe
300 C:\WINDOWS\system32\hkcmd.exe
356 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE
456 C:\WINDOWS\system32\igfxsrvc.exe
632 C:\WINDOWS\system32\accelerometerST.exe
728 C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe
900 C:\Programmi\Skype\Phone\Skype.exe
1200 C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
1904 C:\Programmi\Hewlett-Packard\IAM\Bin\asghost.exe
3008 C:\WINDOWS\system32\agrsmsvc.exe
3024 C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
3036 C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
3068 C:\Programmi\Symantec\Norton Ghost 2003\GhostStartService.exe
3168 C:\WINDOWS\system32\IFXSPMGT.exe
3200 C:\WINDOWS\system32\IFXTCS.exe
3272 C:\Programmi\Ahead\InCD\incdsrv.exe
3304 C:\Programmi\Java\jre6\bin\jqs.exe
3356 C:\Programmi\Motorola\MotoConnectService\MotoConnectService.exe
3396 C:\WINDOWS\system32\IfxPsdSv.exe
3436 C:\WINDOWS\system32\svchost.exe
3544 C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
3652 C:\Programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
3668 C:\Programmi\Motorola\MotoConnectService\MotoConnect.exe
3716 wmiprvse.exe
2448 C:\WINDOWS\system32\wbem\wmiapsrv.exe
2456 C:\WINDOWS\system32\wscntfy.exe
2492 C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
2668 C:\Programmi\Hewlett-Packard\Embedded Security Software\PSDrt.exe
3800 C:\Programmi\Skype\Plugin Manager\skypePM.exe
1592 C:\WINDOWS\system32\cmd.exe
2752 C:\Documents and Settings\Iggy\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000d`6dbcc800 (NTFS)
PhysicalDrive0 Model Number: ST9160314AS, Rev: 0001SDM1
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F4CDBE5097E260AB28B6E6ED10CE614682153573
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:
Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.
Done!
ComboFix 11-01-08.05 - Iggy 13/01/2011 12.32.35.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2039.1676 [GMT 1:00]
Run by: c:\documents and settings\Iggy\Desktop\ComboFix.exe
Options used :: c:\documents and settings\Iggy\Desktop\CFScript.txt
FILE ::
"c:\documents and settings\Iggy\Dati applicazioni\skypePM\2011-01-07-2.ezlog"
"c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP"
"c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP"
.
/wow section - STAGE 50
The system cannot find the path specified.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
The infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{187DBEC2-1C28-4DBE-BCCC-4456A43FA671}\RP8\A0005619.exe
The infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{187DBEC2-1C28-4DBE-BCCC-4456A43FA671}\RP8\A0005945.exe
.
--------------- FCopy ---------------
c:\windows\system32\dllcache\explorer.exe --> c:\windows\explorer.exe
c:\windows\system32\dllcache\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created From 2010-12-13 to 2011-01-13 )))))))))))))))))))))))))))))))))))
.
2011-01-13 11:32 . 2011-01-13 11:32 -------- d-----w- c:\windows\LastGood.Tmp
2011-01-12 14:56 . 2011-01-12 14:56 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-12 12:14 . 2004-08-03 22:14 359040 -c--a-w- c:\windows\system32\dllcache\tcpip.sys
2011-01-12 12:14 . 2004-08-03 22:14 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-01-10 12:23 . 2011-01-10 12:33 -------- d-----w- c:\documents and settings\Iggy\Impostazioni locali\Dati applicazioni\Promosoft Corporation
2011-01-10 11:47 . 2011-01-10 11:47 -------- d-----w- c:\programmi\Trend Micro
2011-01-08 20:42 . 2011-01-08 20:42 -------- d-----w- c:\programmi\Pc Optimizer 360
2011-01-05 17:42 . 2004-08-19 08:00 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2011-01-05 17:42 . 2004-08-19 08:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2011-01-05 15:58 . 2011-01-08 21:06 -------- d-----w- c:\programmi\CCleaner
2011-01-04 22:07 . 2004-08-19 14:39 1034752 ----a-w- c:\windows\explorer.exe
2011-01-03 18:10 . 2011-01-03 18:10 -------- d-----w- C:\Venus11
2011-01-01 18:26 . 2011-01-01 18:26 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-27 15:29 . 2010-12-27 15:29 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Identities
2010-12-27 11:06 . 2010-12-27 11:06 -------- d-----w- C:\sh4ldr
2010-12-27 11:06 . 2010-12-27 11:06 -------- d-----w- c:\programmi\Enigma Software Group
2010-12-25 19:45 . 2010-12-25 19:45 110080 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconF7A21AF7.exe
2010-12-25 19:45 . 2010-12-25 19:45 110080 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconD7F16134.exe
2010-12-25 17:41 . 2010-12-25 22:37 -------- d-----w- c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-12-25 16:47 . 2010-12-25 19:44 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2010-12-25 16:47 . 2010-12-25 17:38 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2010-12-24 15:48 . 2010-12-24 15:48 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-12-23 09:27 . 2010-12-23 09:27 -------- d-----w- c:\programmi\Admiresoft
2010-12-22 18:50 . 2010-12-22 18:51 -------- d-----w- C:\Bilan11
2010-12-17 11:29 . 2010-12-17 11:30 -------- d-----w- c:\programmi\Hide IP NG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-05 15:20 . 2009-07-26 10:49 1391104 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2010-12-08 15:36 . 2010-12-08 15:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-08 15:36 . 2010-05-04 09:45 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 16:20 . 2010-10-17 16:20 40960 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{2DA701B1-5597-44BA-BA96-ED6A737CCA57}\NewShortcut1_9873BD74E565483399E18668472BEA7F.exe
1998-02-10 16:34 . 2009-07-29 14:11 128000 ----a-w- c:\programmi\UNWISE.EXE
.
c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM .exe
c:\programmi\Skype\Phone\Skype .exe
------- Sigcheck -------
Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2011-01-05_16.16.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-31 12:00 . 2011-01-10 22:12 91988 c:\windows\system32\perfc010.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 91988 c:\windows\system32\perfc010.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 76978 c:\windows\system32\perfc009.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 76978 c:\windows\system32\perfc009.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 508156 c:\windows\system32\perfh010.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 508156 c:\windows\system32\perfh010.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 459256 c:\windows\system32\perfh009.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 459256 c:\windows\system32\perfh009.dat
+ 2004-08-19 13:39 . 2004-08-19 08:00 151552 c:\windows\system32\dllcache\regedit.exe
+ 2004-08-19 13:39 . 2004-08-19 08:00 151552 c:\windows\regedit.exe
- 2004-08-19 13:39 . 2004-08-19 13:39 151552 c:\windows\regedit.exe
+ 2011-01-13 11:32 . 2004-08-19 14:39 504832 c:\windows\LastGood.Tmp\system32\winlogon.exe
+ 2011-01-13 11:32 . 2004-08-19 14:39 1034752 c:\windows\LastGood.Tmp\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\programmi\Ahead\Nero BackItUp\NBJ .exe" [N/A]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-11-18 21633320]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\programmi\real\realplayer\update\realsched.exe" [2010-11-18 274608]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QlbCtrl.exe"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-06-03 177456]
"PTHOSTTR"="c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-09 150040]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-09 150040]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-24 677144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-09 178712]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"ISUSPM"="c:\programmi\File comuni\InstallShield\UpdateService\isuspm.exe" [2006-05-16 213936]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-5-12 581693]
LG SyncManager.lnk - c:\h7??\LGSyncManager.exe [N/A]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 07:04 49152 ----a-r- c:\windows\system32\DeviceNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-03-14 04:03 74752 ----a-r- c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
c:\progra~1\ALWILS~1\Avast5\avastUI.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP1\\RpcAgentSrv.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\FlashGet\\FlashGet.exe"=
"c:\\Programmi\\Motorola\\RSD Lite\\SDL.exe"=
"c:\\Programmi\\Motorola\\Software Update\\msu.exe"=
"c:\\Programmi\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Programmi\\Port Forwarding Wizard\\bin\\Port Forwarding Wizard.exe"=
"c:\\Programmi\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Programmi\\Real\\RealPlayer\\realplay.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 gupdate1ca0e044ffa000;Servizio di Google Update (gupdate1ca0e044ffa000);c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 133104]
R2 MotoConnect Service;MotoConnect Service;c:\programmi\Motorola\MotoConnectService\MotoConnectService.exe [2010-01-27 91392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
R2 SWIHPWMI;SWIHPWMI;c:\programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R3 Com4QLBEx;Com4QLBEx;c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [2007-06-08 30008]
R3 esgiguard;esgiguard; [x]
R3 FLCDLOCK;Controllo/blocco dispositivi HP ProtectTools;c:\windows\system32\flcdlock.exe [2007-06-08 172131]
R3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys [2006-10-18 33024]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\programmi\SiSoftware\SiSoftware Sandra Professional Business 2009.SP1\RpcAgentSrv.exe [2008-11-03 98488]
R3 scrswi;Sierra Wireless Smart Card Reader;c:\windows\system32\DRIVERS\scrswi.sys [2008-01-10 44160]
R3 SWNC8U02;HP hs2300 MUX NDIS Driver (02);c:\windows\system32\DRIVERS\SWNC8U02.sys [2008-01-31 165248]
R3 SWUMX02;HP hs2300 USB MUX Driver (02);c:\windows\system32\DRIVERS\swumx02.sys [2008-01-31 142976]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 GhPciScan;GhostPciScanner;c:\programmi\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-05-28 5632]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2007-07-24 38816]
S1 RsvLock;RsvLock; [x]
S2 ASBroker;Operatore della sessione di accesso;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 HpFkCryptService;Drive Encryption Service;c:\programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-09-06 221184]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-07-24 41216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder
2011-01-13 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-26 16:12]
2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 15:16]
2011-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 15:16]
2011-01-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1993962763-1078145449-682003330-1003.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
2010-12-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1993962763-1078145449-682003330-1003.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = *.local
IE: &Scarica con FlashGet - c:\programmi\FlashGet\jc_link.htm
IE: &Scarica tutto con FlashGet - c:\programmi\FlashGet\jc_all.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
DPF: {2C546582-48CE-4890-9C88-B2665B125E15} - hxxp://www.registrywinner.com/RWOnline.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-13 12:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs loaded by running processes ---------------------
- - - - - - - > 'winlogon.exe'(592)
c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\programmi\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\SbHpNp.DLL
c:\windows\system32\DeviceNP.dll
c:\programmi\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\programmi\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\HPBrand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\ItMsg.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ASChnl.dll
- - - - - - - > 'explorer.exe'(276)
c:\windows\system32\APSHook.dll
c:\windows\system32\msi.dll
.
------------------------ Other running processes ------------------------
.
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
c:\windows\System32\SCardSvr.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\Hewlett-Packard\IAM\bin\asghost.exe
c:\windows\system32\agrsmsvc.exe
c:\programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
c:\programmi\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\windows\system32\IFXTCS.exe
c:\programmi\Ahead\InCD\InCDsrv.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\IfxPsdSv.exe
c:\programmi\Motorola\MotoConnectService\MotoConnect.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Scan finished: 2011-01-13 12:55:37 - The PC was rebooted
ComboFix-quarantined-files.txt 2011-01-13 11:55
ComboFix2.txt 2011-01-12 14:26
ComboFix3.txt 2011-01-12 13:03
ComboFix4.txt 2011-01-10 22:12
ComboFix5.txt 2011-01-12 15:37
Pre-Run: 1,923,731,456 bytes free
Post-Run: 1,883,144,192 bytes free
- - End Of File - - B1961976F21F52CEA3B22E527FC6035A
MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000003d
Kernel Drivers (total 144):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E3000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB9F4A000 pcmcia.sys
0xBA0D8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F05000 dmio.sys
0xBA4C4000 ACPIEC.sys
0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9EED000 atapi.sys
0xB9E26000 iaStor.sys
0xBA0F8000 SbAlg.sys
0xBA108000 disk.sys
0xBA118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E07000 fltMgr.sys
0xBA5AE000 SbFsLock.sys
0xB9DF5000 sr.sys
0xB9DDE000 KSecDD.sys
0xB9D51000 Ntfs.sys
0xB9D24000 NDIS.sys
0xB9D0C000 SafeBoot.sys
0xB9CF1000 Mup.sys
0xBA128000 hpdskflt.sys
0xBA158000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA188000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8125000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB8111000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA4A8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB80EE000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA4B0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB80C9000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB7F75000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB7F4A000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB7F36000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA198000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS
0xBA1A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA340000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB7EBA000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA358000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB7E84000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5F0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA360000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7E61000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0xB95A8000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0xBA208000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA368000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB95A4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB95A0000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB7D1C000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xBA6D7000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA218000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB959C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7D05000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB9524000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB9514000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA378000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7CF4000 \SystemRoot\system32\DRIVERS\psched.sys
0xB9504000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA370000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA380000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7CC3000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB94F4000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5F2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7C8F000 \SystemRoot\system32\DRIVERS\update.sys
0xBA584000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB872A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA288000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA5D79000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA5D57000 \SystemRoot\system32\drivers\portcls.sys
0xBA2A8000 \SystemRoot\system32\drivers\drmk.sys
0xA5C9F000 \SystemRoot\system32\drivers\AEAudio.sys
0xA5B79000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xBA408000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA4A0000 \SystemRoot\System32\drivers\psd.sys
0xBA632000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA571A000 \SystemRoot\System32\Drivers\Null.SYS
0xBA634000 \SystemRoot\System32\Drivers\Beep.SYS
0xA5B69000 \??\C:\Programmi\Symantec\Norton Ghost 2003\ghpciscan.sys
0xA5B61000 \SystemRoot\System32\drivers\vga.sys
0xBA636000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA638000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA63A000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xA4FE6000 \SystemRoot\System32\Drivers\InCDfs.SYS
0xA5B59000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA5B51000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA768C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA4F83000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA4F5B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA4F39000 \SystemRoot\System32\drivers\afd.sys
0xA5D47000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA63C000 \SystemRoot\System32\Drivers\RsvLock.SYS
0xA4E6D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA4DFE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA5B49000 \SystemRoot\System32\DRIVERS\InCDPass.sys
0xA5D37000 \SystemRoot\System32\Drivers\Fips.SYS
0xA523D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA50EE000 \SystemRoot\system32\DRIVERS\sfloppy.sys
0x9F8F2000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA08D3000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9F82B000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA0149000 \SystemRoot\System32\watchdog.sys
0x9FF4D000 \SystemRoot\System32\drivers\Dxapi.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA784000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF058000 \SystemRoot\System32\igxpdv32.DLL
0xBF297000 \SystemRoot\System32\igxpdx32.DLL
0xA542C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9F7D6000 \SystemRoot\system32\drivers\wdmaud.sys
0x9FF55000 \SystemRoot\system32\drivers\sysaudio.sys
0x9F254000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9FE33000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA399B000 \??\C:\WINDOWS\system32\ANIO.SYS
0xA3647000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xA378C000 \SystemRoot\system32\drivers\npf.sys
0x9EFCF000 \SystemRoot\system32\DRIVERS\srv.sys
0x9EDF6000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9ED9E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA3DD1000 \??\C:\ComboFix\catchme.sys
0x9EC95000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA668000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0x7C910000 \WINDOWS\system32\ntdll.dll
Processes (total 55):
0 System Idle Process
4 System
520 C:\WINDOWS\system32\smss.exe
568 csrss.exe
592 C:\WINDOWS\system32\winlogon.exe
636 C:\WINDOWS\system32\services.exe
648 C:\WINDOWS\system32\lsass.exe
800 C:\WINDOWS\system32\svchost.exe
828 C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
848 C:\WINDOWS\system32\svchost.exe
912 C:\Programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
944 svchost.exe
976 C:\WINDOWS\system32\svchost.exe
1092 svchost.exe
1392 C:\WINDOWS\system32\spoolsv.exe
1472 scardsvr.exe
1752 C:\Programmi\Google\Update\GoogleUpdate.exe
1184 C:\Programmi\Real\RealPlayer\Update\realsched.exe
1204 C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
1220 C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
1232 C:\WINDOWS\system32\igfxpers.exe
1284 C:\WINDOWS\system32\igfxtray.exe
1352 C:\WINDOWS\system32\hkcmd.exe
1436 C:\WINDOWS\system32\igfxsrvc.exe
1408 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE
1632 C:\WINDOWS\system32\accelerometerST.exe
1652 C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe
1680 C:\Programmi\Skype\Phone\Skype.exe
1928 C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
496 C:\Programmi\Hewlett-Packard\IAM\Bin\asghost.exe
3488 C:\WINDOWS\system32\agrsmsvc.exe
3528 C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
1876 C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
3644 C:\Programmi\Symantec\Norton Ghost 2003\GhostStartService.exe
732 C:\WINDOWS\system32\IFXSPMGT.exe
3724 C:\WINDOWS\system32\IFXTCS.exe
3900 C:\Programmi\Ahead\InCD\incdsrv.exe
276 C:\WINDOWS\explorer.exe
200 C:\Programmi\Java\jre6\bin\jqs.exe
1244 C:\Programmi\Motorola\MotoConnectService\MotoConnectService.exe
2156 C:\WINDOWS\system32\IfxPsdSv.exe
2216 C:\WINDOWS\system32\svchost.exe
2624 C:\Programmi\Motorola\MotoConnectService\MotoConnect.exe
3112 C:\Programmi\Skype\Plugin Manager\skypePM.exe
3372 C:\Programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
3576 wmiprvse.exe
2992 C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
3088 C:\WINDOWS\system32\imapi.exe
3052 C:\WINDOWS\system32\wbem\wmiapsrv.exe
3396 C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
1728 C:\Programmi\Hewlett-Packard\Embedded Security Software\PSDrt.exe
3948 C:\WINDOWS\system32\wscntfy.exe
1312 wmiprvse.exe
2912 C:\Programmi\Google\Update\GoogleUpdate.exe
3432 C:\Documents and Settings\Iggy\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000d`6dbcc800 (NTFS)
PhysicalDrive0 Model Number: ST9160314AS, Rev: 0001SDM1
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F4CDBE5097E260AB28B6E6ED10CE614682153573
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done!
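MBRCheck's verdict above comes from hashing the executable code in sector 0 of the disk and comparing the hash with its list of known boot loaders: "Unknown MBR code" means the hash matched nothing on that list, and the "at offset" values are the partition table's LBA start fields multiplied by 512 (0x7E00 is LBA 63, the default first-partition start on XP). The Python below is an added example, not MBRCheck's code and not anything posted in the thread. It parses a 512-byte MBR, checks the 0x55AA signature, decodes the four partition entries, hashes the 440-byte code area and returns a Known/Unknown verdict against a whitelist the operator supplies. Everything in the sample is constructed except the two partition start offsets, which are taken from the MBRCheck output above: the boot code is a stub, the whitelist holds only the stub's own hash, and the sector counts and disk signature are made up. Which byte range MBRCheck hashes is not stated on the page, so the SHA1 values this script prints are not expected to reproduce the log's F4CDBE50... value. One caveat a practitioner would add before acting on such a verdict: full-disk encryption products install their own pre-boot code in sector 0, which a hash check reports as non-standard as well. The logs above show SafeBoot.sys, SbAlg.sys and SbFsLock.sys loaded at boot (S0) and an HP Drive Encryption Service registered, so an unknown hash on this machine is not by itself proof of an infected MBR, and overwriting a pre-boot loader with fixmbr can leave an encrypted system unbootable. Dump and keep sector 0 before rewriting it.

```python
"""Parse a raw 512-byte MBR, decode the partition table and hash the boot code.

Added example; not MBRCheck's code.  The byte range MBRCheck hashes is not stated
in the thread, so the SHA1 values produced here are not expected to match its log.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # legacy MBR: executable code occupies bytes 0..439
DISK_SIG_OFF = 440        # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510        # 0x55 0xAA
PART_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector):
    """Describe an MBR; raise ValueError if the sector is the wrong size or lacks the 0x55AA signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * slot)
        if ptype == 0:
            continue                                 # empty slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,                           # 0x07 = NTFS (also HPFS/exFAT)
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR_SIZE,  # the "at offset" value MBRCheck prints
        })
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def classify_mbr(sector, known_boot_code_hashes):
    """Verdict in MBRCheck's terms: 'Known' if the code hash is whitelisted, else 'Unknown MBR code'."""
    info = parse_mbr(sector)
    verdict = "Known" if info["boot_code_sha1"] in known_boot_code_hashes else "Unknown MBR code"
    return verdict, info


def build_mbr(boot_code, disk_signature, entries):
    """Assemble a 512-byte MBR from parts; used here only to construct sample input."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for slot, (bootable, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * slot,
                         0x80 if bootable else 0x00, ptype, lba_start, count)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# --- Constructed sample data (not a real disk dump) ---
# Stand-in for trusted boot code.  For real use, dump sector 0 of a known-clean
# install of the same Windows version and whitelist its hash instead.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
# Same code with the entry point patched into a jump: how any bootkit or other
# overwrite looks to a hash check (only the hash is examined, not the code itself).
TAMPERED_BOOT_CODE = bytes([0xEB, 0x20]) + CLEAN_BOOT_CODE[2:]
KNOWN_BOOT_CODE_HASHES = {hashlib.sha1(CLEAN_BOOT_CODE).hexdigest().upper()}

# Partition starts taken from the MBRCheck output in this thread: C: at byte
# offset 0x7E00 (LBA 63) and D: at 0xD6DBCC800 (LBA 112647780).  The sector
# counts and the disk signature are constructed.
LAYOUT = [
    (True, 0x07, 63, 112_647_717),
    (False, 0x07, 112_647_780, 199_934_028),
]
DISK_SIGNATURE = 0x1234ABCD

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, DISK_SIGNATURE, LAYOUT)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, DISK_SIGNATURE, LAYOUT)


def verdicts():
    """Classify both sample sectors: ('Known', 'Unknown MBR code')."""
    return (classify_mbr(CLEAN_MBR, KNOWN_BOOT_CODE_HASHES)[0],
            classify_mbr(TAMPERED_MBR, KNOWN_BOOT_CODE_HASHES)[0])


if __name__ == "__main__":
    # On a live Windows box (as administrator): sector = open(r"\\.\PhysicalDrive0", "rb").read(512)
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        verdict, info = classify_mbr(sector, KNOWN_BOOT_CODE_HASHES)
        print(f"{label}: {verdict}  SHA1(boot code)={info['boot_code_sha1']}")
        for p in info["partitions"]:
            print(f"  slot {p['slot']} type 0x{p['type']:02X} at offset 0x{p['byte_offset']:016x}"
                  f" ({p['sectors']} sectors{', bootable' if p['bootable'] else ''})")
```

To use it on the machine in question, read the first 512 bytes of \\.\PhysicalDrive0 as administrator, save that dump somewhere off the disk, and build the whitelist from sector 0 of a clean install of the same Windows version (or from the encryption product's own documented pre-boot loader, if one is installed). The partition-table decode is the part worth trusting on its own: if the entry for C: does not point at the offset MBRCheck reported, the table has been altered regardless of what the code hash says.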
#23
Posted 13 January 2011 - 07:37 AM
Were we able to solve the booting problem or are you still booting using the USB floppy?
#24
Posted 13 January 2011 - 08:59 AM
#25
Posted 13 January 2011 - 09:12 AM
Let's find that rootkit.
Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity. - Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
#26
Posted 13 January 2011 - 11:10 AM
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-13 18:04:23
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916031 rev.0001
Running: gmer.exe; Driver: C:\DOCUME~1\Iggy\IMPOST~1\Temp\fxtdrpow.sys
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\drivers\SafeBoot.sys Unable to access the file. The file is being used by another process.
---- User code sections - GMER 1.0.15 ----
.text C:\programmi\real\realplayer\update\realsched.exe[1720] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
#27
Posted 14 January 2011 - 05:21 AM
We'll fix the MBR outside of Windows.
Step One
Please download ARCDC from Artellos.com.
- Double click ARCDC.exe
- Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
- You will be prompted with a Terms of Use by Microsoft, please accept.
- You will see a few dos screens flash by, this is normal.
- Next you will be able to choose to add extra files. Select the Default Files.
- The last window will allow you to burn the disk using BurnCDCC
Next
To start the Recovery Console directly from the Windows XP CD, do the following:
- The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
- It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.
- If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.
- Type the following command then press enter.
fixmbr
- When asked for confirmation, choose yes.
- Type exit when it's done to restart the computer.
- Let the computer start normally without the USB stick
Step Two
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
RenV::
c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM .exe
c:\programmi\Skype\Phone\Skype .exe
File::
Folder::
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
#28
Posted 14 January 2011 - 06:08 AM
Another problem. After the R the answer was "setup did not find any hard disk drives installed...."
#29
Posted 14 January 2011 - 07:49 AM
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
RenV::
c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM .exe
c:\programmi\Skype\Phone\Skype .exe
MBR::
File::
Folder::
Registry::
Driver::
Rootkit::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
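The CFScript in #27 and #29 is built from things visible in the ComboFix logs above: an autostart entry whose target file ComboFix could not find ("NBJ .exe" [N/A]), executables whose name carries a space before .exe (the paths listed under RenV::), and a startup-folder shortcut pointing into the garbled path c:\h7??\. The Python below is an added example, not ComboFix's code and not anything from the thread: it runs those three checks over ComboFix-style Run-key and startup-folder lines and emits a RenV:: section in the layout the script above uses. The sample lines are copied from the logs in this thread; the finding categories and the function names are the example's own.

```python
"""Triage ComboFix-style autostart lines.  Added example, not ComboFix's code."""
import re

# Run value:  "Name"="path" [YYYY-MM-DD size]   or   "Name"="path" [N/A]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# Startup-folder shortcut:  Name.lnk - path [YYYY-M-D size]   or   [N/A]
STARTUP_LNK = re.compile(r'^(?P<name>.+?\.lnk)\s+-\s+(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$')
# "Program .exe": a space before the extension, the shape of the RenV:: entries in the thread's script
SPACE_BEFORE_EXT = re.compile(r'\s\.(exe|dll|scr|com|sys)$', re.IGNORECASE)


def parse_autostart_line(line):
    """Return (name, path, meta) for a Run value or startup-folder line, else None."""
    for pattern in (RUN_VALUE, STARTUP_LNK):
        m = pattern.match(line.strip())
        if m:
            return m.group("name"), m.group("path"), m.group("meta")
    return None


def findings_for(path, meta):
    """Return the triage findings for one autostart target (empty list if it looks normal)."""
    findings = []
    if meta.strip().upper() == "N/A":
        findings.append("target missing: no date/size recorded ([N/A])")
    if SPACE_BEFORE_EXT.search(path):
        findings.append("space before extension: RenV:: candidate")
    if "?" in path or any(ord(c) > 126 for c in path):
        findings.append("garbled or non-ASCII path")
    return findings


def triage(log_text):
    """Return one dict per flagged entry; lines that parse but look normal are dropped."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_autostart_line(line)
        if parsed is None:
            continue
        name, path, meta = parsed
        findings = findings_for(path, meta)
        if findings:
            hits.append({"name": name, "path": path, "findings": findings})
    return hits


def renv_section(hits):
    """Build the RenV:: block of a CFScript (directive line, then one path per line) from the hits."""
    paths = [h["path"] for h in hits
             if any(f.startswith("space before extension") for f in h["findings"])]
    if not paths:
        return ""
    return "RenV::\n" + "\n".join(paths) + "\n"


# Sample input copied from the ComboFix logs in this thread (Run values and the
# All Users startup folder).  Two of the five lines deserve a look.
SAMPLE_LOG = r'''
"NBJ"="c:\programmi\Ahead\Nero BackItUp\NBJ .exe" [N/A]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-09 150040]
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-5-12 581693]
LG SyncManager.lnk - c:\h7??\LGSyncManager.exe [N/A]
'''

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["name"]}: {h["path"]}')
        for f in h["findings"]:
            print("    -", f)
    print(renv_section(hits), end="")
```

Feed it the "Run" and startup-folder sections of a ComboFix log and review the hits by hand before anything goes into a CFScript: a missing target is just as often an uninstalled program as a removed payload, and the RenV:: list should only contain paths you have confirmed exist on disk with that exact name.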
#30
Posted 14 January 2011 - 08:49 AM
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2039.1668 [GMT 1:00]
Run from: c:\documents and settings\Iggy\Desktop\ComboFix.exe
Options used :: c:\documents and settings\Iggy\Desktop\CFScript.txt
FILE ::
"c:\documents and settings\Iggy\Dati applicazioni\skypePM\2011-01-07-2.ezlog"
"c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP"
"c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP"
.
/wow section - STAGE 50
The system cannot find the path specified.
((((((((((((((((((((((((( Files Created From 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))))))
.
2011-01-14 11:47 . 2011-01-14 11:47 -------- d-----w- C:\RecoveryCD
2011-01-12 14:56 . 2011-01-12 14:56 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-12 12:14 . 2004-08-03 22:14 359040 -c--a-w- c:\windows\system32\dllcache\tcpip.sys
2011-01-12 12:14 . 2004-08-03 22:14 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-01-10 12:23 . 2011-01-10 12:33 -------- d-----w- c:\documents and settings\Iggy\Impostazioni locali\Dati applicazioni\Promosoft Corporation
2011-01-10 11:47 . 2011-01-10 11:47 -------- d-----w- c:\programmi\Trend Micro
2011-01-08 20:42 . 2011-01-08 20:42 -------- d-----w- c:\programmi\Pc Optimizer 360
2011-01-05 17:42 . 2004-08-19 08:00 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2011-01-05 17:42 . 2004-08-19 08:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2011-01-05 15:58 . 2011-01-08 21:06 -------- d-----w- c:\programmi\CCleaner
2011-01-04 22:07 . 2004-08-19 14:39 1034752 ----a-w- c:\windows\explorer.exe
2011-01-03 18:10 . 2011-01-03 18:10 -------- d-----w- C:\Venus11
2011-01-01 18:26 . 2011-01-01 18:26 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-27 15:29 . 2010-12-27 15:29 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Identities
2010-12-27 11:06 . 2010-12-27 11:06 -------- d-----w- C:\sh4ldr
2010-12-27 11:06 . 2010-12-27 11:06 -------- d-----w- c:\programmi\Enigma Software Group
2010-12-25 19:45 . 2010-12-25 19:45 110080 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconF7A21AF7.exe
2010-12-25 19:45 . 2010-12-25 19:45 110080 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconD7F16134.exe
2010-12-25 17:41 . 2010-12-25 22:37 -------- d-----w- c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-12-25 16:47 . 2010-12-25 19:44 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2010-12-25 16:47 . 2010-12-25 17:38 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2010-12-24 15:48 . 2010-12-24 15:48 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-12-23 09:27 . 2010-12-23 09:27 -------- d-----w- c:\programmi\Admiresoft
2010-12-22 18:50 . 2010-12-22 18:51 -------- d-----w- C:\Bilan11
2010-12-17 11:29 . 2010-12-17 11:30 -------- d-----w- c:\programmi\Hide IP NG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-05 15:20 . 2009-07-26 10:49 1391104 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2010-12-08 15:36 . 2010-12-08 15:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-08 15:36 . 2010-05-04 09:45 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 16:20 . 2010-10-17 16:20 40960 ----a-r- c:\documents and settings\Iggy\Dati applicazioni\Microsoft\Installer\{2DA701B1-5597-44BA-BA96-ED6A737CCA57}\NewShortcut1_9873BD74E565483399E18668472BEA7F.exe
1998-02-10 16:34 . 2009-07-29 14:11 128000 ----a-w- c:\programmi\UNWISE.EXE
.
c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM .exe
c:\programmi\Skype\Phone\Skype .exe
------- Sigcheck -------
Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2011-01-05_16.16.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-31 12:00 . 2011-01-05 16:06 91988 c:\windows\system32\perfc010.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 91988 c:\windows\system32\perfc010.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 76978 c:\windows\system32\perfc009.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 76978 c:\windows\system32\perfc009.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 508156 c:\windows\system32\perfh010.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 508156 c:\windows\system32\perfh010.dat
- 2001-08-31 12:00 . 2011-01-05 16:06 459256 c:\windows\system32\perfh009.dat
+ 2001-08-31 12:00 . 2011-01-10 22:12 459256 c:\windows\system32\perfh009.dat
+ 2004-08-19 13:39 . 2004-08-19 08:00 151552 c:\windows\system32\dllcache\regedit.exe
+ 2004-08-19 13:39 . 2004-08-19 08:00 151552 c:\windows\regedit.exe
- 2004-08-19 13:39 . 2004-08-19 13:39 151552 c:\windows\regedit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate/default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\programmi\Ahead\Nero BackItUp\NBJ .exe" [N/A]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-11-18 21633320]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\programmi\real\realplayer\update\realsched.exe" [2010-11-18 274608]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QlbCtrl.exe"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-06-03 177456]
"PTHOSTTR"="c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-09 150040]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-09 150040]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-24 677144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-09 178712]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"ISUSPM"="c:\programmi\File comuni\InstallShield\UpdateService\isuspm.exe" [2006-05-16 213936]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-5-12 581693]
LG SyncManager.lnk - c:\h7??\LGSyncManager.exe [N/A]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 07:04 49152 ----a-r- c:\windows\system32\DeviceNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-03-14 04:03 74752 ----a-r- c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
c:\progra~1\ALWILS~1\Avast5\avastUI.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP1\\RpcAgentSrv.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\FlashGet\\FlashGet.exe"=
"c:\\Programmi\\Motorola\\RSD Lite\\SDL.exe"=
"c:\\Programmi\\Motorola\\Software Update\\msu.exe"=
"c:\\Programmi\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP1\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Programmi\\Port Forwarding Wizard\\bin\\Port Forwarding Wizard.exe"=
"c:\\Programmi\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Programmi\\Real\\RealPlayer\\realplay.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 gupdate1ca0e044ffa000;Servizio di Google Update (gupdate1ca0e044ffa000);c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 133104]
R2 MotoConnect Service;MotoConnect Service;c:\programmi\Motorola\MotoConnectService\MotoConnectService.exe [2010-01-27 91392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
R2 SWIHPWMI;SWIHPWMI;c:\programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R3 Com4QLBEx;Com4QLBEx;c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [2007-06-08 30008]
R3 esgiguard;esgiguard; [x]
R3 FLCDLOCK;Controllo/blocco dispositivi HP ProtectTools;c:\windows\system32\flcdlock.exe [2007-06-08 172131]
R3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys [2006-10-18 33024]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\programmi\SiSoftware\SiSoftware Sandra Professional Business 2009.SP1\RpcAgentSrv.exe [2008-11-03 98488]
R3 scrswi;Sierra Wireless Smart Card Reader;c:\windows\system32\DRIVERS\scrswi.sys [2008-01-10 44160]
R3 SWNC8U02;HP hs2300 MUX NDIS Driver (02);c:\windows\system32\DRIVERS\SWNC8U02.sys [2008-01-31 165248]
R3 SWUMX02;HP hs2300 USB MUX Driver (02);c:\windows\system32\DRIVERS\swumx02.sys [2008-01-31 142976]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 GhPciScan;GhostPciScanner;c:\programmi\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-05-28 5632]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2007-07-24 38816]
S1 RsvLock;RsvLock; [x]
S2 ASBroker;Operatore della sessione di accesso;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 HpFkCryptService;Drive Encryption Service;c:\programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-09-06 221184]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-07-24 41216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder
2011-01-14 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-26 16:12]
2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 15:16]
2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-07-26 15:16]
2011-01-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1993962763-1078145449-682003330-1003.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
2010-12-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1993962763-1078145449-682003330-1003.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-11-05 10:33]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = *.local
IE: &Scarica con FlashGet - c:\programmi\FlashGet\jc_link.htm
IE: &Scarica tutto con FlashGet - c:\programmi\FlashGet\jc_all.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
DPF: {2C546582-48CE-4890-9C88-B2665B125E15} - hxxp://www.registrywinner.com/RWOnline.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 15:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs loaded by running processes ---------------------
- - - - - - - > 'winlogon.exe'(428)
c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\programmi\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\SbHpNp.DLL
c:\windows\system32\DeviceNP.dll
c:\programmi\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\programmi\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\HPBrand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\ItMsg.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ASChnl.dll
- - - - - - - > 'explorer.exe'(2736)
c:\windows\system32\APSHook.dll
c:\windows\system32\msi.dll
.
------------------------ Other running processes ------------------------
.
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
c:\windows\System32\SCardSvr.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\Hewlett-Packard\IAM\bin\asghost.exe
c:\windows\system32\agrsmsvc.exe
c:\programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
c:\programmi\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\windows\system32\IFXTCS.exe
c:\programmi\Ahead\InCD\InCDsrv.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\IfxPsdSv.exe
c:\programmi\Motorola\MotoConnectService\MotoConnect.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
c:\programmi\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\imapi.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\programmi\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Scan completion time: 2011-01-14 15:42:53 - The PC was rebooted
ComboFix-quarantined-files.txt 2011-01-14 14:42
ComboFix2.txt 2011-01-13 11:56
ComboFix3.txt 2011-01-12 14:26
ComboFix4.txt 2011-01-12 13:03
ComboFix5.txt 2011-01-14 14:18
Pre-Run: 211,746,816 bytes free
Post-Run: 186,068,992 bytes free
- - End Of File - - 06870ECDDCE27706328AB07F95054A24
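The service and DPF lines in a ComboFix log have a fixed shape, and a helper reading a long log like the one above usually wants the same three things pulled out first: drivers that start at boot or system time, entries whose binary ComboFix could not find on disk, and any Downloaded Program Files (ActiveX) entries. The parser below is an added example written for this page, not part of the log, of ComboFix, or of anything the poster ran. It assumes the usual reading of the ComboFix notation (R = running, S = stopped, the digit is the Windows start type, `[x]` means no file was found at the listed path, and `hxxp` is the tool's defanged `http`) and works on a constructed sample that copies the layout of a few lines from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the ComboFix log above (a few lines, not the whole log).
SAMPLE_LOG = r"""
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
R3 esgiguard;esgiguard; [x]
S0 SafeBoot;SafeBoot; [x]
S1 GhPciScan;GhostPciScanner;c:\programmi\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-05-28 5632]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-07-24 41216]
DPF: {2C546582-48CE-4890-9C88-B2665B125E15} - hxxp://www.registrywinner.com/RWOnline.cab
"""

# Windows service start types, keyed by the digit ComboFix prints after R/S (assumed convention).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# "R2 name;display;path [yyyy-mm-dd size]"  or  "R3 name;display; [x]" when the file is absent.
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
# "DPF: {CLSID} - hxxp://host/file.cab"  (ComboFix writes hxxp so the URL is not clickable)
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(\S+)$")


@dataclass
class ServiceEntry:
    state: str            # "R" running or "S" stopped
    start_type: str       # boot/system/auto/manual/disabled, from the digit
    name: str
    display: str
    path: str
    missing: bool         # True when ComboFix printed "[x]": no file found at the listed path
    timestamp: Optional[str]
    size: Optional[int]


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every R*/S* service line in a ComboFix log section."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, digit, name, display, path, meta = m.groups()
        missing = meta.strip() == "x"
        timestamp = size = None
        if not missing:
            parts = meta.split()
            timestamp = parts[0]
            if len(parts) > 1 and parts[1].isdigit():
                size = int(parts[1])
        entries.append(ServiceEntry(state, START_TYPES[digit], name, display,
                                    path, missing, timestamp, size))
    return entries


def parse_dpf(text: str) -> List[Tuple[str, str]]:
    """Return (CLSID, refanged URL) for each Downloaded Program Files entry."""
    found = []
    for line in text.splitlines():
        m = DPF_RE.match(line.strip())
        if m:
            clsid, url = m.groups()
            found.append((clsid, re.sub(r"^hxxp", "http", url)))
    return found


def triage(text: str) -> dict:
    """What a helper looks at first: early-start drivers, missing binaries, ActiveX downloads."""
    services = parse_services(text)
    return {
        "missing_binary": [e.name for e in services if e.missing],
        "early_start": [e.name for e in services if e.start_type in ("boot", "system")],
        "dpf": parse_dpf(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed the whole pasted log to `triage()` rather than the sample; the regexes ignore every line that is not a service or DPF entry. A `[x]` entry is only a pointer to check, not a verdict: a leftover service pointing at an uninstalled product looks the same in the log as a driver whose file was removed by a cleaner.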