Here is the ComboFix log. Anyway, I had disabled the antivirus (in fact I kept getting the warnings from Windows, and Avira's umbrella had closed), but it flagged Combo as a virus... but I clicked ignore!
ComboFix 09-10-25.01 - Mario 25/10/2009 22.03.21.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.510.182 [GMT 1:00]
Eseguito da: c:\documents and settings\Mario\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\$t021.tmp
C:\$t022.tmp
c:\docume~1\Mario\IMPOST~1\Temp\swt-gdip-win32-3448.dll
c:\docume~1\Mario\IMPOST~1\Temp\swt-win32-3448.dll
c:\documents and settings\Mario\Impostazioni locali\temp\swt-gdip-win32-3448.dll
c:\documents and settings\Mario\Impostazioni locali\temp\swt-win32-3448.dll
.
((((((((((((((((((((((((( Files Creati Da 2009-09-25 al 2009-10-25 )))))))))))))))))))))))))))))))))))
.
2009-10-23 19:36 . 2009-10-23 19:36 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-10-23 19:11 . 2009-10-23 19:32 -------- d--h--w- c:\documents and settings\HelpAssistant\Impostazioni locali
2009-10-23 19:11 . 2009-10-23 19:32 -------- d-----w- c:\documents and settings\HelpAssistant\Documenti
2009-10-23 19:11 . 2009-10-23 19:14 -------- d--h--r- c:\documents and settings\HelpAssistant\Dati applicazioni
2009-10-23 19:11 . 2002-04-09 08:21 -------- d--h--w- c:\documents and settings\HelpAssistant\Risorse di stampa
2009-10-23 19:11 . 2002-04-09 06:32 -------- d--h--w- c:\documents and settings\HelpAssistant\Modelli
2009-10-23 19:11 . 2009-10-25 15:50 -------- d-----w- c:\documents and settings\HelpAssistant
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 21:26 . 2009-09-13 15:02 -------- d-----w- c:\programmi\File comuni\Akamai
2009-10-25 21:24 . 2008-10-18 09:46 -------- d-----w- c:\documents and settings\Mario\Dati applicazioni\Azureus
2009-10-25 21:01 . 2004-08-19 12:00 80490 ----a-w- c:\windows\system32\perfc010.dat
2009-10-25 21:01 . 2004-08-19 12:00 482036 ----a-w- c:\windows\system32\perfh010.dat
2009-10-25 20:49 . 2008-03-15 21:41 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-10-16 10:26 . 2002-04-09 07:04 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-10-16 10:25 . 2009-09-03 21:51 -------- d-----w- c:\programmi\Total Video Converter
2009-10-16 10:25 . 2009-09-12 12:23 -------- d-----w- c:\programmi\MAGIX
2009-10-12 16:22 . 2009-01-24 21:09 21036 ----atw- c:\windows\system32\SIntfNT.dll
2009-10-12 16:22 . 2009-01-24 21:09 15132 ----atw- c:\windows\system32\SIntf32.dll
2009-10-12 16:22 . 2009-01-24 21:09 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-10-10 10:16 . 2009-07-27 08:03 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-09-21 12:25 . 2009-08-03 20:59 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2009-09-20 16:41 . 2009-08-09 13:21 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-09-13 15:01 . 2009-09-13 15:01 -------- d-----w- c:\programmi\SanrioTown
2009-09-12 14:34 . 2009-09-12 14:34 -------- d-----w- c:\documents and settings\Mario\Dati applicazioni\Apple Computer
2009-09-12 14:33 . 2008-03-10 08:14 149736 ----a-w- c:\documents and settings\Mario\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-09-12 12:43 . 2009-09-12 12:43 -------- d-----w- c:\documents and settings\Mario\Dati applicazioni\MAGIX
2009-09-12 12:42 . 2009-09-12 12:25 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\MAGIX
2009-09-12 12:41 . 2009-09-12 12:24 -------- d-----w- c:\programmi\File comuni\MAGIX Shared
2009-09-11 14:17 . 2004-08-19 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 12:54 . 2009-08-09 13:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2009-08-09 13:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 15:23 . 2009-02-15 21:34 -------- d-----w- c:\programmi\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-19 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:56 . 2004-08-19 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-19 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-14 12:40 . 2009-08-14 11:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-09 14:15 . 2009-05-10 07:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-05 08:59 . 2004-08-19 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:56 . 2004-08-19 12:00 2192896 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 17:52 . 2009-08-04 17:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 17:26 . 2004-08-19 15:34 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PMCRemote"="c:\programmi\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe" [2007-09-18 257096]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-08-09 149280]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-09-12 16264192]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Synchronizer.lnk - c:\programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Ralink Wireless Utility.lnk - c:\programmi\RALINK\Common\RaUI.exe [2008-3-10 675840]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Vuze\\Azureus.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Programmi\\NetMeeting\\conf.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\File comuni\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Programmi\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Programmi\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3389:TCP"= 3389:TCP:Remote Desktop
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [09/04/2002 8.01.54 11264]
R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [18/12/2006 17.53.02 1121536]
--- Altri Servizi/Drivers In Memoria ---
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contenuto della cartella 'Scheduled Tasks'
2009-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]
2009-10-25 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-02 12:15]
2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-08-02 12:19]
2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-08-02 12:19]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Aggiungi all'elenco di stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Anteprima Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Stampa ad alta velocità Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Mario\Dati applicazioni\Mozilla\Firefox\Profiles\larisuly.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\programmi\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-10-25 22:27
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81C9DB00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x81c9db00
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> 0x81cda200
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x01314FFD8
malicious code @ sector 0x01314FFDB !
PE file found in sector at 0x01314FFF1 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
c:\programmi\File comuni\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(5672)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\programmi\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\programmi\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_ita.nlr
c:\programmi\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\programmi\File comuni\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\ASTSRV.EXE
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\LightScribe\LSSrvc.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\combofix\CF9462.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
c:\programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
c:\programmi\File comuni\Ahead\Lib\NMIndexingService.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Ora fine scansione: 2009-10-25 22.43.47 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-10-25 21:43
Pre-Run: 52.254.810.112 byte disponibili
Post-Run: 52.539.953.152 byte disponibili
- - End Of File - - 8F280ABBB4E26B08C1BE308C83B3EB67