Aiutamici Forum

Possibly a Master Boot Record "rootkit"
shapiro
Posted: Monday, August 15, 2011 12:17:50 AM

pittina, mine may be a forced check, but I'd like you to analyse this file on VirusTotal; the path looks a bit odd to me

C:\Documents and Settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\ObjectDock.exe
pittina
Posted: Monday, August 15, 2011 6:14:20 PM
In the path you gave me I find a .dll:
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\Docklets\Search\SearchDocklet.dll
I ran ESET NOD32 over the whole App folder and it doesn't report any infection.
What would VirusTotal be?
tamagon
Posted: Monday, August 15, 2011 6:18:26 PM
shapiro
Posted: Monday, August 15, 2011 6:21:47 PM


pittina, you need to check this file in red for me:

C:\Documents and Settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\ObjectDock.exe
pittina
Posted: Monday, August 15, 2011 6:39:06 PM
Sorry, I saw that VirusTotal is an online scan. I ran it but I can't save the result to post it. I copied the page once the scan had finished:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this URL is benign. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this URL is malicious.
Submission date:
2011-08-15 16:04:04 (UTC)
Current status:
finished
Antivirus report:
Not available
Webscan result:
1 /16 (6.2%)

VT Community

not reviewed
Safety score: -
URL analysis tool Result
Avira Clean site
BitDefender Clean site
Dr.Web Error
Firefox Clean site
G-Data Clean site
Google Safebrowsing Clean site
Malc0de Database Clean site
MalwareDomainList Malware site
Opera Clean site
ParetoLogic Clean site
Phishtank Clean site
TrendMicro Clean site
Websense ThreatSeeker Unrated site
Wepawet Unrated site
Additional information
Normalized URL: http://pittia@none/
URL MD5: dc599bac70856a6b866bed68ecdaae7f
Content-Type: text/plain

VT Community

This URL has never been reviewed by any VT Community member. Be the first one to comment on it!
shapiro
Posted: Monday, August 15, 2011 8:35:19 PM


It wasn't checked by all the antivirus engines.

For the error, go back into Event Viewer, select them one at a time, go to Action / Clear all events / OK. Do the same with the other two.

Once that's done, close it and go back to using the PC; as soon as you see the problem, go back into the viewer and copy the entry corresponding to the time of the error itself.

Use the Windows clock as your reference.
pittina
Posted: Monday, August 15, 2011 9:20:13 PM
Which error are you referring to, the one "The 16-bit Windows subsystem NTVDM has encountered a system error etc. etc."? I've reached the point where I now print normally. I get the error with that message if I run the printer driver setup; for now it only shows up on that occasion.
shapiro
Posted: Monday, August 15, 2011 9:33:20 PM
Quote:
I get the error with that message if I run the printer driver setup; for now it only shows up on that occasion.


If everything is fine then we can close... what do you say? There's one more check I'd like to do, given that you've had a mix of infections.
pittina
Posted: Monday, August 15, 2011 9:42:40 PM
If I'm not taking up too much of your time, let's do it.......
shapiro
Posted: Monday, August 15, 2011 9:44:46 PM


We're already in the thick of it...

Disable your antivirus and stay connected only to aiutamici.


Download ComboFix to the desktop.

When asked whether you want to install the Recovery Console, click NO.

Run ComboFix.exe.

Follow the instructions.

When the scan has finished, go to C:\ and copy/paste, in your next reply, the contents of the text file Combofix.txt.

how to use ComboFix correctly
pittina
Posted: Monday, August 15, 2011 10:07:26 PM
ComboFix 11-08-15.07 - Administrator 15/08/2011 19.57.12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.337 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ADMINI~1\IMPOST~1\Temp\7zS2.tmp\App\DockShellHook.dll
c:\documents and settings\Administrator\Dati applicazioni\OfferBox
c:\documents and settings\Administrator\Dati applicazioni\OfferBox\config.xml
c:\documents and settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\DockShellHook.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbHElper.dll
c:\programmi\filesubmit
C:\Thumbs.db
c:\windows\system32\dvuqrlupourgp.dll
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Creati Da 2011-07-15 al 2011-08-15 )))))))))))))))))))))))))))))))))))
.
.
2011-08-14 20:51 . 2011-08-14 20:51 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\NeoSmart_Technologies
2011-08-14 20:46 . 2011-08-15 09:31 -------- d-----w- c:\programmi\NeoSmart Technologies
2011-08-14 18:02 . 2011-08-14 18:02 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2011-08-14 18:01 . 2011-07-06 17:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-14 18:01 . 2011-08-14 18:01 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2011-08-14 18:01 . 2011-07-06 17:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-14 18:01 . 2011-08-14 18:53 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-08-14 17:15 . 2011-08-14 19:55 -------- d-----w- c:\programmi\HJ
2011-08-14 17:02 . 2011-08-14 17:02 89088 ----a-w- C:\mbr.exe
2011-08-10 06:58 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 06:58 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-10 06:52 . 2011-08-10 06:52 -------- d-----w- c:\programmi\CCleaner
2011-08-10 06:51 . 2011-08-10 06:51 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Soulseek
2011-08-09 05:00 . 2011-08-09 05:00 -------- d-----w- c:\programmi\EPSON
2011-08-08 21:01 . 2011-08-10 07:00 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Adobe
2011-08-08 16:18 . 2007-08-31 16:36 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2011-08-08 16:18 . 2003-01-26 11:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2011-08-08 14:22 . 2011-08-10 06:51 -------- d-----w- c:\programmi\SoulseekNS
2011-08-08 11:58 . 2011-08-09 18:15 -------- d-----w- c:\programmi\Innovative Solutions
2011-08-08 11:54 . 2011-08-08 11:54 -------- d-----w- C:\drivex max pro
2011-08-08 10:58 . 2011-08-08 11:00 -------- d-----w- C:\drivermax.pro.5.7
2011-08-08 08:02 . 2011-08-08 08:02 -------- d-----w- C:\spoolerlogs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-03 21:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-31 15:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-08-13 19:02 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-22 14:14 . 2011-07-03 16:01 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2011-06-22 14:13 . 2011-07-03 16:01 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-06-21 18:18 . 2004-08-19 13:39 669696 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2004-08-19 13:39 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2004-08-03 20:59 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 18:17 . 2004-08-19 13:26 371200 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-19 13:39 293888 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 15:34 . 2011-05-20 14:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-06 11:35 . 2004-08-19 13:31 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{90d46c30-9f25-4104-aea9-35c3f84477ff}"= "c:\programmi\mipony-plugin\tbmip1.dll" [2011-02-22 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
2011-02-22 18:08 3911776 ----a-w- c:\programmi\mipony-plugin\tbmip1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{90d46c30-9f25-4104-aea9-35c3f84477ff}"= "c:\programmi\mipony-plugin\tbmip1.dll" [2011-02-22 3911776]
"{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}"= "c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.dll" [2010-06-18 2604032]
.
[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
.
[HKEY_CLASSES_ROOT\clsid\{c86ff9fa-aeed-451b-a9cc-39a53173ae2e}]
[HKEY_CLASSES_ROOT\TBSB07458.TBSB07458.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07458.TBSB07458]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{90D46C30-9F25-4104-AEA9-35C3F84477FF}"= "c:\programmi\mipony-plugin\tbmip1.dll" [2011-02-22 3911776]
"{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}"= "c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.dll" [2010-06-18 2604032]
.
[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
.
[HKEY_CLASSES_ROOT\clsid\{c86ff9fa-aeed-451b-a9cc-39a53173ae2e}]
[HKEY_CLASSES_ROOT\TBSB07458.TBSB07458.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB07458.TBSB07458]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-08-12 21741864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-04-07 1106297]
"AcronisTimounterMonitor"="c:\programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-04-07 1827640]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2006-04-07 126976]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2011-04-08 254696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Stardock ObjectDock.lnk - d:\documents and settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\ObjectDock.exe [2008-10-4 3450608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 20:16 39792 ----a-w- c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 20:11 3872080 ----a-w- c:\programmi\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-10-17 22:42 404200 ----a-w- c:\programmi\Sandboxie\SbieCtrl.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Opera\\opera.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 14.23.18 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [06/02/2009 14.24.24 93336]
R2 ekrn;ESET Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [06/02/2009 14.23.36 727720]
R3 PAC207;Trust WB-1200p Mini Webcam;c:\windows\system32\drivers\pfc027.sys [24/02/2005 12.29.14 162176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13.16.28 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [14/08/2011 20.01.34 41272]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\system32\drivers\VBoxTAP.sys [09/11/2008 18.38.54 47184]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13.16.28 753504]
S3 xcpip;Driver protocollo TCP/IP;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;Driver IPSEC;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://it.yahoo.com/
uInternet Settings,ProxyServer = proxy.asf.it:8080
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/su/*http://it.yahoo.com
IE: Scarica con Mipony - file://c:\programmi\MiPony\Browser\IEContext.htm
IE: {{C86FF9FA-AEED-451B-A9CC-39A53173AE2E} - {C86FF9FA-AEED-451B-A9CC-39A53173AE2E} - c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.dll
TCP: DhcpNameServer = 192.168.0.1
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
MSConfigStartUp-ASuite - c:\documents and settings\Administrator\Desktop\Lupo PenSuite v6.64 Full\Launcher\ASuite.exe
MSConfigStartUp-SmartDefrag - c:\programmi\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
MSConfigStartUp-SmartRAM - c:\programmi\IObit\Advanced WindowsCare V2\MemCleaner.exe
AddRemove-conduitEngine - c:\programmi\ConduitEngine\ConduitEngineUninstall.exe
AddRemove-MiniTool Power Data Recovery_is1 - i:\powerdatarecovery\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-15 20:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'explorer.exe'(2812)
d:\documents and settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\DockShellHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Sandboxie\SbieSvc.exe
c:\programmi\File comuni\Acronis\Schedule2\schedul2.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\PAStiSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2011-08-15 20:05:03 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2011-08-15 18:05
.
Pre-Run: 35.676.700.672 byte disponibili
Post-Run: 35.688.685.568 byte disponibili
.
- - End Of File - - 5471FC8455C4D5A50CE35BC59B115466
shapiro
Posted: Monday, August 15, 2011 10:25:14 PM


pittina, give me a bit of time, my eyes are burning

If you don't see my reply by this evening, have a look tomorrow morning.
pittina
Posted: Monday, August 15, 2011 10:28:23 PM
Yes yes Shapiro, I'll check again tomorrow morning, you've already helped me a huge amount.....good night
shapiro
Posted: Tuesday, August 16, 2011 10:06:35 AM
So pittina, for now I've found this; let's see whether afterwards we have anything else to remove.


Open Windows Notepad and copy and paste this script (don't copy "Code:", only what's in the white space):


Code:
File::
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.dll
d:\documents and settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\DockShellHook.dll

Folder::
c:\programmi\AIMP Portable 2.51 Build 328

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-

Driver::
xcpip
xpsec




Save the file in the same location as combofix.exe and call it CFScript.txt.
Now drag the CFScript.txt file onto combofix.exe.
Reboot the PC if the program asks you to.
Reboot and post the contents of the file C:\ComboFix.txt.
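The items shapiro pulled out of the first log can be extracted mechanically: two services (xcpip, xpsec) whose display names claim to be the TCP/IP and IPSEC protocol drivers (on XP those are tcpip.sys and ipsec.sys) but whose binaries are gone ("[?]"), the Windows Firewall switched off ("EnableFirewall"= 0) together with three globally open TCP ports, and a hook DLL loaded into explorer.exe from an extracted Temp\7zS2.tmp directory. The Python script below is an added example written for this thread; it is not part of the forum posts and not ComboFix's own code. It parses a constructed excerpt of the first log posted above, reports those indicators, renders them in the CFScript layout shapiro used, and flags section headers ComboFix would not recognise (the directive names it accepts are an assumed subset: the four used in the script above plus Collect::, KillAll::, DirLook:: and FileLook::). Like shapiro's script it drops every globally open port, including 3389 (Remote Desktop), so review that entry before running it if RDP is actually wanted.

```python
"""Pull the indicators worth acting on out of a ComboFix log and render them as
CFScript sections.  Added example for this thread; not ComboFix's own code."""
import re

# Constructed excerpt: the relevant lines of the first ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 14.23.18 106208]
R2 ekrn;ESET Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [06/02/2009 14.23.36 727720]
S3 xcpip;Driver protocollo TCP/IP;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;Driver IPSEC;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
.
- - - - - - - > 'explorer.exe'(2812)
d:\documents and settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\DockShellHook.dll
c:\windows\system32\WPDShServiceObj.dll
"""

# "R1 name;display;path [date size]" or "... path --> path [?]" when the file is gone.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# '"3389:TCP"= 3389:TCP:Remote Desktop' under the GloballyOpenPorts\List key.
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
# A bare path line (module list) under a Temp directory or an extracted *.tmp folder.
TEMP_PATH_RE = re.compile(r"^[a-z]:\\.*(\\temp\\|\.tmp\\)", re.IGNORECASE)
PORTS_KEY = "globallyopenports"
PORTS_KEY_FULL = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"
# CFScript directives this checker accepts (assumed subset; ComboFix knows more).
KNOWN_SECTIONS = {"File::", "Folder::", "Registry::", "Driver::",
                  "Collect::", "KillAll::", "DirLook::", "FileLook::"}


def triage_log(text):
    """Return firewall state, globally open ports, services whose binary is
    missing ('[?]') and modules loaded from Temp/.tmp paths."""
    findings = {"firewall_enabled": None, "open_ports": [],
                "missing_binary_services": [], "temp_modules": []}
    in_ports_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses a lone '.' as a separator
            continue
        if line.startswith("["):             # registry key header: is it the ports list?
            in_ports_key = PORTS_KEY in line.lower()
            continue
        m = FIREWALL_RE.match(line)
        if m:
            findings["firewall_enabled"] = m.group("value") != "0"
            continue
        m = PORT_RE.match(line) if in_ports_key else None
        if m:
            findings["open_ports"].append({"port": int(m.group("port")),
                                           "proto": m.group("proto"),
                                           "label": m.group("label").strip()})
            continue
        m = SERVICE_RE.match(line)
        if m:
            # xcpip/xpsec claim to be the TCP/IP and IPSEC drivers (really tcpip.sys and
            # ipsec.sys on XP) and their files are gone: orphaned look-alike services.
            if m.group("rest").rstrip().endswith("[?]"):
                path = m.group("rest").split(" -->")[0].strip()
                findings["missing_binary_services"].append(
                    {"name": m.group("name"), "display": m.group("display"), "path": path})
            continue
        if TEMP_PATH_RE.match(line):
            findings["temp_modules"].append(line)
    return findings


def build_cfscript(findings):
    """Render the findings in the CFScript layout used in the thread.  Every globally
    open port is dropped, as shapiro's script did; keep 3389 if RDP is really wanted."""
    out = []
    if findings["open_ports"]:
        out += ["Registry::", PORTS_KEY_FULL]
        out += ['"%d:%s"=-' % (p["port"], p["proto"]) for p in findings["open_ports"]]
        out.append("")
    if findings["missing_binary_services"]:
        out += ["Driver::"] + [s["name"] for s in findings["missing_binary_services"]] + [""]
    if findings["temp_modules"]:
        out += ["File::"] + findings["temp_modules"] + [""]
    return "\n".join(out).rstrip() + "\n"


def unknown_sections(script):
    """Section headers ComboFix would not recognise (catches typos such as 'Redistry::')."""
    return [l.strip() for l in script.splitlines()
            if l.strip().endswith("::") and l.strip() not in KNOWN_SECTIONS]


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    print("firewall enabled:", found["firewall_enabled"])
    for s in found["missing_binary_services"]:
        print("orphaned service:", s["name"], "-", s["display"], "-", s["path"])
    print(build_cfscript(found))
    print("unknown headers:", unknown_sections("Redistry::\n"))
```

Run it as-is to see the generated sections; to use it on a real log, pass the file contents to triage_log and check unknown_sections on any script before dragging it onto ComboFix, since a misspelt header is silently ignored rather than executed.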
pittina
Posted: Tuesday, August 16, 2011 6:07:04 PM
Does my little AIMP program have to go? :-( :-(
Here's the new txt


ComboFix 11-08-15.07 - Administrator 16/08/2011 15.48.38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.282 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Creato nuovo punto di ripristino
.
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
FILE ::
"c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.dll"
"d:\documents and settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\DockShellHook.dll"
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programmi\AIMP Portable 2.51 Build 328
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\acdc.jpg
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\amazon.html
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\arrow_refresh.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\basis.xml
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\busca.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\busca_mp3.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\buscaaaaa.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\Buscamp3 16-x-16.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\buscamp3.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\buscamp3.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\buscarmp3.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\cabezones.jpg
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\cog.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\computer_delete.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\Copia de busca_icon.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\facebook.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\favicon-2.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\favicon-3.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\favicon 1.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\favicon.bak
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\favicon.ico
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\favicon.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\fondo blanco.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\gf_icon3.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\goofull_search.jpg
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\goonews.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\goonews_ema.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\goonews_icon.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\goonews2.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\gooo.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\gooofull.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\gooofullsearch.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\gooofullsearch2.jpg
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\goooNEWS.jpg
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\goooNEWS.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\gsearch.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\gsearch_ema.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\gsearch_icon.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\gsearch2.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\icons.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\icons.bmp_16.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\icons.bmp_24.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\icons.bmp_32.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\include.xml
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\info.txt
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\jewelpic.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\jewelpic.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\logo-diane.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\Logo 16px.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\logobuscamp3.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\mp3.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\PlayerPlug.cfg
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\PlayerPlug.exe
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\PropMgrAsync.cfg
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\PropMgrAsync.exe
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\prueba2.html
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\prueba3.html
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\radio.css
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\radio.html
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\radio_01.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\radio_02.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\radio_03.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\radio_1.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\radio_modelo.html
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\radio_on_01.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\radio_on_02.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\rn.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\roon.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\Roonic-tool-bar.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\roonic.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\roonic_2.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\rooniccccc11.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\rooniiic.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\rooniiic222.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\roonn.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\Search radio.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\split.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\split_on.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\spliton.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\splitw.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\splitw_on.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\splitwon.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\stations.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\stations.js
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\stations.xml
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\TbCommonUtils.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.inf
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\TbHelper2.exe
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbs_include_script_001287.js
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbs_include_script_008535.js
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbs_include_script_009599.js
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\testdevelocidad.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\testdevelocidad.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\toolbar.dll
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\uninstall.exe
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\update.exe
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\version.txt
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\vol.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\volbg.gif
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\widget.js
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\windows7.bmp
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\windows7.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\ws_30.png
c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\your_logo.png
c:\windows\XSxS
d:\documents and settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\DockShellHook.dll
.
.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_xcpip
-------\Service_xpsec
.
.
((((((((((((((((((((((((( Files Creati Da 2011-07-16 al 2011-08-16 )))))))))))))))))))))))))))))))))))
.
.
2011-08-14 20:51 . 2011-08-14 20:51 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\NeoSmart_Technologies
2011-08-14 20:46 . 2011-08-15 09:31 -------- d-----w- c:\programmi\NeoSmart Technologies
2011-08-14 18:02 . 2011-08-14 18:02 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2011-08-14 18:01 . 2011-07-06 17:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-14 18:01 . 2011-08-14 18:01 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2011-08-14 18:01 . 2011-07-06 17:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-14 18:01 . 2011-08-14 18:53 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-08-14 17:15 . 2011-08-14 19:55 -------- d-----w- c:\programmi\HJ
2011-08-14 17:02 . 2011-08-14 17:02 89088 ----a-w- C:\mbr.exe
2011-08-10 06:58 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 06:58 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-10 06:52 . 2011-08-10 06:52 -------- d-----w- c:\programmi\CCleaner
2011-08-10 06:51 . 2011-08-10 06:51 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Soulseek
2011-08-09 05:00 . 2011-08-09 05:00 -------- d-----w- c:\programmi\EPSON
2011-08-08 21:01 . 2011-08-10 07:00 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Adobe
2011-08-08 16:18 . 2007-08-31 16:36 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2011-08-08 16:18 . 2003-01-26 11:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2011-08-08 14:22 . 2011-08-10 06:51 -------- d-----w- c:\programmi\SoulseekNS
2011-08-08 11:58 . 2011-08-09 18:15 -------- d-----w- c:\programmi\Innovative Solutions
2011-08-08 11:54 . 2011-08-08 11:54 -------- d-----w- C:\drivex max pro
2011-08-08 10:58 . 2011-08-08 11:00 -------- d-----w- C:\drivermax.pro.5.7
2011-08-08 08:02 . 2011-08-08 08:02 -------- d-----w- C:\spoolerlogs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-03 21:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-31 15:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-08-13 19:02 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-22 14:14 . 2011-07-03 16:01 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2011-06-22 14:13 . 2011-07-03 16:01 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-06-21 18:18 . 2004-08-19 13:39 669696 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2004-08-19 13:39 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2004-08-03 20:59 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 18:17 . 2004-08-19 13:26 371200 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-19 13:39 293888 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 15:34 . 2011-05-20 14:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-06 11:35 . 2004-08-19 13:31 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-15_18.02.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-16 15:55 . 2011-08-16 15:55 16384 c:\windows\Temp\Perflib_Perfdata_dec.dat
+ 2011-08-16 13:54 . 2011-08-16 13:54 16384 c:\windows\Temp\Perflib_Perfdata_78c.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{90d46c30-9f25-4104-aea9-35c3f84477ff}"= "c:\programmi\mipony-plugin\tbmip1.dll" [2011-02-22 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
2011-02-22 18:08 3911776 ----a-w- c:\programmi\mipony-plugin\tbmip1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{90d46c30-9f25-4104-aea9-35c3f84477ff}"= "c:\programmi\mipony-plugin\tbmip1.dll" [2011-02-22 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{90D46C30-9F25-4104-AEA9-35C3F84477FF}"= "c:\programmi\mipony-plugin\tbmip1.dll" [2011-02-22 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-08-12 21741864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-04-07 1106297]
"AcronisTimounterMonitor"="c:\programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-04-07 1827640]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2006-04-07 126976]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2011-04-08 254696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Stardock ObjectDock.lnk - d:\documents and settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\ObjectDock.exe [2008-10-4 3450608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 20:16 39792 ----a-w- c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 20:11 3872080 ----a-w- c:\programmi\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-10-17 22:42 404200 ----a-w- c:\programmi\Sandboxie\SbieCtrl.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Opera\\opera.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 14.23.18 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [06/02/2009 14.24.24 93336]
R2 ekrn;ESET Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [06/02/2009 14.23.36 727720]
R3 PAC207;Trust WB-1200p Mini Webcam;c:\windows\system32\drivers\pfc027.sys [24/02/2005 12.29.14 162176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13.16.28 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [14/08/2011 20.01.34 41272]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\system32\drivers\VBoxTAP.sys [09/11/2008 18.38.54 47184]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13.16.28 753504]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://it.yahoo.com/
uInternet Settings,ProxyServer = proxy.asf.it:8080
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/su/*http://it.yahoo.com
IE: Scarica con Mipony - file://c:\programmi\MiPony\Browser\IEContext.htm
IE: {{C86FF9FA-AEED-451B-A9CC-39A53173AE2E} - {C86FF9FA-AEED-451B-A9CC-39A53173AE2E} - c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.dll
TCP: DhcpNameServer = 192.168.0.1
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
Toolbar-{C86FF9FA-AEED-451B-A9CC-39A53173AE2E} - c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.dll
WebBrowser-{C86FF9FA-AEED-451B-A9CC-39A53173AE2E} - c:\programmi\AIMP Portable 2.51 Build 328\mybarnsm987.tmp\tbcore3.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-16 17:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'explorer.exe'(2704)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Sandboxie\SbieSvc.exe
c:\programmi\File comuni\Acronis\Schedule2\schedul2.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\PAStiSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Ora fine scansione: 2011-08-16 17:57:15 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2011-08-16 15:57
ComboFix2.txt 2011-08-15 18:05
.
Pre-Run: 35.641.266.176 byte disponibili
Post-Run: 35.596.275.712 byte disponibili
.
- - End Of File - - 9332CFB488117FBCFAC1A07146A1B257
shapiro
Posted: Tuesday, August 16, 2011 6:16:47 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164


give me time to check it pittina, there are some failed deletions
shapiro
Posted: Tuesday, August 16, 2011 6:41:13 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164

copy and paste this into Notepad and save it on the desktop as CFScript.txt

Code:
KillAll::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-


drag the CFScript.txt file onto the combofix icon and wait for the scan to finish

post the new log
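One way to automate the check shapiro did by eye, as an added example that is not ComboFix's or the forum's own code: it parses the firewall policy block that ComboFix prints under "Punti Reg Caricati", flags a disabled firewall and any globally open port that is not on an allowlist, and emits a CFScript `Registry::` block in the same `"port:proto"=-` form used in the post above. The allowlist, the function names and the `FirewallFindings` structure are assumptions of this example; the sample input is an excerpt of the log posted earlier in this thread.

```python
"""Triage of the Windows Firewall section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Registry keys exactly as ComboFix prints them in the log above.
FIREWALL_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"
PORTS_KEY = FIREWALL_KEY[:-1] + r"\GloballyOpenPorts\List]"

# Constructed excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
"""

# '"3389:TCP"= 3389:TCP:Remote Desktop' -> ("3389:TCP", "Remote Desktop")
PORT_LINE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(.*)$')
ENABLE_LINE = re.compile(r'^"EnableFirewall"=\s*(\d+)')


@dataclass
class FirewallFindings:
    """Assumed result structure; None means the key was not in the log."""
    firewall_enabled: Optional[bool] = None
    open_ports: Dict[str, str] = field(default_factory=dict)   # "port:proto" -> label
    unexpected_ports: List[str] = field(default_factory=list)


def parse_sections(log_text: str) -> Dict[str, List[str]]:
    """Group the quoted value lines under the bracketed registry key above them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line.lower()          # registry keys are case-insensitive
            sections[current] = []
        elif current is not None and line.startswith('"'):
            sections[current].append(line)
    return sections


def triage_firewall(log_text: str, expected=frozenset()) -> FirewallFindings:
    """Flag a disabled firewall and every globally open port not in `expected`.

    The default (nothing expected) reproduces the helper's decision in this
    thread: close all three ports. Pass {"3389:TCP"} to keep Remote Desktop.
    """
    findings = FirewallFindings()
    sections = parse_sections(log_text)
    for line in sections.get(FIREWALL_KEY.lower(), []):
        m = ENABLE_LINE.match(line)
        if m:
            findings.firewall_enabled = m.group(1) != "0"
    for line in sections.get(PORTS_KEY.lower(), []):
        m = PORT_LINE.match(line)
        if m:
            findings.open_ports[m.group(1)] = m.group(2).strip()
    findings.unexpected_ports = sorted(p for p in findings.open_ports if p not in expected)
    return findings


def build_cfscript(findings: FirewallFindings) -> str:
    """CFScript 'Registry::' block; '"name"=-' deletes the value, as in the post above."""
    if not findings.unexpected_ports:
        return ""
    lines = ["Registry::", PORTS_KEY]
    lines += ['"%s"=-' % port for port in findings.unexpected_ports]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage_firewall(SAMPLE_LOG)
    print("firewall enabled:", result.firewall_enabled)
    for port, label in result.open_ports.items():
        flag = "REVIEW" if port in result.unexpected_ports else "ok"
        print("%-10s %-16s %s" % (port, label, flag))
    print(build_cfscript(result))
```

Run as is it reports the firewall as disabled and lists all three ports for review; the generated block matches the CFScript shapiro posted. The `EnableFirewall= 0` finding is the one worth acting on first, since globally open ports only matter while the firewall is actually filtering.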
pittina
Posted: Tuesday, August 16, 2011 7:00:32 PM
Rank: AiutAmico

Member since: 5/15/2010
Posts: 230
here it is:

ComboFix 11-08-15.07 - Administrator 16/08/2011 18.49.00.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.385 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Creati Da 2011-07-16 al 2011-08-16 )))))))))))))))))))))))))))))))))))
.
.
2011-08-14 20:51 . 2011-08-14 20:51 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\NeoSmart_Technologies
2011-08-14 20:46 . 2011-08-15 09:31 -------- d-----w- c:\programmi\NeoSmart Technologies
2011-08-14 18:02 . 2011-08-14 18:02 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2011-08-14 18:01 . 2011-07-06 17:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-14 18:01 . 2011-08-14 18:01 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2011-08-14 18:01 . 2011-07-06 17:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-14 18:01 . 2011-08-14 18:53 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-08-14 17:15 . 2011-08-14 19:55 -------- d-----w- c:\programmi\HJ
2011-08-14 17:02 . 2011-08-14 17:02 89088 ----a-w- C:\mbr.exe
2011-08-10 06:58 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 06:58 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-10 06:52 . 2011-08-10 06:52 -------- d-----w- c:\programmi\CCleaner
2011-08-10 06:51 . 2011-08-10 06:51 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Soulseek
2011-08-09 05:00 . 2011-08-09 05:00 -------- d-----w- c:\programmi\EPSON
2011-08-08 21:01 . 2011-08-10 07:00 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Adobe
2011-08-08 16:18 . 2007-08-31 16:36 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2011-08-08 16:18 . 2003-01-26 11:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2011-08-08 14:22 . 2011-08-10 06:51 -------- d-----w- c:\programmi\SoulseekNS
2011-08-08 11:58 . 2011-08-09 18:15 -------- d-----w- c:\programmi\Innovative Solutions
2011-08-08 11:54 . 2011-08-08 11:54 -------- d-----w- C:\drivex max pro
2011-08-08 10:58 . 2011-08-08 11:00 -------- d-----w- C:\drivermax.pro.5.7
2011-08-08 08:02 . 2011-08-08 08:02 -------- d-----w- C:\spoolerlogs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-03 21:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2001-08-31 15:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2008-08-13 19:02 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-22 14:14 . 2011-07-03 16:01 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2011-06-22 14:13 . 2011-07-03 16:01 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-06-21 18:18 . 2004-08-19 13:39 669696 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2004-08-19 13:39 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2004-08-03 20:59 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 18:17 . 2004-08-19 13:26 371200 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-19 13:39 293888 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 15:34 . 2011-05-20 14:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-06 11:35 . 2004-08-19 13:31 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-15_18.02.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-16 16:54 . 2011-08-16 16:54 16384 c:\windows\temp\Perflib_Perfdata_c60.dat
+ 2011-08-16 16:53 . 2011-08-16 16:53 16384 c:\windows\temp\Perflib_Perfdata_7fc.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{90d46c30-9f25-4104-aea9-35c3f84477ff}"= "c:\programmi\mipony-plugin\tbmip1.dll" [2011-02-22 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
2011-02-22 18:08 3911776 ----a-w- c:\programmi\mipony-plugin\tbmip1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{90d46c30-9f25-4104-aea9-35c3f84477ff}"= "c:\programmi\mipony-plugin\tbmip1.dll" [2011-02-22 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{90D46C30-9F25-4104-AEA9-35C3F84477FF}"= "c:\programmi\mipony-plugin\tbmip1.dll" [2011-02-22 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-08-12 21741864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-04-07 1106297]
"AcronisTimounterMonitor"="c:\programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-04-07 1827640]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2006-04-07 126976]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2011-04-08 254696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Stardock ObjectDock.lnk - d:\documents and settings\Administrator\Impostazioni locali\Temp\7zS2.tmp\App\ObjectDock.exe [2008-10-4 3450608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 20:16 39792 ----a-w- c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 20:11 3872080 ----a-w- c:\programmi\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-10-17 22:42 404200 ----a-w- c:\programmi\Sandboxie\SbieCtrl.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Opera\\opera.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 14.23.18 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [06/02/2009 14.24.24 93336]
R2 ekrn;ESET Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [06/02/2009 14.23.36 727720]
R3 PAC207;Trust WB-1200p Mini Webcam;c:\windows\system32\drivers\pfc027.sys [24/02/2005 12.29.14 162176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13.16.28 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [14/08/2011 20.01.34 41272]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\system32\drivers\VBoxTAP.sys [09/11/2008 18.38.54 47184]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13.16.28 753504]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://it.yahoo.com/
uInternet Settings,ProxyServer = proxy.asf.it:8080
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/su/*http://it.yahoo.com
IE: Scarica con Mipony - file://c:\programmi\MiPony\Browser\IEContext.htm
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-16 18:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'explorer.exe'(3420)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Sandboxie\SbieSvc.exe
c:\programmi\File comuni\Acronis\Schedule2\schedul2.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\PAStiSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Ora fine scansione: 2011-08-16 18:56:52 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2011-08-16 16:56
ComboFix2.txt 2011-08-16 15:57
ComboFix3.txt 2011-08-15 18:05
.
Pre-Run: 35.625.807.872 byte disponibili
Post-Run: 35.650.338.816 byte disponibili
.
- - End Of File - - A0DC880A9A72D37929A9B5CBE36BCD98
shapiro
Posted: Tuesday, August 16, 2011 7:14:05 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
good, now do some cleanup

remove combofix with OTC by OldTimer

run it
Click on CleanUp.
When asked to reboot, click YES

go to C:\ and check whether the qoobox folder has been deleted, otherwise do it yourself

if you can't manage it, download Inherit

put it in the same directory as the BackEnv folder and then drag that folder onto the Inherit icon. Wait for the OK message.
Then you will be able to delete the qoobox folder.

do the same cleanup with ccleaner as before, registry included

also repeat atf cleaner

repeat the full scan with malwarebytes from safe mode after updating it, and post the new log

pittina
Posted: Tuesday, August 16, 2011 7:16:58 PM
Rank: AiutAmico

Member since: 5/15/2010
Posts: 230
how do I get into safe mode?