
Log check... but no rush
passodellupo
Posted: Saturday, March 28, 2009 2:57:46 PM
Rank: AiutAmico

Joined: 9/21/2003
Posts: 38
Dear friends, since you checked the log produced by combofix for the work PC, I got curious and wanted to examine the one from home, which gives no trouble at all.
If anyone has nothing more urgent to do, would you check the log for me? No rush, no obligation. Thanks
r16
Posted: Saturday, March 28, 2009 3:22:36 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
passodellupo
Posted: Sunday, March 29, 2009 12:02:03 AM
Rank: AiutAmico

Joined: 9/21/2003
Posts: 38
ok, this is the combofix log
ComboFix 09-03-25.04 - User 2009-03-28 14.48.10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2047.1474 [GMT 1:00]
Eseguito da: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Dati applicazioni\inst.exe

.
((((((((((((((((((((((((( Files Creati Da 2009-02-28 al 2009-03-28 )))))))))))))))))))))))))))))))))))
.

2009-03-12 18:08 . 2008-12-05 07:55 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 13:46 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-03-28 13:46 --------- d-----w c:\programmi\SpywareBlaster
2009-03-25 22:25 --------- d-----w c:\programmi\Recuva
2009-03-24 22:51 --------- d-----w c:\documents and settings\User\Dati applicazioni\uTorrent
2009-03-23 22:28 --------- d-----w c:\documents and settings\User\Dati applicazioni\Skype
2009-03-03 14:17 --------- d-----w c:\programmi\eMule
2009-02-24 22:24 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-02-20 20:31 --------- d-----w c:\documents and settings\User\Dati applicazioni\CoSoSys
2009-02-16 21:03 --------- d-----w c:\programmi\Google
2009-02-13 22:31 --------- d-----w c:\programmi\File comuni\Skype
2009-02-13 22:31 --------- d-----r c:\programmi\Skype
2009-02-10 21:23 --------- d-----w c:\programmi\Watchtower
2009-02-10 14:29 --------- d-----w c:\documents and settings\User\Dati applicazioni\Autodesk
2009-02-10 14:25 --------- d-----w c:\programmi\AutoCAD 2002 Ita
2009-02-10 14:24 --------- d-----w c:\programmi\WexTech
2009-02-10 14:24 --------- d-----w c:\programmi\File comuni\Wextech Shared
2009-02-10 14:24 --------- d-----w c:\programmi\File comuni\LHSPF
2009-02-10 14:24 --------- d-----w c:\programmi\File comuni\Autodesk Shared
2009-02-09 14:04 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 22:39 --------- d-----w c:\programmi\CCleaner
2009-01-30 14:30 --------- dc----w c:\documents and settings\All Users\Dati applicazioni\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-01-28 23:02 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-28 23:02 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-28 23:02 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-28 23:01 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\avg8
2009-01-21 09:27 2,080,536 ----a-w c:\windows\system32\AutoPartNt.exe
2009-01-16 20:25 37,888 ----a-w c:\windows\system32\setupnt.dll
2008-04-08 19:35 92,064 ----a-w c:\documents and settings\User\mqdmmdm.sys
2008-04-08 19:35 9,232 ----a-w c:\documents and settings\User\mqdmmdfl.sys
2008-04-08 19:35 79,328 ----a-w c:\documents and settings\User\mqdmserd.sys
2008-04-08 19:35 66,656 ----a-w c:\documents and settings\User\mqdmbus.sys
2008-04-08 19:35 6,208 ----a-w c:\documents and settings\User\mqdmcmnt.sys
2008-04-08 19:35 5,936 ----a-w c:\documents and settings\User\mqdmwhnt.sys
2008-04-08 19:35 4,048 ----a-w c:\documents and settings\User\mqdmcr.sys
2008-04-08 19:35 25,600 ----a-w c:\documents and settings\User\usbsermptxp.sys
2008-04-08 19:35 22,768 ----a-w c:\documents and settings\User\usbsermpt.sys
2008-01-25 22:42 32 ----a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
2008-01-24 18:03 47,360 ----a-w c:\documents and settings\User\Dati applicazioni\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\programmi\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"AnyDVD"="c:\programmi\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-19 2182080]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-21 4371440]
"AcronisTimounterMonitor"="c:\programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-21 961208]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2008-11-21 165144]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 c:\windows\system32\P0630Pin.dll]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 00:02 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"VIDC.MJPG"= pvmjpg21.dll
"msacm.dvacm"= c:\progra~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\FILECO~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\FILECO~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 c:\programmi\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
--a------ 2005-11-29 19:19 40960 c:\programmi\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\Windows Media Player\\wmplayer.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\wcescomm.exe"= c:\programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [2009-01-17 134272]
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [2009-01-17 971584]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-17 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-17 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-05-17 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-17 298264]
S2 gupdate1c9907979d58a10;Google Update Service (gupdate1c9907979d58a10);c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-16 133104]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2007-10-03 39424]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;c:\windows\system32\drivers\CamSpaceBus.sys [2008-08-24 14848]
S3 CamSpaceJoy;CamSpace Virtual Joystick device driver;c:\windows\system32\drivers\CamSpaceJoy.sys [2008-08-24 30464]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2008-02-06 91841]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b6fe44-03d2-11de-8350-001d601c7262}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs winfile.jpg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8cd1da-537d-11dd-a2b8-0090d0d221d5}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8cd1db-537d-11dd-a2b8-0090d0d221d5}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bb2e3ce-bc72-11dd-a40a-001d601c7262}]
\Shell\AutoRun\command - E:\fototaxi3.exe
.
Contenuto della cartella 'Scheduled Tasks'

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-16 21:59]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-CamSpace - c:\programmi\CamSpace\CamSpaceAgent.exe
MSConfigStartUp-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} - hxxps://register.creative.com/register/OCXs/CtORWebClientNoMFC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 14:49:30
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|é•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Ora fine scansione: 2009-03-28 14.50.46
ComboFix-quarantined-files.txt 2009-03-28 13:50:44

Pre-Run: 94.454.587.392 byte disponibili
Post-Run: 94,522,142,720 byte disponibili

184 --- E O F --- 2009-03-14 08:42:49



Tomorrow, when I'm less sleepy, I'll run a scan with hjt.
r16
Posted: Sunday, March 29, 2009 12:24:30 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
Hi.
Combofix removed a trojan (inst.exe).
Then, just for a "change", you have the usual infected USB stick.
And, "as fate would have it", with the same virus that infected the company PC. (winfile.jpg)

Open a text file on the Desktop.
Paste the code you see below into it, and save the text file with the name CFScript.txt, no other name.

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b6fe44-03d2-11de-8350-001d601c7262}]


Drag it onto the ComboFix icon.
Wait until it finishes, without touching the keyboard, mouse or anything else.
Post the updated combofix log.
*********************************************************************************************************
You need to temporarily disable automatic detection of USB devices;
you need the TweakUI program, which can be downloaded from this page (you'll find it on the right, about halfway down), so install it:
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
Once installed, run it and follow these steps:

click the + sign next to the My Computer section
click the [+] sign next to the Autoplay subsection
Go to Types
Uncheck Enable Autoplay for removable drives
Click Apply
Close TweakUI


From this moment on, no USB device will start automatically any more.
Insert your USB sticks and scan them with your antivirus.
When you're sure everything is fine, you can re-enable autorun by following the same path I showed you.

In addition to the Combofix log, also attach an updated HJT log.
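Added example, not from the thread or from ComboFix: a hypothetical Python helper that applies the same reasoning as the reply above to the mountpoints2 section of a ComboFix log, flagging removable-drive AutoRun commands that force a script host onto a file with a non-script extension (the "/e:vbs winfile.jpg" pattern) and emitting the Registry:: deletion block in the form used in the CFScript above. The sample log is constructed from the entries quoted in the first log in this thread; the /e: heuristic and the function names are the example's own.

```python
"""Triage of the 'mountpoints2' AutoRun entries in a ComboFix log (hypothetical helper).

Reproduces the judgement made in the reply above: flag removable-drive AutoRun
commands that force a script host onto a file whose extension hides that it is a
script, then emit the 'Registry::' block that CFScript.txt uses to delete the keys.
"""
import re

# One block per drive GUID, as ComboFix prints them under the mountpoints2 key.
MOUNTPOINTS_KEY = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$",
    re.IGNORECASE,
)
COMMAND_LINE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")

# Script engines that run whatever file they are pointed at.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Extensions a script host is expected to run; anything else behind /e: is camouflage.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

# Constructed sample: the four mountpoints2 blocks quoted in the first log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b6fe44-03d2-11de-8350-001d601c7262}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs winfile.jpg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8cd1da-537d-11dd-a2b8-0090d0d221d5}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8cd1db-537d-11dd-a2b8-0090d0d221d5}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bb2e3ce-bc72-11dd-a40a-001d601c7262}]
\Shell\AutoRun\command - E:\fototaxi3.exe
"""


def parse_mountpoints(log_text):
    """Return {registry_key: {verb: command}} for every mountpoints2 block."""
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = MOUNTPOINTS_KEY.match(line)
        if key_match:
            current = key_match.group(1)
            entries[current] = {}
            continue
        if not line:
            current = None  # a blank line ends the block
            continue
        cmd_match = COMMAND_LINE.match(line)
        if cmd_match and current is not None:
            entries[current][cmd_match.group(1)] = cmd_match.group(2)
    return entries


def is_disguised_script(command):
    """True when a script host is forced (via /e:) onto a file with a non-script extension.

    The thread's entry 'Wscript.exe /e:vbs winfile.jpg' is the pattern: the /e:
    switch picks the engine, so the .jpg name only hides a VBScript payload.
    """
    tokens = command.lower().split()
    if not any(tok.endswith(SCRIPT_HOSTS) for tok in tokens):
        return False
    engine_override = any(tok.startswith("/e:") for tok in tokens)
    # The payload is the last token that looks like a file name rather than a switch.
    payload = next((tok for tok in reversed(tokens)
                    if "." in tok and not tok.startswith("/")), None)
    return engine_override and payload is not None and not payload.endswith(SCRIPT_EXTS)


def triage(log_text):
    """Map each mountpoints2 key to the AutoRun commands that look like disguised scripts."""
    flagged = {}
    for key, commands in parse_mountpoints(log_text).items():
        bad = {verb: cmd for verb, cmd in commands.items() if is_disguised_script(cmd)}
        if bad:
            flagged[key] = bad
    return flagged


def build_cfscript(keys):
    """Render the CFScript.txt block that removes the given keys.

    '[-KEY]' is the REGEDIT-style delete-key form the reply above uses under 'Registry::'.
    """
    lines = ["Registry::"]
    lines.extend(f"[-{key}]" for key in sorted(keys))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, commands in found.items():
        for verb, cmd in commands.items():
            print(f"FLAG {key}\n     {verb}: {cmd}")
    print(build_cfscript(found))
```

Only the winfile.jpg entry is flagged; the LaunchU3, bittorrent and fototaxi3 entries launch plain executables and are left for a human to judge, as in the thread.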


passodellupo
Posted: Sunday, March 29, 2009 11:02:01 PM
Rank: AiutAmico

Joined: 9/21/2003
Posts: 38
All done!
Here is the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.50.55, on 29/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Google\Update\GoogleUpdate.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
c:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Programmi\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file:///C:/Programmi/AutoCAD%202002%20Ita/AcDcToday.ocx
O16 - DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - https://register.creative.com/register/OCXs/CtORWebClientNoMFC.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file:///C:/Programmi/AutoCAD%202002%20Ita/AcPreview.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Update Service (gupdate1c9907979d58a10) (gupdate1c9907979d58a10) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8147 bytes


And this is the combofix one after the fix you recommended.
ComboFix 09-03-25.04 - User 2009-03-29 21.27.49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2047.1454 [GMT 2:00]
Eseguito da: c:\documents and settings\User\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((( Files Creati Da 2009-02-28 al 2009-03-29 )))))))))))))))))))))))))))))))))))
.

2009-03-12 19:08 . 2008-12-05 08:55 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 13:54 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-03-28 13:46 --------- d-----w c:\programmi\SpywareBlaster
2009-03-25 22:25 --------- d-----w c:\programmi\Recuva
2009-03-24 22:51 --------- d-----w c:\documents and settings\User\Dati applicazioni\uTorrent
2009-03-23 22:28 --------- d-----w c:\documents and settings\User\Dati applicazioni\Skype
2009-03-03 14:17 --------- d-----w c:\programmi\eMule
2009-02-24 22:24 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-02-20 20:31 --------- d-----w c:\documents and settings\User\Dati applicazioni\CoSoSys
2009-02-16 21:03 --------- d-----w c:\programmi\Google
2009-02-13 22:31 --------- d-----w c:\programmi\File comuni\Skype
2009-02-13 22:31 --------- d-----r c:\programmi\Skype
2009-02-10 21:23 --------- d-----w c:\programmi\Watchtower
2009-02-10 14:29 --------- d-----w c:\documents and settings\User\Dati applicazioni\Autodesk
2009-02-10 14:25 --------- d-----w c:\programmi\AutoCAD 2002 Ita
2009-02-10 14:24 --------- d-----w c:\programmi\WexTech
2009-02-10 14:24 --------- d-----w c:\programmi\File comuni\Wextech Shared
2009-02-10 14:24 --------- d-----w c:\programmi\File comuni\LHSPF
2009-02-10 14:24 --------- d-----w c:\programmi\File comuni\Autodesk Shared
2009-02-09 14:04 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 22:39 --------- d-----w c:\programmi\CCleaner
2009-01-30 14:30 --------- dc----w c:\documents and settings\All Users\Dati applicazioni\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-01-28 23:02 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-28 23:02 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-28 23:02 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-28 23:01 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\avg8
2009-01-21 09:27 2,080,536 ----a-w c:\windows\system32\AutoPartNt.exe
2009-01-16 20:25 37,888 ----a-w c:\windows\system32\setupnt.dll
2008-04-08 19:35 92,064 ----a-w c:\documents and settings\User\mqdmmdm.sys
2008-04-08 19:35 9,232 ----a-w c:\documents and settings\User\mqdmmdfl.sys
2008-04-08 19:35 79,328 ----a-w c:\documents and settings\User\mqdmserd.sys
2008-04-08 19:35 66,656 ----a-w c:\documents and settings\User\mqdmbus.sys
2008-04-08 19:35 6,208 ----a-w c:\documents and settings\User\mqdmcmnt.sys
2008-04-08 19:35 5,936 ----a-w c:\documents and settings\User\mqdmwhnt.sys
2008-04-08 19:35 4,048 ----a-w c:\documents and settings\User\mqdmcr.sys
2008-04-08 19:35 25,600 ----a-w c:\documents and settings\User\usbsermptxp.sys
2008-04-08 19:35 22,768 ----a-w c:\documents and settings\User\usbsermpt.sys
2008-01-25 22:42 32 ----a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
2008-01-24 18:03 47,360 ----a-w c:\documents and settings\User\Dati applicazioni\pcouffin.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-28_14.49.54,98 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 07:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 06:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 07:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 06:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2009-02-20 23:02:03 59,780 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-29 19:15:49 59,916 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-20 23:02:03 71,908 ----a-w c:\windows\system32\perfc010.dat
+ 2009-03-29 19:15:49 72,130 ----a-w c:\windows\system32\perfc010.dat
- 2009-02-20 23:02:03 397,560 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-29 19:15:49 397,696 ----a-w c:\windows\system32\perfh009.dat
- 2009-02-20 23:02:03 443,528 ----a-w c:\windows\system32\perfh010.dat
+ 2009-03-29 19:15:49 443,900 ----a-w c:\windows\system32\perfh010.dat
+ 2009-03-29 19:13:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_360.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\programmi\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"AnyDVD"="c:\programmi\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-19 2182080]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-21 4371440]
"AcronisTimounterMonitor"="c:\programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-21 961208]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2008-11-21 165144]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 c:\windows\system32\P0630Pin.dll]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 01:02 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"VIDC.MJPG"= pvmjpg21.dll
"msacm.dvacm"= c:\progra~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\FILECO~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\FILECO~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 17:24 54840 c:\programmi\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 02:41 8523776 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
--a------ 2005-11-29 20:19 40960 c:\programmi\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\Windows Media Player\\wmplayer.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\wcescomm.exe"= c:\programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [2009-01-17 134272]
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [2009-01-17 971584]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-17 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-17 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-05-17 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-17 298264]
S2 gupdate1c9907979d58a10;Google Update Service (gupdate1c9907979d58a10);c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-16 133104]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2007-10-03 39424]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;c:\windows\system32\drivers\CamSpaceBus.sys [2008-08-24 14848]
S3 CamSpaceJoy;CamSpace Virtual Joystick device driver;c:\windows\system32\drivers\CamSpaceJoy.sys [2008-08-24 30464]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2008-02-06 91841]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8cd1da-537d-11dd-a2b8-0090d0d221d5}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8cd1db-537d-11dd-a2b8-0090d0d221d5}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bb2e3ce-bc72-11dd-a40a-001d601c7262}]
\Shell\AutoRun\command - E:\fototaxi3.exe
.
Contenuto della cartella 'Scheduled Tasks'

2009-03-29 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-16 22:59]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstFred.ocx
DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} - file:///C:/Programmi/AutoCAD%202002%20Ita/InstBanr.ocx
DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} - hxxps://register.creative.com/register/OCXs/CtORWebClientNoMFC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 21:29:05
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|é•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Ora fine scansione: 2009-03-29 21.30.31
ComboFix-quarantined-files.txt 2009-03-29 19:30:25
ComboFix2.txt 2009-03-28 13:50:47

Pre-Run: 90.245.029.888 byte disponibili
Post-Run: 90,232,614,912 byte disponibili

193 --- E O F --- 2009-03-14 08:42:49
r16
Posted: Sunday, March 29, 2009 11:12:00 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
Good, the winfile.jpg file has been deleted.
Disable System Restore, and keep it disabled until the problem is solved http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80121
Do a cleanup (registry included) with CCleaner http://www.aiutaamici.com/software?ID=11223
Then:
Start\Run\copy and paste the string %temp%, click OK, empty the temp folder. (do not delete the folder)
Then:
Empty the contents of the Prefetch folder:
click My Computer
click Local Disk C:
among the folders displayed, find the Windows folder, open it and, inside it, find the Prefetch folder, open it and delete all the entries stored in it (do not delete the folder)
EMPTY THE RECYCLE BIN
Then:
Launch HijackThis and clean the ADS like this:
click the Open the misc tool section entry
click Open ADS Spy
untick Quick scan (windows base folder only)
click Scan
if any ADS are detected, tick all the boxes and click Remove selected
N.B.: don't worry, no program will be deleted, only the associated streams.
Restart the PC.
Re-enable System Restore and, if everything is fine, create a new restore point.
The PC should be "snappier" now.
passodellupo
Posted: Sunday, March 29, 2009 11:13:09 PM
Rank: AiutAmico

Joined: 9/21/2003
Posts: 38
A small addition: after reading HERE I had edited these registry keys to disable AutoPlay permanently (I open USB sticks with Windows Explorer):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000128
"NoSetFolders"=dword:00000000
"NoControlPanel"=dword:00000000

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@="@SYS:DoesNotExist"


Was using TweakUI necessary, then? Can I uninstall it?

Also, AVG does not detect the winfile.jpg file.
I deleted it by enabling the display of system files and simply deleting them with Shift+Del.
Is that enough?
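The .reg fragment above carries two independent controls: the NoDriveTypeAutoRun bitmask, where each set bit switches AutoRun off for one Win32 drive type, and the IniFileMapping entry that makes Windows read Autorun.inf from a registry key that does not exist, so the file's directives are ignored on every drive. As an added example (my code, not part of the thread and not TweakUI), here is a Python check that parses such a .reg text, decodes the mask into the drive types that still have AutoRun enabled, reports bits above 0x80 that map to no drive type, and verifies that the mapping sits under the exact key name (Windows NT with the space; a value under a misspelled key is never consulted). The sample .reg text is the fragment from the post; the bit table is the documented meaning of NoDriveTypeAutoRun, and 0x128 covers fixed disks and CD-ROMs while leaving removable drives open, which is why the second control matters.

```python
import re

# Constructed sample: the two .reg fragments quoted in the post above, joined into one text.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000128
"NoSetFolders"=dword:00000000
"NoControlPanel"=dword:00000000

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

EXPLORER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INI_MAPPING = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"

# NoDriveTypeAutoRun is a bitmask over the Win32 drive types; a SET bit turns AutoRun OFF
# for that type. 0xFF disables it for every type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed disks",
    0x10: "network drives",
    0x20: "CD-ROM",
    0x40: "RAM disks",
    0x80: "unknown type (second bit)",
}


def parse_reg(text):
    """Minimal .reg reader: {key_path: {value_name: raw_value}} for quoted and @ values."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current and "=" in line and line[0] in '"@':
            name, _, value = line.partition("=")
            reg[current][name.strip('"')] = value.strip()
    return reg


def dword(raw):
    """Turn 'dword:00000128' into the integer 0x128."""
    kind, _, hexval = raw.partition(":")
    if kind.lower() != "dword":
        raise ValueError(f"not a dword value: {raw!r}")
    return int(hexval, 16)


def audit(reg_text):
    """Evaluate both AutoRun controls found in a .reg text."""
    reg = parse_reg(reg_text)
    policy = reg.get(EXPLORER_POLICY, {})
    mask = dword(policy["NoDriveTypeAutoRun"]) if "NoDriveTypeAutoRun" in policy else 0
    still_enabled = [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]
    mapping = reg.get(INI_MAPPING, {}).get("@", "").strip('"')
    return {
        "mask": mask,
        "still_enabled": still_enabled,
        # bits above 0x80 correspond to no drive type and change nothing
        "ignored_bits": mask & ~0xFF,
        "autorun_inf_blocked": mapping.upper() == "@SYS:DOESNOTEXIST",
    }


if __name__ == "__main__":
    result = audit(SAMPLE_REG)
    print(f"NoDriveTypeAutoRun = 0x{result['mask']:X}")
    print("AutoRun still enabled for:", ", ".join(result["still_enabled"]) or "nothing")
    if result["ignored_bits"]:
        print(f"bits 0x{result['ignored_bits']:X} map to no drive type and are ignored")
    print("Autorun.inf parsing blocked by IniFileMapping:", result["autorun_inf_blocked"])
```

Running it on the fragment reports removable drives among the types still enabled by the mask, while the IniFileMapping check passes; with the mask set to 0xFF the first list becomes empty.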
r16
Posted: Sunday, March 29, 2009 11:22:49 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
If you disabled it permanently, then TweakUI is not needed.
I removed the winfile.jpg file from the PC, not from the USB stick.
You may well have deleted it, but as you can see it was still in the registry key.
ComboFix reported it to me like this:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b6fe44-03d2-11de-8350-001d601c7262}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs winfile.jpg

Both in C:\ and in e:\
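The persisted AutoRun command r16 quotes lives under MountPoints2, where ComboFix prints one key per volume GUID, and the entries stay behind after the file on the stick is gone. As an added example, not part of the thread and not ComboFix's own code, here is a Python triage script that parses that section of a ComboFix log and rates each command: it flags launches routed through RunDLL32's ShellExec_RunDLL, script hosts such as Wscript.exe, payloads with a non-executable extension (a .jpg handed to the VBScript engine with /e:vbs, as in the winfile.jpg entry), and relative paths that resolve from the root of whatever volume gets mounted. The sample text is the MountPoints2 entries quoted in this thread; the script-host list, the extension list and the severity thresholds are my own choices.

```python
import re

# Constructed sample: the MountPoints2 entries quoted from the ComboFix logs in this thread
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8cd1da-537d-11dd-a2b8-0090d0d221d5}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8cd1db-537d-11dd-a2b8-0090d0d221d5}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32b6fe44-03d2-11de-8350-001d601c7262}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs winfile.jpg
"""

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)

# Script hosts that have no business in a removable-media AutoRun command (my list)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe")
# Extensions that legitimately execute; anything else used as the payload is disguised
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe", ".js", ".hta", ".dll")


def parse_mountpoints(log_text):
    """Return one dict per Shell verb command line found under a MountPoints2 key."""
    entries, current = [], None
    for line in log_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1)
            continue
        cmd = CMD_RE.match(line.strip())
        if cmd and current:
            entries.append({"guid": current, "verb": cmd.group(1), "command": cmd.group(2).strip()})
    return entries


def assess(command):
    """Rate one AutoRun command line; returns (severity, reasons)."""
    lowered = command.lower()
    tokens = lowered.split()
    reasons = []
    if "shellexec_rundll" in lowered:
        reasons.append("indirect launch through RunDLL32 ShellExec_RunDLL")
    uses_script_host = any(tok.endswith(SCRIPT_HOSTS) for tok in tokens)
    if uses_script_host:
        reasons.append("invokes a script host")
    # the payload is the last token that looks like a file name; switches such as /e:vbs are skipped
    payload = next((t for t in reversed(tokens) if "." in t and not t.startswith("/")), None)
    disguised = False
    if payload:
        ext = payload[payload.rfind("."):].split(",")[0]
        if ext not in EXEC_EXT:
            disguised = True
            reasons.append(f"payload {payload!r} has non-executable extension {ext!r}")
        if ":" not in payload and not payload.startswith("\\"):
            reasons.append(f"payload {payload!r} is a relative path resolved from the volume root")
    if uses_script_host and disguised:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "low"
    return severity, reasons


def triage(log_text):
    """Attach a severity and the reasons to every MountPoints2 command in a ComboFix log."""
    report = []
    for entry in parse_mountpoints(log_text):
        severity, reasons = assess(entry["command"])
        report.append({**entry, "severity": severity, "reasons": reasons})
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"[{item['severity']:6}] {item['guid']} {item['verb']}: {item['command']}")
        for reason in item["reasons"]:
            print("         -", reason)
```

On the sample the U3 launcher rates low, the two bittorrent.exe entries medium (relative payload, one of them through ShellExec_RunDLL), and the winfile.jpg entry high because a script host is fed a file with an image extension.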
passodellupo
Posted: Sunday, March 29, 2009 11:40:24 PM
Rank: AiutAmico

Joined: 9/21/2003
Posts: 38
Yes, yes. I meant now, after your instructions, scanning the USB sticks with the antivirus. I hope it was enough...

In the temp folder there are 3 files that won't let themselves be deleted because they are in use by another program...?!? I see the inactive ActiveSync icon in the tray, maybe that's it.

Replying to the OT in the other post about work...
No, the little one in the avatar is a picture I had found in a magazine and liked... before mine was born... I had never got round to changing the avatar.
Now it is my son... 6 months ago.

still OT
the offer for the desk is not a joke. I am in the province of Ancona.
r16
Posted: Sunday, March 29, 2009 11:50:45 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
If those files don't have the .exe extension, leave them there.

I recommend installing this software, which is very effective against malware:
Download and install MalwareBytes:
click here to download: http://www.aiutamici.com/software?id=80346
Before scanning, UPDATE IT.
Run a full system scan.
If it finds anything, post the log.

OT:
Congratulations on your son, he looks like a "rascal". (said kindly)
passodellupo
Posted: Tuesday, March 31, 2009 10:03:17 PM
Rank: AiutAmico

Joined: 9/21/2003
Posts: 38
It didn't find anything.
All clean. Heartfelt thanks for the help.