Posted: Tuesday, December 01, 2009 12:14:12 PM
Hi guys. I have a problem: I can't uninstall ANTIVIRUS SYSTEM PRO.
Below I'm posting the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.10.56, on 01/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\File comuni\Acronis\CDP\afcdpsrv.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Cyberlink\Shared Files\brs.exe
C:\Documents and Settings\Utente\Impostazioni locali\Dati applicazioni\kebyom\sqgfsysguard.exe
C:\Documents and Settings\Utente\Impostazioni locali\Dati applicazioni\kebyom\sqgfsysguard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\CyberLink\Shared files\RichVideo.exe
D:\DATI VECCHI\Documenti\kecco\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\WINDOWS\system32\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [RemoteControl9] C:\Programmi\CyberLink\PowerDVD9\PDVD9Serv.exe
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] C:\Programmi\CyberLink\PowerDVD9\Language\Language.exe
O4 - HKLM\..\Run: [BDRegion] C:\Programmi\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Programmi\ScanSoft\OmniPageSE2.0\EregIta\Ereg.exe" -r "C:\Programmi\ScanSoft\OmniPageSE2.0\EregIta\ereg.ini"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [amqcptgk] C:\Documents and Settings\Utente\Impostazioni locali\Dati applicazioni\kebyom\sqgfsysguard.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amqcptgk] C:\Documents and Settings\Utente\Impostazioni locali\Dati applicazioni\kebyom\sqgfsysguard.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Programmi\Windows Sidebar\sidebar.exe /autoRun (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Programmi\Windows Sidebar\sidebar.exe /autoRun (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Programmi\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Programmi\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\btsendto_ie_ctx.htm
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O15 - Trusted Zone: *
O15 - Trusted Zone: * (HKLM)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Programmi\File comuni\Acronis\CDP\afcdpsrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe

End of file - 7610 bytes
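As an added example (not code from the thread, from HijackThis, or from any of the tools named here), a small Python triage script that applies the checks a helper would run on a log like the one above: O4 Run values that launch an executable from a user-profile data directory, the same value registered under both HKLM and HKCU, and wildcard Trusted Zone entries. The sample lines are constructed from the log format above; the heuristics, thresholds and function names are this example's own.

```python
"""Triage of a HijackThis v2 log (added example; not HijackThis's own code).
Flags autorun entries and IE settings that match the rogue-antivirus pattern
in the thread: a Run value launching an .exe from a user-profile data
directory, re-registered under a second hive, plus wildcard Trusted Zone
entries. Heuristics and names are this example's own assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v2 line format (a subset of the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [amqcptgk] C:\Documents and Settings\Utente\Impostazioni locali\Dati applicazioni\kebyom\sqgfsysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amqcptgk] C:\Documents and Settings\Utente\Impostazioni locali\Dati applicazioni\kebyom\sqgfsysguard.exe
O15 - Trusted Zone: *
O15 - Trusted Zone: * (HKLM)
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
"""

# Per-user data directories writable without admin rights (English and Italian
# XP names). Legitimate software rarely registers a Run value launching from here.
USER_PROFILE_DIRS = ("/application data/", "/dati applicazioni/",
                     "/local settings/", "/impostazioni locali/",
                     "/appdata/", "/temp/")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)(?:\\[^:]*?)?\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Extract the launched image from an O4 command string: quoted paths are
    taken verbatim, unquoted ones (which may contain spaces) up to the first
    token ending in .exe."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_random(name: str) -> bool:
    """Crude test for generated names such as 'amqcptgk': letters only, at least
    six of them, fewer than one vowel in four. Only used to add weight to an
    entry already flagged by its path, since short legitimate names also match."""
    core = name.lower().rsplit(".", 1)[0]
    if len(core) < 6 or not core.isalpha():
        return False
    return sum(c in "aeiou" for c in core) / len(core) < 0.25


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line with every reason that fired."""
    findings = []
    hives_seen = {}  # (value name, normalised exe path) -> set of hives
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            path = exe.lower().replace("\\", "/")
            reasons = []
            if any(d in path for d in USER_PROFILE_DIRS):
                reasons.append("autorun image lives in a user-profile data directory")
                if looks_random(m["name"]):
                    reasons.append(f"value name '{m['name']}' looks machine-generated")
                hives = hives_seen.setdefault((m["name"], path), set())
                hives.add(m["hive"])
                if len(hives) > 1:  # same entry re-registered under another hive
                    reasons.append("same value registered under " + " and ".join(sorted(hives)))
            if reasons:
                findings.append(Finding(line, reasons))
            continue
        m = O15_RE.match(line)
        if m and m["zone"].startswith("*"):
            findings.append(Finding(line, ["wildcard '*' in the IE Trusted Zone applies the "
                                           "relaxed Trusted-sites policy to every site"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, it reports the two sqgfsysguard.exe Run values and the two wildcard Trusted Zone lines, and leaves the Avira and ctfmon entries alone.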

Posted: Tuesday, December 01, 2009 1:14:34 PM

ANTIVIRUS SYSTEM PRO is one of the usual scams going around the net to get you to install a fake antivirus, which then actually downloads ''junk'' onto the PC.

Run a scan with ComboFix:
Disconnect from the internet.
Disable the antivirus.
Run the ComboFix.exe file.
Type 1 to start the tool.
Follow the instructions (don't do anything during the scan; if the desktop icons disappear, that's normal) and at the end a log will be generated.
When it's finished, post the log you'll find in C:\Combofix.txt

Restore the Trusted Zone: download DelDomains and save it to the desktop.

=> right-click it and choose "Install".
Posted: Tuesday, December 01, 2009 1:19:11 PM

Shapiro, a question:
how do so many unlucky people end up with these rogues?
I imagine you have to accept some kind of download to load them... right?
Posted: Tuesday, December 01, 2009 1:32:15 PM

hi Dario

It's enough to visit unsafe sites or not have sufficiently up-to-date protection... it happened to me just a few days ago... I blocked it by a hair, it had already installed some Sick keys... and to think that I always update everything.
Posted: Tuesday, December 01, 2009 2:03:52 PM

Hi... well, better you than someone else, since at least you know how to handle it pretty well.
For my own security, after the misadventure with the MBR rootkit I picked up through a simple streaming video, I've now installed Prevx with full protection, and I'm very satisfied with it.
It's really excellent, you know; if you combine it with a good antivirus and firewall I won't say you're 100% safe, but you're really well protected with the Safer Online feature.

Posted: Thursday, December 03, 2009 3:31:21 PM
ComboFix log

ComboFix 09-12-02.07 - Utente 03/12/2009 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.895.632 [GMT 1:00]
Eseguito da: c:\documents and settings\Utente\Desktop\ComboFix.exe

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Creati Da 2009-11-03 al 2009-12-03 )))))))))))))))))))))))))))))))))))

2009-12-01 11:33 . 2009-12-01 11:33 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Threat Expert
2009-12-01 11:27 . 2009-11-10 09:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-01 11:27 . 2009-11-10 09:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-01 11:27 . 2008-11-26 11:08 131 ----a-w- c:\windows\
2009-12-01 11:27 . 2009-11-10 09:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-01 11:27 . 2009-11-10 09:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-01 11:27 . 2009-10-28 00:36 1152444 ----a-w- c:\windows\
2009-12-01 11:27 . 2009-10-30 10:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-01 11:27 . 2009-11-09 10:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-01 11:27 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-01 11:26 . 2009-09-03 08:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-01 11:26 . 2009-12-01 11:45 -------- d-----w- c:\programmi\Spyware Doctor
2009-12-01 11:26 . 2009-12-01 11:27 -------- d-----w- c:\programmi\File comuni\PC Tools
2009-12-01 11:26 . 2009-12-01 11:26 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\PC Tools
2009-12-01 11:26 . 2009-12-01 11:26 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PC Tools
2009-12-01 09:26 . 2009-12-01 09:26 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\Malwarebytes
2009-12-01 09:26 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 09:26 . 2009-12-01 09:26 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-12-01 09:26 . 2009-12-01 09:26 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-12-01 09:26 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 08:11 . 2009-11-29 08:11 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Identities
2009-11-29 07:49 . 2009-11-29 07:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-28 20:29 . 2009-12-01 11:37 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\kebyom
2009-11-28 17:22 . 2009-11-28 17:22 -------- d-----w- C:\Giochi
2009-11-27 18:17 . 2003-10-15 06:27 49152 ----a-r- c:\programmi\BtBalloon.dll
2009-11-27 18:15 . 2009-11-27 18:15 -------- d-----w- c:\programmi\bin
2009-11-27 18:15 . 2009-11-27 18:15 -------- d-----w- c:\programmi\sync
2009-11-27 18:15 . 2009-11-27 18:15 -------- d-----w- c:\programmi\opp
2009-11-27 18:15 . 2009-11-27 18:15 -------- d-----w- c:\programmi\ftp
2009-11-27 14:04 . 2009-12-01 21:11 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\Canon
2009-11-26 20:14 . 2008-04-13 08:46 37888 -c--a-w- c:\windows\system32\dllcache\bthmodem.sys
2009-11-26 20:14 . 2008-04-13 08:46 37888 ----a-w- c:\windows\system32\drivers\bthmodem.sys
2009-11-26 11:52 . 2009-11-26 11:52 -------- d-----w- c:\windows\system32\LogFiles
2009-11-24 19:32 . 2009-11-24 19:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-23 17:20 . 2009-11-23 17:20 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\AdobeUM
2009-11-23 16:00 . 2009-11-23 16:00 -------- d-----w- c:\windows\Sun
2009-11-23 12:59 . 2009-11-23 12:59 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\dvdcss
2009-11-23 08:39 . 2009-11-23 08:39 -------- d-sh--w- c:\documents and settings\Utente\IECompatCache
2009-11-22 13:48 . 2008-04-13 17:13 26624 ----a-w- c:\documents and settings\LocalService\Dati applicazioni\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-11-22 13:48 . 2009-12-01 21:23 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\vlc
2009-11-22 13:27 . 2009-11-23 12:42 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Adobe
2009-11-22 13:24 . 2009-11-22 13:24 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2009-11-22 12:06 . 2009-11-22 12:06 -------- d-----w- c:\programmi\Bonjour
2009-11-22 12:00 . 2009-11-22 12:00 -------- d-----w- c:\programmi\File comuni\Macrovision Shared
2009-11-22 11:56 . 2009-11-22 11:56 -------- d-----w- C:\BJPrinter
2009-11-22 11:48 . 2009-11-22 11:48 -------- d-sh--w- c:\documents and settings\Utente\PrivacIE
2009-11-22 11:43 . 2008-04-13 08:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-11-22 11:43 . 2008-04-13 08:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-11-22 11:42 . 2008-04-22 12:09 32384 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-22 11:42 . 2008-04-22 12:09 32384 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-11-21 21:13 . 2009-11-21 21:13 -------- d-----w- c:\programmi\Microsoft
2009-11-21 21:11 . 2009-11-21 21:11 -------- d-----w- c:\programmi\File comuni\Windows Live
2009-11-21 21:06 . 2009-11-21 21:06 -------- d-----w- c:\programmi\MLT1100
2009-11-21 20:26 . 2009-11-21 20:26 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2009-11-21 20:21 . 2009-11-21 20:21 159168 ----a-w- c:\windows\system32\drivers\afcdp.sys
2009-11-21 20:21 . 2009-11-21 20:21 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys
2009-11-21 20:21 . 2009-11-21 20:21 570016 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-11-21 20:21 . 2009-11-21 20:21 157248 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-11-21 20:21 . 2009-11-21 20:21 -------- d-----w- c:\programmi\File comuni\Acronis
2009-11-21 20:21 . 2009-11-21 20:21 -------- d-----w- c:\programmi\Acronis
2009-11-21 20:15 . 2009-12-02 18:06 -------- d-----w- c:\documents and settings\Utente\Tracing
2009-11-21 20:14 . 2009-11-21 20:14 0 ----a-w- c:\windows\nsreg.dat
2009-11-21 20:14 . 2009-11-21 20:14 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Mozilla
2009-11-21 20:09 . 2009-11-21 20:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-21 20:08 . 2009-11-21 20:08 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2009-11-21 20:08 . 2009-11-21 20:08 -------- d-----r- c:\documents and settings\NetworkService\Preferiti
2009-11-21 20:02 . 2009-11-21 20:02 -------- d-----w- c:\programmi\VideoLAN
2009-11-21 20:00 . 2009-11-21 20:03 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\Skype
2009-11-21 20:00 . 2009-11-21 20:00 -------- d-----w- c:\programmi\File comuni\Skype
2009-11-21 20:00 . 2009-11-21 20:00 -------- d-----r- c:\programmi\Skype
2009-11-21 20:00 . 2009-11-21 20:00 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Skype
2009-11-21 19:57 . 2003-06-19 00:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2009-11-21 19:57 . 2003-06-19 00:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2009-11-21 19:55 . 2009-11-21 19:55 -------- d-----w- c:\programmi\Microsoft Works
2009-11-21 19:55 . 2009-11-21 19:55 -------- d-----w- c:\windows\SHELLNEW
2009-11-21 19:54 . 2009-11-21 19:54 -------- d-----w- c:\programmi\Microsoft.NET
2009-11-21 19:53 . 2009-11-21 19:53 -------- d-----w- c:\programmi\Sygate
2009-11-21 19:53 . 2009-11-21 19:53 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2009-11-21 19:51 . 2009-11-21 19:51 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Cyberlink
2009-11-21 19:50 . 2009-11-21 19:51 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\CyberLink
2009-11-21 19:41 . 2009-11-21 19:41 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\CyberLink
2009-11-21 19:41 . 2009-11-21 19:41 -------- d-----w- c:\programmi\File comuni\CyberLink
2009-11-21 19:41 . 2009-11-21 19:41 -------- d-----w- c:\programmi\CyberLink
2009-11-21 19:40 . 2009-11-21 19:39 505128 ----a-w- c:\windows\system32\msvcp71.dll
2009-11-21 19:40 . 2009-11-21 19:39 353576 ----a-w- c:\windows\system32\msvcr71.dll
2009-11-21 19:40 . 2009-11-21 19:39 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-11-21 19:39 . 2009-12-03 14:06 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\Temp
2009-11-21 19:39 . 2009-11-21 19:39 53319 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Temp\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2009-11-21 19:36 . 2006-01-20 22:46 20640 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-11-21 19:36 . 2006-01-20 22:46 109568 ------w- c:\windows\system32\pxinsi64.exe
2009-11-21 19:36 . 2006-01-20 22:46 108544 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-21 19:36 . 2009-11-21 19:36 -------- d-----w- c:\programmi\DivX
2009-11-21 19:32 . 2009-07-28 15:34 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 19:32 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-21 19:32 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-21 19:32 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-21 19:32 . 2009-11-21 19:32 -------- d-----w- c:\programmi\Avira
2009-11-21 19:32 . 2009-11-21 19:32 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2009-11-21 19:30 . 2004-03-02 15:37 125184 ------w- c:\windows\system32\drivers\imagesrv.sys
2009-11-21 19:30 . 2004-03-02 15:37 5504 ------w- c:\windows\system32\drivers\imagedrv.sys
2009-11-21 19:30 . 2009-11-21 19:30 -------- d-----w- c:\programmi\File comuni\Ahead
2009-11-21 19:30 . 2004-07-26 15:16 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-11-21 19:30 . 2004-07-26 15:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-11-21 19:30 . 2004-07-26 15:16 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-11-21 19:30 . 2004-07-26 15:16 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-11-21 19:30 . 2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-11-21 19:30 . 2000-06-26 09:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-11-21 19:30 . 2009-11-21 19:30 -------- d-----w- c:\programmi\Ahead
2009-11-21 19:25 . 2009-11-22 12:00 -------- d-----w- c:\programmi\File comuni\Adobe
2009-11-21 19:25 . 1998-11-13 13:07 307712 ----a-w- c:\windows\IsUn0410.exe
2009-11-21 16:41 . 2000-01-29 00:23 34036 ----a-w- c:\windows\system32\DESIMON.DLL
2009-11-21 16:37 . 1998-10-02 18:00 327168 ----a-w- c:\windows\IsUninst.exe
2009-11-21 16:15 . 2009-11-21 16:15 -------- d-----w- c:\windows\system32\Lang
2009-11-21 16:08 . 2006-08-14 11:09 1428 ----a-w- c:\windows\system32\drivers\nvphy.bin
2009-11-21 16:08 . 2006-09-11 16:06 356352 ----a-w- c:\windows\system32\nvunrm.exe
2009-11-21 16:08 . 2009-11-21 16:11 -------- d-----w- c:\windows\nview
2009-11-21 16:08 . 2006-12-18 15:33 356352 ----a-w- c:\windows\system32\nvudisp.exe
2009-11-21 16:00 . 2006-12-18 15:33 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-21 16:00 . 2009-11-21 16:00 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\InstallShield
2009-11-21 15:57 . 2008-04-13 08:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
2009-11-27 18:24 . 2001-08-31 14:00 83934 ----a-w- c:\windows\system32\perfc010.dat
2009-11-27 18:24 . 2001-08-31 14:00 489038 ----a-w- c:\windows\system32\perfh010.dat
2009-11-27 18:17 . 2009-11-27 18:17 346 ----a-w- c:\programmi\Risorse di rete Bluetooth.lnk
2009-11-24 11:47 . 2009-11-21 12:59 66432 ----a-w- c:\documents and settings\Default User\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-11-22 11:56 . 2009-11-22 11:52 -------- d-----w- c:\programmi\Canon
2009-11-22 11:54 . 2009-11-21 16:13 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-11-22 11:54 . 2009-11-21 16:13 -------- d-----w- c:\programmi\File comuni\InstallShield
2009-11-21 21:13 . 2009-11-21 12:58 -------- d-----w- c:\programmi\Windows Live
2009-11-21 16:13 . 2009-11-21 16:13 -------- d-----w- c:\programmi\Realtek
2009-11-21 16:13 . 2009-11-21 16:13 315392 ----a-w- c:\windows\HideWin.exe
2009-11-21 13:06 . 2009-11-21 12:52 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-21 12:59 . 2009-11-21 12:59 -------- d-----w- c:\programmi\microsoft frontpage
2009-11-21 12:59 . 2009-11-21 12:59 -------- d-----w- c:\programmi\Messenger Plus! Live
2009-11-21 12:59 . 2009-11-21 13:02 15184 ----a-w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-11-21 12:58 . 2009-11-21 12:58 -------- d-----w- c:\programmi\Windows Live SkyDrive
2009-11-21 12:57 . 2009-11-21 12:57 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-11-21 12:57 . 2009-11-21 12:57 -------- d-----w- c:\programmi\Java
2009-11-21 12:55 . 2009-11-21 12:55 -------- d-----w- c:\programmi\MSBuild
2009-11-21 12:55 . 2009-11-21 12:55 -------- d-----w- c:\programmi\Reference Assemblies
2009-11-21 12:53 . 2009-11-21 12:48 -------- d-----w- c:\programmi\Alky for Applications
2009-11-21 12:52 . 2009-11-21 12:52 -------- d-----w- c:\programmi\Servizi in linea
2009-11-21 12:51 . 2009-11-21 12:51 -------- d-----w- c:\programmi\Windows Media Connect 2
2009-11-21 12:49 . 2009-11-21 12:49 21840 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-21 12:48 . 2009-11-21 12:48 -------- d-----w- c:\programmi\Windows Journal Viewer
2009-11-21 12:48 . 2009-11-21 12:46 -------- d-----w- c:\programmi\Windows Sidebar
2009-11-21 12:47 . 2009-11-21 12:47 -------- d-----w- c:\programmi\MSXML 4.0
2009-11-21 12:46 . 2009-11-21 12:46 -------- d-----w- c:\programmi\Microsoft Silverlight
2003-10-15 12:49 . 2003-10-15 12:49 1130580 ----a-w- c:\programmi\BTStackServer.exe
2003-10-15 12:46 . 2003-10-15 12:46 503869 ----a-w- c:\programmi\BTTray.exe
2003-10-15 12:38 . 2003-10-15 12:38 69632 ----a-w- c:\programmi\btsendto_visio2k.vsl
2003-10-15 12:35 . 2003-10-15 12:35 49152 ----a-w- c:\programmi\btsendto_explorer.exe
2003-05-29 12:53 . 2003-05-29 12:53 91648 ----a-w- c:\programmi\gzip.exe
2003-05-29 12:53 . 2003-05-29 12:53 3158 ----a-w- c:\programmi\bt_cold_icon_grey.ico
2003-05-29 12:53 . 2003-05-29 12:53 3158 ----a-w- c:\programmi\bt_hot_icon.ico
2003-05-29 12:53 . 2003-05-29 12:53 1320 ----a-w- c:\programmi\btsendto_ie_ctx.htm
2003-05-29 12:53 . 2003-05-29 12:53 3158 ----a-w- c:\programmi\bt_cold_icon.ico
2003-05-29 12:53 . 2003-05-29 12:53 2681 ----a-w- c:\programmi\btsendto_ie.htm
2003-04-14 14:42 . 2003-04-14 14:42 1574 ----a-w- c:\programmi\
2003-03-24 09:38 . 2003-03-24 09:38 188659 ----a-w- c:\programmi\BTW_hlp.chm
2002-09-27 17:38 . 2002-09-27 17:38 73225 ----a-w- c:\programmi\context.hlp
2002-05-15 22:29 . 2002-05-15 22:29 591 ----a-w- c:\programmi\bttray.exe.manifest

------- Sigcheck -------

[-] 2009-06-21 . 52139397C3ECAEF129D9B698B1D8CECA . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... è mancante !!
c:\windows\System32\regsvc.dll ... è mancante !!
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

"UnlockerAssistant"="c:\windows\system32\UnlockerAssistant.exe" [2009-06-21 15872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RemoteControl9"="c:\programmi\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-04-27 87336]
"PDVD9LanguageShortcut"="c:\programmi\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\programmi\Cyberlink\Shared Files\brs.exe" [2009-05-07 75048]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5048488]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2009-09-12 357384]
"Malwarebytes Anti-Malware (reboot)"="c:\programmi\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1622016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-13 110592]

"Sidebar"="c:\programmi\Windows Sidebar\sidebar.exe" [2009-06-21 1291264]

"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-06-21 128512]

"NoResolveTrack"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [01/12/2009 12.27.01 207792]
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [21/11/2009 21.21.46 902432]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/21 20:41];c:\programmi\CyberLink\PowerDVD9\000.fcl [07/05/2009 21.05.22 87536]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\programmi\File comuni\Acronis\CDP\afcdpsrv.exe [21/11/2009 21.21.47 2326920]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\programmi\Spyware Doctor\BDT\BDTUpdateService.exe [01/12/2009 12.27.16 112592]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [21/11/2009 21.21.48 159168]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programmi\Spyware Doctor\pctsAuxs.exe [01/12/2009 12.26.54 359624]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection WSidebar.inf,Register_SideBar
Contenuto della cartella 'Scheduled Tasks'

2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{9FE3EB6F-D051-4868-8029-291DFCDF7922}.job
- c:\windows\system32\msfeedssync.exe [2001-08-31 15:32]
------- Scansione supplementare -------
uStart Page = hxxp://
uInternet Settings,ProxyServer = http=
uInternet Settings,ProxyOverride = <local>
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\btsendto_ie_ctx.htm
Trusted Zone:
Trusted Zone:
FF - ProfilePath - c:\documents and settings\Utente\Dati applicazioni\Mozilla\Firefox\Profiles\g6pabq8u.default\
FF - prefs.js: browser.startup.homepage -

c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

HKLM-Run-OPSE reminder - c:\programmi\ScanSoft\OmniPageSE2.0\EregIta\Ereg.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuide.exe UninstallGUI


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-12-03 15:19
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x84A42618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72d0852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7192bb0
PacketIndicateHandler -> NDIS.sys @ 0xf719fb21
SendHandler -> NDIS.sys @ 0xf717d87b
user & kernel MBR OK
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !


--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(868)

- - - - - - - > 'lsass.exe'(932)
Ora fine scansione: 2009-12-03 15:23
ComboFix-quarantined-files.txt 2009-12-03 14:23

Pre-Run: 43.653.279.744 byte disponibili
Post-Run: 43.639.336.960 byte disponibili

[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2D53503FE49919F65D6AB682402C4784
Posted: Thursday, December 03, 2009 4:46:03 PM

Download MBR.EXE directly into C:\

Go into Safe Mode

From Start - Run - type C:\mbr.exe and click OK (copy and paste it)

Post the report it produces
Posted: Friday, December 04, 2009 1:59:54 PM
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
Posted: Friday, December 04, 2009 4:47:45 PM

Delete the text file you posted to me from C:\

Go to Start >> Run and type mbr.exe -f (COPY\PASTE IT)
mbr.exe will take a few seconds to run the scan. Once that's done, post here the contents of the log it creates, which you'll find in c:\mbr.log
Posted: Friday, December 04, 2009 6:18:45 PM
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
Posted: Friday, December 04, 2009 6:25:08 PM

Are you sure you deleted the first text file before running the scan? Delete both of them.


Go to Start >> Run and type mbr.exe -f (COPY\PASTE IT) and post the result
