scansione eseguita con Malware....aggiornamento impossibile


Malwarebytes' Anti-Malware 1.41
Versione del database: 2775
Windows 6.0.6000

07/10/2009 23.26.15
mbam-log-2009-10-07 (23-26-15).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 210543
Tempo trascorso: 1 hour(s), 48 minute(s), 19 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)

formattazione lenta come si fa? i ho eseguito una formattazione tramite il cd di Vista....seconda e ultima domanda i file che ho recuperato li ho messi in un hard disk esterno , e se sono infettati? ho tutti i file dello studio e tutte le foto di anni...cosa faccio..devo formattare anche questo hard disk? il pennino infetto la stessa cosa? se metto questi file su dvd?

ok grazie....come antispyware quale mi consigli? e antivirus ? va bene avast (non mi caricava molto il pc e gli aggiornamenti erano istantanei e giornalieri ma dopo questa infezione non mi fido molto)?

allora...io ho effettuato la formattazione col cd di Vista e reinstallato lo stesso. Per quanto riguarda l'hard disk del pc infetto (WD1200BEAS) ho scaricato dal sito del produttore Data Lifeguard Diagnostic per DOS (da cd) perchè volevo fare questa Low Level Format su di esso, ma (sempre fortunato) mi da un errore: No HD Found error 120 (che significa errore generico)....quindi mi tengo il pc così formattato e speriamo bene....
Il pennino l'ho formattato da windows ma appena inserito in un altro pc Antivir mi da un segnale di allarme: infettato da......VIRUT. Allora ho riformattato dal pc non infetto il pennino e per sicurezza ho scaricato Hard Disk Low Level Format Tool e eseguito una formattazione basso livello sul pennino.....
ora mi è sorto un dubbio: non è che ho infettato anche il pc fisso? quindi ho eseguito Combofix su di esso con questi risultati...(qualcosina c'era ma forse si tratta di poca cosa) puoi dargli un occhiata? grazie di nuovo e scusa per il disturbo

ComboFix 09-10-06.04 - Marco 08/10/2009 10.31.49.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.39.1040.18.767.557 [GMT 2:00]
Eseguito da: c:\documents and settings\Marco\Desktop\ComboFix.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\setup.ini

La copia infetta di c:\windows\system32\qmgr.dll è stata trovata e disinfettata
ipristinata copia da - c:\windows\LastGood\System32\qmgr.dll

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTMLSVC
-------\Service_NtmlSvc
-------\Service_srosa


((((((((((((((((((((((((( Files Creati Da 2009-09-08 al 2009-10-08 )))))))))))))))))))))))))))))))))))
.

2009-10-02 11:28 . 2009-10-02 11:28 -------- d-----w- c:\programmi\MSN Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 08:23 . 2007-06-04 14:54 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\AntiVir PersonalEdition Classic
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\programmi\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"MsnMsgr"="c:\programmi\MSN Messenger\MsnMsgr.Exe" [2007-09-04 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 919280]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 919280]
"avgnt"="c:\programmi\AntiVir PersonalEdition Classic\avgnt.exe" [2008-08-12 266497]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-01 282624]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"PowerStrip"="c:\programmi\powerstrip\pstrip.exe" [2008-09-17 737408]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"AdslTaskBar"="stmctrl.dll" - c:\windows\system32\stmctrl.dll [2003-01-22 151552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-08-31 13312]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iou52.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jou41.sys]
@="Driver"

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [04/06/2007 16.54.13 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [04/06/2007 16.54.13 45400]
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [15/03/2007 17.43.27 29568]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [15/07/2007 3.37.04 27992]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [29/01/2007 15.00.48 59338]
S0 Iou52;Iou52;c:\windows\System32\Drivers\Iou52.sys --> c:\windows\System32\Drivers\Iou52.sys [?]
S0 Jou41;Jou41;c:\windows\System32\Drivers\Jou41.sys --> c:\windows\System32\Drivers\Jou41.sys [?]
S3 TaurusUsb;ADSL Modem USB Service 1.09a;c:\windows\system32\drivers\torususb.sys [29/01/2007 15.00.48 527980]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
Contenuto della cartella 'Scheduled Tasks'

2007-01-30 c:\windows\Tasks\WebReg Officejet 5600 series.job
- c:\programmi\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-11 23:21]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.virgilio.it/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:81
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Marco\Dati applicazioni\Mozilla\Firefox\Profiles\30i9ne3m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virgilio.it/
FF - plugin: c:\programmi\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\programmi\Java\jre1.5.0_10\bin\NPOJI610.dll
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-ProxyWay - c:\programmi\ProxyWay\proxyway.exe
HKLM-Run-AliceRE_McciTrayApp - c:\programmi\Alice ti aiuta\vendors\AliceRE\content\template\driven_dev\syncer\McciTrayApp.exe
HKLM-Explorer_Run-5T19I3B27A - c:\windows\svchost.exe
AddRemove-eMule Plus_is1 - h:\emule\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 10:57
Windows 5.1.2600 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 4354 bytes

Scansione completata con successo
Files nascosti: 1

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

- - - - - - - > 'lsass.exe'(804)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(4868)
c:\programmi\Unlocker\UnlockerHook.dll
c:\windows\System32\msi.dll
c:\windows\System32\WS2_32.dll
c:\windows\System32\WS2HELP.dll
c:\programmi\powerstrip\pshook.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\AntiVir PersonalEdition Classic\avguard.exe
c:\programmi\AntiVir PersonalEdition Classic\sched.exe
c:\programmi\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\programmi\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Ora fine scansione: 2009-10-08 11.07.22 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-10-08 09:06

Pre-Run: 10.655.289.344 byte disponibili
Post-Run: 11.262.820.352 byte disponibili

135

scusa.....forse non sono stato chiaro....questo log che ho appena postato è dell'altro pc da cui ti scrivo non quello infettato da virut (almeno spero che non lo sia pure questo). comunque eseguo quello che mi hai suggerito...

Tutto eseguito....:



############################## | FindyKill V5.012 |

# User : Marco (Administrators) # MARCO-3RARRJKJA
# Update on 20/09/2009 by Chiquitine29
# Start at: 15.13.30 | 08/10/2009
# Website : http://pagesperso-orange.fr/NosTools/index.html

# Intel(R) Pentium(R) 4 CPU 1.60GHz
# Microsoft Windows XP Professional (5.1.2600 32-bit) #
# Internet Explorer 6.0.2800.1106
# Windows Firewall Status : Enabled

# A:\ # Disco floppy, 3,5 pollici
# C:\ # Disco rigido locale # 31,27 Go (10,52 Go free) # NTFS
# D:\ # Disco rigido locale # 6,04 Go (1,42 Go free) # NTFS
# E:\ # Disco CD-ROM
# F:\ # Disco CD-ROM
# G:\ # Disco rigido locale # 18,62 Go (2,16 Go free) # NTFS
# I:\ # Disco CD-ROM
# K:\ # Disco CD-ROM

############################## | Processus actifs |

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

################## | C: |


################## | C:\WINDOWS |


################## | C:\WINDOWS\system32 |


################## | C:\WINDOWS\system32\drivers |


################## | C:\Documents and Settings\Marco\Dati applicazioni |


################## | Autres suppression ... |


################## | Temporary Internet Files |


################## | Registre / Clés infectieuses |


################## | Etat / Services / Informations |

# Mode sans echec : OK


# Affichage des fichiers cachés : OK

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )
# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )
# wuauserv -> Start = 2 ( Good = 2 | Bad = 4 )
# wscsvc -> Start = 2 ( Good = 2 | Bad = 4 )

################## | PEH ... |


################## | Cracks / Keygens / Serials |

"C:\Documents and Settings\Marco\.housecall6.6\"patch.exe""
27/02/2008 20.55 |Size 218736 |Crc32 12c79c8b |Md5 b9a80ba0083fb8196f8ca0bef053ea4e






Malwarebytes' Anti-Malware 1.30
Versione del database: 1414
Windows 5.1.2600

08/10/2009 17.32.37
mbam-log-2009-10-08 (17-32-37).txt

Tipo di scansione: Scansione completa (C:\|D:\|G:\|)
Elementi scansionati: 111822
Tempo trascorso: 1 hour(s), 55 minute(s), 35 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)





ComboFix 09-10-06.04 - Marco 08/10/2009 17.45.44.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.39.1040.18.767.340 [GMT 2:00]
Eseguito da: c:\documents and settings\Marco\Desktop\ComboFix.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

La copia infetta di c:\windows\system32\qmgr.dll è stata trovata e disinfettata
ipristinata copia da - c:\windows\ERDNT\cache\qmgr.dll

.
((((((((((((((((((((((((( Files Creati Da 2009-09-09 al 2009-10-09 )))))))))))))))))))))))))))))))))))
.

2009-10-08 12:40 . 2009-10-08 13:13 -------- d-----w- C:\FindyKill
2009-10-08 11:54 . 2009-10-08 12:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\NOS
2009-10-08 10:42 . 2009-10-08 10:42 -------- d-----w- c:\programmi\HDDGURU LLF Tool
2009-10-02 11:28 . 2009-10-02 11:28 -------- d-----w- c:\programmi\MSN Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 12:51 . 2008-02-27 16:51 -------- d-----w- c:\programmi\Navilog1
2009-10-08 09:00 . 2001-08-31 11:00 437644 ----a-w- c:\windows\system32\perfh010.dat
2009-10-08 09:00 . 2001-08-31 11:00 69790 ----a-w- c:\windows\system32\perfc010.dat
2009-10-08 08:23 . 2007-06-04 14:54 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\AntiVir PersonalEdition Classic
.

((((((((((((((((((((((((((((( SnapShot@2009-10-08_08.57.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-09 10:53 . 2009-10-09 10:53 16384 c:\windows\temp\Perflib_Perfdata_608.dat
- 2001-08-31 11:00 . 2009-03-30 18:32 58732 c:\windows\system32\perfc009.dat
+ 2001-08-31 11:00 . 2009-10-08 09:00 58732 c:\windows\system32\perfc009.dat
- 2009-01-20 19:12 . 2009-01-20 19:12 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-01-20 19:12 . 2009-10-08 11:55 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2001-08-31 11:00 . 2009-03-30 18:32 392432 c:\windows\system32\perfh009.dat
+ 2001-08-31 11:00 . 2009-10-08 09:00 392432 c:\windows\system32\perfh009.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\programmi\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"MsnMsgr"="c:\programmi\MSN Messenger\MsnMsgr.Exe" [2007-09-04 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 919280]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 919280]
"avgnt"="c:\programmi\AntiVir PersonalEdition Classic\avgnt.exe" [2008-08-12 266497]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-01 282624]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"PowerStrip"="c:\programmi\powerstrip\pstrip.exe" [2008-09-17 737408]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"AdslTaskBar"="stmctrl.dll" - c:\windows\system32\stmctrl.dll [2003-01-22 151552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-08-31 13312]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iou52.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jou41.sys]
@="Driver"

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [04/06/2007 16.54.13 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [04/06/2007 16.54.13 45400]
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [15/03/2007 17.43.27 29568]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [15/07/2007 3.37.04 27992]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [29/01/2007 15.00.48 59338]
S0 Iou52;Iou52;c:\windows\System32\Drivers\Iou52.sys --> c:\windows\System32\Drivers\Iou52.sys [?]
S0 Jou41;Jou41;c:\windows\System32\Drivers\Jou41.sys --> c:\windows\System32\Drivers\Jou41.sys [?]
S3 TaurusUsb;ADSL Modem USB Service 1.09a;c:\windows\system32\drivers\torususb.sys [29/01/2007 15.00.48 527980]
.
Contenuto della cartella 'Scheduled Tasks'

2007-01-30 c:\windows\Tasks\WebReg Officejet 5600 series.job
- c:\programmi\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-11 23:21]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.virgilio.it/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:81
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Marco\Dati applicazioni\Mozilla\Firefox\Profiles\30i9ne3m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.virgilio.it/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 12:54
Windows 5.1.2600 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

- - - - - - - > 'lsass.exe'(648)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(4748)
c:\programmi\Unlocker\UnlockerHook.dll
c:\windows\System32\msi.dll
c:\windows\System32\WS2_32.dll
c:\windows\System32\WS2HELP.dll
c:\programmi\powerstrip\pshook.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\AntiVir PersonalEdition Classic\avguard.exe
c:\programmi\AntiVir PersonalEdition Classic\sched.exe
c:\programmi\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\programmi\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Ora fine scansione: 2009-10-09 13.09.15 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-10-09 11:07
ComboFix2.txt 2009-10-08 09:07

Pre-Run: 11.248.738.304 byte disponibili
Post-Run: 11.215.413.248 byte disponibili

128

scusa....mentre che ci sono ti posto anche un log di hijackthis ....non si sa mai


Logfile of HijackThis v1.99.1
Scan saved at 13.35.44, on 09/10/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\programmi\powerstrip\pstrip.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marco\Documenti\virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdslTaskBar] "rundll32.exe" stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PowerStrip] c:\programmi\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://betway.microgaming.com/betway/FlashAX.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

il sistema operativo non è aggiornato percheè è un pc vecchiotto e che non utilizzo molto a parte le emergenze come adesso....ma pur sempre indispensabile per recuperare i miei dati persi
allora io ho eseguito tutto-----dovrei essere apposto con questo pc vero?

Scandisk e daframmentazione li eseguo con calma dato che penso servono solo a migliorare le prestazioni...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.15.09, on 09/10/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdslTaskBar] "rundll32.exe" stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3990 bytes

ok grazie di tutto......il mio unico problema adesso è l'hard disk esterno che sicuramente sarà infettato da virut.....non posso fare niente vero? ho paura a prendere i documenti da li...

allora io come prima cosa ho eseguito una scansion con antivir dell harddisk esterno...ha trovato 5 file infetti da virut....dopo con la funzione ricerca di windows ho cercato tutti i file .exe .zip .rar .html .htm .scr .php .asp e in una cartella Foto Ibiza ho trovato ben 1000 file .exe con nomi strani....ho eliminato tutti questi file (non ovviamente i file .zip e .rar che contenevano file word, excel o pdd per esempio).....svuotato il cestino....pulito tutto con ccleaner....