Scusa, ma lì per lì non avevo capito subito cosa intendessi per "fuori dal sistema operativo" :-)

Sì, sono su in due partizioni diverse, anzi ti dirò di più, le due partizioni sono su 2 HD fisici diversi.
Personalmente, non ho mai letto né sentito che, per funzionare a dovere, l'antivirus andasse installato nella stessa partizione del S.O.
Anzi, ricordo che in un vecchio numero di PC Pro, (forse nella rubrica della posta, o forse in un servizio ad hoc sui backup) consigliavano come installazione ideale un HD dedicato esclusivamente al sistema operativo, ed un altro per programmi e dati (questi ultimi due eventualmente in 2 partizioni separate). In questo modo, un eventuale "piallata" dell'HD del SO sarebbe stata meno "traumatica" e più veloce.


Perché quando avvio XP, AVG si carica automaticamente e non c'è modo di disattivarlo. (Al contrario di ZoneAlarm o Spyware Doctor, che possono essere settati in modo che non partano automaticamente al successivo riavvio di Windows). Posso solo disattivare alcuni componenti, come ho già spiegato nel post precedente, ma AVG rimane in funzione :-(



Grazie di tutto e soprattutto per le informazioni e i consigli contenuti nell'ultimo "quote" così mi sono messo il cuore in pace a proposito della pulizia del log di HJT. (Fiuuu, se ero preoccupato!)

Ciao, Lorenzo.

sara' meglio che rileggi cio che ha scritto r16 in fondo all altra pagina.

Gasp, non faccio in tempo a rispondere alle richieste di informazioni r.16, che lui mi ha già trovato la soluzione! Quando si dice l'efficienza...

In questo momento non posso effettuare le modifiche perché sta facendo il backup dei 2 HD (sta finendo il primo e credo che per il secondo ci andrà tutta la serata), ma domani mattina mi cimento e posto i risultati!

GRAZZZZZZIEEE MILLEEEE!
Lorenzo.

Un momento, un momento, voialtri siete troppo veloci per me.
Così non vale, mentre rispondo ad un post me ne ritrovo già altri 3 :-)))

Allora, a bocce ferme, se ho capito bene:
1) winsys2.exe FORSE è un trojan (ma forse no)
2) O4 - HKLM\..\Run: [WinSys2] D:\WINDOWS\system32\winsys2.exe può essere eliminato senza problemi

r.16 mi dici di controllare il file winsys2.exe prima di eliminarlo.
Scusa ma sono un po' confuso, come o con cosa lo devo controllare?
Voglio dire, basta guardare le proprietà e fidarmi della data in cui è stato installato?
E se fosse un file leggittimo successivamente modificato da un virus, come me ne potrei accorgere?

Insomma, pendo dalla tua tastiera...
Grazie e ciao,
Lorenzo.

PROPRIETA'

Tab "Generale":
Tipo di file: Applicazione
Descrizione: DOT
Dimensioni: 204KB (208.896 bytes)
Dimensioni su disco: 204KB (208.896 bytes)
Data creazione: 7/11/2009 17.37.30
Modificato: 21/10/2008 17.00.00
Sola lettura

Tab "Versione"
Descrizione: DOT MFC Application
Cpyright 2003
Nome file originale: DOT.EXE
Nome interno: DOT
Nome prodotto: DOT Application
Versione del prodotto: 1.0.0.2
Versione file: 1.0.0.2

Grazie.

Dimenticavo, l'icona è verde e rappresenta un omino che corre.

Ho inviato il file sospetto a Virustotal.
Dei 42 antivirus utilizzati da Virustotal, solo 1 (eSafe) lo identifca come Trojan.
Il link con i risultati della verifica è: http://www.virustotal.com/it/analisis/7c47e876766ecd62aad68812a40f30bad56a32d994cc16a116b8d3c4ea30ee82-1268249659

Ho anche letto il seguente thread sul forum di Avast: http://forum.avast.com/index.php?topic=38875.0
dove si dice che WinSys2.exe è correlato al software installato con schede grafiche basate su Gpu della nVidia e commercializzata dalla MSI. E infatti io ho una scheda della MSI - GeForce 6200 AGP 8x 512 MB. (Forza, avanti con le battute sulla vetustà del mio PC :-))) )

Lorenzo.

Prima elimina la voce di HJT.

Il file, per il momento lo lasci dove si trova.
Vediamo cosa dicono i log delle scansioni.

Ok, grazie, ti farò sapere.

Lorenzo.

P.S. Prima di eliminare la voce di HJT, potrebbe essere opportuno fare una copia di riserva del file di registro?

r.16,

mi spiace, ma sono tornato a casa solo 1 ora fa e non ho ancora avuto modo di fare le prove che mi hai chiesto.

Come se non bastasse il backup con BackItUp non è andato a buon fine.
(Ieri sera avevo lasciato il PC acceso perché portasse a termine il backup. Stamattina l'ho trovato resettato sulla pagina di scelta utente. Sarà mancata la corrente stanotte? <GRRR!> ).

Stasera, invece di impostare un backup completo dei 2 HD, proverò a farne uno selettivo per mettere in salvo solo i dati importanti (foto, musica, ecc.).

Per fortuna domani è sabato e spero di avere più tempo in modo da far girare MWBytes e ComboFix.

Grazie come sempre per l'aiuto,
Lorenzo <Fiuuu, che giornataccia!>

Ecco il log di ComboFix:

ComboFix 10-03-10.05 - Lorenzo 13/03/2010 16.20.37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2048.1557 [GMT 1:00]
Eseguito da: d:\documents and settings\Lorenzo\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: ZoneAlarm Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\All Users\Menu Avvio\HP Image Zone .lnk
d:\windows\EventSystem.log
d:\windows\system32\Ijl11.dll

.
((((((((((((((((((((((((( Files Creati Da 2010-02-13 al 2010-03-13 )))))))))))))))))))))))))))))))))))
.

2010-03-13 10:13 . 2010-03-13 10:13 -------- d-----w- d:\documents and settings\Lorenzo\Dati applicazioni\Malwarebytes
2010-03-13 10:13 . 2010-01-07 15:07 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 10:13 . 2010-03-13 10:13 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-03-13 10:13 . 2010-03-13 13:02 -------- d-----w- d:\programmi\Malwarebytes' Anti-Malware
2010-03-13 10:13 . 2010-01-07 15:07 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-03-10 20:15 . 2010-03-10 20:15 0 ----a-w- d:\windows\nsreg.dat
2010-03-10 20:15 . 2010-03-10 20:15 -------- d-----w- d:\documents and settings\Lorenzo\Impostazioni locali\Dati applicazioni\Mozilla
2010-03-07 08:53 . 2010-03-07 08:53 -------- d-----w- d:\documents and settings\Lorenzo\Dati applicazioni\AVG9
2010-03-05 17:59 . 2010-03-05 17:59 360584 ----a-w- d:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgtdix.sys
2010-03-05 17:59 . 2010-03-05 17:59 333192 ----a-w- d:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgldx86.sys
2010-03-05 17:59 . 2010-03-05 17:59 28424 ----a-w- d:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgmfx86.sys
2010-03-05 17:59 . 2010-03-05 17:59 161800 ----a-w- d:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgrkx86.sys
2010-03-05 17:59 . 2010-03-05 17:59 12464 ----a-w- d:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-13 15:09 . 2007-09-27 17:10 1913 --sha-w- d:\windows\system32\mmf.sys
2010-03-13 15:09 . 2006-12-12 20:14 -------- d---a-w- d:\documents and settings\All Users\Dati applicazioni\TEMP
2010-03-13 09:50 . 2010-03-13 09:50 55746 ----a-w- d:\windows\Internet Logs\vsmon_2nd_2010_03_13_10_43_56_small.dmp.zip
2010-03-13 08:35 . 2008-05-11 16:17 -------- d--h--w- d:\documents and settings\All Users\Dati applicazioni\{C961DEB2-7428-48DA-BB30-5049F9C9DA50}
2010-03-13 08:35 . 2008-05-11 16:20 -------- d---a-w- d:\documents and settings\All Users\Dati applicazioni\DietPower4.4
2010-03-12 20:14 . 2009-11-09 19:00 4212 ---ha-w- d:\windows\system32\zllictbl.dat
2010-03-12 19:43 . 2009-03-14 19:03 -------- d-----w- d:\documents and settings\Lorenzo\Dati applicazioni\HPAppData
2010-03-10 16:23 . 2009-11-10 17:08 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\avg9
2010-03-10 11:52 . 2010-03-10 11:54 2451456 ----a-w- d:\windows\Internet Logs\xDB4.tmp
2010-03-05 17:59 . 2009-11-10 17:08 242696 ----a-w- d:\windows\system32\drivers\avgtdix.sys
2010-03-05 17:59 . 2009-11-10 17:08 29512 ----a-w- d:\windows\system32\drivers\avgmfx86.sys
2010-03-05 17:58 . 2009-11-10 17:08 216200 ----a-w- d:\windows\system32\drivers\avgldx86.sys
2010-03-05 17:58 . 2009-11-10 17:08 52872 ----a-w- d:\windows\system32\drivers\avgrkx86.sys
2010-02-27 15:51 . 2006-12-23 13:48 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\pdf995
2010-02-24 12:49 . 2009-11-26 12:06 3242197 ----a-w- d:\windows\Internet Logs\tvDebug.Zip
2010-02-19 20:55 . 2009-05-28 17:31 -------- d-----w- d:\programmi\Microsoft Silverlight
2010-02-17 07:44 . 2009-04-17 15:13 -------- d-----w- d:\documents and settings\Lorenzo\Dati applicazioni\ContentGuard
2010-02-17 07:44 . 2009-04-17 15:13 188501 ----a-w- d:\documents and settings\Lorenzo\Dati applicazioni\ContentGuard\CGGuard2.dll
2010-02-09 18:19 . 2010-02-09 18:18 -------- d-----w- d:\programmi\iTunes
2010-02-09 18:18 . 2010-02-09 18:18 -------- d-----w- d:\programmi\iPod
2010-02-09 18:18 . 2007-06-30 14:14 -------- d-----w- d:\programmi\File comuni\Apple
2010-02-09 18:14 . 2010-02-09 18:13 -------- d-----w- d:\programmi\QuickTime
2010-02-09 18:07 . 2010-02-09 18:07 72488 ----a-w- d:\documents and settings\All Users\Dati applicazioni\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-21 23:21 . 2009-11-08 17:30 165840 ----a-w- d:\windows\PCTBDRes.dll
2010-01-21 23:21 . 2009-11-08 17:30 149456 ----a-w- d:\windows\SGDetectionTool.dll
2010-01-21 23:21 . 2009-11-08 17:30 1152444 ----a-w- d:\windows\UDB.zip
2010-01-21 23:21 . 2009-11-08 17:30 1652688 ----a-w- d:\windows\PCTBDCore.dll
2010-01-21 23:21 . 2009-11-08 17:30 767952 ----a-w- d:\windows\BDTSupport.dll
2010-01-19 15:26 . 2010-01-18 21:15 -------- d-----w- d:\documents and settings\Lorenzo\Dati applicazioni\Juniper Networks
2010-01-18 21:15 . 2010-01-18 21:15 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Juniper Networks
2010-01-15 15:54 . 2007-05-18 17:12 -------- d-----w- d:\documents and settings\Lorenzo\Dati applicazioni\ZoomBrowser EX
2010-01-12 08:44 . 2010-01-12 08:33 38784 ----a-w- d:\documents and settings\Lorenzo\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-12 08:44 . 2010-01-11 13:04 38784 ----a-w- d:\documents and settings\Default User\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-11 14:10 . 2006-10-06 18:50 47848 ----a-w- d:\documents and settings\Lorenzo\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-12-30 14:18 . 2009-12-30 14:18 116191 ----a-w- d:\windows\Internet Logs\vsmon_2nd_2009_12_30_15_11_16_small.dmp.zip
2009-12-25 16:53 . 2009-12-25 16:55 2102784 ----a-w- d:\windows\Internet Logs\xDB3.tmp
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLAGENTEXE"="dslagent.exe USB" [X]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"LanguageShortcut"="e:\programmi\Utility\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"NeroFilterCheck"="d:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="e:\programmi\Utility\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"hpqSRMon"="e:\programmi\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"ASUS Probe"="e:\programmi\Utility\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"SunJavaUpdateSched"="d:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="d:\programmi\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="d:\programmi\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"WinSys2"="d:\windows\system32\winsys2.exe" [2008-10-21 208896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\System32\CTFMON.EXE" [2004-08-19 15360]

d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - d:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - e:\programmi\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\programmi\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 17:59 12464 ----a-w- d:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:4\\Programmi\\MSN Messenger\\msncall.exe"=
"C:2\\Giochi\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"C:4\\Programmi\\Skype\\Phone\\Skype.exe"=
"C:4\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:4\\Programmi\\MSN Messenger\\livecall.exe"=
"C:4\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"C:4\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"C:4\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"C:4\\Programmi\\Bonjour\\mDNSResponder.exe"=
"e:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"e:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"e:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"e:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"e:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:4\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:4\\Programmi\\AVG\\AVG9\\avgam.exe"=
"C:4\\Programmi\\AVG\\AVG9\\avgdiagex.exe"=
"C:4\\Programmi\\AVG\\AVG9\\avgemc.exe"=
"C:4\\Programmi\\AVG\\AVG9\\avgupd.exe"=
"C:4\\Programmi\\AVG\\AVG9\\avgnsx.exe"=
"e:\\Programmi\\Utility\\AVG\\AVG9\\avgam.exe"=
"e:\\Programmi\\Utility\\AVG\\AVG9\\avgdiagex.exe"=
"e:\\Programmi\\Utility\\AVG\\AVG9\\avgemc.exe"=
"e:\\Programmi\\Utility\\AVG\\AVG9\\avgupd.exe"=
"C:4\\Programmi\\iTunes\\iTunes.exe"=

R0 AvgRkx86;avgrkx86.sys;d:\windows\system32\drivers\avgrkx86.sys [10/11/2009 18.08.45 52872]
R0 hotcore;hotcore;d:\windows\system32\drivers\hotcore.sys [26/04/2007 10.48.31 18208]
R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [08/11/2009 18.30.28 207280]
R1 AvgLdx86;AVG AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [10/11/2009 18.08.36 216200]
R1 AvgTdiX;AVG Network Redirector;d:\windows\system32\drivers\avgtdix.sys [10/11/2009 18.08.44 242696]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;e:\programmi\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [09/10/2009 5.45.56 169312]
R2 avg9emc;AVG E-mail Scanner;e:\programmi\Utility\AVG\AVG9\avgemc.exe [05/03/2010 18.58.57 916760]
R2 avg9wd;AVG WatchDog;e:\programmi\Utility\AVG\AVG9\avgwdsvc.exe [05/03/2010 18.59.35 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;e:\programmi\Utility\Spyware Doctor\BDT\BDTUpdateService.exe [08/11/2009 18.30.43 112592]
R2 ComodoBackupService;ComodoBackupService;o:\comodo\BackUp\CmdBkSvc.exe [28/10/2007 17.55.48 1023488]
R3 TotRec7;Total Recorder WDM audio driver;d:\windows\system32\drivers\TotRec7.sys [06/07/2008 17.24.41 128008]
S2 gafwload;ZyXEL USB ADSL Loader;d:\windows\system32\drivers\gafwload.sys [06/10/2006 20.31.18 26987]
S2 gupdate1c9afc225b1343a;Google Update Service (gupdate1c9afc225b1343a);d:\programmi\Google\Update\GoogleUpdate.exe [28/03/2009 17.27.50 133104]
S2 LicCtrlService;LicCtrl Service;d:\windows\Runservice.exe [27/09/2007 18.10.47 2560]
S3 INIDVD;Initio USB DVD Filter Driver;d:\windows\system32\drivers\inidvd.sys [30/12/2009 15.07.39 7936]
S3 MosIrUsb;MosIrUsb.sys;d:\windows\system32\drivers\MosIrUsb.sys [19/06/2009 21.02.59 20736]
S3 sdAuxService;PC Tools Auxiliary Service;e:\programmi\Utility\Spyware Doctor\pctsAuxs.exe [02/09/2008 18.20.16 358600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
2008-03-01 12:58 124928 ----a-w- d:\windows\system32\advpack.dll
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-11 d:\windows\Tasks\20100131_121500_Psion_Backup_Dati_Agende.job
- e:\programmi\Utility\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-08-08 19:22]

2010-03-13 d:\windows\Tasks\20100131_121700_Psion_Emulatore.job
- e:\programmi\Utility\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-08-08 19:22]

2010-03-12 d:\windows\Tasks\20100131_184000_PolarProTrainer.job
- e:\programmi\Utility\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-08-08 19:22]

2010-03-11 d:\windows\Tasks\20100307_144900_Psion_Backup_Schede_CF.job
- e:\programmi\Utility\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-08-08 19:22]

2010-03-11 d:\windows\Tasks\20100307_153000_File Audio Lorenzo e Marcello.job
- e:\programmi\Utility\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-08-08 19:22]

2010-03-11 d:\windows\Tasks\20100307_153800_Foto.job
- e:\programmi\Utility\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-08-08 19:22]

2010-03-13 d:\windows\Tasks\20100311_094900_DietPower.job
- e:\programmi\Utility\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-08-08 19:22]

2010-03-12 d:\windows\Tasks\20100312_081000_D1e D2 (solo dir e file scelti).job
- e:\programmi\Utility\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-08-08 19:22]

2010-02-23 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-03-13 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\programmi\Google\Update\GoogleUpdate.exe [2009-03-28 16:27]

2010-03-13 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\programmi\Google\Update\GoogleUpdate.exe [2009-03-28 16:27]

2007-10-20 d:\windows\Tasks\Packard Bell Data Secure for Lorenzo.job
- e:\programmi\Utility\Packard Bell Data Secure\DSMsg.exe [2006-04-13 12:50]

2010-03-13 d:\windows\Tasks\User_Feed_Synchronization-{355E5059-B5F2-48E9-90BB-5DD5CBC6A490}.job
- d:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Scansione supplementare -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - e:\programmi\Utility\GetRight\GRdownload.htm
IE: Open with GetRight Browser - e:\programmi\Utility\GetRight\GRbrowse.htm
Trusted Zone: wikipedia.it\www
TCP: {883C729C-3AE9-4BD0-A3BA-1F61F8CB2A10} = 192.168.1.1
FF - ProfilePath - d:\documents and settings\Lorenzo\Dati applicazioni\Mozilla\Firefox\Profiles\c0yein8c.default\
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: d:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: d:\programmi\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: d:\programmi\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: e:\programmi\Musica\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: e:\programmi\Musica\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: e:\programmi\Musica\Real\RealPlayer\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\programmi\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
e:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-Polar Sync - (no file)
Notify-AtiExtEvent - (no file)
AddRemove-KB913433 - d:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-13 16:29
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Polar Sync = ?:\program files\polar\polar sync\?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1409082233-616249376-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\6F73F47D0E49C7DEAAB6F09908044133]
"1"=hex:fb,fa,a3,55,9e,7e,2a,c0,6c,cd,c1,de,ca,f6,ea,9d,02,da,04,e7,0f,e2,fa,
3c
"2"=hex:14,0b,51,fa,a6,4a,49,01
"3"=hex:1d,57,0d,3d,a8,51,db,9a,26,07,20,57,4b,50,e5,59,42,a0,4c,cc,0b,19,1a,
fc,1f,60,0b,18,98,d3,13,90,e4,7c,bf,2c,35,57,77,53,59,3d,b7,96,9a,97,db,3e,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:fb,fa,a3,55,9e,7e,2a,c0,6c,cd,c1,de,ca,f6,ea,9d,76,b2,47,9f,36,a8,67,
df,55,5f,99,50,87,f6,f9,cd,ce,2f,56,08,c1,f8,c2,f1,27,bf,4d,a9,0d,ad,7a,3c,\
"7"=hex:25,21,b0,73,b3,17,73,7c,43,f0,09,9b,ac,d2,b4,5d,0e,4c,65,e3,c2,37,a5,
39,8f,b6,40,78,be,c4,6f,08,c5,87,50,12,ed,f5,e1,12,16,d5,b2,b9,14,b2,32,af,\
"8"=hex:e4,8d,d1,c4,72,31,89,4d,74,9f,74,b6,69,ae,1d,c8,32,b0,fa,72,00,3c,35,
d7,b2,83,b9,db,f5,b9,81,6c,b1,fe,a3,e6,4e,c1,25,56,4b,57,b7,ec,3c,95,f0,41
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:8c,81,54,b9,ec,5a,bf,6c,c1,a7,ff,ee,8c,4b,6a,20,72,c3,1b,75,dd,f9,a1,
36,77,88,96,8a,0c,e2,74,3b,99,ea,10,48,fd,43,36,74,a0,14,11,df,1b,ac,1b,65,\
"13"=hex:a3,f6,51,c1,ea,22,cd,fd,0c,23,02,3a,97,62,a4,51,7c,a4,b3,a2,78,b0,69,
83,87,b7,3b,a6,63,41,a6,2a,6c,55,e0,3b,cb,40,ea,04
"14"=hex:4f,36,fb,f1,ff,d4,f9,af,ba,0b,d9,7d,ca,43,7d,c7
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:79,18,3e,c4,ea,c1,34,b3,c0,d9,01,65,19,c8,c9,3f
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:0f,f1,3a,e9,f8,d2,a7,7f,18,de,4d,13,f1,c6,2d,2f,4c,96,02,40,4d,fd,8e,
ba,48,a9,8d,64,ae,b4,f6,26,ca,bd,6d,5e,e9,9b,bd,e7,93,c2,3b,3b,87,0c,cf,01,\
.
Ora fine scansione: 2010-03-13 16:33:41
ComboFix-quarantined-files.txt 2010-03-13 15:33

Pre-Run: 1.661.145.088 byte disponibili
Post-Run: 2.543.542.272 byte disponibili

- - End Of File - - 2098FCF33EEEF4D2D59C1A666A80D5E5



Grazie, Lorenzo.