***I am adding comments and logs to your last reply:***
Hi
Try to terminate those processes in Safe Mode.
***In Safe Mode the processes are not present***
If that doesn't work, download this:
http://download.sysinternals.com/Files/ProcessExplorer.zip
It is still a Task Manager, but it is better at killing processes. (They must be killed, otherwise the steps that follow will be useless.)
Here is also a guide (read all of it carefully); it will certainly be useful to you:
http://www.kuma215.it/Guide%20K&J/K/Pexp/procExpl%20guida.html
***OK, processes terminated in Normal Mode***
Keep System Restore disabled.
***Disabled***
Then:
Download VIRIT:
http://www.tgsoft.it/italy/download.htm
Update it (by clicking the satellite dish at the top) and run the scan in Safe Mode (this is very important). RUN 2 SCANS.
***Done. I should remind you that the computer in question has no Internet connection. I downloaded VIRIT from another computer, updated it, copied it to a USB stick and took it to the sick computer: I don't know if that is the same thing, but for lack of anything else…
Anyway, VIRIT finds nothing.***
Also post the log (you'll find it under the icon at the top showing a notepad with a pen).
VirIT eXplorer Lite Log
[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
[Hidden Services]
NMSCFG - NIC Management Service Configuration Driver - \??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
OK
08/10/2008 - 18:24:20
[SCANSIONE DEL REGISTRO]
OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[SCANSIONE DELLA MEMORIA]
OK
08/10/2008 - 18:34:39
[SCANSIONE DELLA MEMORIA]
OK
09/10/2008 - 18:42:02
[SCANSIONE DEL REGISTRO]
OK
[A:]
BOOT SECTOR: OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[D:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[F:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[G:]
[H:]
Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 30180.
Files Totali: 30180.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.
Also download Norman:
Download Norman Malware Cleaner
http://download.norman.no/public/Norman_Malware_Cleaner.exe and save it to the desktop
Start it in SAFE MODE
It starts
accept the licence
click Start Scan
wait for the scan to finish
A log is generated on the desktop; post it here.
Norman Malware Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/10/01 00:27:52
Norman Scanner Engine Version: 5.93.01
Nvcbin.def Version: 5.93.00, Date: 2008/10/01 00:27:52, Variants: 2064523
Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 2
Logged on user: GIO-K7S2FZ7J5NE\Giorgio
Scan started: 09/10/2008 20:22:59
Scanning running processes and process memory...
Number of processes/threads found: 490
Number of processes/threads scanned: 490
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 18s
Scanning file system...
Scanning: C:\*.*
C:\Programmi\eMule\Incoming\David Gilmour - On an Island (2006) - Pop [www torrentazos com].rar/CMT (Error whilst scanning file: I/O Error (0x00220000))
C:\Programmi\eMule\Incoming\Filemaker Pro v7.0 v2 Multilingual Iso W Serial.par.eMule-Paradise.com.rar/CMT (Error whilst scanning file: I/O Error (0x00220000))
C:\Programmi\eMule\Incoming\Macro Magic v4.1T Incl Keygen-Eps By Infra-Red.rar/CMT (Error whilst scanning file: I/O Error (0x00220000))
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/autorun.inf.1 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/Autorun.inf.2 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/autorun.inf.3 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/Autorun.inf.4 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/Autorun.inf.5 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/autorun.inf.6 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/Autorun.inf.7 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/Autorun.inf.8 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/autorun.inf.9 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/Autorun.inf.10 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_203446.48.zip/Documents and Settings/Giorgio/Desktop/catchme.zip/Autorun.inf.11 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.1 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.2 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.3 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/autorun.inf.4 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.5 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.6 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.7 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/autorun.inf.8 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.9 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.10 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.11 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/autorun.inf.12 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.13 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_22.59.48,45.zip/Autorun.inf.14 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.1 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/autorun.inf.2 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.3 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.4 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.5 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/autorun.inf.6 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.7 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.8 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.9 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/autorun.inf.10 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.11 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.12 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.13 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/autorun.inf.14 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-03_224806.53.zip/Autorun.inf.15 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-07_18.46.14,53.zip/autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-07_18.46.14,53.zip/autorun.inf.1 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-07_18.46.14,53.zip/autorun.inf.2 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-07_18.46.14,53.zip/autorun.inf.3 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-07_18.46.14,53.zip/autorun.inf.4 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\catchme2008-10-07_18.46.14,53.zip/autorun.inf.5 (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\C\Autorun.inf.vir (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\C\Autorun.inf.zip/Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\C\Autorun.inf.zip (Empty archive after cleaning)
Deleted file
C:\QooBox\Quarantine\C\WINDOWS\Autorun.inf.vir (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\D\Autorun.inf.vir (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\D\av4.zip/Qoobox/Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\D\av4.zip/Qoobox/Quarantine/D/Autorun.inf.vir (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\D\av5.zip/Qoobox/Quarantine/D/Autorun.inf.vir (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\F\Autorun.inf.vir (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\F\Autorun.inf.zip/Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\F\Autorun.inf.zip (Empty archive after cleaning)
Deleted file
C:\QooBox\Quarantine\F\av4.zip/Qoobox/Quarantine/F/Autorun.inf.vir (Infected with BAT/Autorun.BU)
Deleted file
C:\QooBox\Quarantine\F\av5.zip/Qoobox/Quarantine/F/Autorun.inf.vir (Infected with BAT/Autorun.BU)
Deleted file
C:\WINDOWS\$NtServicePackUninstall$\notepad.exe (Infected with W32/SubSeven.ATI)
Deleted file
C:\WINDOWS\Help\Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
C:\WINDOWS\security\Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
C:\WINDOWS\system\Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
Scanning: D:\*.*
D:\Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
Scanning: F:\*.*
F:\Autorun.inf (Infected with BAT/Autorun.BU)
Deleted file
F:\Setup\Games\Keygens\Dynomite Deluxe v2.71 Keygen.zip/dynomite.deluxe.2.7.keygen-tsrh.exe (Infected with W32/Malware.ACOL)
Deleted file
F:\Setup\Games\Keygens\dynomite.deluxe.2.7.keygen-tsrh.zip/dynomite.deluxe.2.7.keygen-tsrh.exe (Infected with W32/Malware.ACOL)
Deleted file
Scanning: c:\System Volume Information\*.*
Running post-scan cleanup routine:
Number of files found: 96236
Number of archives unpacked: 330
Number of files scanned: 96197
Number of files not scanned: 39
Number of files skipped due to exclude list: 0
Number of infected files found: 70
Number of infected files repaired/deleted: 70
Number of infections removed: 70
Total scanning time: 1h 12m 52s
In some cases Norman Malware Cleaner may require a reboot of the computer to completely remove the infection; in that case a second run of the program after restarting the PC is recommended, to ensure complete removal of all infected files.
***Done. Norman finds and deletes the various autorun.inf files and does not ask for a reboot***
Do a clean-up (registry included) with CCleaner
http://www.aiutaamici.com/software?ID=11223
***Done***
Run a full scan in Normal Mode *with this:
Download Malwarebytes' Anti-Malware and save it wherever you like:
http://www.besttechie.net/tools/mbam-setup.exe
* I'll point out right away that at every reboot in Normal Mode the problem comes straight back, opening 4 windows of "Disk C:"
Double-click the mbam-setup.exe icon you saved and proceed with the installation
Make sure both boxes are ticked: Update Malwarebytes' Anti-Malware and Launch, and click Finish
On first launch a welcome message will appear. Make sure the Internet connection (* see above) is active and click OK
Wait for the update to finish.
The main screen appears.
Click Scan
It may take quite a while (depending on how infected the PC is), so you need a bit of patience.
When the scan is finished, click OK
Make sure all the highlighted files are selected and click Remove Selected
***Done. It finds the usual files to delete (csrss.exe, services.exe) and removes them***
When the disinfection is complete, Notepad will open with the result of the operation.
>REBOOT THE PC (this is very important)
Post it here.
Malwarebytes' Anti-Malware 1.27
Versione del database: 1127
Windows 5.1.2600 Service Pack 2
10/10/2008 0.06.36
mbam-log-2008-10-10 (00-06-36).txt
Tipo di scansione: Scansione rapida
Elementi scansionati: 42753
Tempo trascorso: 2 minute(s), 22 second(s)
Processi delle memoria infetti: 7
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 6
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 7
Processi delle memoria infetti:
C:\WINDOWS\CSRSS.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\SERVICES.exe (Trojan.Agent) -> Unloaded process successfully.
C:\CSRSS.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\SERVICES.exe (Backdoor.ProRat) -> Unloaded process successfully.
C:\WINDOWS\Help\CSRSS.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.
C:\WINDOWS\system\CSRSS.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.
C:\WINDOWS\system\WINLOGON.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.
Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)
Chiavi di registro infette:
(Nessun elemento malevolo rilevato)
Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avvio di windows (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\script di sistema (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host info (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)
Cartelle infette:
(Nessun elemento malevolo rilevato)
File infetti:
C:\WINDOWS\Help\CSRSS.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\WINLOGON.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\CSRSS.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\SERVICES.exe (Trojan.Agent) -> Delete on reboot.
C:\CSRSS.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SERVICES.exe (Backdoor.ProRat) -> Delete on reboot.
C:\WINDOWS\system\CSRSS.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
Also post a new HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.07.57, on 10/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\security\CSRSS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SERVICES.EXE
C:\WINDOWS\SERVICES.EXE
C:\SERVICES.EXE
C:\SERVICES.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\CSRSS.exe
C:\WINDOWS\system\CSRSS.exe
C:\WINDOWS\system\WINLOGON.exe
C:\WINDOWS\help\CSRSS.exe
C:\CSRSS.exe
C:\WINDOWS\SERVICES.EXE
C:\SERVICES.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Discovery] C:\WINDOWS\security\CSRSS.exe
O4 - HKLM\..\Run: [Script di Sistema] C:\WINDOWS\CSRSS.exe
O4 - HKLM\..\Run: [Host Info] C:\WINDOWS\system\CSRSS.exe
O4 - HKLM\..\Run: [Avvio di windows] C:\WINDOWS\system\WINLOGON.exe
O4 - HKLM\..\Run: [Internet] C:\WINDOWS\system32\CSRSS.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\CSRSS.exe
O4 - HKLM\..\Run: [Help] C:\WINDOWS\help\CSRSS.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
--
End of file - 5327 bytes
P.S.: I thought of running ComboFix once the processes were terminated, but the version had expired…
Having got no results, I also carried out all the operations listed above in Normal Mode, in case I had misinterpreted.
The only certainty so far is that at every normal boot the processes are always there to welcome me…
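The processes that come back at every boot carry Windows core names (CSRSS.exe, SERVICES.exe, WINLOGON.exe) but run from C:\, C:\WINDOWS, C:\WINDOWS\system, C:\WINDOWS\Help and C:\WINDOWS\security, and are relaunched by HKLM\..\Run values. The check below is an added example, not part of the original post: it flags both patterns over an excerpt of the HijackThis log above. The expected home directories and the two rules are this example's own assumptions.

```python
"""Flag core Windows process names that run from the wrong directory or are started by a Run
value, in a HijackThis log. Added example: SAMPLE_LOG excerpts the log above; rules are this example's own."""
import ntpath
import re

# Core XP processes and the one directory each legitimately lives in (lower-cased).
EXPECTED_DIR = {
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
RUN_LINE = re.compile(r"^O4 - .*\\Run: \[([^\]]*)\] (.*)$")

def parse_run_entry(line):
    """(value_name, exe_path) for an 'O4 - ...\\Run: [Name] command' line, else None."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    name, command = m.groups()
    if command.startswith('"'):  # quoted path, possibly followed by switches
        return name, command[1:].split('"', 1)[0]
    return name, command.split(" ", 1)[0]  # bare path; drop switches / "(User ...)"

def classify_path(path):
    """Reason string if `path` is a core-process name outside its home directory, else None."""
    directory, name = ntpath.split(path)
    home = EXPECTED_DIR.get(name.lower())
    if home is not None and directory.lower() != home:
        return f"{name} outside {home}"
    return None

def analyse_hijackthis(log_text):
    """Return (section, detail, reason) findings for a HijackThis-style log."""
    findings, in_processes = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Za-z]:\\", line):
            reason = classify_path(line)
            if reason:
                findings.append(("process", line, reason))
            continue
        in_processes = False  # first non-path line closes the process block
        entry = parse_run_entry(line)
        if entry and ntpath.basename(entry[1]).lower() in EXPECTED_DIR:
            # Core processes are started by smss/winlogon/the SCM, never by a Run value.
            findings.append(("run-key", f"[{entry[0]}] {entry[1]}", "Run value starts a core process"))
    return findings

# Constructed excerpt of the HijackThis log posted above (the winlogon and Explorer lines are legitimate).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\security\CSRSS.exe
C:\WINDOWS\SERVICES.EXE
C:\SERVICES.EXE
C:\WINDOWS\system\WINLOGON.exe
C:\CSRSS.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
O4 - HKLM\..\Run: [Discovery] C:\WINDOWS\security\CSRSS.exe
O4 - HKLM\..\Run: [Internet] C:\WINDOWS\system32\CSRSS.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""
```

Run `analyse_hijackthis(SAMPLE_LOG)` to get five process findings and two Run-value findings; the `[Internet]` entry is caught even though its path is the real system32 location, because a Run value should never start csrss.exe at all.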