Thanks a lot pidue for the reply... I think the PC is much better now. I did everything you told me.
The only thing I wanted to tell you is this: in the safe mode procedure, when I went to open HijackThis, the entry you told me to delete was no longer there, and the file in the temp folder that I was supposed to delete was gone too. I also checked in normal mode, but there too neither the entry nor the file is there anymore. Maybe it was ComboFix that fixed the problem?
Anyway, I'm leaving you an updated HijackThis log and the ComboFix one; let me know how it looks.
Thanks again.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.34.44, on 31/01/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16764)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Windows\System32\p2phost.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?IT (file missing)
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Program Files\PokerStars.IT\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 8636 bytes
COMBOFIX
ComboFix 09-01-21.04 - Leonardo 2009-01-31 11.50.18.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1040.18.1533.784 [GMT 1:00]
Eseguito da: c:\users\Leonardo\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Creato nuovo punto di ripristino
.
- MODALITÀ CON FUNZIONALITÀ RIDOTTE -
.
((((((((((((((((((((((((( Files Creati Da 2008-12-28 al 2009-01-31 )))))))))))))))))))))))))))))))))))
.
2009-01-31 00:04 . 2009-01-31 00:04 <DIR> d-------- c:\program files\Trend Micro
2009-01-30 23:53 . 2009-01-30 23:53 <DIR> d-------- c:\users\Leonardo\AppData\Roaming\PC Tools
2009-01-30 23:53 . 2009-01-31 11:45 <DIR> d-a------ c:\users\All Users\TEMP
2009-01-30 23:53 . 2009-01-31 11:45 <DIR> d-a------ c:\programdata\TEMP
2009-01-30 23:53 . 2009-01-31 00:01 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-30 23:53 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2009-01-30 23:53 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2009-01-30 23:53 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2009-01-30 23:53 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2009-01-30 22:57 . 2009-01-30 22:57 <DIR> d-------- c:\users\All Users\Avira
2009-01-30 22:57 . 2009-01-30 22:57 <DIR> d-------- c:\programdata\Avira
2009-01-30 22:57 . 2009-01-30 22:57 <DIR> d-------- c:\program files\Avira
2009-01-22 15:25 . 2009-01-22 15:25 <DIR> d-------- c:\users\All Users\Office Genuine Advantage
2009-01-22 15:25 . 2009-01-22 15:25 <DIR> d-------- c:\programdata\Office Genuine Advantage
2009-01-16 21:14 . 2008-12-16 04:14 290,304 --a------ c:\windows\System32\drivers\srv.sys
2008-12-21 18:12 . 2008-12-12 02:53 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-14 03:13 . 2008-10-22 00:31 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-13 18:21 . 2008-12-13 18:21 <DIR> d-------- c:\windows\Sun
2008-12-13 15:48 . 2008-11-01 00:38 4,247,552 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-13 15:48 . 2008-06-23 02:52 2,855,424 --a------ c:\windows\System32\mf.dll
2008-12-13 15:48 . 2008-11-01 04:33 1,687,040 --a------ c:\windows\System32\gameux.dll
2008-12-13 15:48 . 2008-06-23 02:52 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-13 15:48 . 2008-06-23 02:52 98,816 --a------ c:\windows\System32\mfps.dll
2008-12-13 15:48 . 2008-06-23 02:52 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-13 15:48 . 2008-06-23 02:52 52,736 --a------ c:\windows\System32\rrinstaller.exe
2008-12-13 15:48 . 2008-11-01 04:33 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-13 15:48 . 2008-06-23 02:52 24,576 --a------ c:\windows\System32\mfpmp.exe
2008-12-13 15:48 . 2008-06-22 23:34 2,048 --a------ c:\windows\System32\mferror.dll
2008-12-13 15:47 . 2008-10-21 06:16 297,472 --a------ c:\windows\System32\gdi32.dll
2008-12-07 23:42 . 2008-12-13 15:44 <DIR> d-------- c:\program files\PokerStars.IT
2008-12-07 13:27 . 2008-12-07 13:27 410,976 --a------ c:\windows\System32\deploytk.dll
2008-12-06 14:14 . 2008-10-21 06:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-12-06 14:14 . 2008-08-28 04:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-12-06 14:14 . 2008-08-28 04:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-12-06 14:14 . 2008-08-28 04:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-12-06 14:14 . 2008-10-22 04:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-12-06 14:14 . 2008-10-22 04:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-12-06 14:14 . 2008-10-22 04:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-12-06 14:09 . 2008-09-10 04:25 1,341,440 --a------ c:\windows\System32\msxml6.dll
2008-12-06 14:09 . 2008-09-05 05:48 1,194,496 --a------ c:\windows\System32\msxml3.dll
2008-12-06 14:09 . 2008-08-26 02:11 211,456 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-12-06 14:09 . 2008-09-10 04:21 2,048 --a------ c:\windows\System32\msxml6r.dll
2008-12-06 14:09 . 2008-09-05 05:45 2,048 --a------ c:\windows\System32\msxml3r.dll
2008-12-06 14:06 . 2008-10-16 22:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-06 14:06 . 2008-10-16 21:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-06 14:06 . 2008-10-16 22:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-06 14:06 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-06 14:06 . 2008-10-16 21:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-06 14:06 . 2008-10-16 22:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-06 14:06 . 2008-10-16 22:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-06 14:06 . 2008-10-16 22:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-06 14:06 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 10:46 13,166 ----a-w c:\users\Leonardo\AppData\Roaming\nvModes.dat
2009-01-26 17:50 --------- d-----w c:\programdata\Microsoft Help
2009-01-25 13:20 --------- d-----w c:\program files\ESET
2009-01-17 02:13 --------- d-----w c:\program files\Windows Mail
2008-12-14 02:31 174 --sha-w c:\program files\desktop.ini
2008-12-07 12:26 --------- d-----w c:\program files\Java
2008-11-01 03:33 537,600 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:33 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:33 449,536 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:33 2,144,256 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:33 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-31 23:23 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-10-29 06:20 2,923,520 ----a-w c:\windows\explorer.exe
2008-10-16 04:40 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-16 04:40 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-16 04:40 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2009-01-12 10:04 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-12 10:04 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-12 10:04 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-12 10:04 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-12 10:04 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 439872]
"CollaborationHost"="c:\windows\system32\p2phost.exe" [2006-11-02 191488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-14 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-14 493688]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-11 530552]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-07 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-07 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-07 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2006-12-13 554640]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-07 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Avvio veloce di Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6001.18000_none_095f6148c74a7a64\poqexec.exe /display_progress \SystemRoot\WinSxS\pending.xml
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1992454746-662535005-1285478740-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{94E76438-2C43-488C-B98E-FFF418C43754}"= UDP:c:\program files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.0
"{6059D5C7-1BCA-47DC-A1B4-544E5522645F}"= TCP:c:\program files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.0
"{A1F0626A-4679-4E3B-9CDD-8C10C2521BEA}"= UDP:c:\program files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.0
"{405C4248-6BF9-4321-8AED-12FF5CAB6AC6}"= TCP:c:\program files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.0
"{20B84FF3-9FB5-4E24-AF53-A2D9E2CE187E}"= UDP:c:\program files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.0
"{C3014522-EE42-4733-BA0B-9FA9C8E5807A}"= TCP:c:\program files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.0
"{E68E85A5-D791-4F47-A161-79D008A82CB5}"= UDP:c:\program files\MSN Messenger\msncall.exe:Windows Live Messenger 8.0 (Phone)
"{F9AEC7BE-3379-404A-A2CF-F62C111C9E72}"= TCP:c:\program files\MSN Messenger\msncall.exe:Windows Live Messenger 8.0 (Phone)
"{15DFFA11-F29C-4262-B4CD-7694960625BB}"= UDP:c:\program files\MSN Messenger\msncall.exe:Windows Live Messenger 8.0 (Phone)
"{4287444B-D899-4A0F-97AB-9A4B335BF77E}"= TCP:c:\program files\MSN Messenger\msncall.exe:Windows Live Messenger 8.0 (Phone)
"{44FDA6A2-C584-443C-B190-3A9825039DEA}"= UDP:c:\program files\MSN Messenger\msncall.exe:Windows Live Messenger 8.0 (Phone)
"TCP Query User{A8082462-08F5-4210-A793-84AA9BEB2177}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{376CB480-9E3F-44FA-9ACC-B4E5DB4CAE07}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"{F496DDDB-10BA-403C-8466-9FB303996FD2}"= c:\program files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{FB9CD2A9-D1C2-42F4-AA5A-67AE22606222}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CD599A6B-B4F6-47C2-B362-CC601B50B77E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{532D706E-39DB-41E4-9C3C-9DD3C30E3DFF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [2006-12-16 7168]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-30 356920]
--- Altri Servizi/Drivers In Memoria ---
*Deregistered* - mchInjDrv
*Deregistered* - sptd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d29bbd1-57a4-11dc-b5ca-806e6f6e6963}]
\shell\AutoRun\command - F:\Pet_Soccer_Generic.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80fafb2d-fe4d-11dc-8e48-00a0d16affab}]
\shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\shell\open\Command - wscript.exe VirusRemoval.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4012739-d838-11dd-8e4d-00a0d16affab}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL key.exe
\shell\infected\command - key.exe
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
HKCU-Run-Cognac - c:\users\Leonardo\AppData\Local\Temp\B1B9.tmp.exe
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
.
------- Scansione supplementare -------
.
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?IT
IE: {{C4046502-6524-4d87-896C-878F57D1FF07} - c:\program files\PokerStars.IT\PokerStarsUpdate.exe
FF - ProfilePath - c:\users\Leonardo\AppData\Roaming\Mozilla\Firefox\Profiles\bs5lun5a.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-31 11:51:32
Windows 6.0.6000 NTFS
detected NTDLL code modification:
ZwClose
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
**************************************************************************
.
Ora fine scansione: 2009-01-31 11.58.19
ComboFix-quarantined-files.txt 2009-01-31 10:56:53
Pre-Run: 2.112.937.984 byte disponibili
Post-Run: 1,987,256,320 byte disponibili
208 --- E O F --- 2009-01-31 10:50:49