Aiutamici Forum

Worm.AutoRun
mauros
Posted: Monday, July 20, 2009 9:57:50 AM

Rank: AiutAmico

Joined: 9/25/2004
Posts: 117
Hello, I ran a scan with Malwarebytes; it detected the following file, Worm.AutoRun, c:\Users\Public\favorites\NiginuL_na.exe. It cannot delete it, and when I use the search function I cannot find the file. What is it? I'm attaching the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2.
Scan saved at 20.20.36, on 17/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Norma

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\mobsync.exe
C:\Users\Maurizio\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Acer\Acer VCM\acp2HID.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=2&o=vp32&d=1008&m=aspire_5930
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [AliceRV_McciTrayApp] C:\Program Files\Alice ti aiuta\McciTrayApp.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Global Startup: Acer VCM.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con Download &Express - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
O9 - Extra 'Tools' menuitem: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3274D6E-6C52-4AD0-BC7E-AE766170D63B}: NameServer = 62.13.171.5 62.13.171.4
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - C:\Program Files\Acer\Acer Bio Protection\WinNotify.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iGroupTec Service (IGBASVC) - Unknown owner - C:\Program Files\Acer\Acer Bio Protection\BASVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe

--
End of file - 11162 bytes
simo95
Posted: Monday, July 20, 2009 10:43:04 AM

Rank: AiutAmico

Joined: 12/4/2008
Posts: 2,008
It's better if you can post the whole log. Show hidden files and folders like this: open any folder, Tools > Folder Options > go to the "View" tab > select "Show hidden files and folders" and untick "Hide protected operating system files (recommended)". Click Yes on the warning. For now just check whether you can see the file; don't delete it, wait for the experts for that, it may be a false positive.
r16
Posted: Monday, July 20, 2009 10:50:28 AM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 10,703
@simo95:
That is the procedure for XP.

@mauros:
This is the procedure for Vista:
http://windowshelp.microsoft.com/Windows/it-IT/help/27e9a81a-fac7-457f-896b-e0017a04a59f1040.mspx

Run these operations as Administrator, and disable UAC.
http://www.faqwindows.com/public/post/disabilitare-uac-da-pannello-di-controllo-disable-uac-12.asp

Start HijackThis, tick the entries I'm about to list and, with every application closed and the Internet disconnected, press Fix checked:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.1.cab
Do a clean-up (registry included) with CCleaner http://www.aiutaamici.com/software?ID=11223
On CCleaner's start screen, click Options and then Advanced, and untick "Only delete files in Windows Temp folders older than 48 hours".

Download and install Malwarebytes:
click here for the download:
http://www.aiutamici.com/software?id=80346
Before scanning, UPDATE it (this is very important).
Run a full system scan.
Post the log.
simo95
Posted: Monday, July 20, 2009 11:00:55 AM

Rank: AiutAmico

Joined: 12/4/2008
Posts: 2,008
Sorry

I hadn't noticed!!
mauros
Posted: Monday, July 20, 2009 3:59:37 PM

Rank: AiutAmico

Joined: 9/25/2004
Posts: 117
I followed the procedures you described; I'm attaching the log.
Malwarebytes' Anti-Malware 1.39
Versione del database: 2465
Windows 6.0.6001 Service Pack 1

20/07/2009 15.53.57
mbam-log-2009-07-20 (15-53-43).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 193583
Tempo trascorso: 1 hour(s), 24 minute(s), 3 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 1

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\Users\Public\Favorites\NginuL_na.exe (Worm.AutoRun) -> No action taken.
r16
Posted: Monday, July 20, 2009 5:19:38 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 10,703
Hi.
It seems Malwarebytes has found it.
Delete it and reboot the PC.
Any other problems?
simo95
Posted: Monday, July 20, 2009 5:20:51 PM

Rank: AiutAmico

Joined: 12/4/2008
Posts: 2,008
But in the first post he said he had already run a scan with Malwarebytes, and that was the result..
r16
Posted: Monday, July 20, 2009 5:25:51 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 10,703
Then just delete the file in red by hand:
C:\Users\Public\Favorites\NginuL_na.exe
The operation must be carried out as Administrator.
If that doesn't work, try in Safe Mode.
If that doesn't work, we try Avenger.
If it doesn't work even with Avenger, we'll look for the referencing key.
mauros
Posted: Monday, July 20, 2009 8:18:09 PM

Rank: AiutAmico

Joined: 9/25/2004
Posts: 117
I ran Malwarebytes in Safe Mode and it finds no infected file; I reboot the PC in normal mode, run the test again and it finds the file. I have a suspicion that the NginuL_na.exe file reappears because I installed the TRE USB modem stick. Manually I can't find it, not even with the search function, and I've also shown hidden files and folders.
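As an added example (not code from the thread), a read-only PowerShell triage script for the situation above: it looks for the reported file with hidden and system attributes included, flags any junction on the path, searches the Run/RunOnce keys for a value naming the file (the "referencing key" r16 mentions), lists the launch lines of any autorun.inf on removable and CD-ROM drives such as the USB modem stick, and shows the AutoRun policy. It assumes an elevated PowerShell on the affected machine; the path is the one from the Malwarebytes log.

```powershell
# Added example, not part of the thread: read-only triage for a file that a
# scanner reports but Explorer's search cannot show. Run from an elevated
# PowerShell; the path is the one in the Malwarebytes log above.
$Target = 'C:\Users\Public\Favorites\NginuL_na.exe'

function Test-SuspectFile {
    param([string]$Path)
    # -Force returns hidden and system files, which Explorer hides by default
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        "Found: {0}  size={1}  attrs={2}  modified={3}" -f `
            $item.FullName, $item.Length, $item.Attributes, $item.LastWriteTime
    } else {
        "Not found even with -Force: $Path"
    }
    # Walk up the parent directories: a junction or symlink (ReparsePoint) on
    # the path explains why a search or a raw deletion tool can fail on it
    $dir = Split-Path -Parent $Path
    while ($dir) {
        $d = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if ($d -and (($d.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)) {
            "Reparse point on path: $dir"
        }
        $dir = Split-Path -Parent $dir
    }
}

function Find-RunReferences {
    param([string]$Name)
    # The "referencing key" from the thread: any Run/RunOnce value that names
    # the file would start it again at every logon
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like "*$Name*") {
                "{0}\{1} = {2}" -f $k, $p.Name, $p.Value
            }
        }
    }
}

function Find-AutorunInf {
    # Worm.AutoRun variants spread through autorun.inf on removable media.
    # DriveType 2 = removable disk, 5 = CD-ROM (USB modem sticks expose a
    # virtual CD-ROM); print only the lines that would launch a program.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=5' |
        ForEach-Object {
            $inf = Join-Path $_.DeviceID 'autorun.inf'
            if ([IO.File]::Exists($inf)) {
                "autorun.inf on $($_.DeviceID):"
                Get-Content -LiteralPath $inf -Force |
                    Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' } |
                    ForEach-Object { "    $_" }
            }
        }
}

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled;
    # 0xFF disables it for every drive type, which blocks this spreading vector
    foreach ($hive in 'HKLM', 'HKCU') {
        $k = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) { "{0} NoDriveTypeAutoRun = 0x{1:X2}" -f $hive, $v }
        else { "$hive NoDriveTypeAutoRun not set" }
    }
}

Test-SuspectFile -Path $Target
Find-RunReferences -Name (Split-Path -Leaf $Target)
Find-AutorunInf
Get-AutoRunPolicy
```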
r16
Posted: Monday, July 20, 2009 10:50:24 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 10,703
OK.
Let's see whether it is really there (run it as Administrator).
Download Avenger and unpack it into its own folder, not a temporary one and not on the desktop:
http://swandog46.geekstogo.com/avenger.zip

Start AVENGER
Click OK
Enter these lines (copy and paste) into the white box:

Files to delete:
C:\Users\Public\Favorites\NginuL_na.exe

Untick Scan for Rootkits
Click Execute and wait...
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post Avenger's result here.
mauros
Posted: Monday, July 20, 2009 11:03:35 PM

Rank: AiutAmico

Joined: 9/25/2004
Posts: 117
I'm attaching the result
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Error: could not open file "C:\Users\Public\Favorites\NginuL_na.exe"
Deletion of file "C:\Users\Public\Favorites\NginuL_na.exe" failed!
Status: 0xc0000280


Completed script processing.

*******************

Finished! Terminate.
r16
Posted: Monday, July 20, 2009 11:17:42 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 10,703
The file is there, but it couldn't delete it.
Run a scan with ComboFix (UAC disabled, and run it as Administrator).

Important: disable your antivirus and close ALL open programs (firewall included), and after downloading COMBOFIX, disconnect from the Internet.

Download ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to the desktop.
Double-click combofix.exe (a window will appear).
If you are asked whether you want to install the RECOVERY CONSOLE, click NO.
Your antivirus will probably send you messages; ignore them.
During the scan it is important not to use the PC (not even the mouse) and to wait patiently for the operations to finish.
When it's done, a log file will be created on the Desktop, called C:\ComboFix.txt. Post it here.

mauros
Posted: Tuesday, July 21, 2009 12:04:40 AM

Rank: AiutAmico

Joined: 9/25/2004
Posts: 117
ComboFix log
ComboFix 09-07-20.01 - Maurizio 20/07/2009 23.39.18.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.39.1040.18.3066.1956 [GMT 2:00]
Eseguito da: c:\users\Maurizio\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1392228022-1467505504-2512445263-500
c:\users\Maurizio\AppData\Roaming\.#
c:\windows\Installer\15246b.msi
c:\windows\Installer\321be.msi
c:\windows\Installer\Ref3053.msi

.
((((((((((((((((((((((((( Files Creati Da 2009-06-20 al 2009-07-20 )))))))))))))))))))))))))))))))))))
.

2009-07-20 21:43 . 2009-07-20 21:46 -------- d-----w- c:\users\Maurizio\AppData\Local\temp
2009-07-20 12:19 . 2009-07-20 12:19 -------- d-----w- c:\program files\CCleaner
2009-07-18 17:42 . 2009-07-18 17:42 -------- d-----w- c:\users\Maurizio\AppData\Roaming\Malwarebytes
2009-07-18 17:42 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-18 17:42 . 2009-07-18 17:42 -------- d-----w- c:\programdata\Malwarebytes
2009-07-18 17:42 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-18 17:42 . 2009-07-18 17:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 18:09 . 2009-07-20 12:36 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-17 17:43 . 2009-07-17 17:43 -------- d-----w- c:\program files\Trend Micro
2009-07-17 14:57 . 2009-07-17 14:57 262144 ----a-w- c:\users\NTUser.dat
2009-07-17 14:57 . 2009-07-17 14:57 -------- d-----w- c:\users\Maurizio\AppData\Roaming\MetaProducts
2009-07-17 14:57 . 2009-07-17 14:57 -------- d-----w- c:\program files\Download Express
2009-07-15 19:51 . 2009-07-15 21:58 -------- d-----w- c:\users\Maurizio\AppData\Roaming\Download Manager
2009-07-15 19:40 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-15 19:40 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-15 19:40 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-15 19:40 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-13 17:56 . 2009-07-13 17:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-13 17:56 . 2009-07-13 17:56 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-13 17:56 . 2009-07-13 17:56 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-13 17:56 . 2009-07-20 07:28 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-13 17:56 . 2009-07-13 17:56 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-07-13 17:56 . 2009-07-13 17:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-13 17:55 . 2009-07-13 17:55 -------- d-----w- c:\programdata\avg8
2009-07-13 17:55 . 2009-07-13 17:55 -------- d-----w- c:\program files\AVG
2009-07-13 15:21 . 2009-07-13 15:21 -------- d-----w- c:\program files\uTorrent
2009-07-13 15:18 . 2009-07-20 12:35 -------- d-----w- c:\users\Maurizio\AppData\Roaming\uTorrent
2009-07-09 18:10 . 2009-07-09 18:10 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-07-08 20:38 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-07-08 20:38 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-07-08 20:38 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-07-08 20:38 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-07-08 20:38 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-07-08 20:38 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-07-08 20:38 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-07-08 20:33 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-07-08 20:32 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-07-08 20:32 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-07-08 20:32 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-07-08 20:32 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-07-08 19:14 . 2008-03-17 09:57 103680 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
2009-07-08 19:14 . 2008-03-17 09:05 101632 ----a-r- c:\windows\system32\drivers\ewusbmdm.sys
2009-07-08 19:14 . 2008-03-16 12:47 872192 ----a-w- c:\windows\system32\drivers\mod7700.sys
2009-07-08 19:14 . 2008-01-22 13:10 100864 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2009-07-08 19:14 . 2007-08-09 02:06 23424 ----a-r- c:\windows\system32\drivers\ewdcsc.sys
2009-07-08 19:11 . 2009-07-08 19:16 -------- d-----w- c:\program files\MD-@ HSUPA
2009-06-25 19:58 . 2009-07-20 21:18 -------- d-----w- c:\users\Maurizio\Tracing
2009-06-25 19:56 . 2009-06-25 19:56 -------- d-----w- c:\program files\Microsoft
2009-06-25 19:56 . 2009-06-25 19:56 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-25 19:55 . 2009-06-25 19:56 -------- d-----w- c:\program files\Windows Live
2009-06-25 19:48 . 2009-06-25 19:48 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-25 19:07 . 2009-06-25 19:07 -------- d-----w- c:\program files\IZArc
2009-06-25 15:56 . 2009-06-25 15:56 -------- d-----w- c:\programdata\Macrium
2009-06-25 15:54 . 2009-06-25 15:54 43646 ----a-r- c:\users\Maurizio\AppData\Roaming\Microsoft\Installer\{3BAD2D97-4900-4014-A2F5-B549802CEEE2}\_E3296CA52D73B98AE9B5F9.exe
2009-06-25 15:54 . 2009-06-25 15:54 43646 ----a-r- c:\users\Maurizio\AppData\Roaming\Microsoft\Installer\{3BAD2D97-4900-4014-A2F5-B549802CEEE2}\_D707CE1C009F1381803C2C.exe
2009-06-25 15:54 . 2009-06-25 15:54 43646 ----a-r- c:\users\Maurizio\AppData\Roaming\Microsoft\Installer\{3BAD2D97-4900-4014-A2F5-B549802CEEE2}\_BBCA226959C1D3D63C885B.exe
2009-06-25 15:54 . 2009-06-25 15:54 43646 ----a-r- c:\users\Maurizio\AppData\Roaming\Microsoft\Installer\{3BAD2D97-4900-4014-A2F5-B549802CEEE2}\_21F3885A18D238E15AAE81.exe
2009-06-25 15:54 . 2009-06-25 15:54 29926 ----a-r- c:\users\Maurizio\AppData\Roaming\Microsoft\Installer\{3BAD2D97-4900-4014-A2F5-B549802CEEE2}\_EDC08689E679B6EDDC26F8.exe
2009-06-25 15:54 . 2009-06-25 15:54 109534 ----a-r- c:\users\Maurizio\AppData\Roaming\Microsoft\Installer\{3BAD2D97-4900-4014-A2F5-B549802CEEE2}\_6FEFF9B68218417F98F549.exe
2009-06-25 15:54 . 2009-06-25 15:54 -------- d-----w- c:\program files\Macrium
2009-06-24 19:41 . 2009-06-24 19:41 -------- d-----w- c:\users\Maurizio\AppData\Roaming\Template
2009-06-24 19:36 . 2009-06-24 19:37 -------- d-----w- c:\users\Maurizio\AppData\Local\Microsoft Games
2009-06-24 19:32 . 2009-06-25 20:30 -------- d-----w- c:\users\Maurizio\AppData\Roaming\eSobi
2009-06-24 17:48 . 2009-06-24 17:48 -------- d-----w- c:\users\Maurizio\Option
2009-06-24 17:48 . 2009-06-25 20:36 680 ----a-w- c:\users\Maurizio\AppData\Local\d3d9caps.dat
2009-06-23 20:12 . 2008-05-27 05:17 11776 ----a-w- c:\windows\system32\msshooks.dll
2009-06-23 20:12 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2009-06-23 20:12 . 2008-05-27 04:59 106605 ----a-w- c:\windows\system32\StructuredQuerySchema.bin
2009-06-23 19:37 . 2009-06-23 19:37 -------- d-----w- c:\program files\MSXML 4.0
2009-06-23 19:35 . 2008-11-01 03:44 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-06-23 19:35 . 2008-11-01 01:21 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-06-23 18:45 . 2008-09-05 05:14 1191936 ----a-w- c:\windows\system32\msxml3.dll
2009-06-23 18:45 . 2008-06-19 03:31 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-06-23 18:45 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-06-23 18:45 . 2008-08-12 03:39 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-06-23 18:45 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-23 18:45 . 2008-12-06 04:42 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-06-23 18:45 . 2008-06-23 01:59 2868736 ----a-w- c:\windows\system32\mf.dll
2009-06-23 18:45 . 2008-06-23 01:59 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2009-06-23 18:45 . 2008-06-23 01:58 94720 ----a-w- c:\windows\system32\logagent.exe
2009-06-23 18:45 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-23 18:45 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-23 18:44 . 2008-12-16 02:42 288768 ----a-w- c:\windows\system32\drivers\srv.sys
2009-06-23 18:44 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-06-23 18:44 . 2008-10-29 06:29 2927104 ----a-w- c:\windows\explorer.exe
2009-06-23 17:35 . 2008-09-10 03:40 1334272 ----a-w- c:\windows\system32\msxml6.dll
2009-06-23 17:32 . 2008-08-27 01:05 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-06-23 17:32 . 2008-10-21 05:25 1645568 ----a-w- c:\windows\system32\connect.dll
2009-06-23 17:32 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-06-23 17:27 . 2009-06-23 17:27 380928 ----a-w- c:\programdata\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_it_8021704D7EC2DEFB.dll
2009-06-23 17:19 . 2008-10-16 21:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-06-23 17:19 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-06-23 17:19 . 2008-10-16 21:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-06-23 17:19 . 2008-10-16 20:56 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-06-23 17:18 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-06-23 17:18 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-06-23 17:18 . 2008-10-16 20:55 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-06-23 17:18 . 2008-10-16 12:08 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-06-23 14:11 . 2009-06-23 16:45 -------- d-----w- c:\users\Maurizio\AppData\Local\PlayMovie
2009-06-23 14:11 . 2009-06-24 17:41 -------- d-----w- c:\users\Maurizio\AppData\Local\PowerCinema
2009-06-23 14:11 . 2009-06-23 17:26 -------- d-----w- c:\program files\Google
2009-06-23 14:06 . 2009-06-23 14:06 -------- d-sh--we c:\users\Default\Risorse di stampa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 21:46 . 2009-07-20 16:54 28124 ----a-w- c:\programdata\nvModes.dat
2009-07-20 17:25 . 2008-05-08 06:57 662846 ----a-w- c:\windows\system32\perfh010.dat
2009-07-20 17:25 . 2008-05-08 06:57 120326 ----a-w- c:\windows\system32\perfc010.dat
2009-07-15 22:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-13 17:52 . 2008-05-07 21:08 -------- d-----w- c:\programdata\McAfee
2009-07-09 22:45 . 2008-05-07 21:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-09 22:40 . 2008-05-07 21:29 -------- d-----w- c:\programdata\CyberLink
2009-07-09 18:28 . 2009-06-23 14:09 71280 ----a-w- c:\users\Maurizio\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-09 18:18 . 2008-05-07 21:10 -------- d-----w- c:\programdata\Microsoft Help
2009-07-09 18:16 . 2008-05-07 21:11 -------- d-----w- c:\program files\Microsoft Works
2009-06-25 20:30 . 2008-10-15 21:14 -------- d-----w- c:\programdata\eSobi
2009-06-25 19:07 . 2009-06-25 19:07 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-06-24 19:41 . 2009-06-24 19:41 0 ----a-w- c:\users\Maurizio\AppData\Roaming\wklnhst.dat
2009-06-24 17:20 . 2008-05-07 21:09 -------- d-----w- c:\programdata\SiteAdvisor
2009-06-23 16:41 . 2009-06-23 16:41 -------- d-----w- c:\program files\Common Files\Motive
2009-06-23 16:41 . 2009-06-23 16:41 -------- d-----w- c:\programdata\Motive
2009-06-23 16:08 . 2009-06-23 16:07 -------- d-----w- c:\users\Maurizio\AppData\Roaming\CyberLink
2009-06-23 14:10 . 2008-05-07 21:28 -------- d-----w- c:\program files\Acer
2009-06-23 14:06 . 2009-06-23 14:06 -------- d-sh--we c:\programdata\Preferiti
2009-06-23 14:06 . 2009-06-23 14:06 -------- d-sh--we c:\programdata\Modelli
2009-06-23 14:06 . 2009-06-23 14:06 -------- d-sh--we c:\programdata\Menu Avvio
2009-06-23 14:06 . 2009-06-23 14:06 -------- d-sh--we c:\programdata\Documenti
2009-06-23 14:06 . 2009-06-23 14:06 -------- d-sh--we c:\programdata\Dati applicazioni
2009-06-23 14:06 . 2009-06-23 14:06 -------- d-sh--we c:\program files\File comuni
2009-04-24 16:05 . 2009-06-23 17:31 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-23 17:31 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-23 17:31 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2008-10-16 06:40 . 2008-10-16 06:38 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 08:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-04 21:38 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-23 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-19 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-19 92704]
"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-03-07 544768]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-04 526896]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-25 809480]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-04-30 397312]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-06 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-13 1948440]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-25 6111232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-10-15 21:09 3110912 ----a-w- c:\program files\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Maurizio^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Orion.lnk]
path=c:\users\Maurizio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Orion.lnk
backup=c:\windows\pss\Orion.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EDD33C57-C9CF-452D-AF8F-BF917549F62B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DF21046C-0A25-4FAF-A1BF-517BEF5405D8}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DC808DF1-C040-4E29-A5B1-73952534C8BA}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{0D51BA99-356E-4B7A-9E65-987ED78BA285}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{E7396943-4CE5-42E3-A7EA-71FF51C54DCF}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{8D0247B6-B148-4E39-870B-8FF98EEBC8C8}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{A38B6703-8CFB-464A-BA28-0C7599718CD6}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{F0599F67-0601-4D3D-A86A-E4681DE023BA}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{8CE8F528-1E9F-4430-AD9B-10259617BCBD}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{DAB62A11-5106-43CC-860A-6339630E376A}"= c:\program files\Acer\Acer VCM\VC.exe:Acer VCM
"{15D6745A-FBB4-4A3F-BE85-B23963848937}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{91D3F1D2-6AA4-4540-80C0-3347D9A63ADA}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PlayMovie.exe:Acer Play Movie
"{266021B5-A370-4C57-A432-DF90AA1F28A4}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe:Acer Play Movie Resident Program
"{715D9F92-9F1A-4C6F-906A-312B4B926094}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:Acer HomeMedia
"{20B0E8FB-5BD4-4EA6-AB01-C0F65F04D0F5}"= UDP:19489:Utorrent
"{326BDA2C-DBAA-41D3-88E3-258986667AAB}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{8689D69D-5886-43B4-9549-BBF060EF18FD}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{5D8976BC-C83C-450B-976F-FE049164FFAB}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{D224566F-663F-4B93-8B06-68590F77123A}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{93D78973-848A-4BAB-B252-3C91D2A9300D}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{CD09B6B8-BD76-4768-974E-6DE42B65DFB4}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{D316D70E-E720-40FF-80D8-D7F7FA06CDFC}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\System32\drivers\AlfaFF.sys [15/10/2008 23.09.41 43184]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\System32\drivers\pssnap.sys [20/05/2008 8.32.40 15328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [13/07/2009 19.56.35 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [13/07/2009 19.56.01 108552]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [15/10/2008 23.21.39 61424]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [13/07/2009 19.56.01 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [13/07/2009 19.56.00 298776]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [03/03/2008 13.11.14 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [15/10/2008 23.22.19 81504]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [07/05/2008 23.28.16 24576]
R2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [15/10/2008 23.09.45 3517440]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [06/04/2008 22.42.24 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [15/10/2008 23.22.20 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [04/04/2008 3.03.14 131072]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [06/08/2008 11.34.02 216032]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [15/10/2008 23.08.58 233472]
R3 NETw5v32;Driver scheda Intel(R) Wireless WiFi Link per Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [16/10/2008 8.38.24 3658752]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [16/10/2008 8.37.41 44064]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21/01/2008 4.23.20 179712]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [23/06/2009 16.11.02 24064]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-AliceRV_McciTrayApp - c:\program files\Alice ti aiuta\McciTrayApp.exe
HKLM-Run-eRecoveryService - (no file)


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&s=2&o=vp32&d=1008&m=aspire_5930
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Scarica con Download &Express - c:\program files\Download Express\Add_Url.htm
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
.

**************************************************************************
scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'Explorer.exe'(4796)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\windows\System32\SysHook.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Acer\Acer Bio Protection\CompPtcVUI.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\windows\System32\conime.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\windows\System32\WUDFHost.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\System32\wbem\unsecapp.exe
c:\users\Maurizio\AppData\Local\temp\RtkBtMnt.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Ora fine scansione: 2009-07-20 23.50.42 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-07-20 21:50

Pre-Run: 79.594.033.152 byte disponibili
Post-Run: 79.305.748.480 byte disponibili

338 --- E O F --- 2009-07-20 13:59
r16
Posted: Tuesday, July 21, 2009 12:21:57 AM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 10,703
OK, something was removed.
Now run the Malwarebytes scan again and see whether it still detects that file.
If it detects it, delete it and run another scan.
Check whether that file is on the TRE USB stick (there is no trace of it in the OS).
To find out, you have to scan the stick.
mauros
Posted: Tuesday, July 21, 2009 8:24:26 AM

Rank: AiutAmico

Member since: 9/25/2004
Posts: 117
I ran the scan again; it does not delete it. In safe mode no infected file shows up. I checked the stick and it comes up clean; I am attaching Image

r16
Posted: Tuesday, July 21, 2009 11:42:15 AM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 10,703
How strange...
Did you remember to enable showing hidden files and folders?
Then try this:
With the "Search" function, copy and paste this word:
Favorites
and launch the search.
A folder named Favorites should appear.
Open it, and inside you should find the file:
NginuL_na.exe
mauros
Posted: Tuesday, July 21, 2009 1:26:11 PM

Rank: AiutAmico

Member since: 9/25/2004
Posts: 117
Thanks for your patience. I no longer know which way to turn to delete that damned file; I cannot find it, and the folders I did find do not contain it. I am attaching Image
r16
Posted: Tuesday, July 21, 2009 5:17:47 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 10,703
Try scanning those folders one at a time with Malwarebytes (and with AVG as well).
Again with the Search function, see whether you find this executable:
Msoffice.exe
Copy and paste it.
Another thing: have you tried running a full scan with AVG?
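The two suggestions above (show hidden files and search the Favorites folder for the flagged executable; scan the USB stick for the AutoRun component) can be done from one script. The following PowerShell helper is an added example, not code from the thread or from any of the tools mentioned; it assumes Windows PowerShell 3.0 or later, takes the file names only from this thread, and only reads autorun.inf, never runs what it points to.

```powershell
# Added triage helper (not from the thread). Enumerates hidden/system executables that
# Explorer's search skips, and reports what an autorun.inf on removable media would launch.
# Assumption: Windows PowerShell 3.0+ (Get-ChildItem -File, Get-CimInstance).
param(
    [string[]]$Roots = @("$env:PUBLIC", "$env:USERPROFILE"),
    # Names quoted in the thread (both spellings of the flagged file, plus the one r16 asked about)
    [string[]]$SuspectNames = @('NiginuL_na.exe', 'NginuL_na.exe', 'Msoffice.exe')
)

function Get-HiddenExecutables {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes Hidden and System items; Explorer's search omits them by default,
        # which is why a file the scanner reports can be "not found" by the user.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -match '^\.(exe|scr|com|pif|bat|cmd|vbs)$' } |
            ForEach-Object {
                $attrs = $_.Attributes
                [pscustomobject]@{
                    Path     = $_.FullName
                    Hidden   = [bool]($attrs -band [IO.FileAttributes]::Hidden)
                    System   = [bool]($attrs -band [IO.FileAttributes]::System)
                    Size     = $_.Length
                    Modified = $_.LastWriteTime
                    Suspect  = ($SuspectNames -contains $_.Name)
                }
            }
    }
}

function Get-RemovableAutorun {
    # DriveType 2 = removable media (USB stick, or the mass-storage partition of a 3G modem)
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            # Read-only inspection: the open= / shellexecute= lines show what AutoRun would start.
            $launch = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute)\s*='
            [pscustomobject]@{
                Drive      = $_.DeviceID
                AutorunInf = $inf
                Launches   = @($launch | ForEach-Object { $_.Line })
            }
        }
    }
}

# Report: hidden or system executables, and any name the thread flagged
Get-HiddenExecutables -Paths $Roots |
    Where-Object { $_.Hidden -or $_.System -or $_.Suspect } |
    Format-Table -AutoSize
Get-RemovableAutorun | Format-List
```

Run it from an elevated prompt so that folders such as c:\programdata (shown in the ComboFix log with the hidden and system attributes) are readable; a listed file should be quarantined with the scanner rather than simply deleted, so the sample is preserved.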
mauros
Posted: Tuesday, July 21, 2009 8:55:46 PM

Rank: AiutAmico

Member since: 9/25/2004
Posts: 117
I ran all the scans; nothing comes up as infected. I ran Malwarebytes again, right-clicked the file, chose "exclude from list", and ran the test once more; everything comes up clean. Let's hope we have solved it. I am attaching the log
Malwarebytes' Anti-Malware 1.39
Versione del database: 2465
Windows 6.0.6001 Service Pack 1

21/07/2009 20.46.53
mbam-log-2009-07-21 (20-46-53).txt

Tipo di scansione: Scansione rapida
Elementi scansionati: 78121
Tempo trascorso: 1 minute(s), 39 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)
Powered by Yet Another Forum.net version 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.