Aiutamici Forum
Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Olmarik.RF Opzioni
autodidatta
Inviato: Friday, January 08, 2010 12:56:04 PM
Rank: AiutAmico

Iscritto dal : 2/20/2005
Posts: 194
Ciao
Il mio antivirus Nod 32, ha rilevato in C\Windows\System32\Drivers\atapi.sys
la minaccia: win32 /olmarik.rfvirus, peo non riesce ad eliminarlo.
Domanda come faccio x disinfettare? il SO è XP sp3
Grazie
Sponsor
Inviato: Friday, January 08, 2010 12:56:04 PM

 
bazzurlone
Inviato: Friday, January 08, 2010 1:06:46 PM

Rank: AiutAmico

Iscritto dal : 1/20/2005
Posts: 1,537
Usa questo
http://www.aiutamici.com/software?ID=80346
Installa, aggiornalo, esegui una scansione completa e alla fine ,senza eliminare nulla incolla il log
autodidatta
Inviato: Friday, January 08, 2010 7:29:13 PM
Rank: AiutAmico

Iscritto dal : 2/20/2005
Posts: 194
Ciao, scusa se non ti invio il log, ma mio figlio ha cancellato quello che aveva trovato senza salvare il log.
Se si ripresenta ti invio il log.
Grazie
fdaccc
Inviato: Friday, January 08, 2010 7:42:50 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
posta un log appena puoi =)
r16
Inviato: Friday, January 08, 2010 10:36:37 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Commenta:
ma mio figlio ha cancellato quello che aveva trovato senza salvare il log.

Il log lo trovi, aprendo Malwarebytes, alla voce in alto " File di log".
Guarda la data, e lo posti.
autodidatta
Inviato: Saturday, January 09, 2010 3:37:34 PM
Rank: AiutAmico

Iscritto dal : 2/20/2005
Posts: 194
Ciao, ecco qua il log sono riuscito a recuperarlo


Malwarebytes' Anti-Malware 1.44
Versione del database: 3515
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/01/2010 17.03.05
mbam-log-2010-01-08 (17-03-05).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 237855
Tempo trascorso: 1 hour(s), 21 minute(s), 13 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 14

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
D:\Programmi Vari\Adobe\Adobe Photoshop CS4 Extended - Italiano - Incl Crack\ADOBE CS4\Crack\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Programmi Vari\Programmi per Duplicare DVD\Any DVD\AnyDVD HD 6.5.2.2 (installato)\Crack\AnyDVD.v6.5.x.x.Patcher.v1.0.R2.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\Programmi Vari\XP\Crack per cambiare la product key\WindowsXP Product Key Viewer.exe (Hacktool.KeySteal) -> Quarantined and deleted successfully.
D:\Programmi Vari\Programmi per Masterizzare\Alcohol\Alcohol 120% v1.9.6.5429 ITA (Su C20 il 04-01-10)\Crack\Alcohol.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Programmi Vari\Programmi per Masterizzare\Any DVD\AnyDVD HD 6.5.2.2 (provare)\Crack\AnyDVD.v6.5.x.x.Patcher.v1.0.R2.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\Programmi Vari\Programmi per Masterizzare\Nero\Nero 8.3.2.1 Ita\Keygen\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{6086BDFD-627A-4FC9-89EF-9AA61B0C2F13}\RP606\A0090344.exe (Malware.Packer) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{6086BDFD-627A-4FC9-89EF-9AA61B0C2F13}\RP612\A0091587.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{6086BDFD-627A-4FC9-89EF-9AA61B0C2F13}\RP543\A0075638.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{E9923CA7-32E8-4CD1-A830-9EB2008B5331}\RP263\A0033220.exe (Hacktool.KeySteal) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{F965E2F1-6F43-438A-B63B-221C4613CB60}\RP83\A0002626.exe (Malware.Tool) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{F965E2F1-6F43-438A-B63B-221C4613CB60}\RP97\A0004438.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{F965E2F1-6F43-438A-B63B-221C4613CB60}\RP97\A0004458.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Download\Emule\Norton\Keygen\KEYGEN.EXE (Spyware.OnlineGames) -> Quarantined and deleted successfully.
r16
Inviato: Saturday, January 09, 2010 3:41:01 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Scarica Combofix

http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Salvalo sul desktop.

Importante: Disabilita il tuo antivirus e chiudi TUTTI i programmi aperti,(Firewall compreso) e dopo aver scaricato COMBOFIX, chiudi la connessione.

Doppio click su combofix.exe (comparirà una videata.)
Se ti verrà chiesto se vuoi Installare LA CONSOLE DI RIPRISTINO DI EMERGENZA, clicca NO.
E' probabile che ti siano inviati messaggi dall'antivirus, tu ignorali.
Durante l'operazione di scansione è importante non usare il PC (neanche il mouse) e attendere pazientemente la fine delle operazioni.
Al termine, verrà creato un file log sul Desktop, chiamato C:\ComboFix.txt. Postalo qui.
fdaccc
Inviato: Saturday, January 09, 2010 3:47:40 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
Possiedi dei programmi craccati che contengono minacce, per fortuna MBAM ha provedduto ad eliminare i file infetti.
Il mio consiglio è di eliminare le cartelle in rosso,poiche utilizzano spazio e non sono più utilizzabili ( dato che i crack e i keygen sono stati eliminati)


D:\Programmi Vari\Adobe\Adobe Photoshop CS4 Extended - Italiano - Incl Crack
D:\Programmi Vari\Programmi per Duplicare DVD\Any DVD
D:\Programmi Vari\XP\Crack per cambiare la product key
D:\Programmi Vari\Programmi per Masterizzare\Alcohol
D:\Programmi Vari\Programmi per Masterizzare\Any DVD
D:\Programmi Vari\Programmi per Masterizzare\Nero\Nero 8.3.2.1 Ita
D:\Download\Emule\Norton

..dico bene r16?
autodidatta
Inviato: Sunday, January 10, 2010 2:10:58 PM
Rank: AiutAmico

Iscritto dal : 2/20/2005
Posts: 194
Ciao, le cartelle le ho gia eliminate
Adesso provo la procedura che mi ha suggerito r16, poi vi invio il log
fdaccc
Inviato: Sunday, January 10, 2010 2:25:16 PM

Rank: AiutAmico

Iscritto dal : 12/12/2009
Posts: 2,114
Bene, attendiamo! =)
autodidatta
Inviato: Sunday, January 10, 2010 7:44:42 PM
Rank: AiutAmico

Iscritto dal : 2/20/2005
Posts: 194
Eccomi ti invio il log di ComboFix

ComboFix 10-01-04.01 - Biagio 10/01/2010 19.28.05.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.527 [GMT 1:00]
Eseguito da: c:\documents and settings\Biagio\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Biagio\Dati applicazioni\Live Update.exe
c:\windows\box.exe
c:\windows\patchw32.dll
c:\windows\pw32a.dll

.
((((((((((((((((((((((((( Files Creati Da 2009-12-10 al 2010-01-10 )))))))))))))))))))))))))))))))))))
.

2010-01-10 18:28 . 2010-01-10 18:28 -------- d-----w- c:\documents and settings\Biagio\Impostazioni locali\Dati applicazioni\ESET
2010-01-08 13:12 . 2010-01-08 13:12 -------- d-----w- c:\documents and settings\Biagio\Dati applicazioni\Malwarebytes
2010-01-08 13:12 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 13:12 . 2010-01-08 13:12 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-01-08 13:12 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 13:12 . 2010-01-08 13:12 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-12-29 12:36 . 2009-12-29 12:36 -------- d-----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\ESET
2009-12-29 11:59 . 2009-12-29 11:59 -------- d-----w- c:\programmi\ESET
2009-12-29 11:59 . 2009-12-29 11:59 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\ESET
2009-12-29 11:14 . 2009-08-24 20:08 28160 ----a-w- c:\windows\system32\DfSdkBt.exe
2009-12-29 11:14 . 2009-12-29 11:14 -------- d-----w- c:\programmi\Ashampoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 18:23 . 2008-12-18 20:32 -------- d-----w- c:\documents and settings\Biagio\Dati applicazioni\DNA
2010-01-10 18:16 . 2008-12-18 20:32 -------- d-----w- c:\programmi\DNA
2010-01-06 16:02 . 2009-01-03 15:16 -------- d-----w- c:\programmi\eMule
2009-12-29 11:42 . 2008-12-18 20:33 -------- d-----w- c:\documents and settings\Biagio\Dati applicazioni\BitTorrent
2009-12-05 19:03 . 2009-01-19 19:38 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Symantec
2009-12-05 19:03 . 2009-03-25 13:17 -------- d-----w- c:\programmi\File comuni\Symantec Shared
2009-12-05 18:41 . 2009-12-05 18:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_GenericMount_01009.Wdf
2009-12-05 18:41 . 2009-12-05 18:41 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-12-05 04:53 . 2009-12-05 04:53 9586784 ----a-w- c:\documents and settings\Biagio\Dati applicazioni\ashampoo_winoptimizer_2010_6.50_6585.exe
2009-12-05 04:53 . 2009-12-05 04:53 9586784 ----a-w- c:\documents and settings\Biagio\Dati applicazioni\ashampoo_winoptimizer_2010_6.50_6585.exe
2009-12-03 12:50 . 2009-06-02 13:42 -------- d-----w- c:\programmi\Google
2009-12-02 22:21 . 2009-09-22 17:10 3695616 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-02 11:53 . 2001-08-31 11:00 80008 ----a-w- c:\windows\system32\perfc010.dat
2009-12-02 11:53 . 2001-08-31 11:00 480058 ----a-w- c:\windows\system32\perfh010.dat
2009-11-21 15:54 . 2008-04-13 17:13 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 11:41 . 2009-11-15 11:41 -------- d-----w- c:\programmi\UltraISO
2009-11-15 11:41 . 2009-11-15 11:41 -------- d-----w- c:\programmi\File comuni\EZB Systems
2009-11-04 18:48 . 2009-11-04 18:48 152576 ----a-w- c:\documents and settings\Biagio\Dati applicazioni\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-02 19:42 . 2009-10-02 15:59 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 13:35 . 2009-10-29 13:35 2232 ----a-w- c:\windows\java\Packages\Data\NFBHFPB5.DAT
2009-10-29 13:35 . 2009-10-29 13:35 155995 ----a-w- c:\windows\java\Packages\5Z1BB7HV.ZIP
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\OVFR9BRT.DAT
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\VL7VFD77.DAT
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\O05V3HJN.DAT
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\MFJDBJDZ.DAT
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\KETFZ37T.DAT
2009-10-29 07:40 . 2008-11-14 11:10 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-04-13 17:13 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-13 17:13 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-13 09:53 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 15:52 . 2009-07-15 14:26 2353992 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-13 10:33 . 2008-04-13 17:13 271360 ----a-w- c:\windows\system32\oakley.dll
.

------- Sigcheck -------

[-] 2008-11-14 . 3316C8A8EC07A9D4C0BE10310809A9E5 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]
"BitTorrent DNA"="c:\programmi\DNA\btdna.exe" [2009-11-13 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"CloneCDTray"="c:\programmi\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Windows Defender"="c:\programmi\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Adobe Acrobat Speed Launcher"="c:\programmi\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\programmi\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"CARPService"="carpserv.exe" [2001-12-22 4608]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-05-19 4386216]
"AcronisTimounterMonitor"="c:\programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-05-19 961080]
"Servizio Acronis Scheduler2"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2009-05-19 377472]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-01 2054360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\D-Link\Software Bluetooth\BTTray.exe [2005-7-26 577597]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\File comuni\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Programmi\\DNA\\btdna.exe"=
"c:\\Programmi\\BitTorrent\\bittorrent.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/07/2009 15.09.02 64160]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [28/07/2009 15.31.22 902592]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [06/02/2009 23.26.59 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [01/10/2009 15.06.40 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [01/10/2009 15.07.30 96408]
R2 ekrn;ESET Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [01/10/2009 15.06.52 735960]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programmi\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22.34.37 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\programmi\McAfee\SiteAdvisor\McSACore.exe [01/01/2009 18.15.26 206096]
R2 WinDefend;Windows Defender;c:\programmi\Windows Defender\MsMpEng.exe [03/11/2006 19.19.58 13592]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06/01/2009 17.56.57 717296]
S0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [06/02/2009 23.26.59 159616]
S2 EsetNod32Fix;Nod32 AV;c:\windows\regedit.exe [13/04/2008 18.14.18 151552]
S2 gupdate1c9e38bb56a2f10;Google Update Service (gupdate1c9e38bb56a2f10);c:\programmi\Google\Update\GoogleUpdate.exe [02/06/2009 15.09.10 133104]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [31/08/2001 12.00.00 3584]
S3 DfSdkS;Defragmentation-Service;c:\programmi\Ashampoo\Ashampoo WinOptimizer 2010\DfSdkS.exe [29/12/2009 12.14.14 406016]
S3 EOlmarikFix;EOlmarikFix;\??\c:\docume~1\Biagio\IMPOST~1\Temp\EOlmalikFixer\EOlmarikFix.sys --> c:\docume~1\Biagio\IMPOST~1\Temp\EOlmalikFixer\EOlmarikFix.sys [?]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [07/11/2009 23.01.40 167808]
.
Contenuto della cartella 'Scheduled Tasks'

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-02 14:08]

2010-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-02 14:08]

2010-01-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmi\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.msn.it/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Aggiungi a PDF esistente - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Aggiungi destinazione link a PDF esistente - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append the content of the link to existing PDF file - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Converti destinazione link in Adobe PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\D-Link\Software Bluetooth\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} - hxxp://aiuto.alice.it/ata/static/installers/WebflowActiveXInstaller_4-1-5.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 19:35
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1708537768-2146663699-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll
c:\programmi\File comuni\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Ora fine scansione: 2010-01-10 19:37:43
ComboFix-quarantined-files.txt 2010-01-10 18:37

Pre-Run: 54.702.624.768 byte disponibili
Post-Run: 54.703.046.656 byte disponibili

- - End Of File - - 5FCB685D1C83E53C506FF403C0A95E69
r16
Inviato: Sunday, January 10, 2010 9:55:51 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Apri un file di testo sul Desktop (start\esegui\digita: notepad.exe\ Ok
Ci incolli il codice che vedi qui sotto, e salvi il file di testo obbligatoriamente con il nome CFScript.txt

Code:
File::
c:\docume~1\Biagio\IMPOST~1\Temp\EOlmalikFixer\EOlmarikFix.sys

Folder::
c:\docume~1\Biagio\IMPOST~1\Temp\EOlmalikFixer
c:\programmi\McAfee

Driver::
EOlmarikFix
McAfee SiteAdvisor Service


e trascinalo sull'icona di ComboFix.
Attendi la fine dei lavori, senza toccare tastiera, mouse o altro.
Posta il log aggiornato di combofix

Controlla se il Nod trova ancora quel file.
autodidatta
Inviato: Monday, January 11, 2010 7:09:20 PM
Rank: AiutAmico

Iscritto dal : 2/20/2005
Posts: 194
Ciao r16
Ecco il nuovo log

ComboFix 10-01-04.01 - Biagio 11/01/2010 18.47.35.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.648 [GMT 1:00]
Eseguito da: c:\documents and settings\Biagio\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Biagio\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
"c:\docume~1\Biagio\IMPOST~1\Temp\EOlmalikFixer\EOlmarikFix.sys"
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\McAfee
c:\programmi\McAfee\SiteAdvisor\apengine.dll
c:\programmi\McAfee\SiteAdvisor\chrome.manifest
c:\programmi\McAfee\SiteAdvisor\cntscan.dll
c:\programmi\McAfee\SiteAdvisor\Components\IMcFFPlg.xpt
c:\programmi\McAfee\SiteAdvisor\Components\McFFPlg.dll
c:\programmi\McAfee\SiteAdvisor\content.dat
c:\programmi\McAfee\SiteAdvisor\default.txt
c:\programmi\McAfee\SiteAdvisor\elist.dat
c:\programmi\McAfee\SiteAdvisor\ffplg.inf
c:\programmi\McAfee\SiteAdvisor\ieplg.inf
c:\programmi\McAfee\SiteAdvisor\install.rdf
c:\programmi\McAfee\SiteAdvisor\McBrwctl.dll
c:\programmi\McAfee\SiteAdvisor\mcfrmwk.dll
c:\programmi\McAfee\SiteAdvisor\McIEPlg.dll
c:\programmi\McAfee\SiteAdvisor\mcplgUI.dll
c:\programmi\McAfee\SiteAdvisor\McSACore.exe
c:\programmi\McAfee\SiteAdvisor\McSACorePS.dll
c:\programmi\McAfee\SiteAdvisor\msacmain.inf
c:\programmi\McAfee\SiteAdvisor\sac.inf
c:\programmi\McAfee\SiteAdvisor\sachook.inf
c:\programmi\McAfee\SiteAdvisor\sacimg.inf
c:\programmi\McAfee\SiteAdvisor\sacomm.inf
c:\programmi\McAfee\SiteAdvisor\sacore.dll
c:\programmi\McAfee\SiteAdvisor\sacore.inf
c:\programmi\McAfee\SiteAdvisor\sacres.inf
c:\programmi\McAfee\SiteAdvisor\safelocalization.inf
c:\programmi\McAfee\SiteAdvisor\sahook.dll
c:\programmi\McAfee\SiteAdvisor\saplugin.dll
c:\programmi\McAfee\SiteAdvisor\sares.dll
c:\programmi\McAfee\SiteAdvisor\saset.dll
c:\programmi\McAfee\SiteAdvisor\sasets.ini
c:\programmi\McAfee\SiteAdvisor\saupkeep.dll
c:\programmi\McAfee\SiteAdvisor\Scripts\balloon_logo.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\balloon_logo_plus.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_black.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_disabled.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_green.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_green_lock.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_grey.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_grey_lock.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_hs.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_hs_lock.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_red.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_red_lock.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_yellow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\button_yellow_lock.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\contents.rdf
c:\programmi\McAfee\SiteAdvisor\Scripts\down_arrow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\download_careful.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\download_unsafe.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\g.png
c:\programmi\McAfee\SiteAdvisor\Scripts\gl.png
c:\programmi\McAfee\SiteAdvisor\Scripts\gllc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\glrc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\gr.png
c:\programmi\McAfee\SiteAdvisor\Scripts\green.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\greenbubble.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\greendownarrow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\greenuparrow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\gul.png
c:\programmi\McAfee\SiteAdvisor\Scripts\gulc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\gurc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\hackersafe.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\hs.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\cs-CZ\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\cs-CZ\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\da-DK\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\da-DK\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\de-DE\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\de-DE\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\el-GR\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\el-GR\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-AU\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-AU\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-CA\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-CA\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-GB\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-GB\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-IE\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-IE\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-US\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\en-US\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-AR\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-AR\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-CL\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-CL\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-ES\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-ES\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-MX\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-MX\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-PE\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\es-PE\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\fi-FI\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\fi-FI\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\fr-CA\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\fr-CA\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\fr-FR\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\fr-FR\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\hu-HU\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\hu-HU\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\it-IT\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\it-IT\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\ja-JP\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\ja-JP\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\ko-KR\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\ko-KR\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\nb-NO\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\nb-NO\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\nl-NL\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\nl-NL\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\no-NO\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\no-NO\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\pl-PL\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\pl-PL\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\pt-BR\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\pt-BR\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\pt-PT\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\pt-PT\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\ru-RU\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\ru-RU\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\sk-SK\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\sk-SK\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\sv-SE\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\sv-SE\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\tr-TR\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\tr-TR\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\zh-CN\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\zh-CN\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\zh-TW\FF\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\locale\zh-TW\IE\safe.css
c:\programmi\McAfee\SiteAdvisor\Scripts\main.js
c:\programmi\McAfee\SiteAdvisor\Scripts\mainff.js
c:\programmi\McAfee\SiteAdvisor\Scripts\mcafeesiteadvisor.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\protection.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\r.png
c:\programmi\McAfee\SiteAdvisor\Scripts\red.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\redbubble.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\reddownarrow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\reduparrow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\rl.png
c:\programmi\McAfee\SiteAdvisor\Scripts\rllc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\rlrc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\rr.png
c:\programmi\McAfee\SiteAdvisor\Scripts\rul.png
c:\programmi\McAfee\SiteAdvisor\Scripts\rulc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\rurc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\safe-facet-green.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\safe-facet-red.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\safe-facet-white.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\safe-facet-yellow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\safe.xul
c:\programmi\McAfee\SiteAdvisor\Scripts\safesearch.dat
c:\programmi\McAfee\SiteAdvisor\Scripts\safesearch.js
c:\programmi\McAfee\SiteAdvisor\Scripts\saffplg.js
c:\programmi\McAfee\SiteAdvisor\Scripts\searchglass.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\siteadvisor.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\untested.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\whitebubble.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\whitedownarrow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\whiteuparrow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\xdown.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\xup.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\y.png
c:\programmi\McAfee\SiteAdvisor\Scripts\yellow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\yellowbubble.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\yellowdownarrow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\yellowuparrow.gif
c:\programmi\McAfee\SiteAdvisor\Scripts\yl.png
c:\programmi\McAfee\SiteAdvisor\Scripts\yllc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\ylrc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\yr.png
c:\programmi\McAfee\SiteAdvisor\Scripts\yul.png
c:\programmi\McAfee\SiteAdvisor\Scripts\yulc.png
c:\programmi\McAfee\SiteAdvisor\Scripts\yurc.png
c:\programmi\McAfee\SiteAdvisor\subst.inf
c:\programmi\McAfee\SiteAdvisor\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EOLMARIKFIX
-------\Legacy_MCAFEE_SITEADVISOR_SERVICE
-------\Service_EOlmarikFix
-------\Service_McAfee SiteAdvisor Service


((((((((((((((((((((((((( Files Creati Da 2009-12-11 al 2010-01-11 )))))))))))))))))))))))))))))))))))
.

2010-01-10 18:28 . 2010-01-10 18:28 -------- d-----w- c:\documents and settings\Biagio\Impostazioni locali\Dati applicazioni\ESET
2010-01-08 13:12 . 2010-01-08 13:12 -------- d-----w- c:\documents and settings\Biagio\Dati applicazioni\Malwarebytes
2010-01-08 13:12 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 13:12 . 2010-01-08 13:12 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-01-08 13:12 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 13:12 . 2010-01-08 13:12 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-12-29 12:36 . 2009-12-29 12:36 -------- d-----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\ESET
2009-12-29 11:59 . 2009-12-29 11:59 -------- d-----w- c:\programmi\ESET
2009-12-29 11:59 . 2009-12-29 11:59 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\ESET
2009-12-29 11:14 . 2009-08-24 20:08 28160 ----a-w- c:\windows\system32\DfSdkBt.exe
2009-12-29 11:14 . 2009-12-29 11:14 -------- d-----w- c:\programmi\Ashampoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 17:57 . 2008-12-18 20:32 -------- d-----w- c:\programmi\DNA
2010-01-11 17:57 . 2008-12-18 20:32 -------- d-----w- c:\documents and settings\Biagio\Dati applicazioni\DNA
2010-01-06 16:02 . 2009-01-03 15:16 -------- d-----w- c:\programmi\eMule
2009-12-29 11:42 . 2008-12-18 20:33 -------- d-----w- c:\documents and settings\Biagio\Dati applicazioni\BitTorrent
2009-12-05 19:03 . 2009-01-19 19:38 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Symantec
2009-12-05 19:03 . 2009-03-25 13:17 -------- d-----w- c:\programmi\File comuni\Symantec Shared
2009-12-05 18:41 . 2009-12-05 18:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_GenericMount_01009.Wdf
2009-12-05 18:41 . 2009-12-05 18:41 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-12-05 04:53 . 2009-12-05 04:53 9586784 ----a-w- c:\documents and settings\Biagio\Dati applicazioni\ashampoo_winoptimizer_2010_6.50_6585.exe
2009-12-05 04:53 . 2009-12-05 04:53 9586784 ----a-w- c:\documents and settings\Biagio\Dati applicazioni\ashampoo_winoptimizer_2010_6.50_6585.exe
2009-12-03 12:50 . 2009-06-02 13:42 -------- d-----w- c:\programmi\Google
2009-12-02 22:21 . 2009-09-22 17:10 3695616 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-02 11:53 . 2001-08-31 11:00 80008 ----a-w- c:\windows\system32\perfc010.dat
2009-12-02 11:53 . 2001-08-31 11:00 480058 ----a-w- c:\windows\system32\perfh010.dat
2009-11-21 15:54 . 2008-04-13 17:13 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 11:41 . 2009-11-15 11:41 -------- d-----w- c:\programmi\UltraISO
2009-11-15 11:41 . 2009-11-15 11:41 -------- d-----w- c:\programmi\File comuni\EZB Systems
2009-11-04 18:48 . 2009-11-04 18:48 152576 ----a-w- c:\documents and settings\Biagio\Dati applicazioni\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-02 19:42 . 2009-10-02 15:59 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 13:35 . 2009-10-29 13:35 2232 ----a-w- c:\windows\java\Packages\Data\NFBHFPB5.DAT
2009-10-29 13:35 . 2009-10-29 13:35 155995 ----a-w- c:\windows\java\Packages\5Z1BB7HV.ZIP
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\OVFR9BRT.DAT
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\VL7VFD77.DAT
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\O05V3HJN.DAT
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\MFJDBJDZ.DAT
2009-10-29 13:35 . 2009-10-29 13:35 2678 ----a-w- c:\windows\java\Packages\Data\KETFZ37T.DAT
2009-10-29 07:40 . 2008-11-14 11:10 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-04-13 17:13 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-13 17:13 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-13 09:53 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 15:52 . 2009-07-15 14:26 2353992 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
.

------- Sigcheck -------

[-] 2008-11-14 . 3316C8A8EC07A9D4C0BE10310809A9E5 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]
"BitTorrent DNA"="c:\programmi\DNA\btdna.exe" [2009-11-13 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"CloneCDTray"="c:\programmi\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Windows Defender"="c:\programmi\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Adobe Acrobat Speed Launcher"="c:\programmi\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\programmi\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"CARPService"="carpserv.exe" [2001-12-22 4608]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-05-19 4386216]
"AcronisTimounterMonitor"="c:\programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-05-19 961080]
"Servizio Acronis Scheduler2"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2009-05-19 377472]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-01 2054360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\D-Link\Software Bluetooth\BTTray.exe [2005-7-26 577597]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\File comuni\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Programmi\\DNA\\btdna.exe"=
"c:\\Programmi\\BitTorrent\\bittorrent.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/07/2009 15.09.02 64160]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06/01/2009 17.56.57 717296]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [28/07/2009 15.31.22 902592]
R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [06/02/2009 23.26.59 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [06/02/2009 23.26.59 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [01/10/2009 15.06.40 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [01/10/2009 15.07.30 96408]
R2 ekrn;ESET Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [01/10/2009 15.06.52 735960]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programmi\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22.34.37 1028432]
R2 WinDefend;Windows Defender;c:\programmi\Windows Defender\MsMpEng.exe [03/11/2006 19.19.58 13592]
S2 EsetNod32Fix;Nod32 AV;c:\windows\regedit.exe [13/04/2008 18.14.18 151552]
S2 gupdate1c9e38bb56a2f10;Google Update Service (gupdate1c9e38bb56a2f10);c:\programmi\Google\Update\GoogleUpdate.exe [02/06/2009 15.09.10 133104]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [31/08/2001 12.00.00 3584]
S3 DfSdkS;Defragmentation-Service;c:\programmi\Ashampoo\Ashampoo WinOptimizer 2010\DfSdkS.exe [29/12/2009 12.14.14 406016]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [07/11/2009 23.01.40 167808]
.
Contenuto della cartella 'Scheduled Tasks'

2010-01-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programmi\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:10]

2010-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-02 14:08]

2010-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-02 14:08]

2010-01-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmi\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.msn.it/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Aggiungi a PDF esistente - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Aggiungi destinazione link a PDF esistente - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append the content of the link to existing PDF file - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Converti destinazione link in Adobe PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\programmi\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\D-Link\Software Bluetooth\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} - hxxp://aiuto.alice.it/ata/static/installers/WebflowActiveXInstaller_4-1-5.cab
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

AddRemove-{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A} - c:\programmi\McAfee\SiteAdvisor\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 18:59
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86149008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7872f28
\Driver\ACPI -> ACPI.sys @ 0xf76a6cb8
\Driver\atapi -> 0x86149008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
malicious code @ sector 0x94fe9bd size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x094FE9BD !

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1708537768-2146663699-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\programmi\File comuni\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2128)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\File comuni\Acronis\Schedule2\schedul2.exe
c:\programmi\D-Link\Software Bluetooth\bin\btwdins.exe
c:\documents and settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
c:\programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\carpserv.exe
c:\progra~1\ALICET~1\vendors\AliceRE\content\template\driven~1\syncer\MCCITR~1.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\programmi\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Ora fine scansione: 2010-01-11 19:05:46 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-01-11 18:05
ComboFix2.txt 2010-01-10 18:37

Pre-Run: 54.657.368.064 byte disponibili
Post-Run: 54.543.863.808 byte disponibili

- - End Of File - - CCA260BDBD0D877B391F812896D33EB6
r16
Inviato: Monday, January 11, 2010 10:35:45 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
C'è l'MBR da sistemare.

Scarica MBR:EXE direttamente nella Directory C:\ (Devi scaricarlo obligatoriamente in C: )

http://www2.gmer.net/mbr/mbr.exe

Clicca Start

Clicca Esegui...

Digita: cmd

si apre la finestra DOS, digita: CD \
premi invio

digita: mbr -f (fai il Copia-Incolla)
premi invio

Poi digita: exit
premi invio

Riavvia il pc

Posta qui il contenuto del log che troverai in C:\mbr.log
autodidatta
Inviato: Tuesday, January 12, 2010 6:28:23 PM
Rank: AiutAmico

Iscritto dal : 2/20/2005
Posts: 194
Ciao r16, scusa la mia ignoranza ma cosè l'MBR?
Comunque adesso eseguo il tuo passo passo poi ti invio il log
simo95
Inviato: Tuesday, January 12, 2010 6:42:01 PM

Rank: AiutAmico

Iscritto dal : 12/4/2008
Posts: 2,008
autodidatta ha scritto:
Ciao r16, scusa la mia ignoranza ma cosè l'MBR?
Comunque adesso eseguo il tuo passo passo poi ti invio il log


Sta per Master Boot Record.
Cioè, il settore di avvio primario dell'hard disk, dove sono presenti le informazioni necessarie all'avvio del SO, la tabella delle partizioni ecc...
Se un malware si insedia in quel punto (come nel tuo caso) ha la possibilità di avviarsi prima del SO, e così è più difficile da individuare da parte dell'AV.
Ciao
autodidatta
Inviato: Tuesday, January 12, 2010 6:51:58 PM
Rank: AiutAmico

Iscritto dal : 2/20/2005
Posts: 194
Grazie simo
comunque ecco il log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x94fe9bd size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x094FE9BD !

Mi sembra di capire che il tutto abbia avuto successo quantomeno nella prima parte, pero vorrei il vostro giudizio dettagliato se non chiedo molto
Grazie
simo95
Inviato: Tuesday, January 12, 2010 8:07:28 PM

Rank: AiutAmico

Iscritto dal : 12/4/2008
Posts: 2,008
autodidatta ha scritto:
Grazie simo
comunque ecco il log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x94fe9bd size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x094FE9BD !

Mi sembra di capire che il tutto abbia avuto successo quantomeno nella prima parte, pero vorrei il vostro giudizio dettagliato se non chiedo molto

Grazie


Ma hai dato il comando mbr-f ?
autodidatta
Inviato: Tuesday, January 12, 2010 10:10:18 PM
Rank: AiutAmico

Iscritto dal : 2/20/2005
Posts: 194
si ho eseguito tutti i passi che mi hasuggerito r16
Utenti presenti in questo topic
Guest


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.