Thanks guys.
I followed your advice, but apparently there is some virus and it can't be removed.
I'm sending you the results of the scans with 1. Malwarebytes and 2. ComboFix
1. Malwarebytes LOG
Malwarebytes' Anti-Malware 1.37
Versione del database: 2220
Windows 5.1.2600 Service Pack 2
03/06/2009 13.21.08
mbam-log-2009-06-03 (13-20-56).txt
Tipo di scansione: Scansione completa (C:\|D:\|E:\|F:\|)
Elementi scansionati: 226005
Tempo trascorso: 2 hour(s), 5 minute(s), 5 second(s)
Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 2
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 1
Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)
Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)
Chiavi di registro infette:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
Valori di registro infetti:
(Nessun elemento malevolo rilevato)
Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)
Cartelle infette:
(Nessun elemento malevolo rilevato)
File infetti:
d:\documents and settings\CLIENT.UTENTE-28EDAFBD\Dati applicazioni\wiaserva.log (Malware.Trace) -> No action taken.
2. ComboFix LOG
ComboFix 09-06-01.03 - CLIENT 04/06/2009 9.15.29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.3070.2514 [GMT 2:00]
Eseguito da: d:\documents and settings\CLIENT.UTENTE-28EDAFBD\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000000-F020-0012-5555-927C00000000}
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\system32\drivers\Msft_Kernel_winbondhidcir_01005.Wdf
d:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
d:\windows\system32\x64
d:\windows\system32\x64\csnp2uvc.dll
d:\windows\system32\x64\rsnpvc64.dll
d:\windows\system32\x64\sncduvc.sys
d:\windows\system32\x64\snp2uvc.sys
d:\windows\system32\x64\vsnpvc64.dll
d:\windows\system32\grpconv.exe . . . è infetto!!
.
((((((((((((((((((((((((( Files Creati Da 2009-05-04 al 2009-06-04 )))))))))))))))))))))))))))))))))))
.
2009-06-01 09:38 . 2009-03-30 08:33 96104 ----a-w- d:\windows\system32\drivers\avipbb.sys
2009-06-01 09:38 . 2009-03-24 14:08 55640 ----a-w- d:\windows\system32\drivers\avgntflt.sys
2009-06-01 09:38 . 2009-02-13 10:29 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys
2009-06-01 09:38 . 2009-02-13 10:17 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys
2009-06-01 09:38 . 2009-06-01 09:38 -------- d-----w- d:\programmi\Avira
2009-06-01 09:38 . 2009-06-01 09:38 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Dati applicazioni\Avira
2009-06-01 09:15 . 2009-06-01 11:42 -------- d-----w- d:\programmi\Navilog1
2009-06-01 08:42 . 2009-06-01 08:42 -------- d-----w- d:\documents and settings\CLIENT.UTENTE-28EDAFBD\.housecall6.6
2009-06-01 06:45 . 2009-06-01 06:54 -------- d-----w- d:\programmi\Registry Easy
2009-06-01 06:31 . 2009-06-01 06:31 -------- d-----w- d:\programmi\Trend Micro
2009-05-29 11:46 . 2008-12-11 06:38 159600 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
2009-05-29 11:46 . 2009-06-04 07:27 -------- d---a-w- d:\documents and settings\All Users.WINDOWS\Dati applicazioni\TEMP
2009-05-29 11:46 . 2009-04-03 09:18 130936 ----a-w- d:\windows\system32\drivers\PCTCore.sys
2009-05-29 11:46 . 2008-12-18 10:16 73840 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
2009-05-29 11:46 . 2009-05-29 11:46 -------- d-----w- d:\programmi\File comuni\PC Tools
2009-05-29 11:46 . 2008-12-10 09:36 64392 ----a-w- d:\windows\system32\drivers\pctplsg.sys
2009-05-29 11:46 . 2009-06-03 07:05 -------- d-----w- d:\programmi\Spyware Doctor
2009-05-29 11:46 . 2009-05-29 11:46 -------- d-----w- d:\documents and settings\CLIENT.UTENTE-28EDAFBD\Dati applicazioni\PC Tools
2009-05-29 11:46 . 2009-05-29 11:46 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Dati applicazioni\PC Tools
2009-05-28 10:38 . 2009-05-28 10:38 -------- d-----w- d:\documents and settings\CLIENT.UTENTE-28EDAFBD\Dati applicazioni\Malwarebytes
2009-05-28 10:37 . 2009-05-26 11:20 40160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 10:37 . 2009-06-03 09:11 -------- d-----w- d:\programmi\Malwarebytes' Anti-Malware
2009-05-28 10:37 . 2009-05-28 10:37 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Dati applicazioni\Malwarebytes
2009-05-28 10:37 . 2009-05-26 11:19 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-05-28 09:26 . 2009-05-28 07:10 39419960 ----a-w- D:\Norman_Malware_Cleaner.exe
2009-05-28 09:17 . 2009-05-28 15:41 -------- d-----w- d:\windows\system32\NtmsData
2009-05-22 19:01 . 2009-06-01 07:49 -------- d-----w- d:\documents and settings\CLIENT.UTENTE-28EDAFBD\Dati applicazioni\Lavasoft
2009-05-17 13:19 . 2009-05-28 12:10 -------- d-----w- d:\windows\system32\CatRoot_bak
2009-05-17 13:19 . 2008-06-14 17:59 272768 -c----w- d:\windows\system32\dllcache\bthport.sys
2009-05-17 13:17 . 2008-10-24 11:10 453632 -c----w- d:\windows\system32\dllcache\mrxsmb.sys
2009-05-17 13:16 . 2009-02-09 11:49 2019328 -c----w- d:\windows\system32\dllcache\ntkrpamp.exe
2009-05-17 13:16 . 2009-02-09 11:48 2061440 -c----w- d:\windows\system32\dllcache\ntkrnlpa.exe
2009-05-17 13:16 . 2009-02-09 11:48 2184192 -c----w- d:\windows\system32\dllcache\ntoskrnl.exe
2009-05-17 13:16 . 2009-02-09 11:48 2139648 -c----w- d:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-15 19:07 . 2008-07-30 15:42 23888 ----a-w- d:\windows\system32\drivers\COH_Mon.sys
2009-05-13 21:08 . 2009-05-13 21:08 32 --s-a-w- d:\windows\system32\3266401502.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 07:37 . 2009-02-19 16:07 -------- d-----w- d:\programmi\Norton AntiVirus
2009-06-03 07:32 . 2009-02-19 16:06 -------- d-----w- d:\programmi\File comuni\Symantec Shared
2009-06-03 06:55 . 2004-08-19 12:00 84354 ----a-w- d:\windows\system32\perfc010.dat
2009-06-03 06:55 . 2004-08-19 12:00 489648 ----a-w- d:\windows\system32\perfh010.dat
2009-05-28 13:17 . 2008-06-30 13:58 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Dati applicazioni\Spybot - Search & Destroy
2009-05-16 12:47 . 2008-06-30 13:58 -------- d-----w- d:\programmi\Spybot - Search & Destroy
2009-05-15 19:07 . 2009-02-19 16:06 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Dati applicazioni\Symantec
2009-04-24 16:58 . 2008-06-30 15:07 64744 ----a-w- d:\documents and settings\CLIENT.UTENTE-28EDAFBD\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-04-24 16:55 . 2004-08-19 12:00 504832 ----a-w- d:\windows\system32\winlogon.exe
2009-04-24 16:32 . 2008-06-10 15:08 23604 -c--a-w- d:\windows\system32\emptyregdb.dat
2009-04-24 11:29 . 2009-04-24 08:05 -------- d-----w- d:\programmi\VS Revo Group
2009-04-24 09:45 . 2009-04-24 09:45 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Dati applicazioni\Office Genuine Advantage
2009-04-24 07:13 . 2009-04-07 21:18 -------- d-----w- d:\programmi\Yahoo!
2009-04-23 17:48 . 2008-06-10 15:10 86327 ----a-w- d:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-07 21:18 . 2009-04-07 21:18 -------- d-----w- d:\documents and settings\CLIENT.UTENTE-28EDAFBD\Dati applicazioni\Yahoo!
2009-04-07 21:18 . 2008-06-30 13:48 -------- d-----w- d:\programmi\CCleaner
2009-04-05 16:20 . 2008-06-10 16:09 -------- d-----w- d:\programmi\File comuni\Adobe
2009-03-06 14:44 . 2004-08-19 12:00 285696 ----a-w- d:\windows\system32\pdh.dll
.
------- Sigcheck -------
[-] 2009-04-24 16:55 504832 FD46B348FCA32A1987B9A32B6BA81D2E d:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"SpybotSD TeaTimer"="d:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 139264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="d:\windows\system32\dumprep 0 -u" [X]
"Symantec PIF AlertEng"="d:\programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ccApp"="d:\programmi\File comuni\Symantec Shared\ccApp.exe" [2006-09-03 84640]
"ISTray"="d:\programmi\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"TkBellExe"="d:\programmi\File comuni\Real\Update_OB\realsched.exe" [2009-02-21 185872]
"SynTPStart"="d:\programmi\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"RemoteControl"="d:\programmi\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"osCheck"="d:\programmi\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-06-06 8433664]
"NeroFilterCheck"="d:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"LManager"="d:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]
"LanguageShortcut"="d:\programmi\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"IAAnotif"="d:\programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-06-12 174872]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"AzMixerSel"="d:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"Adobe Reader Speed Launcher"="d:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ACU"="d:\programmi\Atheros\ACU.exe" [2005-01-31 253952]
"avgnt"="d:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - d:\windows\RTHDCPL.EXE [2006-09-10 16384512]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2007-06-06 1626112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"RestrictRun"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Programmi\\Microsoft Games\\Age of Mythology\\aomx.exe"=
R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [29/05/2009 13.46.52 130936]
R2 sdAuxService;PC Tools Auxiliary Service;d:\programmi\Spyware Doctor\pctsAuxs.exe [29/05/2009 13.46.41 348752]
R2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;d:\programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe [19/02/2009 18.06.39 198336]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;d:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [17/05/2009 15.18.38 101936]
R3 hidshim;Service for HID-KMDF Shim layer;d:\windows\system32\drivers\hidshim.sys [03/06/2008 13.37.04 5632]
R3 winbondhidcir;Winbond HID CIR Receiver;d:\windows\system32\drivers\winbondhidcir.sys [03/06/2008 13.37.00 23040]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;d:\windows\system32\drivers\RTL8150.SYS [10/06/2008 18.18.14 26505]
--- Altri Servizi/Drivers In Memoria ---
*Deregistered* - mchInjDrv
.
Contenuto della cartella 'Scheduled Tasks'
2009-03-20 d:\windows\Tasks\Norton AntiVirus - Scansione completa sistema - CLIENT.job
- d:\progra~1\NORTON~1\Navw32.exe [2006-09-07 00:38]
2009-06-01 d:\windows\Tasks\Schedule Task Weekly.job
- d:\programmi\Registry Easy\RE.exe [2009-06-01 15:47]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
SafeBoot-procexp90.Sys
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: {C9D37347-DA34-45DC-A981-B314A868C6E9} = 192.168.16.1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 09:27
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'explorer.exe'(2124)
d:\windows\system32\msi.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
d:\windows\system32\acs.exe
d:\programmi\Avira\AntiVir Desktop\sched.exe
d:\programmi\Avira\AntiVir Desktop\avguard.exe
d:\windows\system32\netdde.exe
d:\programmi\File comuni\Symantec Shared\ccSvcHst.exe
d:\windows\system32\clipsrv.exe
d:\programmi\Intel\Intel Matrix Storage Manager\IAANTmon.exe
d:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\windows\system32\nvsvc32.exe
d:\programmi\CyberLink\Shared files\RichVideo.exe
d:\programmi\Spyware Doctor\pctsSvc.exe
d:\programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
d:\programmi\File comuni\Symantec Shared\AppCore\AppSvc32.exe
d:\programmi\Synaptics\SynTP\SynTPEnh.exe
d:\windows\system32\rundll32.exe
d:\docume~1\CLIENT~1.UTE\IMPOST~1\temp\RtkBtMnt.exe
d:\programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Ora fine scansione: 2009-06-04 9.30.25 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-06-04 07:30
Pre-Run: 102.967.549.952 byte disponibili
Post-Run: 102.869.598.208 byte disponibili
221 --- E O F --- 2009-06-01 09:42
THANKS EVERYONE FOR THE HELP