Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » r16 malwarebytes

2 pages: [1] 2
r16 malwarebytes Opzioni
Topic Precedente · Topic Sucessivo
lello21
Inviato: Sunday, February 14, 2010 2:51:57 AM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
sono sempre io, e visto il successo del primo computer eccoci con il secondo pc....


Malwarebytes' Anti-Malware 1.44
Versione del database: 3732
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

13/02/2010 18.06.27
mbam-log-2010-02-13 (18-06-14).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 180311
Tempo trascorso: 59 minute(s), 27 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 4
Valori di registro infetti: 1
Elementi dato del registro infetti: 1
Cartelle infette: 2
File infetti: 2

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{db893839-10f0-4af9-92fa-b23528f530af} (Trojan.Dialer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\SudoPlanet (Rogue.SudoPlanet) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pe386 (Rootkit.Agent) -> No action taken.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 (Trojan.Agent) -> No action taken.

Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Cartelle infette:
C:\Program Files\SudoPlanet (Adware.EGDAccess) -> No action taken.
C:\Program Files\SudoPlanet\updates (Adware.EGDAccess) -> No action taken.

File infetti:
C:\Program Files\SudoPlanet\SudoPlanet.dll (Adware.EGDAccess) -> No action taken.
C:\Program Files\SudoPlanet\SudoPlanet.exe (Adware.EGDAccess) -> No action taken.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.19.38, on 13/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\IBM T40\Application Data\SysServDLL32.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O24 - Desktop Component 0: (no name) - http://www.itakapress.org/wp-content/uplo/facebook.jpg

--
End of file - 7254 bytes
Torna in alto
 
Sponsor
Inviato: Sunday, February 14, 2010 2:51:57 AM

 
Torna in alto
 
r16
Inviato: Sunday, February 14, 2010 1:43:29 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Elimina tutto quello che ha trovato Malwarebytes.
Fai una scansione con Combofix. (segui le stesse indicazioni del post di combofix)
Posta il log.
Torna in alto
 
lello21
Inviato: Sunday, February 14, 2010 5:32:10 PM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
ComboFix 10-02-12.01 - IBM T40 14/02/2010 18.10.34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1033.18.767.465 [GMT 2:00]
Eseguito da: c:\documents and settings\IBM T40\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((( Files Creati Da 2010-01-14 al 2010-02-14 )))))))))))))))))))))))))))))))))))
.

2010-02-14 02:41 . 2010-02-14 16:10 -------- d-----w- c:\windows\system32\CatRoot2
2010-02-13 15:02 . 2010-02-13 15:02 -------- d-----w- c:\program files\Trend Micro
2010-02-13 13:56 . 2010-02-13 13:56 -------- d-----w- c:\documents and settings\IBM T40\Application Data\Malwarebytes
2010-02-13 13:55 . 2010-01-07 14:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 13:55 . 2010-02-13 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-13 13:55 . 2010-02-13 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 13:55 . 2010-01-07 14:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-06 22:37 . 2010-02-06 22:37 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-06 22:37 . 2010-02-06 22:37 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-02-06 22:37 . 2010-02-06 22:37 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-02-06 22:37 . 2010-02-06 22:37 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-06 22:37 . 2010-02-06 22:37 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-02-06 22:37 . 2010-02-06 22:37 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-02-06 22:23 . 2010-02-06 22:23 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-02-06 22:23 . 2010-02-06 22:23 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-06 22:22 . 2010-02-14 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-06 22:22 . 2010-02-06 22:22 -------- d-----w- c:\program files\Kaspersky Lab
2010-02-06 22:20 . 2010-02-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-01-31 17:09 . 2010-01-31 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-29 17:57 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 02:40 . 2010-02-14 02:40 80007 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-13 15:23 . 2009-11-21 11:43 -------- d-----w- c:\program files\TuneUp Utilities 2009
2010-02-02 17:35 . 2008-06-12 19:00 -------- d-----w- c:\program files\Windows Live
2010-01-16 09:16 . 2006-10-02 21:29 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-14 14:26 . 2010-01-14 14:26 -------- d-----w- c:\program files\Common Files\EPSON
2010-01-14 14:23 . 2007-01-10 12:28 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-14 13:04 . 2010-01-14 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-01-14 13:03 . 2010-01-14 13:03 -------- d-----w- c:\program files\PHD
2010-01-14 13:03 . 2006-10-02 21:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-09 21:47 . 2009-11-07 18:05 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-31 16:50 . 1980-01-01 07:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2002-09-27 00:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 1980-01-01 07:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 1980-01-01 07:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 08:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 1980-01-01 07:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2006-10-23 20:49 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2005-08-30 17:14 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2001-08-18 05:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 1980-01-01 07:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 05:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 1980-01-01 07:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 1980-01-01 07:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-21 15:51 . 1980-01-01 07:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
1772-12-28 00:56 . 2006-12-12 19:37 1732 ----a-w- c:\program files\CATALOG.LiveSubscribe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-12-26 2335952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-31 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-31 512000]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-03-27 53248]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2003-08-08 897024]
"TP4EX"="tp4ex.exe" [2002-09-04 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 87751]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-20 340456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(3).lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2010-1-14 128000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ibmmessages"=c:\program files\IBM\Messages By IBM\ibmmessages.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe"
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"ibmmessages"=c:\program files\IBM\Messages By IBM\ibmmessages.exe
"EZEJMNAP"=c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"S3TRAY2"=S3Tray2.exe
"TPHOTKEY"=c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
"BMMLREF"=c:\program files\ThinkPad\Utilities\BMMLREF.EXE
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" /r
"dla"=c:\windows\system32\dla\tfswctrl.exe
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"msvcc25"=svcchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:emule_tcp
"4672:UDP"= 4672:UDP:emule_udp

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 21.18.34 36880]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [02/10/2006 23.29.53 15360]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 14.42.46 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 19.39.44 19472]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 akmahv;puvlv;c:\windows\system32\svchost.exe -k netsvcs [01/01/1980 9.00.00 14336]
S2 LoadDLLServ;LoadDLLServ;c:\documents and settings\IBM T40\Application Data\SysServDLL32.exe --> c:\documents and settings\IBM T40\Application Data\SysServDLL32.exe [?]
S3 bsusbser;PHD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\bsusbser.sys [14/01/2010 15.06.59 94848]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
akmahv
.
Contenuto della cartella 'Scheduled Tasks'

2010-02-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]

2010-02-14 c:\windows\Tasks\User_Feed_Synchronization-{509F2D35-A64F-444F-ACB1-4AD8F8732B47}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 18:20
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\akmahv]
"ServiceDll"="c:\windows\system32\kaxkgdkm.dll"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"0140710900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(3588)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ita.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\System32\S24EvMon.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\windows\System32\QCONSVC.EXE
c:\windows\System32\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\TpKmpSVC.exe
c:\windows\AGRSMMSG.exe
.
**************************************************************************
.
Ora fine scansione: 2010-02-14 18:25:09 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-02-14 16:25

Pre-Run: 8.537.612.288 bytes free
Post-Run: 8.568.274.944 bytes free

- - End Of File - - 192D67E6B4A775792DB078E9F544F314
GRAZIE!
Torna in alto
 
r16
Inviato: Sunday, February 14, 2010 7:54:29 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Apri un file di testo sul Desktop (start\esegui\digita: notepad.exe e poi clicca Ok
Ci incolli il codice che vedi qui sotto, e salvi il file di testo obbligatoriamente con il nome CFScript

Code:
KillAll::

NetSvcs::
akmahv

File::
c:\windows\system32\kaxkgdkm.dll

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\akmahv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\akmahv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\akmahv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\akmahv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\akmahv]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\akmahv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\akmahv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\akmahv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\akmahv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\akmahv]

Driver::
akmahv
Lbd


e trascinalo sull'icona di ComboFix.
Attendi la fine dei lavori, senza toccare tastiera, mouse o altro.
Posta il log aggiornato di combofix.
E poi, posta anche un log aggiornato di HJT.
Torna in alto
 
lello21
Inviato: Monday, February 15, 2010 2:53:58 AM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
ComboFix 10-02-12.01 - IBM T40 15/02/2010 3.35.21.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1033.18.767.428 [GMT 2:00]
Eseguito da: c:\documents and settings\IBM T40\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\IBM T40\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
"c:\windows\system32\kaxkgdkm.dll"
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AKMAHV
-------\Legacy_LBD
-------\Service_akmahv
-------\Service_Lbd


((((((((((((((((((((((((( Files Creati Da 2010-01-15 al 2010-02-15 )))))))))))))))))))))))))))))))))))
.

2010-02-14 02:41 . 2010-02-15 01:34 -------- d-----w- c:\windows\system32\CatRoot2
2010-02-13 15:02 . 2010-02-13 15:02 -------- d-----w- c:\program files\Trend Micro
2010-02-13 13:56 . 2010-02-13 13:56 -------- d-----w- c:\documents and settings\IBM T40\Application Data\Malwarebytes
2010-02-13 13:55 . 2010-01-07 14:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 13:55 . 2010-02-13 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-13 13:55 . 2010-02-13 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 13:55 . 2010-01-07 14:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-06 22:37 . 2010-02-06 22:37 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-06 22:37 . 2010-02-06 22:37 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-02-06 22:37 . 2010-02-06 22:37 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-02-06 22:37 . 2010-02-06 22:37 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-06 22:37 . 2010-02-06 22:37 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-02-06 22:37 . 2010-02-06 22:37 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-02-06 22:23 . 2010-02-06 22:23 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-02-06 22:23 . 2010-02-06 22:23 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-06 22:22 . 2010-02-15 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-06 22:22 . 2010-02-06 22:22 -------- d-----w- c:\program files\Kaspersky Lab
2010-02-06 22:20 . 2010-02-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-01-31 17:09 . 2010-01-31 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-29 17:57 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 02:40 . 2010-02-14 02:40 80007 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-13 15:23 . 2009-11-21 11:43 -------- d-----w- c:\program files\TuneUp Utilities 2009
2010-02-02 17:35 . 2008-06-12 19:00 -------- d-----w- c:\program files\Windows Live
2010-01-16 09:16 . 2006-10-02 21:29 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-14 14:26 . 2010-01-14 14:26 -------- d-----w- c:\program files\Common Files\EPSON
2010-01-14 14:23 . 2007-01-10 12:28 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-14 13:04 . 2010-01-14 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-01-14 13:03 . 2010-01-14 13:03 -------- d-----w- c:\program files\PHD
2010-01-14 13:03 . 2006-10-02 21:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-09 21:47 . 2009-11-07 18:05 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-31 16:50 . 1980-01-01 07:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 19:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2002-09-27 00:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 1980-01-01 07:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 1980-01-01 07:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 08:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 1980-01-01 07:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2006-10-23 20:49 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2005-08-30 17:14 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2001-08-18 05:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 1980-01-01 07:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 05:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 1980-01-01 07:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 1980-01-01 07:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-21 15:51 . 1980-01-01 07:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
1772-12-28 00:56 . 2006-12-12 19:37 1732 ----a-w- c:\program files\CATALOG.LiveSubscribe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-12-26 2335952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-31 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-31 512000]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-03-27 53248]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2003-08-08 897024]
"TP4EX"="tp4ex.exe" [2002-09-04 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 87751]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-20 340456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(3).lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2010-1-14 128000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ibmmessages"=c:\program files\IBM\Messages By IBM\ibmmessages.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe"
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"ibmmessages"=c:\program files\IBM\Messages By IBM\ibmmessages.exe
"EZEJMNAP"=c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"S3TRAY2"=S3Tray2.exe
"TPHOTKEY"=c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
"BMMLREF"=c:\program files\ThinkPad\Utilities\BMMLREF.EXE
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" /r
"dla"=c:\windows\system32\dla\tfswctrl.exe
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"msvcc25"=svcchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:emule_tcp
"4672:UDP"= 4672:UDP:emule_udp

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 21.18.34 36880]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [02/10/2006 23.29.53 15360]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 14.42.46 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 19.39.44 19472]
S2 LoadDLLServ;LoadDLLServ;c:\documents and settings\IBM T40\Application Data\SysServDLL32.exe --> c:\documents and settings\IBM T40\Application Data\SysServDLL32.exe [?]
S3 bsusbser;PHD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\bsusbser.sys [14/01/2010 15.06.59 94848]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
.
Contenuto della cartella 'Scheduled Tasks'

2010-02-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]

2010-02-14 c:\windows\Tasks\User_Feed_Synchronization-{509F2D35-A64F-444F-ACB1-4AD8F8732B47}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************
scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti:

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"0140710900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(1560)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ita.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\System32\S24EvMon.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\windows\AGRSMMSG.exe
c:\windows\System32\QCONSVC.EXE
c:\windows\System32\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\TpKmpSVC.exe
.
**************************************************************************
.
Ora fine scansione: 2010-02-15 03:49:46 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-02-15 01:49
ComboFix2.txt 2010-02-14 16:25

Pre-Run: 8.504.352.768 bytes free
Post-Run: 8.524.046.336 bytes free

- - End Of File - - B1CEED54691BD42B084F85D62869656B


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3.52.24, on 15/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\IBM T40\Application Data\SysServDLL32.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O24 - Desktop Component 0: (no name) - http://www.itakapress.org/wp-content/uplo/facebook.jpg

--
End of file - 6328 bytes

THANK YOU!
Torna in alto
 
r16
Inviato: Monday, February 15, 2010 2:49:56 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Disattiva il ripristino configurazione di sistema, e tienilo disattivato, fino alla soluzione del problema http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80121

Per eliminare i vari Tooll scaricati:
Scarica OTC by OldTimer sul desktop:
http://oldtimer.geekstogo.com/OTC.exe
doppio clic per eseguirlo
Clicca su CleanUp.
Ti chiederà di riavviare il pc.
Clicca sì.

Dai una pulita (registro compreso)con CCleaner: http://www.aiutamici.com/software?ID=11223
Nella schermata iniziale di CCleaner, clicca su Opzioni e poi Avanzate, togli il segno di spunta a: Cancella i file in Windows Temp solo se più vecchi di 48 ore. (poi esegui le pulizie)

Poi:
Start\Esegui\copia e incolla la stringa %temp% clicca su Ok, svuota la cartella temp. (non eliminare la cartella)
Poi:
Provvedi a svuotare del suo contenuto la cartella Prefetch :
clicca su Risorse del Computer
clicca su Disco locale C:
cerca, all’interno delle cartelle che saranno visualizzate la cartella Windows, aprila ed, al suo interno, cerca la cartella Prefetch, la apri ed elimina tutte le voci conservate al suo interno ( non eliminare la cartella)
SVUOTA IL CESTINO
Poi:
Lancia Hijackthis e pulisci gli ADS in questo modo:
clicca sulla voce Open the misc tool section
clicca su Open ads spy
togli la spunta alla voce Quick scan (windows base folder only)
clicca su Scan.
Aspetta pazientemente la fine della scansione.
se venissero rilevati ADS, spunta tutte le caselline e clicca su Remove selected

Fai una deframmentazione del HD.
Riattiva il ripristino configurazione di sistema e, se tutto è a posto, creane uno nuovo.

Se non riscontri problemi, dovresti essere a posto.
Torna in alto
 
lello21
Inviato: Tuesday, February 16, 2010 7:59:35 PM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
eccomi ! ho eseguito tutto e il mio pc sembra nuovo! Infinitamente grazie per la tua pazienza!
Ultima cosa: ho dei problemi con il service pack 3. L'istallazione non va a buon fine. Ho provato a lanciare cleanup and repair e ad andare a scaricare l'aggiornamento direttamente dal sito dell microsoft ma niente. mi sai dare qualche consiglio?
Torna in alto
 
lello21
Inviato: Tuesday, February 16, 2010 8:04:26 PM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
nel rapporto del fallimento di istallazione mi da Error Code: 0x51F
Grazie!
Torna in alto
 
r16
Inviato: Tuesday, February 16, 2010 8:07:50 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Ma guarda che dal log di HJT, il SP3 lo hai già installato.
Torna in alto
 
lello21
Inviato: Tuesday, February 16, 2010 9:46:26 PM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
si però ripetutamente mi si ripropone l'aggiornamento da installare con lo scudo giallo. lo faccio partire e poi alla fine mi dice fallito.
Torna in alto
 
r16
Inviato: Tuesday, February 16, 2010 9:52:17 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Ma, è un aggiornamento, oppure l'SP3 completo.
Torna in alto
 
lello21
Inviato: Tuesday, February 16, 2010 9:53:57 PM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
credo sia quello completo
Torna in alto
 
r16
Inviato: Tuesday, February 16, 2010 9:55:14 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Scrivimi il numero di questo aggiornamento.
Torna in alto
 
lello21
Inviato: Tuesday, February 16, 2010 10:02:16 PM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
Microsoft Office 2003 Service Pack 3 (SP3) c'è scritto solo questo.
Torna in alto
 
r16
Inviato: Tuesday, February 16, 2010 10:04:58 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Quello, è l'SP3 di Microsoft Office 2003 Service Pack 3 (SP3).
Hai Microsoft Office installato?
Torna in alto
 
lello21
Inviato: Tuesday, February 16, 2010 10:08:44 PM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
si
Torna in alto
 
r16
Inviato: Tuesday, February 16, 2010 10:14:08 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
http://support.microsoft.com/kb/875556
Traduci la pagina. (ti spiega perchè ti esce quel errore)
Oppure se vuoi puoi ignorare l'aggiornamento nascondendolo.
Torna in alto
 
lello21
Inviato: Tuesday, February 16, 2010 10:22:51 PM

Rank: AiutAmico

Iscritto dal : 2/26/2009
Posts: 30
ok. una domanda ma il SP3 si può disinstallare con cambia/rimuovi?
Torna in alto
 
r16
Inviato: Tuesday, February 16, 2010 10:23:50 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
lello21 ha scritto:
ok. una domanda ma il SP3 si può disinstallare con cambia/rimuovi?

Certo.
Ma te lo sconsiglio.
Torna in alto
 
Utenti presenti in questo topic
Guest

2 pages: [1] 2

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » r16 malwarebytes


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.