Aiutamici Forum

pc problems
sibo78
Posted: Wednesday, December 24, 2008 8:38:56 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
Hi everyone, and best wishes!!!

Sorry I didn't reply again to the previous post, but I decided to format the PC.
Now, though, a few days later, I still have some problems.
Everything was fine until today, but two hours ago the PC rebooted by itself, and after the restart Avast no longer works.
When I try to launch it, an alert appears saying that the file avast.exe is not a valid Win32 application.
The same thing happens when I try to launch HijackThis.
I ran a scan with Malwarebytes and this is the log:


Malwarebytes' Anti-Malware 1.31
Versione del database: 1540
Windows 5.1.2600 Service Pack 3

24/12/2008 19.42.15
mbam-log-2008-12-24 (19-42-15).txt

Tipo di scansione: Scansione completa (C:\|D:\|F:\|G:\|)
Elementi scansionati: 90753
Tempo trascorso: 38 minute(s), 41 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 3
Valori di registro infetti: 1
Elementi dato del registro infetti: 0
Cartelle infette: 1
File infetti: 7

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sk9ou0s (Worm.Bagel) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sk9ou0s (Worm.Bagel) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk9ou0s (Worm.Bagel) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
C:\Documents and Settings\Sibo\Dati applicazioni\m (Trojan.Agent) -> Delete on reboot.

File infetti:
C:\Documents and Settings\Sibo\Dati applicazioni\drivers\srosa2.sys (Worm.Bagel) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sibo\Dati applicazioni\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sibo\Dati applicazioni\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sibo\Dati applicazioni\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\Sibo\Dati applicazioni\m\flec006.exe (Trojan.Agent) -> Delete on reboot.


thanks everyone, and once again best wishes for a happy Christmas

simo
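As a triage aid for the log above (an added example, not code from the thread or from Malwarebytes), a small Python parser for the mbam 1.x log format: it reads the section names from the log itself, checks the summary counts against the detail lines, groups findings by detection name, and lists the Run-key entries and the items left "Delete on reboot", which need a re-check after the restart.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x scan log (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the summary block and detail lines of the mbam log
# posted above (other header lines omitted).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Elementi scansionati: 90753

Processi delle memoria infetti: 0
Chiavi di registro infette: 3
Valori di registro infetti: 1
Cartelle infette: 1
File infetti: 7

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sk9ou0s (Worm.Bagel) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sk9ou0s (Worm.Bagel) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk9ou0s (Worm.Bagel) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.

Cartelle infette:
C:\Documents and Settings\Sibo\Dati applicazioni\m (Trojan.Agent) -> Delete on reboot.

File infetti:
C:\Documents and Settings\Sibo\Dati applicazioni\drivers\srosa2.sys (Worm.Bagel) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sibo\Dati applicazioni\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sibo\Dati applicazioni\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sibo\Dati applicazioni\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\Sibo\Dati applicazioni\m\flec006.exe (Trojan.Agent) -> Delete on reboot.
"""

# "<section>: <n>" summary lines and "<item> (<detection>) -> <action>." detail lines
SUMMARY_RE = re.compile(r"^(?P<section>[^:]+): (?P<count>\d+)$")
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Finding:
    section: str    # log section the line came from, e.g. "File infetti"
    item: str       # registry key/value, folder or file path
    detection: str  # classification, e.g. "Worm.Bagel"
    action: str     # what mbam did, e.g. "Delete on reboot"


def parse_mbam_log(text):
    """Return (summary_counts, findings). Section names are read from the log
    itself (lines ending in ':'), so the parser is independent of the UI language."""
    lines = [line.strip() for line in text.splitlines()]
    headers = {line[:-1] for line in lines if len(line) > 1 and line.endswith(":")}
    summary, findings, current = {}, [], None
    for line in lines:
        if line.endswith(":") and line[:-1] in headers:
            current = line[:-1]            # entering a detail section
            continue
        m = SUMMARY_RE.match(line)
        if current is None and m and m.group("section") in headers:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = DETAIL_RE.match(line)
        if current is not None and m:  # "(Nessun elemento ...)" lines do not match
            findings.append(Finding(current, m.group("item"),
                                    m.group("detection"), m.group("action")))
    return summary, findings


def count_mismatches(summary, findings):
    """Sections whose detail lines do not add up to the summary count."""
    actual = Counter(f.section for f in findings)
    return {s: (n, actual[s]) for s, n in summary.items() if actual[s] != n}


def pending_on_reboot(findings):
    """Items mbam could not remove live: confirm they are gone after the restart."""
    return [f.item for f in findings if f.action.lower().startswith("delete on reboot")]


def persistence_entries(findings):
    """Run-key values, i.e. the autostart entries that relaunch the malware at logon."""
    return [f.item for f in findings if "\\CurrentVersion\\Run\\" in f.item]


def by_detection(findings):
    """Number of findings per classification name."""
    return Counter(f.detection for f in findings)


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(summary, findings) or "none")
    print("per detection:", dict(by_detection(findings)))
    print("autostart entries:", persistence_entries(findings))
    print("re-check after reboot:", pending_on_reboot(findings))
```

The FindyKill report later in this thread still lists mule_st_key under the HKCU Run key a week after this scan, which is exactly the kind of pending deletion the re-check is meant to catch.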
shapiro
Posted: Wednesday, December 24, 2008 9:05:44 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
hi, and best wishes

if you can, delete right away what Malwarebytes found

unfortunately you've been hit by the dreadful Bagle

follow the procedures carefully

disable System Restore during all the operations

download http://swandog46.geekstogo.com/avenger.zip

install it and launch it

Copy and paste into the "Input script here" window the text in red, exactly as you see it written:

Files to delete:
%SystemDrive%\WINDOWS\system32\drivers\hidr.exe
%SystemDrive%\WINDOWS\system32\drivers\srosa.sys
%SystemDrive%\WINDOWS\system32\wintems.exe
%SystemDrive%\WINDOWS\system32\hldrrr.exe
%SystemDrive%\WINDOWS\system32\trusted.exe
%SystemDrive%\WINDOWS\system32\drivers\pci32.sys
%UserProfile%\Dati applicazioni\hidires\hidr.exe
%UserProfile%\Dati applicazioni\hidires\rosa.sys
%UserProfile%\Dati applicazioni\m\list.oct
%UserProfile%\Dati applicazioni\m\data.oct
%UserProfile%\Dati applicazioni\m\flec006.exe
%UserProfile%\Dati applicazioni\m\svrlist.oct
%SystemDrive%\system32\re_file.exe
%SystemDrive%\elist.xpt
%UserProfile%\Dati applicazioni\hidires\m_hook.sys
%SystemDrive%\WINDOWS\system32\drivers\hldrrr.exe
%SystemDrive%\WINDOWS\system32\drivers\hldrrr.ex_
%SystemDrive%\WINDOWS\system32\mdelk.exe
%SystemDrive%\WINDOWS\system32\drivers\mdelk.exe
%SystemDrive%\WINDOWS\system32\drivers\pci32.sys
%SystemDrive%\WINDOWS\system32\edlm.exe
%SystemDrive%\WINDOWS\system32\edlm2.exe
%SystemDrive%\Windows\system32\ldR64.dll
%SystemDrive%\WINDOWS\system32\german.exe
%SystemDrive%\WINDOWS\system32\drivers\srosa.sys.XXX
%SystemDrive%\WINDOWS\system32\mdelk.exe.XXX
%SystemDrive%\WINDOWS\system32\wintems.exe.XXX
%SystemDrive%\WINDOWS\system32\1.exe

Folders to delete:
%SystemDrive%\WINDOWS\exefqd
%SystemDrive%\WINDOWS\exefnd
%SystemDrive%\WINDOWS\exefld
%UserProfile%\Dati applicazioni\hidires
%UserProfile%\Dati applicazioni\hidn
%UserProfile%\Dati applicazioni\m\shared
%UserProfile%\Dati applicazioni\m
%SystemDrive%\WINDOWS\System32\drivers\down
%SystemDrive%\WINDOWS\system32\drivers\downld

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
HKLM\SYSTEM\CurrentControlSet\Services\rosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | drvsyskit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | german.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | drv_st_key

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Drivers to disable:
%SystemDrive%\WINDOWS\system32\drivers\hidr.exe
%SystemDrive%\WINDOWS\system32\drivers\srosa.sys
%SystemDrive%\WINDOWS\system32\drivers\pci32.sys
%SystemDrive%\WINDOWS\system32\drivers\hldrrr.exe
%SystemDrive%\WINDOWS\system32\drivers\mdelk.exe


Tick "Automatically disable any rootkits found" and click "execute".
The PC should reboot on its own; otherwise reboot it yourself. Post the report it produces, which you'll find in c:\avenger.

download this little program... the download is at the bottom of the page http://www.zonavirus.com/datos/descargas/95/elibagla.asp


go into safe mode

if you can't get into safe mode, download this file, click on it and accept the registry changes - this way safe mode will be restored - if your operating system is Windows Vista, let me know

http://wikisend.com/download/928298/SafeBoot.zip

launch the program and tick '' ELIMINAR FICHEROS AUTOMATICAMENTE''

click on EXPLORAR to start the scan

when it finishes it will generate the report as the text file C:\InfoSat.txt, which you'll post here in the forum

download http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable the antivirus and anti-spyware programs
Disconnect the PC from the internet
If you have shortcut icons to programs on the desktop, create a dedicated folder and copy them into it

Double-click combofix.exe and follow the instructions step by step

When it finishes it will create the log C:\combofix.txt; save it and post it like the other reports.

Note: during the scan some files will be created on the desktop and the icons will disappear; it may happen that some program asks you what to do about removing drivers, in which case consent, they are probably infected drivers.

The program will create the folder C:\QooBox, and inside it a backup of the removed files and a backup file of the Windows registry called Hiv-backup will be placed.

DO NOT TOUCH THE MOUSE OR KEYBOARD during the scan.

awaiting your news
sibo78
Posted: Wednesday, December 24, 2008 9:13:11 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
I downloaded it, but if I launch the installer it gives me the usual message: the file is not a valid Win32 application
shapiro
Posted: Wednesday, December 24, 2008 9:14:19 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
try renaming it to abc.exe
sibo78
Posted: Thursday, January 01, 2009 4:29:26 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
hi, sorry for the delay, but I haven't been at home these last few days.

I renamed the file as you suggested, but I still can't launch it; the same warning always appears.


shapiro
Posted: Thursday, January 01, 2009 4:53:09 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
try this one, it shouldn't recognize it

download http://sd-1.archive-host.com/membres/up/116615172019703188/FindyKill.exe

Double-click the FindyKill icon to start the installation:
Tick the first box to accept the licence and continue > Suivant
Click "Yes" to assign a folder to the program
Click Démarrer > Quitter to finish the installation.
Look for the program icon on the desktop or in Programs and run it
You'll need to use key 1 (Enter) first for the search, and then key 2 (Enter) for the cleaning.
You'll find the report of the operations carried out in C:\FindyKill.txt
Attach the report to your reply.
sibo78
Posted: Thursday, January 01, 2009 5:21:29 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
At least I managed to launch this one; below is the report of the search only, now I'll do the cleaning:

----------------- FindyKill V4.710 ------------------

* User: Sibo - SIMO-EB13199DED
* Executed from : C:\Programmi\FindyKill
* Update on 21/12/08 by Chiquitine29
* Start at 17:18:48 the 01/01/2009
* Windows XP - Internet Explorer 7.0.5730.13

((((((((((((((((( *** Searching *** ))))))))))))))))))


--------------- [ Active Processes ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmi\MagicDisc\MagicDisc.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

--------------- [ Infected files / folders ] ----------------


»»»» Presence Files in C:


»»»» Presence Files in C:\WINDOWS


»»»» Presence Files in C:\WINDOWS\Prefetch


»»»» Presence Files in C:\WINDOWS\system32


»»»» Presence Files in C:\WINDOWS\system32\config\systemprofile\AppData\Roaming


»»»» Presence Files in C:\WINDOWS\system32\drivers


»»»» Presence Files in C:\Documents and Settings\Sibo\Dati applicazioni

Found ! [01/01/2009 17.17] - "C:\Documents and Settings\Sibo\Dati applicazioni\drivers"
Found ! [01/01/2009 17.17] - "C:\Documents and Settings\Sibo\Dati applicazioni\drivers\downld"

»»»» Presence Files in C:\DOCUME~1\Sibo\IMPOST~1\Temp


»»»» Presence Files in C:\Documents and Settings\Sibo\Local Settings\Temporary Internet Files\Content.IE5


--------------- [ Registry / Startup ] ----------------

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
AlcoholAutomount="C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
H/PC Connection Agent="C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
drvsyskit=C:\Documents and Settings\Sibo\Dati applicazioni\drivers\winupgro.exe
german.exe=C:\WINDOWS\system32\wintems.exe
mule_st_key=C:\Documents and Settings\Sibo\Dati applicazioni\m\flec006.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
avast!=C:\Programmi\Alwil Software\Avast4\ashDisp.exe
ZoneAlarm Client="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
Adobe Reader Speed Launcher="C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
Installed=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
Installed=1
NoChange=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
Installed=1
<NO NAME>=

[HKEY_CURRENT_USER\software\local appwizard-generated applications\axcmd]

--------------- [ Registry / Infected keys ] ----------------


Found ! - HKEY_USERS\S-1-5-21-448539723-527237240-725345543-1004\Software\bisoft
Found ! - HKEY_CURRENT_USER\Software\bisoft
Found ! - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] | drvsyskit
Found ! - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] | german.exe
Found ! - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] | mule_st_key

--------------- [ States / Services ] ----------------



+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

EapHost - Type of startup = 2

Ip6Fw - Type of startup = 2

SharedAccess - Type of startup = 2

wuauserv - Type of startup = 2

wscsvc - Type of startup = 2



--------------- [ Searching in removable drives ] ----------------


+- Informations :

C: - Unità fissa

D: - Unità fissa

F: - Unità fissa

G: - Unità fissa

J: - Unità rimovibile


+- Presence of files :



--------------- [ Registry / Mountpoint2 ] ----------------


-> Not found !


------------------- ! End of report ! --------------------

sibo78
Posted: Thursday, January 01, 2009 5:26:59 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
and this is the report of the cleaning:


----------------- FindyKill V4.710 ------------------

* User : Sibo - SIMO-EB13199DED
* executed from : C:\Programmi\FindyKill
* Update on 21/12/08 par Chiquitine29
* Start at 17:23:57 the 01/01/2009
* Windows XP - Internet Explorer 7.0.5730.13


((((((((((((((( *** deleting *** ))))))))))))))))))


--------------- [ Active Processes ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\alg.exe

--------------- [ Infected files / folders ] ----------------


»»»» Supression files in C:


»»»» Supression files in C:\WINDOWS


»»»» Supression files in C:\WINDOWS\Prefetch


»»»» Supression files in C:\WINDOWS\system32


»»»» Supression files in C:\WINDOWS\system32\config\systemprofile\AppData\Roaming


»»»» Supression files in C:\WINDOWS\system32\drivers


»»»» Supression files in C:\Documents and Settings\Sibo\Dati applicazioni

Deleted ! - "C:\Documents and Settings\Sibo\Dati applicazioni\drivers\downld"
Deleted ! - "C:\Documents and Settings\Sibo\Dati applicazioni\drivers"

»»»» Supression files in C:\DOCUME~1\Sibo\IMPOST~1\Temp


»»»» Supression files in C:\Documents and Settings\Sibo\Local Settings\Temporary Internet Files\Content.IE5

Deleted ! - C:\Documents and Settings\All Users\Dati applicazioni\Skype\Plugins\Local Cache\D3987B641C134048B815DB578D607F42_more.jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\b64[1].jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\b64[2].jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\b64_5[1].jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\mxd[1].jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\mxd[2].jpg

--------------- [ Registry / Infected keys ] ----------------

Deleted ! - HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_SROSA

--------------- [ States / Restarting of services ] ----------------



+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

EapHost - Type of startup = 2

Ip6Fw - Type of startup = 2

SharedAccess - Type of startup = 2

wuauserv - Type of startup = 2

wscsvc - Type of startup = 2


--------------- [ Cleaning removable drives ] ----------------

+- Informations :

C: - Unità fissa

D: - Unità fissa

F: - Unità fissa

G: - Unità fissa


+- deleting files :


--------------- [ Registry / Mountpoint2 ] ----------------


-> Not found !


--------------- [ Searching Cracks / Keygen ] ----------------

C:\Documents and Settings\Sibo\Dati applicazioni\uTorrent\Alcohol 120% v1.9.7 (Build 6221) Multi (ITA) + crack by GEEX.rar.torrent
C:\Documents and Settings\Sibo\Recent\Alcohol 120% v1.9.7 (Build 6221) Multi (ITA) + crack by GEEX.rar.lnk
C:\Documents and Settings\Sibo\Recent\Avast 4.1 Pro+Keygen+Skins.lnk
C:\Documents and Settings\Sibo\Recent\[Pc-Game-Ita] Doom 3 ITA Full + Keygen [DVD].iso.lnk


---------------- ! End of report ! ------------------


shapiro
Posted: Thursday, January 01, 2009 5:35:04 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
FindyKill removed something

now see if you can launch Avenger - if you can, do as I wrote in the previous post

try launching it from safe mode too

sibo78
Posted: Thursday, January 01, 2009 5:36:13 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
unfortunately I still can't launch it, not even by renaming it.
shapiro
Posted: Thursday, January 01, 2009 5:47:26 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
try from here

http://wikisend.com/download/637232/fog.zip

if it doesn't work, run FindyKill again - as soon as it's finished post the report and do an online scan

http://www.kaspersky.com/virusscanner

1. Click on Kaspersky Online Scanner
2. Click on Accept
3. An update will start
4. Go to the left-hand column where it says Scan and choose My Computer
5. At the end of the scan, at the bottom right you'll find the entry View Scan Report. Click on it, then click "Save Report As" and save it to the desktop.

The scan requires Sun's Java and accepting the ActiveX control
To run the scan, go to the Kaspersky page; you must have only that page open. Disable your antivirus, launch the scan, and once it has loaded all the database files and starts scanning you can even disconnect the PC from the internet and let it work.
sibo78
Posted: Thursday, January 01, 2009 6:12:48 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
I managed to launch the program: I went into safe mode and ran EliBagle, this is its report:

Thu Jan 01 18:05:55 2009
EliBagle v12.07 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 30 de Diciembre del 2008)

Lista de Acciones (por Acción Directa):

Thu Jan 01 18:06:11 2009
EliBagle v12.07 (c)2008 S.G.H. / Satinfo S.L. (Actualizado el 30 de Diciembre del 2008)

Lista de Acciones (por Exploración):
Explorando "C:\"

Nº Total de Directorios: 1724
Nº Total de Ficheros: 25200
Nº de Ficheros Analizados: 8309
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0


now I'll try ComboFix!

sibo78
Posted: Thursday, January 01, 2009 6:21:48 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
here is the ComboFix report:


ComboFix 08-12-31.01 - Sibo 2009-01-01 18.17.18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1040.18.767.562 [GMT 1:00]
Eseguito da: J:\ComboFix.exe
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sibo\Dati applicazioni\drivers\downld
C:\Documents
C:\InfoSat.txt
c:\programmi\Alcohol Soft\Alcohol 120\axcmd.exe
J:\InfoSat.txt

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\programmi\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\programmi\Alwil Software\Avast4\ashDisp.exe" [2009-01-01 81000]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2009-01-01 919016]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Sibo\Menu Avvio\Programmi\Esecuzione automatica\
MagicDisc.lnk - c:\programmi\MagicDisc\MagicDisc.exe [2008-12-24 575488]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acrobat Assistant.lnk - c:\programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-12-20 49254]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Sibo\\Desktop\\utorrent.exe"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\wcescomm.exe"= c:\programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys [2008-12-20 8576]
S1 aswSP;avast! Self Protection; []
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys []

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AlcoholAutomount - c:\programmi\Alcohol Soft\Alcohol 120\axcmd.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sibo\Dati applicazioni\Mozilla\Firefox\Profiles\a5nykxps.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bidda.it
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 18:18:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-01 18:20:16
ComboFix-quarantined-files.txt 2009-01-01 17:19:03

Pre-Run: 34,162,823,168 bytes free
Post-Run: 34,169,065,472 bytes free

229 --- E O F --- 2008-12-19 17:20:07
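The "Reg Loading Points" part of the ComboFix report above is the part worth reading by hand: it lists the autostart entries, the Windows Firewall policy (EnableFirewall=0, a Security Center DisableMonitoring flag, the authorized-application list) and the drivers/services with their image file details. The script below is an added example written for this page, not code from the thread or from ComboFix. It parses the excerpt copied from the report above (embedded as constructed sample input) and flags what a responder would check; the function names, rule names and severities are this example's own assumptions.

```python
"""Triage the 'Reg Loading Points' part of a ComboFix report.

Added example for this thread, not code from the forum posts or from
ComboFix. SAMPLE_LOG is the firewall/autostart excerpt copied from the
report posted above; the parsing, rule names and severities are this
example's own assumptions about what a responder would flag.
"""
import re

# Excerpt copied from the ComboFix report posted above (constructed sample input).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\programmi\Alwil Software\Avast4\ashDisp.exe" [2009-01-01 81000]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2009-01-01 919016]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Sibo\\Desktop\\utorrent.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys [2008-12-20 8576]
S1 aswSP;avast! Self Protection; []
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys []
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix service lines: "<start> <name>;<display name>;<image path> [<date size>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<stamp>[^\]]*)\]$"
)
FW_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def parse_registry_points(text):
    """Return ({section key lowercased: [(value name, data), ...]}, [service dicts])."""
    sections, services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("data").strip()))
    return sections, services


def reg_int(data):
    """Parse ComboFix's 'dword:00000001' and '0 (0x0)' renderings into an int."""
    token = data.split(":")[-1].split()[0]
    return int(token, 16) if data.lower().startswith("dword:") else int(token, 0)


def third_party_firewall_present(sections):
    """Heuristic (assumption): a ZoneAlarm client autostart under a Run key."""
    return any(
        "zlclient.exe" in data.lower()
        for key, values in sections.items() if key.endswith(r"\currentversion\run")
        for _, data in values
    )


def triage(text):
    """Apply the four rules below; return a list of {'rule', 'severity', 'message'}."""
    sections, services = parse_registry_points(text)
    findings = []
    tp_fw = third_party_firewall_present(sections)

    # 1. Windows Firewall standard profile switched off. With a third-party firewall
    #    client autostarting this is usually expected, so only the severity is lowered.
    for name, data in sections.get(FW_PROFILE, []):
        if name.lower() == "enablefirewall" and reg_int(data) == 0:
            note = "; zlclient.exe autostarts, which normally explains it" if tp_fw else ""
            findings.append({"rule": "firewall-disabled", "severity": "info" if tp_fw else "high",
                             "message": "Windows Firewall standard profile is off (EnableFirewall=0)" + note})

    # 2. A product told Security Center not to monitor it (same caveat as above).
    for key, values in sections.items():
        if r"security center\monitoring" in key:
            product = key.rsplit("\\", 1)[-1]
            for name, data in values:
                if name.lower() == "disablemonitoring" and reg_int(data) == 1:
                    findings.append({"rule": "wsc-monitoring-disabled", "severity": "info" if tp_fw else "medium",
                                     "message": f"Security Center monitoring disabled for {product}"})

    # 3. Firewall exceptions for binaries living in user-writable locations.
    for name, _ in sections.get(FW_PROFILE + r"\authorizedapplications\list", []):
        path = name.replace("\\\\", "\\").lower()
        if "\\documents and settings\\" in path or "\\temp\\" in path:
            findings.append({"rule": "allowlist-user-path", "severity": "medium",
                             "message": f"firewall exception for a binary in a user-writable path: {path}"})

    # 4. Drivers/services registered with no date/size recorded for their image file.
    for svc in services:
        if not svc["stamp"].strip():
            image = svc["image"] or "(none)"
            findings.append({"rule": "service-no-stamp", "severity": "medium",
                             "message": f"{svc['start']} service {svc['name']} has no file date/size for image {image}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']}: {f['message']}")
```

Run as-is it prints five findings for this report. The severity downgrade is the caveat a practitioner wants: on XP a third-party firewall such as ZoneAlarm commonly switches Windows Firewall off and registers itself with Security Center, so EnableFirewall=0 and DisableMonitoring=1 by themselves are not evidence of compromise here. The allow-list entry for a second copy of utorrent.exe on the user's Desktop and the two avast! services listed with no image details are the items that deserve a closer look.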
shapiro
Posted: Thursday, January 01, 2009 6:30:10 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
You should follow the procedures I give you one step at a time, otherwise my being here is pointless.

Now I'll check the ComboFix report, even though it has already removed Alcohol 120, which I was going to ask you to remove first.
sibo78
Posted: Thursday, January 01, 2009 6:33:24 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
Sorry, you had written to do as described in the previous posts, and I did. I misunderstood.

shapiro
Posted: Thursday, January 01, 2009 6:37:04 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
Quote:
Sorry, you had written to do as described in the previous posts, and I did. I misunderstood.


I never mentioned ComboFix - I meant FindyKill.
sibo78
Posted: Thursday, January 01, 2009 6:42:13 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
OK, sorry, I ran FindyKill and this is the scan report. I'll do the cleanup now, but I'll have to go out shortly, so I'll continue tonight or tomorrow morning. Bye and thanks

----------------- FindyKill V4.710 ------------------

* User: Sibo - SIMO-EB13199DED
* Executed from : C:\Programmi\FindyKill
* Update on 21/12/08 by Chiquitine29
* Start at 18:39:05 the 01/01/2009
* Windows XP - Internet Explorer 7.0.5730.13

((((((((((((((((( *** Searching *** ))))))))))))))))))


--------------- [ Active Processes ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmi\MagicDisc\MagicDisc.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe

--------------- [ Infected files / folders ] ----------------


»»»» Presence Files in C:


»»»» Presence Files in C:\WINDOWS


»»»» Presence Files in C:\WINDOWS\Prefetch


»»»» Presence Files in C:\WINDOWS\system32


»»»» Presence Files in C:\WINDOWS\system32\config\systemprofile\AppData\Roaming


»»»» Presence Files in C:\WINDOWS\system32\drivers


»»»» Presence Files in C:\Documents and Settings\Sibo\Dati applicazioni

Found ! [01/01/2009 18.17] - "C:\Documents and Settings\Sibo\Dati applicazioni\drivers"

»»»» Presence Files in C:\DOCUME~1\Sibo\IMPOST~1\Temp


»»»» Presence Files in C:\Documents and Settings\Sibo\Local Settings\Temporary Internet Files\Content.IE5


--------------- [ Registry / Startup ] ----------------

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
H/PC Connection Agent="C:\Programmi\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
avast!=C:\Programmi\Alwil Software\Avast4\ashDisp.exe
ZoneAlarm Client="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
Adobe Reader Speed Launcher="C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
Installed=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
Installed=1
NoChange=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
Installed=1
<NO NAME>=

[HKEY_CURRENT_USER\software\local appwizard-generated applications\axcmd]

--------------- [ Registry / Infected keys ] ----------------



--------------- [ States / Services ] ----------------



+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

EapHost - Type of startup = 2

Ip6Fw - Type of startup = 2

SharedAccess - Type of startup = 2

wuauserv - Type of startup = 2

wscsvc - Type of startup = 2



--------------- [ Searching in removable drives ] ----------------


+- Informations :

C: - Fixed drive

D: - Fixed drive

F: - Fixed drive

G: - Fixed drive


+- Presence of files :



--------------- [ Registry / Mountpoint2 ] ----------------


-> Not found !


------------------- ! End of report ! --------------------

sibo78
Posted: Thursday, January 01, 2009 6:46:14 PM
Rank: Newbie

Joined: 12/9/2008
Posts: 0
This is the report after cleaning with FindyKill:


----------------- FindyKill V4.710 ------------------

* User : Sibo - SIMO-EB13199DED
* executed from : C:\Programmi\FindyKill
* Update on 21/12/08 by Chiquitine29
* Start at 18:42:55 the 01/01/2009
* Windows XP - Internet Explorer 7.0.5730.13


((((((((((((((( *** deleting *** ))))))))))))))))))


--------------- [ Active Processes ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slserv.exe

--------------- [ Infected files / folders ] ----------------


»»»» Supression files in C:


»»»» Supression files in C:\WINDOWS


»»»» Supression files in C:\WINDOWS\Prefetch


»»»» Supression files in C:\WINDOWS\system32


»»»» Supression files in C:\WINDOWS\system32\config\systemprofile\AppData\Roaming


»»»» Supression files in C:\WINDOWS\system32\drivers


»»»» Supression files in C:\Documents and Settings\Sibo\Dati applicazioni

Deleted ! - "C:\Documents and Settings\Sibo\Dati applicazioni\drivers"

»»»» Supression files in C:\DOCUME~1\Sibo\IMPOST~1\Temp


»»»» Supression files in C:\Documents and Settings\Sibo\Local Settings\Temporary Internet Files\Content.IE5

Deleted ! - C:\Documents and Settings\All Users\Dati applicazioni\Skype\Plugins\Local Cache\D3987B641C134048B815DB578D607F42_more.jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\b64[1].jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\b64[2].jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\b64_5[1].jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\mxd[1].jpg
Deleted ! - C:\Documents and Settings\Sibo\Impostazioni locali\Temporary Internet Files\Content.IE5\4WEZ1BHW\mxd[2].jpg

--------------- [ Registry / Infected keys ] ----------------

Deleted ! - HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_SROSA

--------------- [ States / Restarting of services ] ----------------



+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

EapHost - Type of startup = 2

Ip6Fw - Type of startup = 2

SharedAccess - Type of startup = 2

wuauserv - Type of startup = 2

wscsvc - Type of startup = 2


--------------- [ Cleaning removable drives ] ----------------

+- Informations :

C: - Fixed drive

D: - Fixed drive

F: - Fixed drive

G: - Fixed drive

J: - Removable drive


+- deleting files :


--------------- [ Registry / Mountpoint2 ] ----------------


-> Not found !


--------------- [ Searching Cracks / Keygen ] ----------------

C:\Documents and Settings\Sibo\Dati applicazioni\uTorrent\Alcohol 120% v1.9.7 (Build 6221) Multi (ITA) + crack by GEEX.rar.torrent
C:\Documents and Settings\Sibo\Recent\Alcohol 120% v1.9.7 (Build 6221) Multi (ITA) + crack by GEEX.rar.lnk
C:\Documents and Settings\Sibo\Recent\Avast 4.1 Pro+Keygen+Skins.lnk
C:\Documents and Settings\Sibo\Recent\[Pc-Game-Ita] Doom 3 ITA Full + Keygen [DVD].iso.lnk


---------------- ! End of report ! ------------------


shapiro
Posted: Thursday, January 01, 2009 9:25:59 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
FindyKill removed more junk.

Do you notice any improvement?