VIRUS?

[lupos3]

il mio nod 32 continua a segnalarmi la presenza di una varante win32/injector.KJ trojan sul percorso C:\System Volume Information\_restore\numero di chiave\A0053825.exe, che mi aspetta? e soprattutto che devo fare?
grazie

[shel]

ciao

l'infezione e' localizzata nel ripristino, devi disattivarlo riavviare il pc , riattivare il ripristino e creare un nuovo punto

posta anche un log di hijackthis gia' che ci sei....puoi scaricarlo da qui

mettilo nella directory C dove avrai preparato una cartella con il suo nome.
Lanci l'eseguibile e clicchi su " do a system scan and save a log" alla fine salvi questo file con estensione *.TXT e lo alleghi ad un post sul forum.

[lupos3]

fatto , ti posto il log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.59.55, on 26/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\FamilyKeyLogger\cisvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\QuickTime\QTTask.exe
C:\Programmi\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Programmi\Philips\Philips Lime Service\bin\Lime.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Programmi\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Macrium\Reflect\ReflectService.exe
C:\Programmi\TeamViewer\Version4\TeamViewer_Service.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmi\TeamViewer\Version4\TeamViewer.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programmi\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\system32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PhilipsDM] "C:\Programmi\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nodenable] C:\Programmi\eset\nodenable.exe /s
O4 - HKCU\..\Run: [PhilipsLime] "C:\Programmi\Philips\Philips Lime Service\bin\LimeAlive.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Programmi\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Programmi\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programmi\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Programmi\Macrium\Reflect\ReflectService.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Programmi\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8299 bytes

[shel]

scarica e installa malwarebytes

1) lo installi
2) lo aggiorni
3) fai una scansione scegliendo la modalità completa
4) NON eliminare per ora le ventuali minacce che rileva
5) finita la scansione seleziona il tabellino log, apri il file di testo e postalo sul forum

[lupos3]

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Versione database: 4036

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

26/04/2010 15.30.51
mbam-log-2010-04-26 (15-30-51).txt

Tipo di scansione: Scansione completa (C:\|E:\|)
Elementi esaminati: 295472
Tempo trascorso: 2 ore, 9 minuti, 54 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 1
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 1
Cartelle infette: 0
File infetti: 0

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

[shel]

riavvia malwarebytes ed elimina cio' che ha trovato

scarica ccleaner

1) per il download dell'ultima versione clicca a destra in alto sotto la freccia verde
2) installalo
3) clicca su "avvia pulizia", ripeti il procedimento 2 volte

scarica anche questo pulitore e' senza installazione e molto efficace - Avvialo con un doppio click

1) seleziona la casella Select All
2) clicca sul pulsante Empty selected
3) aspetta l'avviso Done Cleaning.
(se non vuoi eliminare le password togli la spunta) - (se usi opera o firefox,spunta anche le loro sezioni)


disattiva il tuo antivirus

scarica combofix sul desktop ed eseguilo

- digita 1
- segui le instruzioni
- finita la scansione portati in C:\ e copia/incolla, nella tua prossima risposta, il contenuto del file di testo Combofix.txt

[lupos3]

eccolo

ComboFix 10-04-21.01 - max 26/04/2010 16.26.54.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.768.523 [GMT 2:00]
Eseguito da: c:\documents and settings\max\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\windows\eSellerateEngine.dll
c:\windows\system32\SHELLLNK.TLB
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Creati Da 2010-03-26 al 2010-04-26 )))))))))))))))))))))))))))))))))))
.

2010-04-25 10:48 . 2010-04-25 10:48 -------- d-----w- c:\programmi\File comuni\Java
2010-04-25 10:48 . 2010-04-25 10:48 503808 ----a-w- c:\documents and settings\max\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3b08559b-n\msvcp71.dll
2010-04-25 10:48 . 2010-04-25 10:48 499712 ----a-w- c:\documents and settings\max\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3b08559b-n\jmc.dll
2010-04-25 10:48 . 2010-04-25 10:48 348160 ----a-w- c:\documents and settings\max\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3b08559b-n\msvcr71.dll
2010-04-25 10:48 . 2010-04-25 10:48 61440 ----a-w- c:\documents and settings\max\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54068842-n\decora-sse.dll
2010-04-25 10:48 . 2010-04-25 10:48 12800 ----a-w- c:\documents and settings\max\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54068842-n\decora-d3d.dll
2010-04-25 10:47 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-04 09:15 . 2010-04-04 09:15 51624 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-01 12:48 . 2010-04-01 12:48 -------- d-----w- C:\MySlideshow
2010-04-01 12:35 . 2010-04-01 12:35 -------- d-----w- C:\virtualdub
2010-03-31 16:25 . 2010-03-31 16:25 -------- d-----w- C:\museo grande torino

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 14:14 . 2009-08-31 13:57 -------- d-----w- c:\programmi\CCleaner
2010-04-26 14:10 . 2009-09-09 13:46 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-04-25 10:47 . 2010-01-26 15:55 -------- d-----w- c:\programmi\Java
2010-04-24 15:18 . 2009-09-02 13:39 -------- d-----w- c:\documents and settings\max\Dati applicazioni\mIRC
2010-04-24 15:15 . 2009-09-02 13:39 -------- d-----w- c:\programmi\mIRC
2010-04-22 18:21 . 2010-01-13 17:19 -------- d-----w- c:\documents and settings\max\Dati applicazioni\VSO
2010-04-04 16:22 . 2001-08-31 16:00 61450 ----a-w- c:\windows\system32\perfc010.dat
2010-04-04 16:22 . 2001-08-31 16:00 373670 ----a-w- c:\windows\system32\perfh010.dat
2010-04-04 08:42 . 2009-08-31 18:09 956 ----a-w- c:\documents and settings\max\Dati applicazioni\wklnhst.dat
2010-03-31 15:43 . 2009-10-08 22:00 -------- d-----w- c:\documents and settings\max\Dati applicazioni\FileZilla
2010-03-29 22:46 . 2009-09-09 13:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2009-09-09 13:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 15:54 . 2010-01-26 15:54 152576 ----a-w- c:\documents and settings\max\Dati applicazioni\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-26 15:52 . 2010-01-26 15:52 79488 ----a-w- c:\documents and settings\max\Dati applicazioni\Sun\Java\jre1.6.0_17\gtapi.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nodenable"="c:\programmi\eset\nodenable.exe" [2008-09-22 326829]
"PhilipsLime"="c:\programmi\Philips\Philips Lime Service\bin\LimeAlive.exe" [2005-09-08 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"FamilyKeyLogger"="c:\programmi\FamilyKeyLogger\cisvc.exe" [2003-02-27 70144]
"EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" [2009-11-10 417792]
"PhilipsDM"="c:\programmi\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-14 512000]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 15:10 35696 ----a-w- c:\programmi\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CnxDslTaskBar]
2003-10-29 13:11 462848 ----a-w- c:\programmi\digicomt\Michelangelo USB ADSL\CnxDslTb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 15:05 81920 ----a-w- c:\programmi\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 17:14 1695232 ----a-w- c:\programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08 417792 ----a-w- c:\programmi\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 23:00 90112 ----a-w- c:\windows\Updreg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\PPStream\\PPStream.exe"=
"c:\\Programmi\\PPLive\\PPLive.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Programmi\\mIRC\\mirc.exe"=
"c:\\Programmi\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\TVAnts\\Tvants.exe"=
"c:\\Programmi\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"=
"c:\\Documents and Settings\\max\\Desktop\\xdccMule\\mIRC.exe"=
"c:\\Programmi\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Programmi\\Icecast2 Win32\\Icecast2win.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\WebSite X5 v8 - Evolution\\WebSite.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [31/08/2009 13.54.50 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [31/08/2009 13.54.50 5248]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [20/05/2008 10.32.40 15328]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [13/03/2008 17.52.18 35168]
R2 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [07/10/2009 9.16.50 472280]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\programmi\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance --> c:\programmi\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\programmi\Macrium\Reflect\ReflectService.exe [25/08/2009 13.16.36 220128]
R2 TeamViewer4;TeamViewer 4;c:\programmi\TeamViewer\Version4\TeamViewer_Service.exe [24/08/2009 16.51.46 185640]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\programmi\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance --> c:\programmi\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
S3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;c:\windows\system32\drivers\CnxEtP.sys [10/09/2009 0.54.09 60288]
S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;c:\windows\system32\drivers\CnxEtU.sys [10/09/2009 0.54.09 646784]
S3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;c:\windows\system32\drivers\CnxTgN.sys [10/09/2009 0.54.08 108675]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programmi\MAGIX\Common\Database\bin\fbserver.exe [14/12/2009 19.40.13 1527900]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\max\Dati applicazioni\Mozilla\Firefox\Profiles\h53elgac.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myp2p.eu/competition.php?com ... e=football
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\programmi\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\programmi\Veetle\Player\npvlc.dll
FF - plugin: c:\programmi\Veetle\plugins\npVeetle.dll
FF - plugin: c:\programmi\Veetle\VLCBroadcast\npvbp.dll
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

MSConfigStartUp-SysVContoller32 - l:\family_key_logger_v3.02-digerati\crack\svcl32.exe
AddRemove-Windows Drivers - c:\programmi\Creative\SBLive2k\Program\Upddrv2k.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 16:37
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82DE9008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7572f28
\Driver\ACPI -> ACPI.sys @ 0xf74bfcb8
\Driver\atapi -> 0x82de9008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1390067357-515967899-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D9574D95-7786-E209-05A5-FAFD4541C786}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaifddplelnpbhkldf"=hex:6a,61,64,65,65,70,61,6c,61,67,63,6f,64,65,61,64,70,67,
6c,6d,00,00
"haofjfgaekcncdii"=hex:6a,61,65,65,68,70,6a,66,64,6a,6c,6e,67,6d,65,70,62,69,
64,66,00,ff
"iaegeeggeebemidlcb"=hex:63,61,68,65,63,6f,00,7c

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Setup"="EXPIRED"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(828)
c:\windows\system32\ieframe.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.ITA
c:\programmi\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\programmi\Firebird\Firebird_2_1\bin\fbguard.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\programmi\TeamViewer\Version4\TeamViewer.exe
c:\programmi\Firebird\Firebird_2_1\bin\fbserver.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
c:\programmi\Philips\Philips Lime Service\bin\Lime.exe
c:\programmi\iPod\bin\iPodService.exe
.
**************************************************************************
.
Ora fine scansione: 2010-04-26 16:42:16 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-04-26 14:42

Pre-Run: 18.805.501.952 byte disponibili
Post-Run: 18.712.477.696 byte disponibili

- - End Of File - - CB058C55FC9DB3FEF53623436CD87794

[shel]

controlla se hai l'M.B.R. a posto

scarica MBR:EXE direttamente nella Directory C:\

vai in modalita' provvisoria

Da Start - Esegui - digita C:\mbr.exe e clicca su OK

Posta il log che troverai in C:\ come mbr.log

[lupos3]

log di mbr:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[shel]

vai in C:\ ed elimina il log che hai postato

sempre da provvisoria questa volta digita da Start-->Esegui--> C:\mbrfix.exe -f

(attenzione allo spazio prima di -f) (fai copia\incolla per non sbagliare)

posta il nuovo log

[lupos3]

ho provato in modalita' provvisoria su esegui a fare C:\mbrfix.exe -f
ma non mi trova il percorso

[shel]

scusa ho sbagliato io

digita mbr.exe -f da start\esegui e posta il nuovo log

[shel]

sbagliato , oggi non e' giornata

questo e' quello giusto

C:\mbr.exe -f

[lupos3]

non preoccuparti , capita ai migliori

[lupos3]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK