Aiutamici Forum

HiJackThis check
xpproblema
Posted: Friday, June 11, 2010 12:12:12 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
Hi, I have a ton of problems with XP: it is extremely slow, I have picked up a load of viruses/spyware, strange programs have appeared in Add/Remove Programs in the Control Panel while many legitimate programs (such as AVG) do not show up, and the computer freezes completely many times...
Anyway, I ran a check with HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11.53.38, on 11/06/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Luigi\Dati applicazioni\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmi\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/it/mjss/MJSS.cab109791.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/it/uno1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Programmi\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 9239 bytes

COULD YOU CHECK??
IN AN ONLINE ANALYSIS THIS ENTRY HAS AN "X"
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

THANKS..
shapiro
Posted: Friday, June 11, 2010 1:12:44 PM
Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
hi

there doesn't seem to be anything dangerous in the log

download these programs to the desktop

malwarebytes

combofix

run malwarebytes

1) install it
2) update it
3) run a scan, choosing full mode
4) do NOT delete any threats it finds for now
5) when the scan is finished, select the log tab, open the text file and post it on the forum

disable the antivirus

run ComboFix.exe (do not install the recovery console)
- type 1
- follow the instructions
- when the scan is finished, go to C:\ and copy/paste the contents of the text file Combofix.txt into your next reply
paolopa
Posted: Friday, June 11, 2010 1:45:12 PM
Rank: AiutAmico

Joined: 10/14/2008
Posts: 2,777
@shapiro: hi, sorry, but my eye fell on that F2 ending in sdra64.exe, and if I remember correctly it is nothing good (sdra64.exe, I mean); if I have got it wrong, sorry.
r16
Posted: Friday, June 11, 2010 1:46:53 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
shapiro wrote:
hi
there doesn't seem to be anything dangerous in the log

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Luigi\Dati applicazioni\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,

You think?
Fair enough, the various scans will sort things out.
But saying there is nothing dangerous seems a stretch to me.
xpproblema
Posted: Friday, June 11, 2010 1:49:50 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
Thanks everyone, guys. Running the scan with malwarebytes is a bit difficult: everything already froze once and I had to pull the plug; hopefully I will manage to run it all the way through without it being interrupted..
xpproblema
Posted: Friday, June 11, 2010 1:52:29 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
Looking on the internet, that sdra64.exe is reported as a virus; anyway, I am now re-running the scan!
xpproblema
Posted: Friday, June 11, 2010 3:23:08 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
here is the malwarebytes log (there were more than 50 infected items..)


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versione database: 4188

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/06/2010 15.21.08
mbam-log-2010-06-11 (15-21-08).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi esaminati: 258600
Tempo trascorso: 1 ore, 1 minuti, 16 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 17
Valori di registro infetti: 2
Voci infette nei dati di registro: 1
Cartelle infette: 2
File infetti: 29

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2611ba72-ca20-b5c8-637b-81247c22a589} (Adware.Netweb) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\V71IQL7HI7 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectNet (Adware.AdSpy) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Fci (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ICF (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srosa (Worm.Bagle) -> No action taken.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> No action taken.

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Luigi\Dati applicazioni\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> No action taken.

Cartelle infette:
C:\Programmi\RelevantKnowledge (Spyware.MarketScore) -> No action taken.
C:\Programmi\RelevantKnowledge\components (Spyware.MarketScore) -> No action taken.

File infetti:
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Dati applicazioni\BrightBuy\mcltus40.dll (Adware.LuckyEstimation) -> No action taken.
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Dati applicazioni\BrightBuy\mcltus40.dl_ (Adware.LuckyEstimation) -> No action taken.
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\khvcol.exe (Adware.Agent) -> No action taken.
C:\Documents and Settings\Luigi\Impostazioni locali\Temp\khvcol.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252092.dll (Trojan.Tracur) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252094.exe (Rogue.AVSecuritySuite) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252095.exe (Rogue.AVSecuritySuite) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252096.exe (Rogue.AntimalwareDoctor) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252097.dll (Adware.RelevantKnowledge) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252098.dll (Adware.RelevantKnowledge) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252099.dll (Adware.RelevantKnowledge) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252100.exe (Adware.RelevantKnowledge) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252101.exe (Adware.RelevantKnowledge) -> No action taken.
C:\System Volume Information\_restore{4F8DCD25-E786-4E7B-A620-068FBCBABBDF}\RP400\A0252102.dll (Adware.RelevantKnowledge) -> No action taken.
C:\System Volume Information\_restore{64E7B142-57B4-455A-8B64-9B9187A62354}\RP423\A0268103.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{64E7B142-57B4-455A-8B64-9B9187A62354}\RP432\A0272310.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{64E7B142-57B4-455A-8B64-9B9187A62354}\RP436\A0274364.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{64E7B142-57B4-455A-8B64-9B9187A62354}\RP436\A0275384.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{64E7B142-57B4-455A-8B64-9B9187A62354}\RP437\A0276379.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{64E7B142-57B4-455A-8B64-9B9187A62354}\RP437\A0277817.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{64E7B142-57B4-455A-8B64-9B9187A62354}\RP437\A0278828.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{64E7B142-57B4-455A-8B64-9B9187A62354}\RP438\A0283301.exe (Adware.Agent) -> No action taken.
C:\WINDOWS\system32\sbhryqduvxvit.exe (Adware.Adrotator) -> No action taken.
C:\Programmi\RelevantKnowledge\install.rdf (Spyware.MarketScore) -> No action taken.
C:\Programmi\RelevantKnowledge\MSVCP71.DLL (Spyware.MarketScore) -> No action taken.
C:\Programmi\RelevantKnowledge\MSVCR71.DLL (Spyware.MarketScore) -> No action taken.
C:\Programmi\RelevantKnowledge\rloci.bin (Spyware.MarketScore) -> No action taken.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> No action taken.

KEEP HELPING ME!!
now I'll do the combofix job
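As an added example (not code from this thread, from HijackThis or from Malwarebytes), a small Python checker that applies the two observations made in the posts above: the F2 UserInit line r16 quoted, which the Malwarebytes log then reports as Hijack.UserInit with userinit.exe as the only good value, and the orphan "(no file)" BHO the original poster asked about. It assumes the clean UserInit value of a 32-bit XP install and runs on a constructed sample of log lines.

```python
from typing import Dict, List

# UserInit values accepted as genuine (assumption for this added example): the full
# path of the real userinit.exe on a 32-bit XP install, or the bare "userinit.exe"
# that Malwarebytes reports as the "Good" value in its Hijack.UserInit detection.
GENUINE_USERINIT = {r"c:\windows\system32\userinit.exe", "userinit.exe"}

# Constructed sample: a handful of HijackThis lines modelled on the entries
# discussed in this thread (the F2 line is the one r16 quoted).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Luigi\Dati applicazioni\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Programmi\MAGIX\Common\Database\bin\fbserver.exe (file missing)
"""


def userinit_extras(value: str) -> List[str]:
    """Split a Winlogon UserInit value on commas and return every entry that is
    not the genuine userinit.exe. Winlogon launches each listed program at logon,
    so anything extra here runs before the user's desktop even appears."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in GENUINE_USERINIT]


def analyse_hjt(log_text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and collect the entries worth a second look."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("F2 - ") and "UserInit=" in line:
            # Everything after "UserInit=" is the comma-separated launch list.
            extras = userinit_extras(line.split("UserInit=", 1)[1])
            if extras:
                findings.append({
                    "section": "F2",
                    "severity": "high",
                    "detail": "UserInit launches extra programs at logon: " + "; ".join(extras),
                    "line": line,
                })
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            # Registered browser helper whose DLL no longer exists: an orphan entry.
            findings.append({
                "section": "O2",
                "severity": "info",
                "detail": "BHO registered but its DLL is missing (orphan entry)",
                "line": line,
            })
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            # Registered service whose executable no longer exists: also an orphan.
            findings.append({
                "section": "O23",
                "severity": "info",
                "detail": "service registered but its executable is missing (orphan entry)",
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in analyse_hjt(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['section']}: {f['detail']}")
```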
xpproblema
Posted: Friday, June 11, 2010 4:01:08 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
and here is the combofix log


ComboFix 10-06-10.04 - Luigi 11/06/2010 15.42.36.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.2037.1632 [GMT 2:00]
Eseguito da: c:\documents and settings\Luigi\Documenti\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0057005C-0069-006E-5300-780053005C00}
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\RelevantKnowledge
c:\programmi\RelevantKnowledge\install.rdf
c:\programmi\RelevantKnowledge\MSVCP71.DLL
c:\programmi\RelevantKnowledge\MSVCR71.DLL
c:\programmi\RelevantKnowledge\rloci.bin
c:\windows\exefld
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\unins000.exe
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF
-------\Legacy_SROSA
-------\Service_ICF
-------\Service_srosa


((((((((((((((((((((((((( Files Creati Da 2010-05-11 al 2010-06-11 )))))))))))))))))))))))))))))))))))
.

2010-06-11 11:31 . 2010-06-11 11:31 -------- d-----w- c:\documents and settings\Luigi\Dati applicazioni\Malwarebytes
2010-06-11 11:30 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 11:30 . 2010-06-11 11:30 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-06-11 11:30 . 2010-06-11 11:30 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-06-11 11:30 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 09:31 . 2010-05-06 10:32 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-11 09:18 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-11 09:17 . 2010-06-11 09:17 -------- d-----w- c:\programmi\Panda Security
2010-06-11 09:13 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-11 09:13 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-11 09:13 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-11 09:13 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-11 09:13 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-11 09:13 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-11 09:13 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-11 09:12 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-11 09:12 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-11 09:12 . 2010-06-11 09:12 -------- d-----w- c:\programmi\Alwil Software
2010-06-11 09:12 . 2010-06-11 09:12 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Alwil Software
2010-06-10 16:31 . 2010-06-10 16:31 -------- d-----w- c:\programmi\Microsoft Sync Framework
2010-06-10 16:29 . 2010-06-10 16:29 -------- d-----w- c:\programmi\Microsoft
2010-06-10 15:52 . 2009-11-25 09:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-10 14:39 . 2010-06-10 14:39 -------- d-----w- c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\Microangelo Toolset 6
2010-06-10 14:39 . 2010-06-10 14:39 -------- d-----w- c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\Macromedia
2010-06-10 14:39 . 2010-06-10 14:39 -------- d-----w- c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\IsolatedStorage
2010-06-10 14:39 . 2010-06-10 14:39 -------- d-----w- c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\Identities
2010-06-10 14:39 . 2010-06-10 14:39 -------- d-----w- c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\HP
2010-06-10 14:39 . 2010-06-10 14:39 -------- d-----w- c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\Help
2010-06-07 18:35 . 2010-06-10 12:00 -------- d-----w- c:\documents and settings\Luigi\Impostazioni locali\Dati applicazioni\vortbkl
2010-06-07 18:34 . 2010-06-07 18:34 50981 ----a-w- c:\windows\system32\sbhryqduvxvit.exe
2010-06-07 18:34 . 2010-06-07 18:34 -------- d-----w- c:\programmi\$NtUninstallWTF1012$
2010-06-07 18:33 . 2010-06-07 18:34 -------- d-----w- c:\documents and settings\Luigi\Dati applicazioni\8BCDD3AAC06E20C3BD22DD50F82550A1
2010-05-29 19:14 . 2010-05-29 19:14 3177 ----a-w- c:\windows\mozver.dat
2010-05-23 17:16 . 2010-05-23 17:16 -------- d-----w- c:\documents and settings\Luigi\.android
2010-05-22 15:54 . 2010-05-22 17:40 -------- d-----w- c:\documents and settings\Luigi\Dati applicazioni\Pro Cycling Manager 2007 - Demo
2010-05-22 15:50 . 2010-05-22 15:50 -------- d-----w- c:\programmi\Cyanide
2010-05-17 16:40 . 2010-05-17 16:40 -------- d-----w- c:\programmi\mp3DirectCut
2010-05-17 16:36 . 2010-05-17 16:36 -------- d-----w- C:\video_output

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 13:06 . 2009-03-26 21:26 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Google Updater
2010-06-11 10:30 . 2009-04-22 11:25 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2010-06-11 10:21 . 2004-08-19 12:00 85132 ----a-w- c:\windows\system32\perfc010.dat
2010-06-11 10:21 . 2004-08-19 12:00 492266 ----a-w- c:\windows\system32\perfh010.dat
2010-06-10 21:31 . 2009-10-21 15:50 -------- d-----w- c:\programmi\EasyPHP5.3.0
2010-06-10 20:55 . 2007-03-24 20:45 -------- d-----w- c:\programmi\File comuni\HP
2010-06-10 20:40 . 2010-01-21 14:27 -------- d-----w- c:\programmi\Windows Live Safety Center
2010-06-10 16:31 . 2010-01-14 14:31 -------- d-----w- c:\programmi\Windows Live
2010-06-05 21:02 . 2009-11-06 16:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-05 19:02 . 2009-12-19 13:22 -------- d-----w- c:\programmi\FreeTime
2010-06-05 13:51 . 2009-11-16 19:38 -------- d-----w- c:\programmi\Microsoft Silverlight
2010-05-31 12:37 . 2010-02-07 16:43 -------- d-----w- c:\programmi\NoteWorthy Composer
2010-05-17 16:34 . 2009-03-18 18:17 -------- d-----w- c:\documents and settings\Luigi\Dati applicazioni\GetRightToGo
2010-05-07 17:52 . 2006-08-25 18:23 -------- d-----w- c:\programmi\Google
2010-05-06 10:32 . 2004-08-19 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:06 . 2004-08-19 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 18:47 . 2005-11-21 12:36 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-04-28 18:45 . 2010-04-28 18:41 -------- d-----w- c:\documents and settings\Luigi\Dati applicazioni\Audacity
2010-04-28 18:28 . 2010-04-28 18:28 -------- d-----w- c:\programmi\File comuni\DVDVideoSoft
2010-04-28 18:28 . 2010-04-28 18:28 -------- d-----w- c:\programmi\DVDVideoSoft
2010-04-20 05:30 . 2004-08-19 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-18 16:38 . 2010-04-18 15:25 -------- d-----w- c:\programmi\Notation
2010-04-18 15:17 . 2010-04-18 15:17 -------- d-----w- c:\documents and settings\Luigi\Dati applicazioni\MusE
2010-04-16 20:12 . 2010-04-16 20:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-06 18:30 . 2010-06-10 14:38 103752 ----a-w- c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-04-06 18:30 . 2005-11-23 14:09 103752 ----a-w- c:\documents and settings\Luigi\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-04-02 15:10 . 2009-03-13 17:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-02 15:10 . 2010-04-02 15:10 152576 ----a-w- c:\documents and settings\Luigi\Dati applicazioni\Sun\Java\jre1.6.0_16\lzma.dll
2010-03-14 14:38 . 2010-02-21 12:53 540 ---ha-w- C:\os501435.bin
2004-03-11 12:27 . 2005-11-21 13:16 40960 ----a-w- c:\programmi\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\programmi\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 1871872]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2010-04-02 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\HelpAssistant\Menu Avvio\Programmi\Esecuzione automatica\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\programmi\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\Luigi\Menu Avvio\Programmi\Esecuzione automatica\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\programmi\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
WinZip Quick Pick.lnk - c:\programmi\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^EPSON Status Monitor 3 Environment Check 2.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\EPSON Status Monitor 3 Environment Check 2.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-10 17:27 136176 ----atw- c:\documents and settings\Luigi\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3130:TCP"= 3130:TCP:Services
"4760:TCP"= 4760:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6757:TCP"= 6757:TCP:Services
"6758:TCP"= 6758:TCP:Services

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/06/2010 11.18.24 28552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/06/2010 11.13.44 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/06/2010 11.13.45 19024]
S3 {F2AFBF83-1FF8-4D1A-972AEEFC33F0B0B6};{F2AFBF83-1FF8-4D1A-972AEEFC33F0B0B6};\??\c:\windows\TEMP\18B.tmp --> c:\windows\TEMP\18B.tmp [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programmi\MAGIX\Common\Database\bin\fbserver.exe --> c:\programmi\MAGIX\Common\Database\bin\fbserver.exe [?]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [27/06/2006 20.33.50 39048]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/06/2010 13.30.41 38224]
S3 UPnPService;UPnPService;c:\programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe [15/02/2007 22.53.58 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contenuto della cartella 'Scheduled Tasks'

2010-06-11 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-20 12:18]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1979792683-725345543-1004Core.job
- c:\documents and settings\Luigi\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-06-10 17:27]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1979792683-725345543-1004UA.job
- c:\documents and settings\Luigi\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-06-10 17:27]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Notify-AtiExtEvent - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 15:51
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8991778A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> ntkrnlpa.exe @ 0x80586e11
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x8997d8a0
PacketIndicateHandler -> NDIS.sys @ 0xb9e50a21
SendHandler -> NDIS.sys @ 0xb9e2e87b
copy of MBR has been found in sector 0x098A7FEC
malicious code @ sector 0x098A7FEF !
PE file found in sector at 0x098A8005 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{F2AFBF83-1FF8-4D1A-972AEEFC33F0B0B6}]
"ImagePath"="\??\c:\windows\TEMP\18B.tmp"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1123561945-1979792683-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1123561945-1979792683-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05C0C8D3-6C60-76D2-3CD5-73FE41BA2C09}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oappkbkogpgodacjgmcpebdghpkfho"=hex:64,61,6d,62,64,6b,6b,67,00,85
"oalabhcdohdmcfekapmmcijakpcmgk"=hex:6a,61,70,62,65,6a,6e,6a,65,6c,68,6d,65,6d,
6d,6b,63,67,63,64,00,02
"nabbdglchlaccopkdgkmmbdkdgbl"=hex:6a,61,70,62,65,6a,6e,6a,65,6c,68,6d,65,6d,
6d,6b,63,67,63,64,00,02

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140710900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(2832)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WgaTray.exe
c:\programmi\File comuni\EPSON\EBAPI\SAgent2.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Ora fine scansione: 2010-06-11 15:59:26 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-06-11 13:59

Pre-Run: 11.368.353.792 byte disponibili
Post-Run: 11.536.883.712 byte disponibili

WindowsXP-KB310994-SP2-Home-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\wubildr.mbr = "Ubuntu"

- - End Of File - - 942E59A20D2CE95B44A8E184EADFB506
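A small log triage script for the ComboFix and mbr.exe output above, added here as an example and not part of the thread or of either tool: it scans a constructed excerpt of the quoted lines and flags the three things a responder would pick out by hand (globally open high ports carrying only the generic "Services" label, a service whose image path sits under \windows\TEMP, and the MBR detector's verdict). The regexes and the flagging thresholds are assumptions about the log layout as seen on this page, not documented ComboFix syntax.

```python
import re

# Constructed excerpt that mirrors the ComboFix and mbr.exe lines quoted in the
# thread: a GloballyOpenPorts list, two service entries and the MBR detector verdict.
SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6757:TCP"= 6757:TCP:Services

S3 {F2AFBF83-1FF8-4D1A-972AEEFC33F0B0B6};{F2AFBF83-1FF8-4D1A-972AEEFC33F0B0B6};\??\c:\windows\TEMP\18B.tmp --> c:\windows\TEMP\18B.tmp [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [27/06/2006 20.33.50 39048]

copy of MBR has been found in sector 0x098A7FEC
malicious code @ sector 0x098A7FEF !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# "<port>:<proto>"= <port>:<proto>:<description>  (assumed shape of a firewall exception line)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# <state> <name>;<display name>;<image path ...>  (assumed shape of a service/driver line)
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')


def triage(log_text):
    """Return (kind, detail) findings a responder would pick out of the log by hand."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port, proto, desc = m.groups()
            # Named Windows exceptions ("Remote Desktop") are expected; a high port
            # opened globally with the generic label "Services" is not a known default.
            if desc.strip() == "Services" and int(port) > 1024:
                findings.append(("open_port", f"{port}/{proto}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, _display, path = m.groups()
            # A service whose image lives under a Temp directory is almost never legitimate.
            if re.search(r"\\temp\\", path, re.IGNORECASE):
                findings.append(("temp_service", name))
            continue
        if line.startswith("malicious code @ sector"):
            findings.append(("mbr_code", line.split()[-2]))
        elif line.startswith("MBR rootkit infection detected"):
            findings.append(("mbr_rootkit", "mbr.exe"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:13s} {detail}")
```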
shapiro
Posted: Friday, June 11, 2010 4:12:58 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
rerun malwarebytes and remove everything it found

Disable System Restore
right-click the My Computer icon
select Properties
open the System Restore tab
tick Turn off System Restore
confirm the change with Apply and then OK


restart the pc

turn it back on and create a new restore point



download MBR.EXE to C:\

GO INTO SAFE MODE

From Start - Run - type C:\mbr.exe and click OK

Post the log that you'll find in C:\ as mbr.log


also do this check


start\run, type control userpasswords in the white box and hit ok

tell me which users you see
xpproblema
Posted: Friday, June 11, 2010 4:44:01 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
ok thanks, I'll run the scan again now
xpproblema
Posted: Friday, June 11, 2010 6:03:04 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
ran the scan again, it only finds 26 infected items, before there were about fifty, a mystery..
shapiro
Posted: Friday, June 11, 2010 6:15:42 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
could you please carry out the steps I listed in my last post?
xpproblema
Posted: Friday, June 11, 2010 6:21:08 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
done what you told me, so:

log from c:\mbr.exe:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x098A7FEC
malicious code @ sector 0x098A7FEF !
PE file found in sector at 0x098A8005 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

start\run, type control userpasswords in the white box and hit ok

tell me which users you see:

I see my user: "luigi" and one I've never seen: "guest" with the description underneath: guest account not enabled
shapiro
Posted: Friday, June 11, 2010 6:45:48 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
still from safe mode start => run => type: c:\mbr.exe -f
careful!: there's a space before -f (copy and paste it)

post the new log that gets created, you'll find it in c:\mbr.log



enable showing hidden files (open any folder, go to Tools--> Folder Options--> View and tick Show hidden files and folders)

follow the path and delete the folders marked in red


c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\Microangelo Toolset 6

c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\Macromedia

c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\IsolatedStorage

c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\Identities

c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\HP

c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\Help

c:\documents and settings\HelpAssistant\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT



From the Control Panel go to Administrative Tools and open Computer Management

Expand (click using the + sign) the Local Users and Groups view

Click once on the Users folder - on the right of the page you should find HelpAssistant.
Right-click the HelpAssistant account.
click: Properties.


In the Properties dialog tick the option: Account is disabled.
Then click Properties again, click the tab at the top: "Member Of" and if Administrators appears in the box, select it and press the "Remove" button:


finish these operations, afterwards we'll have to remove more

then you'll tell me what you downloaded, there's everything in there, even the bagle worm
xpproblema
Posted: Friday, June 11, 2010 6:48:49 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
great, doing it now
xpproblema
Posted: Friday, June 11, 2010 6:57:53 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
still from safe mode start => run => type: c:\mbr.exe -f
careful!: there's a space before -f (copy and paste it)

post the new log that gets created, you'll find it in c:\mbr.log

here it is

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x098A7FEC
malicious code @ sector 0x098A7FEF !
PE file found in sector at 0x098A8005 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

now I'll do the rest

xpproblema
Posted: Friday, June 11, 2010 7:05:03 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
sorry, once Computer Management is open I can expand "System Tools", "Storage" or "Services and Applications", I can't find Local Users and Groups, and then "users"
shapiro
Posted: Friday, June 11, 2010 7:09:03 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
operating system?

xp or xp home?
xpproblema
Posted: Friday, June 11, 2010 7:09:45 PM
Rank: AiutAmico

Joined: 6/11/2010
Posts: 119
xp home edition