Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » log combofix di un amico

log combofix di un amico Opzioni
Topic Precedente · Topic Sucessivo
fdaccc
Inviato: Sunday, March 14, 2010 3:32:14 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
Sperando che non abbia il rootkit nell mbr...
Gia fatto controluserpassword2, gia provato a rimuovere l'account ma niente.

Metto il mio amico nelle tue mani r16 =)



ComboFix 10-03-13.03 - Claudio 14/03/2010 14.56.59.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.39.1040.18.2047.1397 [GMT 1:00]
Eseguito da: c:\users\Claudio\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1892750078-2322759259-975240241-1000
c:\$recycle.bin\S-1-5-21-3805200160-1256103025-2377931038-1000
c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\$recycle.bin\S-1-5-21-831119921-1791620592-3084076976-1001
c:\$recycle.bin\S-1-5-21-929530845-3106974072-3034993129-1000
c:\program files\Search Settings
c:\program files\Search Settings\FF\chrome.manifest
c:\program files\Search Settings\FF\chrome\content\plugin.js
c:\program files\Search Settings\FF\chrome\content\plugin.xul
c:\program files\Search Settings\FF\chrome\content\protection.js
c:\program files\Search Settings\FF\chrome\content\utils.js
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
c:\program files\Search Settings\FF\components\SearchSettingsFF.dll
c:\program files\Search Settings\FF\install.rdf
c:\program files\Search Settings\SearchSettings.exe
c:\program files\Search Settings\SearchSettingsRes409.dll
c:\recycler\S-1-5-21-823518204-527237240-1417001333-1003

.
((((((((((((((((((((((((( Files Creati Da 2010-02-14 al 2010-03-14 )))))))))))))))))))))))))))))))))))
.

2010-03-14 13:41 . 2010-03-14 13:42 -------- d-----w- C:\32788R22FWJFW
2010-03-13 13:25 . 2010-03-13 13:25 -------- d-----w- c:\users\Claudio\AppData\Roaming\Malwarebytes
2010-03-13 13:25 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 13:25 . 2010-03-13 13:25 -------- d-----w- c:\programdata\Malwarebytes
2010-03-13 13:24 . 2010-03-13 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 13:24 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 06:22 . 2010-03-13 06:22 388096 ----a-r- c:\users\Claudio\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-13 06:22 . 2010-03-13 06:22 -------- d-----w- c:\program files\TrendMicro
2010-03-11 18:50 . 2010-02-25 10:03 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2010-03-11 18:50 . 2010-02-25 09:56 21320 ----a-w- c:\windows\system32\authuitu.dll
2010-03-11 18:50 . 2010-02-25 09:56 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-03-11 18:49 . 2010-03-11 18:49 -------- d-----w- c:\users\Claudio\AppData\Roaming\TuneUp Software
2010-03-11 18:49 . 2010-03-11 18:50 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-03-11 18:47 . 2010-03-11 18:49 -------- d-----w- c:\programdata\TuneUp Software
2010-03-11 18:47 . 2010-03-11 18:47 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-03-10 08:05 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 08:05 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 08:05 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-09 17:10 . 2010-03-09 17:10 -------- d-----w- c:\program files\CCleaner
2010-03-04 15:13 . 2010-03-04 15:13 -------- d-----w- c:\programdata\PC Suite
2010-03-04 15:13 . 2010-03-04 15:13 -------- d-----w- c:\users\Claudio\AppData\Roaming\PC Suite
2010-03-04 15:12 . 2007-05-02 15:31 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-03-04 15:12 . 2010-03-04 15:12 -------- d-----w- c:\program files\DIFX
2010-03-04 15:12 . 2007-09-17 14:53 21632 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-04 15:12 . 2010-03-04 15:12 -------- dc----w- c:\windows\system32\DRVSTORE
2010-03-04 15:11 . 2009-03-20 09:01 90112 ----a-w- c:\windows\system32\drivers\ss_bbus.sys
2010-03-04 15:11 . 2009-03-20 09:01 14976 ----a-w- c:\windows\system32\drivers\ss_bmdfl.sys
2010-03-04 15:11 . 2009-03-20 09:01 121856 ----a-w- c:\windows\system32\drivers\ss_bmdm.sys
2010-03-04 15:11 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bwhnt.sys
2010-03-04 15:11 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bwh.sys
2010-03-04 15:11 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bcmnt.sys
2010-03-04 15:11 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bcm.sys
2010-03-04 15:09 . 2010-03-04 15:12 -------- d-----w- c:\program files\Samsung
2010-03-04 11:26 . 2010-03-04 11:26 -------- d-----w- c:\program files\Xilisoft
2010-02-28 13:04 . 2009-10-11 03:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 13:03 . 2010-03-01 06:22 -------- d-----w- c:\program files\Java
2010-02-24 06:15 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 06:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 06:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 06:14 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 06:14 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 06:14 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 06:14 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 06:14 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 06:14 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 06:14 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 06:14 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 06:14 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 06:14 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-22 06:25 . 2010-02-22 06:25 -------- d-----w- c:\program files\MSXML 4.0
2010-02-21 15:49 . 2010-02-21 15:54 2669568 ----a-w- c:\users\Claudio\AppData\Roaming\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
2010-02-21 15:45 . 2010-03-04 15:11 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-02-21 15:44 . 2009-03-31 08:39 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2010-02-21 15:44 . 2009-03-31 08:39 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2010-02-21 15:44 . 2009-03-31 08:39 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2010-02-21 15:44 . 2010-02-21 15:44 -------- d-----w- c:\users\Claudio\AppData\Roaming\Samsung
2010-02-21 15:35 . 2010-02-21 15:35 -------- d-----w- c:\program files\MarkAny
2010-02-21 15:35 . 2010-03-04 15:12 -------- d-----w- c:\program files\PC Connectivity Solution
2010-02-21 13:49 . 2010-02-21 13:49 -------- d-----w- c:\users\Claudio\AppData\Roaming\java
2010-02-21 13:49 . 2010-02-21 13:49 45056 ---ha-w- c:\users\Claudio\AppData\Roaming\java\msnmsgs.exe
2010-02-21 13:49 . 2010-02-21 13:54 45056 ----a-w- c:\users\Claudio\AppData\Roaming\msnmsgs.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 13:15 . 2009-11-05 13:30 -------- d-----w- c:\programdata\avg9
2010-03-14 11:39 . 2009-11-24 15:38 0 ----a-w- c:\users\Claudio\AppData\Local\prvlcl.dat
2010-03-10 08:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-04 11:52 . 2009-06-04 19:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-24 08:09 . 2009-06-04 19:34 54296 ----a-w- c:\users\Claudio\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-21 14:51 . 2009-06-16 16:47 -------- d-----w- c:\users\Claudio\AppData\Roaming\dvdcss
2010-02-19 16:32 . 2010-02-03 13:13 -------- d-----w- c:\program files\Free Video Converter
2010-02-18 19:39 . 2009-06-05 16:58 -------- d-----w- c:\programdata\Messenger Plus!
2010-02-05 13:28 . 2009-12-01 21:15 -------- d-----w- c:\program files\Google
2010-02-03 13:13 . 2010-02-03 13:13 -------- d-----w- c:\program files\Application Updater
2010-02-03 13:13 . 2010-02-03 13:13 -------- d-----w- c:\users\Claudio\AppData\Roaming\FreeVideoConverter
2010-01-26 08:16 . 2009-06-17 11:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-24 17:07 . 2009-06-05 15:41 -------- d-----w- c:\program files\Messenger Plus! Live
2010-01-21 17:29 . 2010-01-21 17:29 -------- d-----w- c:\programdata\AppSoft
2010-01-20 12:01 . 2009-06-05 20:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-06 15:38 . 2010-02-24 06:14 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 06:14 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 06:14 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 06:14 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-02 06:38 . 2010-01-22 06:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 06:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 06:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 06:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-04-21 08:04 . 2008-04-21 06:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2009-07-09 07:39 . 2006-11-02 06:25 10 --sha-r- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6000.16386_none_fbd6b71e75a2c6c8\config.sys
2009-07-09 07:39 . 2006-11-02 06:25 10 --sha-r- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6001.18000_none_fe0d791a728dd79c\config.sys
2009-07-09 07:39 . 2006-11-02 06:25 10 --sha-r- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6002.18005_none_fff8f2266fafa2e8\config.sys
.

------- Sigcheck -------

[-] 2010-02-18 . E8F0D3B322C7C2DFE8F33BFF26F2A88B . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
[-] 2008-01-27 . 2406E3A5FAE743DCE81168A8CDB8573F . 247296 . . [6.0.6001.18000] . . c:\windows\Resources\Themes\Satin2\Vista SP1 Files\Vista SP1 system files\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-04-21 202240]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-04-21 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Claudio^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dock.lnk]
path=c:\users\Claudio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dock.lnk
backup=c:\windows\pss\Dock.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 14:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-04-02 17:05 102400 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-03-26 09:42 1057328 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 14:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-26 10:12 161328 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 10:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-04-21 07:41 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):10,5b,fb,dd,80,00,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2239721987-3611380266-2166745223-1000]
"EnableNotificationsRef"=dword:00000001

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-06-14 721904]
R2 gupdate;Servizio di Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 135664]
R3 ADM851X;IDF Alice Gate 2 plus USB;c:\windows\system32\DRIVERS\ADM851X.SYS [2004-10-27 22144]
R3 PAC207;CIF USB Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-11-10 505984]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
R4 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2009-12-16 375296]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-25 1047880]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2010-02-25 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 15:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 08:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 21:15]

2010-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 21:15]

2010-03-14 c:\windows\Tasks\User_Feed_Synchronization-{6C87ECD6-F339-4C22-A004-0598BEF6AD38}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Claudio\AppData\Roaming\Mozilla\Firefox\Profiles\1jtwjlkt.default\
FF - prefs.js: browser.startup.homepage - www.google.it
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

WebBrowser-{196C3A46-4758-433D-A600-802C804AF39C} - (no file)
HKLM-Run-NPSStartup - (no file)
MSConfigStartUp-AliceRV_McciTrayApp - c:\program files\Alice ti aiuta\McciTrayApp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 15:18
Windows 6.0.6002 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-2239721987-3611380266-2166745223-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E8B2D921-426E-70D2-FA5E-831E539FC168}*]
"paokmlciphnbpcdlbgfkollahbilaggj"=hex:6b,61,65,6a,67,69,70,6c,65,64,66,67,6c,
70,69,68,62,6c,6b,68,6d,6d,00,00
"abioonehhnabfglblomfghbdgkgghbdgec"=hex:6b,61,65,6a,67,69,70,6c,65,64,66,67,
6c,70,69,68,62,6c,6b,68,6d,6d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Ora fine scansione: 2010-03-14 15:23:43
ComboFix-quarantined-files.txt 2010-03-14 14:23

Pre-Run: 48.397.373.440 byte disponibili
Post-Run: 48.360.644.608 byte disponibili

- - End Of File - - 8EE84151C29B4382DF0D10840B8B6DF4
Torna in alto
 
Sponsor
Inviato: Sunday, March 14, 2010 3:32:14 PM

 
Torna in alto
 
r16
Inviato: Sunday, March 14, 2010 4:10:28 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
I rootkit ci sono, ma non nel MBR. (dice Combofix)
Apri un file di testo con il Block Note sul Desktop .
Ci incolli il codice che vedi qui sotto, e salvi il file di testo obbligatoriamente con il nome CFScript.txt

Code:
RegNull::
[HKEY_USERS\S-1-5-21-2239721987-3611380266-2166745223-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E8B2D921-426E-70D2-FA5E-831E539FC168}*]

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]


e trascinalo sull'icona di ComboFix.
Attendi la fine dei lavori, senza toccare tastiera, mouse o altro.
Se il pc non si riavvia da solo, riavvialo tu
Posta il log aggiornato di combofix.

Poi una scansione con Malwarebytes non guasta.
Torna in alto
 
fdaccc
Inviato: Sunday, March 14, 2010 4:21:16 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
grazie r16, gli faccio fare subito quello che hai detto.
Scusa la mia curiosità, ma come fai a dire che i rootkit ci sono ma non nell'mbr?
Come si identificano?
grazie :)
Torna in alto
 
r16
Inviato: Sunday, March 14, 2010 4:26:26 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
fdaccc ha scritto:
grazie r16, gli faccio fare subito quello che hai detto.
Scusa la mia curiosità, ma come fai a dire che i rootkit ci sono ma non nell'mbr?
Come si identificano?
grazie :)

Perchè Combofix non li ha rilevati, nel MBR, li ha rilevati in altre chiavi.
Torna in alto
 
fdaccc
Inviato: Sunday, March 14, 2010 4:31:25 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
grazie della segnalazione, a breve proseguiamo con le tue indicazioni.
Torna in alto
 
fdaccc
Inviato: Sunday, March 14, 2010 5:27:44 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
LOG AGGIORNATO COMBOFIX

ComboFix 10-03-13.03 - Claudio 14/03/2010 17.01.36.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.39.1040.18.2047.1376 [GMT 1:00]
Eseguito da: c:\users\Claudio\Desktop\ComboFix.exe
Opzioni usate :: c:\users\Claudio\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Creati Da 2010-02-14 al 2010-03-14 )))))))))))))))))))))))))))))))))))
.

2010-03-14 16:12 . 2010-03-14 16:13 -------- d-----w- c:\users\Claudio\AppData\Local\temp
2010-03-14 16:12 . 2010-03-14 16:12 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-14 16:12 . 2010-03-14 16:12 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-03-14 16:12 . 2010-03-14 16:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-14 15:54 . 2010-03-14 15:54 -------- d-----w- C:\32788R22FWJFW
2010-03-13 13:25 . 2010-03-13 13:25 -------- d-----w- c:\users\Claudio\AppData\Roaming\Malwarebytes
2010-03-13 13:25 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 13:25 . 2010-03-13 13:25 -------- d-----w- c:\programdata\Malwarebytes
2010-03-13 13:24 . 2010-03-13 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 13:24 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 06:22 . 2010-03-13 06:22 388096 ----a-r- c:\users\Claudio\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-13 06:22 . 2010-03-13 06:22 -------- d-----w- c:\program files\TrendMicro
2010-03-11 18:50 . 2010-02-25 10:03 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2010-03-11 18:50 . 2010-02-25 09:56 21320 ----a-w- c:\windows\system32\authuitu.dll
2010-03-11 18:50 . 2010-02-25 09:56 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-03-11 18:49 . 2010-03-11 18:49 -------- d-----w- c:\users\Claudio\AppData\Roaming\TuneUp Software
2010-03-11 18:49 . 2010-03-11 18:50 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-03-11 18:47 . 2010-03-11 18:49 -------- d-----w- c:\programdata\TuneUp Software
2010-03-11 18:47 . 2010-03-11 18:47 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-03-10 08:05 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 08:05 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 08:05 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-09 17:10 . 2010-03-09 17:10 -------- d-----w- c:\program files\CCleaner
2010-03-04 15:13 . 2010-03-04 15:13 -------- d-----w- c:\programdata\PC Suite
2010-03-04 15:13 . 2010-03-04 15:13 -------- d-----w- c:\users\Claudio\AppData\Roaming\PC Suite
2010-03-04 15:12 . 2007-05-02 15:31 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-03-04 15:12 . 2010-03-04 15:12 -------- d-----w- c:\program files\DIFX
2010-03-04 15:12 . 2007-09-17 14:53 21632 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-04 15:12 . 2010-03-04 15:12 -------- dc----w- c:\windows\system32\DRVSTORE
2010-03-04 15:11 . 2009-03-20 09:01 90112 ----a-w- c:\windows\system32\drivers\ss_bbus.sys
2010-03-04 15:11 . 2009-03-20 09:01 14976 ----a-w- c:\windows\system32\drivers\ss_bmdfl.sys
2010-03-04 15:11 . 2009-03-20 09:01 121856 ----a-w- c:\windows\system32\drivers\ss_bmdm.sys
2010-03-04 15:11 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bwhnt.sys
2010-03-04 15:11 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bwh.sys
2010-03-04 15:11 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bcmnt.sys
2010-03-04 15:11 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bcm.sys
2010-03-04 15:09 . 2010-03-04 15:12 -------- d-----w- c:\program files\Samsung
2010-03-04 11:26 . 2010-03-04 11:26 -------- d-----w- c:\program files\Xilisoft
2010-02-28 13:04 . 2009-10-11 03:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 13:03 . 2010-03-01 06:22 -------- d-----w- c:\program files\Java
2010-02-24 06:15 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 06:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 06:14 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 06:14 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 06:14 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 06:14 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 06:14 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 06:14 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 06:14 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 06:14 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 06:14 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 06:14 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 06:14 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-22 06:25 . 2010-02-22 06:25 -------- d-----w- c:\program files\MSXML 4.0
2010-02-21 15:49 . 2010-02-21 15:54 2669568 ----a-w- c:\users\Claudio\AppData\Roaming\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
2010-02-21 15:45 . 2010-03-04 15:11 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-02-21 15:44 . 2009-03-31 08:39 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2010-02-21 15:44 . 2009-03-31 08:39 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2010-02-21 15:44 . 2009-03-31 08:39 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2010-02-21 15:44 . 2010-02-21 15:44 -------- d-----w- c:\users\Claudio\AppData\Roaming\Samsung
2010-02-21 15:35 . 2010-02-21 15:35 -------- d-----w- c:\program files\MarkAny
2010-02-21 15:35 . 2010-03-04 15:12 -------- d-----w- c:\program files\PC Connectivity Solution
2010-02-21 13:49 . 2010-02-21 13:49 -------- d-----w- c:\users\Claudio\AppData\Roaming\java
2010-02-21 13:49 . 2010-02-21 13:49 45056 ---ha-w- c:\users\Claudio\AppData\Roaming\java\msnmsgs.exe
2010-02-21 13:49 . 2010-02-21 13:54 45056 ----a-w- c:\users\Claudio\AppData\Roaming\msnmsgs.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 13:15 . 2009-11-05 13:30 -------- d-----w- c:\programdata\avg9
2010-03-14 11:39 . 2009-11-24 15:38 0 ----a-w- c:\users\Claudio\AppData\Local\prvlcl.dat
2010-03-10 08:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-04 11:52 . 2009-06-04 19:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-24 08:09 . 2009-06-04 19:34 54296 ----a-w- c:\users\Claudio\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-21 14:51 . 2009-06-16 16:47 -------- d-----w- c:\users\Claudio\AppData\Roaming\dvdcss
2010-02-19 16:32 . 2010-02-03 13:13 -------- d-----w- c:\program files\Free Video Converter
2010-02-18 19:39 . 2009-06-05 16:58 -------- d-----w- c:\programdata\Messenger Plus!
2010-02-05 13:28 . 2009-12-01 21:15 -------- d-----w- c:\program files\Google
2010-02-03 13:13 . 2010-02-03 13:13 -------- d-----w- c:\program files\Application Updater
2010-02-03 13:13 . 2010-02-03 13:13 -------- d-----w- c:\users\Claudio\AppData\Roaming\FreeVideoConverter
2010-01-26 08:16 . 2009-06-17 11:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-24 17:07 . 2009-06-05 15:41 -------- d-----w- c:\program files\Messenger Plus! Live
2010-01-21 17:29 . 2010-01-21 17:29 -------- d-----w- c:\programdata\AppSoft
2010-01-20 12:01 . 2009-06-05 20:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-06 15:38 . 2010-02-24 06:14 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 06:14 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 06:14 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 06:14 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-02 06:38 . 2010-01-22 06:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 06:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 06:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 06:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-04-21 08:04 . 2008-04-21 06:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2009-07-09 07:39 . 2006-11-02 06:25 10 --sha-r- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6000.16386_none_fbd6b71e75a2c6c8\config.sys
2009-07-09 07:39 . 2006-11-02 06:25 10 --sha-r- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6001.18000_none_fe0d791a728dd79c\config.sys
2009-07-09 07:39 . 2006-11-02 06:25 10 --sha-r- c:\windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6002.18005_none_fff8f2266fafa2e8\config.sys
.

------- Sigcheck -------

[-] 2010-02-18 . E8F0D3B322C7C2DFE8F33BFF26F2A88B . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
[-] 2008-01-27 . 2406E3A5FAE743DCE81168A8CDB8573F . 247296 . . [6.0.6001.18000] . . c:\windows\Resources\Themes\Satin2\Vista SP1 Files\Vista SP1 system files\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-04-21 202240]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-04-21 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Claudio^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dock.lnk]
path=c:\users\Claudio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dock.lnk
backup=c:\windows\pss\Dock.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 14:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-04-02 17:05 102400 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-03-26 09:42 1057328 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 14:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-26 10:12 161328 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 10:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-04-21 07:41 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):10,5b,fb,dd,80,00,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2239721987-3611380266-2166745223-1000]
"EnableNotificationsRef"=dword:00000001

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-06-14 721904]
R2 gupdate;Servizio di Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 135664]
R3 ADM851X;IDF Alice Gate 2 plus USB;c:\windows\system32\DRIVERS\ADM851X.SYS [2004-10-27 22144]
R3 PAC207;CIF USB Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-11-10 505984]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
R4 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2009-12-16 375296]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-25 1047880]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2010-02-25 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 15:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 08:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 21:15]

2010-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 21:15]

2010-03-14 c:\windows\Tasks\User_Feed_Synchronization-{6C87ECD6-F339-4C22-A004-0598BEF6AD38}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Claudio\AppData\Roaming\Mozilla\Firefox\Profiles\1jtwjlkt.default\
FF - prefs.js: browser.startup.homepage - www.google.it
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 17:13
Windows 6.0.6002 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2010-03-14 17:18:53
ComboFix-quarantined-files.txt 2010-03-14 16:18
ComboFix2.txt 2010-03-14 14:23

Pre-Run: 48.060.784.640 byte disponibili
Post-Run: 48.032.444.416 byte disponibili

- - End Of File - - 413C04660B37645456628D3E32B8E9CE
Torna in alto
 
fdaccc
Inviato: Sunday, March 14, 2010 5:34:28 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
HJT


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 17.30.19, on 14/03/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/it/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 5385 bytes
Torna in alto
 
fdaccc
Inviato: Sunday, March 14, 2010 6:03:14 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
come proseguo r16?
Torna in alto
 
fdaccc
Inviato: Sunday, March 14, 2010 6:36:02 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
esiste ancora il remote desktop help assistant, non riesce ad eliminarlo.
Torna in alto
 
r16
Inviato: Sunday, March 14, 2010 8:35:03 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Start\Esegui\ copia-incolla control userpasswords2 e poi Ok.
Scrivimi gli account che vedi .
Torna in alto
 
fdaccc
Inviato: Monday, March 15, 2010 12:11:13 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
eccoli, abbiamo gia provato a rimuovere il remote user

Claudio
Mcx1
RemoteUser
Torna in alto
 
r16
Inviato: Monday, March 15, 2010 1:27:54 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Anche disabilitando il UAC?
Torna in alto
 
fdaccc
Inviato: Monday, March 15, 2010 1:31:28 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
questo no, puoi spiegarmi la procedura per disabilitare l'UAC da inoltrare all'amico?
Torna in alto
 
r16
Inviato: Monday, March 15, 2010 1:35:12 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
http://www.faqwindows.com/public/post/disabilitare-uac-da-pannello-di-controllo-disable-uac-12.asp
Torna in alto
 
fdaccc
Inviato: Monday, March 15, 2010 1:44:26 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
grazie =)

dunque il log di combofix è a posto, quello di HJT c'è il conime.exe che non mi va, appena finisce la scansione con MBAM la posto.
Torna in alto
 
a.roselli
Inviato: Tuesday, March 16, 2010 8:53:10 PM

Rank: Admin

Iscritto dal : 10/4/2000
Posts: 19,044
fdaccc sei pregato di cambiare immediatamente il tuo avatar altrimenti ti blocco l'accesso al forum in modo permanente.


alfonso_aiutamici@hotmail.it
Torna in alto
 
Utenti presenti in questo topic
Guest

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » log combofix di un amico


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.