AIUTO!!! STO VIRUS NON SE NE VUOLE ANDARE!!!

[Luke57]

Ciao, alla faccia dell'infezione adesso apri un file di testo, al suo interno copiaci il seguente testo.

Codice: Seleziona tutto

Driver::
cvjser5usjfyigsfhjhswybn4wgss80
dfgdjhse5rjfmkfsderhkldtd576ogd80;
ns6r4w84w35i4hq3h4jhq4wj64wqnasd80;
cvjser5usjfyigsfhjhswybn4wgss81
dfgdjhse5rjfmkfsderhkldtd576ogd81
ns6r4w84w35i4hq3h4jhq4wj64wqnasd81

File::
c:\windows\dfgdjhse5rjfmkfsderhkldtd576ogd81.exe
c:\windows\soc_1248896819.exe
c:\windows\[u]0[/u]10112010146118114.dat
c:\windows\ld10.exe
c:\windows\ns6r4w84w35i4hq3h4jhq4wj64wqnasd81.exe
c:\documents and settings\Administrator\system.exe
c:\windows\system32\xfpyalez.dll
c:\windows\system32\pbvcselg.dll
C:\lbpywwp.exe
c:\windows\system32\tsqsldkw.dat
c:\windows\system32\nmquddsw.dat
c:\windows\system32\ouxzaqin.dat
c:\windows\system32\jznytkcp.dat
C:\yjpyso.exe
C:\gbcjdrqu.exe
c:\windows\dfgdjhse5rjfmkfsderhkldtd576ogd81.exe
c:\windows\cvjser5usjfyigsfhjhswybn4wgss81.exe
c:\windows\system32\a247286bcfaf320fd2296054b4f5693b.sys
c:\windows\system32\_a247286bcfaf320fd2296054b4f5693b.sys_.vir
c:\windows\system32\48d27777c461b296554c5a7ec0d2d834.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000eb29f-90dd-41df-bca5-614124613bc6}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"kell"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4af18a94-59d9-11de-abcb-00196638e0ce}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e57e710e-5b13-11de-abd5-00196638e0ce}]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\a247286bcfaf320fd2296054b4f5693b]
"ImagePath"=-

salvalo sul desktop con il nome obbligatorio di CFScript.txt

trascina con il puntatore del mouse sull'icona di combofix ; il programma avvierà una nuova scansione. Al termine di essa, riavvia e posta il nuovo report.

[mat90]

ecco il log:

Codice: Seleziona tutto

ComboFix 09-06-20.04 - Administrator 21/06/2009 22.49.12.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.1023.846 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
"c:\documents and settings\Administrator\system.exe"
"C:\gbcjdrqu.exe"
"C:\lbpywwp.exe"
"c:\windows\[u]0[/u]10112010146118114.dat"
"c:\windows\cvjser5usjfyigsfhjhswybn4wgss81.exe"
"c:\windows\dfgdjhse5rjfmkfsderhkldtd576ogd81.exe"
"c:\windows\ld10.exe"
"c:\windows\ns6r4w84w35i4hq3h4jhq4wj64wqnasd81.exe"
"c:\windows\soc_1248896819.exe"
"c:\windows\system32\_a247286bcfaf320fd2296054b4f5693b.sys_.vir"
"c:\windows\system32\48d27777c461b296554c5a7ec0d2d834.exe"
"c:\windows\system32\a247286bcfaf320fd2296054b4f5693b.sys"
"c:\windows\system32\jznytkcp.dat"
"c:\windows\system32\nmquddsw.dat"
"c:\windows\system32\ouxzaqin.dat"
"c:\windows\system32\pbvcselg.dll"
"c:\windows\system32\tsqsldkw.dat"
"c:\windows\system32\xfpyalez.dll"
"C:\yjpyso.exe"
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Matteo\Impostazioni locali\temp\559.exe
c:\documents and settings\Matteo\Impostazioni locali\temp\SKYNETobvnesmusi.tmp
c:\documents and settings\Matteo\Impostazioni locali\temp\systemp.exe
c:\recycler\S-1-5-21-0401711360-1006769114-670012001-1680
c:\recycler\S-1-5-21-9030369247-9660177804-646831928-5382
c:\recycler\S-1-5-21-9499893965-5217713961-344135481-4273
c:\documents and settings\Administrator\system.exe
C:\gbcjdrqu.exe
C:\lbpywwp.exe
c:\recycler\S-1-5-21-0401711360-1006769114-670012001-1680\Desktop.ini
c:\recycler\S-1-5-21-9030369247-9660177804-646831928-5382\Desktop.ini
c:\recycler\S-1-5-21-9499893965-5217713961-344135481-4273\Desktop.ini
c:\recycler\S-1-5-21-9499893965-5217713961-344135481-4273\nissan.exe
c:\windows\cvjser5usjfyigsfhjhswybn4wgss81.exe
c:\windows\dfgdjhse5rjfmkfsderhkldtd576ogd81.exe
c:\windows\ld10.exe
c:\windows\ns6r4w84w35i4hq3h4jhq4wj64wqnasd81.exe
c:\windows\soc_1248896819.exe
c:\windows\system32\drivers\SKYNETgplxtlwx.sys
c:\windows\system32\jznytkcp.dat
c:\windows\system32\kdpini.dll
c:\windows\system32\nmquddsw.dat
c:\windows\system32\ouxzaqin.dat
c:\windows\system32\pbvcselg.dll
c:\windows\system32\SKYNETlvrhooev.dat
c:\windows\system32\SKYNETprnfvmep.dll
c:\windows\system32\SKYNETyuypdqxe.dll
c:\windows\system32\tsqsldkw.dat
c:\windows\system32\xfpyalez.dll
C:\yjpyso.exe

c:\windows\system32\drivers\null.sys . . . is missing!!

.
(((((((((((((((((((((((((((((((((((((((   Driver/Servizi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_cvjser5usjfyigsfhjhswybn4wgss80
-------\Legacy_dhcpsrv
-------\Legacy_driver
-------\Legacy_driverdrv
-------\Legacy_isadisk
-------\Legacy_msncache
-------\Legacy_sopidkc
-------\Service_cvjser5usjfyigsfhjhswybn4wgss80
-------\Legacy_dfgdjhse5rjfmkfsderhkldtd576ogd80
-------\Legacy_ns6r4w84w35i4hq3h4jhq4wj64wqnasd80
-------\Service_dfgdjhse5rjfmkfsderhkldtd576ogd80
-------\Service_ns6r4w84w35i4hq3h4jhq4wj64wqnasd80


(((((((((((((((((((((((((   Files Creati Da 2009-05-21 al 2009-06-21  )))))))))))))))))))))))))))))))))))
.

2009-07-29 19:56 . 2009-07-29 19:56   --------   d-----w-   c:\windows\Motive
2009-07-29 19:55 . 2009-07-29 19:55   --------   d-----w-   c:\programmi\File comuni\Motive
2009-07-29 19:55 . 2009-07-29 19:55   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Motive
2009-07-29 19:54 . 2009-07-29 19:54   --------   d-----w-   c:\programmi\Common Files
2009-07-29 19:53 . 2009-06-21 20:49   39936   ----a-w-   c:\windows\system32\a247286bcfaf320fd2296054b4f5693b.sys
2009-07-29 19:53 . 2009-07-29 19:54   --------   d-----w-   c:\programmi\Motive
2009-07-29 19:53 . 2009-07-29 19:56   --------   d-----w-   c:\programmi\Alice ti aiuta
2009-07-29 19:50 . 2009-07-29 19:50   --------   d-----w-   c:\programmi\Telecom Italia
2009-07-29 19:46 . 2009-07-29 19:46   2   ----a-w-   c:\windows\[u]0[/u]10112010146118114.dat
2009-07-29 19:46 . 2009-06-15 19:25   641304   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgupd.exe
2009-07-29 19:46 . 2009-06-15 19:25   1082624   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgupd.dll
2009-07-29 19:46 . 2009-06-15 19:25   583960   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avginet.dll
2009-07-29 19:46 . 2009-06-15 19:25   443672   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgiproxy.exe
2009-07-29 15:51 . 2009-07-29 15:51   --------   d-----w-   c:\programmi\Activision
2009-07-29 15:49 . 2009-07-29 15:49   --------   d-sh--w-   c:\windows\ftpcache
2009-06-21 11:42 . 2009-06-21 11:42   --------   d-----w-   c:\windows\system32\xircom
2009-06-21 11:42 . 2009-06-21 11:42   --------   d-----w-   c:\windows\system32\wbem\snmp
2009-06-21 11:42 . 2009-06-21 11:42   --------   d-----w-   c:\programmi\microsoft frontpage
2009-06-21 11:34 . 2009-06-21 20:51   39936   ----a-w-   c:\windows\system32\_a247286bcfaf320fd2296054b4f5693b.sys_.vir
2009-06-21 10:01 . 2009-06-21 10:04   --------   d--h--w-   C:\$AVG8.VAULT$
2009-06-20 19:45 . 2009-06-20 19:43   233   ----a-w-   C:\fix.reg
2009-06-20 16:58 . 2009-06-20 16:58   --------   d-----w-   c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Ahead
2009-06-20 14:52 . 2009-06-21 09:31   --------   d-----w-   C:\VEXPLITE
2009-06-19 13:45 . 2009-06-15 19:25   97928   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgldx86.sys
2009-06-19 13:45 . 2009-06-15 19:25   76040   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgtdix.sys
2009-06-19 13:45 . 2009-06-15 19:25   10520   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgrsstx.dll
2009-06-19 13:45 . 2009-06-15 19:25   287000   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgrsx.exe
2009-06-19 13:45 . 2009-06-15 19:25   26824   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgmfx86.sys
2009-06-18 23:08 . 2009-06-18 23:08   --------   d-----r-   c:\documents and settings\LocalService\Preferiti
2009-06-16 16:59 . 2009-06-16 17:00   --------   d-----w-   c:\documents and settings\Matteo\Impostazioni locali\Dati applicazioni\Adobe
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\documents and settings\Matteo\Dati applicazioni\Apple Computer
2009-06-16 16:21 . 2009-03-19 14:32   23400   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-16 16:21 . 2008-04-17 10:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\programmi\iPod
2009-06-15 20:33 . 2009-06-15 20:33   17848   ----a-w-   c:\documents and settings\Matteo\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-06-15 20:31 . 2009-06-15 20:32   --------   d-----w-   c:\documents and settings\Matteo\Dati applicazioni\Xfire
2009-06-15 20:30 . 2009-06-15 20:31   --------   d-----w-   c:\programmi\Xfire
2009-06-15 20:30 . 2009-06-15 20:30   --------   d-----w-   c:\windows\system32\LogFiles
2009-06-15 20:30 . 2009-06-15 20:30   --------   d-----w-   c:\windows\system32\drivers\umdf
2009-06-15 20:30 . 2006-05-09 18:00   22752   ----a-w-   c:\windows\system32\spupdsvc.exe
2009-06-15 20:28 . 2009-06-15 20:28   --------   d-----w-   c:\programmi\WinAVI MP4 Converter
2009-06-15 20:27 . 2009-06-15 20:27   0   ----a-w-   c:\windows\nsreg.dat
2009-06-15 20:27 . 2009-06-15 20:27   --------   d-----w-   c:\documents and settings\Matteo\Impostazioni locali\Dati applicazioni\Mozilla
2009-06-15 20:26 . 2009-06-15 20:26   --------   d-----w-   c:\programmi\FreePOPs
2009-06-15 20:25 . 2009-06-15 20:25   --------   d-----w-   c:\programmi\CCleaner
2009-06-15 20:25 . 2009-06-15 20:25   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\SlySoft
2009-06-15 20:24 . 2009-06-15 20:24   --------   d-----w-   c:\programmi\SlySoft
2009-06-15 20:23 . 2009-06-15 20:23   --------   d-----w-   c:\programmi\File comuni\Adobe
2009-06-15 20:21 . 2009-06-15 20:21   --------   d-----w-   c:\programmi\Elaborate Bytes
2009-06-15 20:21 . 2009-06-15 20:21   --------   d-----w-   c:\programmi\Real Alternative
2009-06-15 20:20 . 2009-06-15 20:20   --------   d-----w-   c:\documents and settings\Matteo\Impostazioni locali\Dati applicazioni\Ahead
2009-06-15 20:20 . 2003-06-18 23:31   17920   ----a-w-   c:\windows\system32\mdimon.dll
2009-06-15 20:19 . 2009-06-15 20:19   --------   d-----w-   c:\programmi\Microsoft.NET
2009-06-15 20:19 . 2009-06-15 20:19   --------   d-----w-   c:\windows\SHELLNEW
2009-06-15 20:08 . 2008-04-30 15:27   442368   ----a-w-   c:\windows\system32\NVUNINST.EXE
2009-06-15 20:07 . 2009-06-15 20:07   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\nView_Profiles
2009-06-15 20:04 . 2009-06-15 20:04   --------   d-----w-   c:\documents and settings\Matteo\Dati applicazioni\Ahead
2009-06-15 20:03 . 2009-06-15 20:03   --------   d-----w-   c:\programmi\Nero
2009-06-15 20:03 . 2009-06-15 20:03   --------   d-----w-   c:\programmi\File comuni\Ahead
2009-06-15 19:41 . 2009-06-15 19:41   619   ----a-w-   c:\windows\unins000.dat
2009-06-15 19:33 . 2009-06-15 20:09   --------   d-----w-   c:\windows\nvidia icons
2009-06-15 19:32 . 2009-06-15 20:14   --------   d-----w-   c:\windows\nview
2009-06-15 19:31 . 2009-06-15 19:31   --------   d-----w-   C:\NVIDIA
2009-06-15 19:25 . 2009-06-19 13:44   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
2009-06-15 19:25 . 2009-06-19 13:44   108552   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2009-06-15 19:25 . 2009-06-19 13:44   325896   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2009-06-15 19:25 . 2009-06-19 13:44   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2009-06-15 19:25 . 2009-06-21 11:52   --------   d-----w-   c:\windows\system32\drivers\Avg
2009-06-15 19:25 . 2009-06-15 19:25   --------   d-----w-   c:\programmi\AVG
2009-06-15 19:25 . 2009-06-21 11:43   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\avg8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 19:53 . 2009-07-29 19:53   2232   ----a-w-   c:\windows\java\Packages\Data\1VZHRHFH.DAT
2009-07-29 19:53 . 2009-07-29 19:53   155995   ----a-w-   c:\windows\java\Packages\YZRDNDBV.ZIP
2009-07-29 19:53 . 2009-07-29 19:53   2678   ----a-w-   c:\windows\java\Packages\Data\AHVZB75Z.DAT
2009-07-29 19:52 . 2009-07-29 19:52   2678   ----a-w-   c:\windows\java\Packages\Data\37333ZPN.DAT
2009-07-29 19:52 . 2009-07-29 19:52   2678   ----a-w-   c:\windows\java\Packages\Data\3VZLRBXV.DAT
2009-07-29 19:52 . 2009-07-29 19:52   2678   ----a-w-   c:\windows\java\Packages\Data\2HJ7NTJT.DAT
2009-07-29 19:52 . 2009-07-29 19:52   2678   ----a-w-   c:\windows\java\Packages\Data\RJ7TFH7F.DAT
2009-07-29 19:51 . 2009-06-15 17:55   --------   d--h--w-   c:\programmi\InstallShield Installation Information
2009-06-21 11:29 . 2001-08-31 15:00   348160   ----a-w-   c:\windows\system32\msvcr71.dll
2009-06-21 11:29 . 2001-08-31 15:00   196608   ----a-w-   c:\windows\system32\libssl32.dll
2009-06-21 11:29 . 2001-08-31 15:00   1015808   ----a-w-   c:\windows\system32\libeay32.dll
2009-06-21 11:29 . 2001-08-31 15:00   --------   d-----w-   c:\programmi\File comuni\Mozilla Shared
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\programmi\iTunes
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\programmi\Bonjour
2009-06-16 16:21 . 2009-06-16 16:20   --------   d-----w-   c:\programmi\QuickTime
2009-06-16 16:20 . 2009-06-16 16:20   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Apple Computer
2009-06-16 16:20 . 2009-06-16 16:20   --------   d-----w-   c:\programmi\Apple Software Update
2009-06-16 16:19 . 2009-06-16 16:19   --------   d-----w-   c:\programmi\File comuni\Apple
2009-06-16 16:19 . 2009-06-16 16:19   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Apple
2009-06-15 18:17 . 2009-06-15 18:17   --------   d-----w-   c:\programmi\File comuni\Ulead Systems
2009-06-15 18:15 . 2009-06-15 18:15   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Ulead Systems
2009-06-15 18:15 . 2009-06-15 18:15   --------   d-----w-   c:\programmi\WinFast
2009-06-15 18:05 . 2009-06-15 17:55   --------   d-----w-   c:\programmi\File comuni\InstallShield
2009-06-15 18:04 . 2009-06-15 18:04   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\UDL
2009-06-15 18:03 . 2009-06-15 18:01   --------   d-----w-   c:\programmi\EPSON
2009-06-15 17:57 . 2009-06-15 17:57   --------   d-----w-   c:\programmi\C-Media 3D Audio
2009-06-15 17:52 . 2009-06-15 17:52   --------   d-----w-   c:\programmi\Intel
2009-06-15 17:08 . 2009-06-15 16:32   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-15 16:40 . 2001-08-31 15:00   47592   ----a-w-   c:\windows\system32\perfc010.dat
2009-06-15 16:40 . 2001-08-31 15:00   345010   ----a-w-   c:\windows\system32\perfh010.dat
2009-06-15 16:31 . 2009-06-15 16:31   --------   d-----w-   c:\programmi\Servizi in linea
2009-06-15 16:29 . 2009-06-15 16:29   21840   ----a-w-   c:\windows\system32\emptyregdb.dat
2009-06-05 11:57 . 2009-06-05 11:57   75048   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 09:42 . 2009-06-16 16:20   39424   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2009-06-05 09:42 . 2009-06-16 16:20   2060288   ----a-w-   c:\windows\system32\usbaaplrc.dll
2009-07-29 19:54 . 2009-07-29 19:54   66576   ----a-w-   c:\programmi\mozilla firefox\components\edfbafcd.dll
.

------- Sigcheck -------

[-] 2008-05-12 18:59   361344   ACCF5A9A1FFAA490F33DBA1C632B95E1   c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((   SnapShot@2009-06-21_11.44.50   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-15 16:34 . 2009-06-21 12:07   32768              c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-15 16:34 . 2009-06-21 11:27   32768              c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-15 16:34 . 2009-06-21 12:07   32768              c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2009-06-15 16:34 . 2009-06-21 11:27   32768              c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2009-06-15 16:34 . 2009-06-21 12:07   16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-15 16:34 . 2009-06-21 11:27   16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-13 101888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R240 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE" [2005-04-25 98304]
"WinFast Schedule"="c:\programmi\WinFast\WFTVFM\WFWIZ.exe" [2005-09-30 319488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-19 1947928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"VirtualCloneDrive"="c:\programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Motive SmartBridge"="c:\progra~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"VIRIT LITE MONITOR"="c:\vexplite\MONLITE.EXE" [2009-06-20 262144]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-13 101888]

c:\documents and settings\Matteo\Menu Avvio\Programmi\Esecuzione automatica\
FreePOPs.lnk - c:\programmi\FreePOPs\freepopsd.exe [2008-6-11 49152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbafcd]
2005-06-19 07:29   312847   ----a-w-   c:\windows\system32\edfbafcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-19 13:44   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"f:\\Programmi\\eMule Extreme\\emule.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"8085:TCP"= 8085:TCP:driver

S0 a247286bcfaf320fd2296054b4f5693b;a247286bcfaf320fd2296054b4f5693b; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [15/06/2009 21.25.29 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [15/06/2009 21.25.34 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [15/06/2009 21.25.08 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [15/06/2009 21.25.07 298776]
S3 WFIOCTL;WFIOCTL;c:\programmi\WinFast\WFTVFM\WFIOCTL.sys [15/06/2009 20.15.30 9446]
.
Contenuto della cartella 'Scheduled Tasks'

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

BHO-{000eb29f-90dd-41df-bca5-614124613bc6} - (no file)
BHO-{0010131b-384c-469f-9243-80430e69c14a} - (no file)


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.malwarelist.org/
TCP: {9ea652ab-c2dc-4f79-9ae2-dca36fe50b54} = 85.37.17.12 85.38.28.79
DPF: microsoft xml parser for java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 22:56
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(300)
c:\windows\system32\edfbafcd.dll
.
Ora fine scansione: 2009-06-21 22.59.02 - Il pc è stato riavviato
ComboFix-quarantined-files.txt  2009-06-21 20:58
ComboFix2.txt  2009-06-21 11:48

Pre-Run: 11.192.279.040 byte disponibili
Post-Run: 11.182.473.216 byte disponibili

294


potete spiegarmi come mai tutti questi virus appena formattato il pc? al primo collegamento a internet?

sto usando combofix in modalità provvisoria, va bene lo stesso?
grazie x il grande aiuto...

[shel]

la simpatia che i virus hanno per il tuo pc potrebbe dipendere anche dal fatto che il tuo S.O. non abbia installata la versione aggiornata del service pack 3 ....l'hai installata?


apri il registro start\esegui\regedit

segui questo percorso

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

quando sei su Winlogon tasto destro e scegli esporta

salva il file sul desktop come win.reg - tutti i file e caricalo qui ====> www.wikisend.com

[Luke57]

Ciao, adesso ritorna a un post già inserito da Shel, scarica malwarebytes e segui le istruzioni del post medesimo.

[mat90]

si si ho il service pack 3,
ho paura che sia colpa dei miei documenti che però sono sull'altro hard disk (F) che non è mai stato il percorso dei virus che mi sono apparsi o dei vari errori che riguardano tutti le cartelle C:\WINDOWS, C:\WINDOWS\system32, C:\, ecc...

Questo mi fa sperare che non siano infetti, però è strano perchè il pc era formattato, come nuovo...
Ho pensato pure di riformattare tutto, e collegare internet prima di rispostare i miei file sul pc (che sono salvati anche sull'hard disk esterno di un mio amico), che ne dite

Comunque ora faccio come mi avete detto, non ho però capito che cosa intende Luke57,

grazie a tutti!!!!!

[Luke57]

Intendevo questo, già suggerito da Shel:
Scarica e installa
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
Aggiornalo e fai una scansione completa del computer. Posta il rapporto ottenuto. Per ora non rimuovere nessuna eventuale minaccia rilevata

[shel]

Comunque ora faccio come mi avete detto, non ho però capito che cosa intende Luke57,

Luke 57 ti ha chiesto di eseguire la scansione con malwarebytes

esportami anche quel winlogon, e' un'operazione che richiede due minuti scarsi

[mat90]

il winlogon lo trovate qui: http://wikisend.com/download/578708/win.reg

invece mbam non me lo installa, come l'altra volta, il virus chiude la finestra di installazione.
che ne dite della prova che vi ho descritto prima?
di formattare di nuovo senza mettere i miei documenti finchè non collego internet, questo perchè non mi è chiaro come mai questo benedetto virus sia entrano appena formattato il pc...

grazie...

[shel]

sei sicuro di non averlo gia' installato nel pc? guarda bene nel pannello di controllo

[mat90]

sicuro, guarda tra le prime risposte, già mi avevi detto di usare questo programma e ti ho detto che non me lo faceva installare... non so cosa fare.

Per favore, mi dici cosa ne pensi di quella prova che avevo in mente io descritta nelle risposte precedenti???

grazie

[shel]

prova ad usare questo programma, non ha bisogno di installazione

ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Doppio click su cureit.exe e clicca sull'opzione "Avvia" ti chiederà se vuoi effettuare un controllo rapido rispondi SI(Ok)
Finita la scansione, metti il puntino nella casella "completa scansione" clicca sul tasto "Play" per far partire la scansione, se trova qualcosa di infetto hai la possibilità di rimuoverlo subito oppure a fine scansione, finita la scansione fai rimuovere gli elementi infetti, salva il report di fine scansione clicca su File>Salva lista report, poi posta il report che hai salvato

[mat90]

qui trovate il report: http://wikisend.com/download/573534/DrWeb.csv

Grazie

[Luke57]

Ciao, nel file CFScript.txt, salvando le modifiche, sovrascrivi questo script:

Codice: Seleziona tutto

Driver::
a247286bcfaf320fd2296054b4f5693b;a247286bcfaf320fd2296054b4f5693b

File::
c:\windows\system32\a247286bcfaf320fd2296054b4f5693b.sys
c:\windows\system32\_a247286bcfaf320fd2296054b4f5693b.sys_.vir
c:\programmi\mozilla firefox\components\edfbafcd.dll
c:\windows\system32\edfbafcd.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbafcd]

solito trascinamento e scansione sull'icona di combofix.Fatto ciò guarda se riesci a installare nalwarebytes e a fare la scansione.

[mat90]

sono riuscito ad installare mbam GRAZIE , allora:

ecco il report di ComboFix:

Codice: Seleziona tutto

ComboFix 09-06-20.04 - Administrator 22/06/2009 20.00.15.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.1023.832 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
"c:\programmi\mozilla firefox\components\edfbafcd.dll"
"c:\windows\system32\_a247286bcfaf320fd2296054b4f5693b.sys_.vir"
"c:\windows\system32\a247286bcfaf320fd2296054b4f5693b.sys"
"c:\windows\system32\edfbafcd.dll"
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\edfbafcd.dll
c:\programmi\mozilla firefox\components\edfbafcd.dll
c:\windows\system32\_a247286bcfaf320fd2296054b4f5693b.sys_.vir
c:\windows\system32\a247286bcfaf320fd2296054b4f5693b.sys

c:\windows\system32\drivers\null.sys . . . is missing!!

.
(((((((((((((((((((((((((   Files Creati Da 2009-05-22 al 2009-06-22  )))))))))))))))))))))))))))))))))))
.

2009-07-29 19:56 . 2009-07-29 19:56   --------   d-----w-   c:\windows\Motive
2009-07-29 19:55 . 2009-07-29 19:55   --------   d-----w-   c:\programmi\File comuni\Motive
2009-07-29 19:55 . 2009-07-29 19:55   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Motive
2009-07-29 19:54 . 2009-07-29 19:54   --------   d-----w-   c:\programmi\Common Files
2009-07-29 19:53 . 2009-07-29 19:54   --------   d-----w-   c:\programmi\Motive
2009-07-29 19:53 . 2009-07-29 19:56   --------   d-----w-   c:\programmi\Alice ti aiuta
2009-07-29 19:50 . 2009-07-29 19:50   --------   d-----w-   c:\programmi\Telecom Italia
2009-07-29 19:46 . 2009-07-29 19:46   2   ----a-w-   c:\windows\[u]0[/u]10112010146118114.dat
2009-07-29 19:46 . 2009-06-15 19:25   641304   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgupd.exe
2009-07-29 19:46 . 2009-06-15 19:25   1082624   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgupd.dll
2009-07-29 19:46 . 2009-06-15 19:25   583960   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avginet.dll
2009-07-29 19:46 . 2009-06-15 19:25   443672   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgiproxy.exe
2009-07-29 15:51 . 2009-07-29 15:51   --------   d-----w-   c:\programmi\Activision
2009-07-29 15:49 . 2009-07-29 15:49   --------   d-sh--w-   c:\windows\ftpcache
2009-06-22 13:28 . 2009-06-22 13:28   --------   d-----w-   c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Mozilla
2009-06-22 13:25 . 2009-06-22 13:31   --------   d-----w-   c:\documents and settings\Administrator\DoctorWeb
2009-06-21 11:42 . 2009-06-21 11:42   --------   d-----w-   c:\windows\system32\xircom
2009-06-21 11:42 . 2009-06-21 11:42   --------   d-----w-   c:\windows\system32\wbem\snmp
2009-06-21 11:42 . 2009-06-21 11:42   --------   d-----w-   c:\programmi\microsoft frontpage
2009-06-21 10:01 . 2009-06-21 10:04   --------   d--h--w-   C:\$AVG8.VAULT$
2009-06-20 19:45 . 2009-06-20 19:43   233   ----a-w-   C:\fix.reg
2009-06-20 16:58 . 2009-06-20 16:58   --------   d-----w-   c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Ahead
2009-06-20 14:52 . 2009-06-21 09:31   --------   d-----w-   C:\VEXPLITE
2009-06-19 13:45 . 2009-06-15 19:25   97928   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgldx86.sys
2009-06-19 13:45 . 2009-06-15 19:25   76040   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgtdix.sys
2009-06-19 13:45 . 2009-06-15 19:25   10520   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgrsstx.dll
2009-06-19 13:45 . 2009-06-15 19:25   287000   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgrsx.exe
2009-06-19 13:45 . 2009-06-15 19:25   26824   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgmfx86.sys
2009-06-18 23:08 . 2009-06-18 23:08   --------   d-----r-   c:\documents and settings\LocalService\Preferiti
2009-06-16 16:59 . 2009-06-16 17:00   --------   d-----w-   c:\documents and settings\Matteo\Impostazioni locali\Dati applicazioni\Adobe
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\documents and settings\Matteo\Dati applicazioni\Apple Computer
2009-06-16 16:21 . 2009-03-19 14:32   23400   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-16 16:21 . 2008-04-17 10:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\programmi\iPod
2009-06-15 20:33 . 2009-06-15 20:33   17848   ----a-w-   c:\documents and settings\Matteo\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-06-15 20:31 . 2009-06-15 20:32   --------   d-----w-   c:\documents and settings\Matteo\Dati applicazioni\Xfire
2009-06-15 20:30 . 2009-06-15 20:31   --------   d-----w-   c:\programmi\Xfire
2009-06-15 20:30 . 2009-06-15 20:30   --------   d-----w-   c:\windows\system32\LogFiles
2009-06-15 20:30 . 2009-06-15 20:30   --------   d-----w-   c:\windows\system32\drivers\umdf
2009-06-15 20:30 . 2006-05-09 18:00   22752   ----a-w-   c:\windows\system32\spupdsvc.exe
2009-06-15 20:28 . 2009-06-15 20:28   --------   d-----w-   c:\programmi\WinAVI MP4 Converter
2009-06-15 20:27 . 2009-06-15 20:27   0   ----a-w-   c:\windows\nsreg.dat
2009-06-15 20:27 . 2009-06-15 20:27   --------   d-----w-   c:\documents and settings\Matteo\Impostazioni locali\Dati applicazioni\Mozilla
2009-06-15 20:26 . 2009-06-15 20:26   --------   d-----w-   c:\programmi\FreePOPs
2009-06-15 20:25 . 2009-06-15 20:25   --------   d-----w-   c:\programmi\CCleaner
2009-06-15 20:25 . 2009-06-15 20:25   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\SlySoft
2009-06-15 20:24 . 2009-06-15 20:24   --------   d-----w-   c:\programmi\SlySoft
2009-06-15 20:23 . 2009-06-15 20:23   --------   d-----w-   c:\programmi\File comuni\Adobe
2009-06-15 20:21 . 2009-06-15 20:21   --------   d-----w-   c:\programmi\Elaborate Bytes
2009-06-15 20:21 . 2009-06-15 20:21   --------   d-----w-   c:\programmi\Real Alternative
2009-06-15 20:20 . 2009-06-15 20:20   --------   d-----w-   c:\documents and settings\Matteo\Impostazioni locali\Dati applicazioni\Ahead
2009-06-15 20:20 . 2003-06-18 23:31   17920   ----a-w-   c:\windows\system32\mdimon.dll
2009-06-15 20:19 . 2009-06-15 20:19   --------   d-----w-   c:\programmi\Microsoft.NET
2009-06-15 20:19 . 2009-06-15 20:19   --------   d-----w-   c:\windows\SHELLNEW
2009-06-15 20:08 . 2008-04-30 15:27   442368   ----a-w-   c:\windows\system32\NVUNINST.EXE
2009-06-15 20:07 . 2009-06-15 20:07   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\nView_Profiles
2009-06-15 20:04 . 2009-06-15 20:04   --------   d-----w-   c:\documents and settings\Matteo\Dati applicazioni\Ahead
2009-06-15 20:03 . 2009-06-15 20:03   --------   d-----w-   c:\programmi\Nero
2009-06-15 20:03 . 2009-06-15 20:03   --------   d-----w-   c:\programmi\File comuni\Ahead
2009-06-15 19:41 . 2009-06-15 19:41   619   ----a-w-   c:\windows\unins000.dat
2009-06-15 19:33 . 2009-06-15 20:09   --------   d-----w-   c:\windows\nvidia icons
2009-06-15 19:32 . 2009-06-15 20:14   --------   d-----w-   c:\windows\nview
2009-06-15 19:31 . 2009-06-15 19:31   --------   d-----w-   C:\NVIDIA
2009-06-15 19:25 . 2009-06-19 13:44   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
2009-06-15 19:25 . 2009-06-19 13:44   108552   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2009-06-15 19:25 . 2009-06-19 13:44   325896   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2009-06-15 19:25 . 2009-06-19 13:44   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2009-06-15 19:25 . 2009-06-21 11:52   --------   d-----w-   c:\windows\system32\drivers\Avg
2009-06-15 19:25 . 2009-06-15 19:25   --------   d-----w-   c:\programmi\AVG
2009-06-15 19:25 . 2009-06-21 11:43   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\avg8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 19:53 . 2009-07-29 19:53   2232   ----a-w-   c:\windows\java\Packages\Data\1VZHRHFH.DAT
2009-07-29 19:53 . 2009-07-29 19:53   155995   ----a-w-   c:\windows\java\Packages\YZRDNDBV.ZIP
2009-07-29 19:53 . 2009-07-29 19:53   2678   ----a-w-   c:\windows\java\Packages\Data\AHVZB75Z.DAT
2009-07-29 19:52 . 2009-07-29 19:52   2678   ----a-w-   c:\windows\java\Packages\Data\37333ZPN.DAT
2009-07-29 19:52 . 2009-07-29 19:52   2678   ----a-w-   c:\windows\java\Packages\Data\3VZLRBXV.DAT
2009-07-29 19:52 . 2009-07-29 19:52   2678   ----a-w-   c:\windows\java\Packages\Data\2HJ7NTJT.DAT
2009-07-29 19:52 . 2009-07-29 19:52   2678   ----a-w-   c:\windows\java\Packages\Data\RJ7TFH7F.DAT
2009-07-29 19:51 . 2009-06-15 17:55   --------   d--h--w-   c:\programmi\InstallShield Installation Information
2009-06-21 11:29 . 2001-08-31 15:00   348160   ----a-w-   c:\windows\system32\msvcr71.dll
2009-06-21 11:29 . 2001-08-31 15:00   196608   ----a-w-   c:\windows\system32\libssl32.dll
2009-06-21 11:29 . 2001-08-31 15:00   1015808   ----a-w-   c:\windows\system32\libeay32.dll
2009-06-21 11:29 . 2001-08-31 15:00   --------   d-----w-   c:\programmi\File comuni\Mozilla Shared
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\programmi\iTunes
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-16 16:21 . 2009-06-16 16:21   --------   d-----w-   c:\programmi\Bonjour
2009-06-16 16:21 . 2009-06-16 16:20   --------   d-----w-   c:\programmi\QuickTime
2009-06-16 16:20 . 2009-06-16 16:20   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Apple Computer
2009-06-16 16:20 . 2009-06-16 16:20   --------   d-----w-   c:\programmi\Apple Software Update
2009-06-16 16:19 . 2009-06-16 16:19   --------   d-----w-   c:\programmi\File comuni\Apple
2009-06-16 16:19 . 2009-06-16 16:19   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Apple
2009-06-15 18:17 . 2009-06-15 18:17   --------   d-----w-   c:\programmi\File comuni\Ulead Systems
2009-06-15 18:15 . 2009-06-15 18:15   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Ulead Systems
2009-06-15 18:15 . 2009-06-15 18:15   --------   d-----w-   c:\programmi\WinFast
2009-06-15 18:05 . 2009-06-15 17:55   --------   d-----w-   c:\programmi\File comuni\InstallShield
2009-06-15 18:04 . 2009-06-15 18:04   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\UDL
2009-06-15 18:03 . 2009-06-15 18:01   --------   d-----w-   c:\programmi\EPSON
2009-06-15 17:57 . 2009-06-15 17:57   --------   d-----w-   c:\programmi\C-Media 3D Audio
2009-06-15 17:52 . 2009-06-15 17:52   --------   d-----w-   c:\programmi\Intel
2009-06-15 17:08 . 2009-06-15 16:32   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-15 16:40 . 2001-08-31 15:00   47592   ----a-w-   c:\windows\system32\perfc010.dat
2009-06-15 16:40 . 2001-08-31 15:00   345010   ----a-w-   c:\windows\system32\perfh010.dat
2009-06-15 16:31 . 2009-06-15 16:31   --------   d-----w-   c:\programmi\Servizi in linea
2009-06-15 16:29 . 2009-06-15 16:29   21840   ----a-w-   c:\windows\system32\emptyregdb.dat
2009-06-05 11:57 . 2009-06-05 11:57   75048   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 09:42 . 2009-06-16 16:20   39424   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2009-06-05 09:42 . 2009-06-16 16:20   2060288   ----a-w-   c:\windows\system32\usbaaplrc.dll
.

------- Sigcheck -------

[-] 2008-05-12 18:59   361344   ACCF5A9A1FFAA490F33DBA1C632B95E1   c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((   SnapShot@2009-06-21_11.44.50   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-15 16:34 . 2009-06-21 12:07   32768              c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-15 16:34 . 2009-06-21 11:27   32768              c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-15 16:34 . 2009-06-21 12:07   32768              c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2009-06-15 16:34 . 2009-06-21 11:27   32768              c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2009-06-15 16:34 . 2009-06-21 12:07   16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-15 16:34 . 2009-06-21 11:27   16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-13 101888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R240 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE" [2005-04-25 98304]
"WinFast Schedule"="c:\programmi\WinFast\WFTVFM\WFWIZ.exe" [2005-09-30 319488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-19 1947928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"VirtualCloneDrive"="c:\programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Motive SmartBridge"="c:\progra~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"VIRIT LITE MONITOR"="c:\vexplite\MONLITE.EXE" [2009-06-20 262144]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-13 101888]

c:\documents and settings\Matteo\Menu Avvio\Programmi\Esecuzione automatica\
FreePOPs.lnk - c:\programmi\FreePOPs\freepopsd.exe [2008-6-11 49152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-19 13:44   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"f:\\Programmi\\eMule Extreme\\emule.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"8085:TCP"= 8085:TCP:driver

S0 a247286bcfaf320fd2296054b4f5693b;a247286bcfaf320fd2296054b4f5693b; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [15/06/2009 21.25.29 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [15/06/2009 21.25.34 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [15/06/2009 21.25.08 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [15/06/2009 21.25.07 298776]
S3 WFIOCTL;WFIOCTL;c:\programmi\WinFast\WFTVFM\WFIOCTL.sys [15/06/2009 20.15.30 9446]
.
Contenuto della cartella 'Scheduled Tasks'

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

BHO-{000eb29f-90dd-41df-bca5-614124613bc6} - (no file)
BHO-{0010131b-384c-469f-9243-80430e69c14a} - (no file)


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.malwarelist.org/
TCP: {9ea652ab-c2dc-4f79-9ae2-dca36fe50b54} = 85.37.17.12 85.38.28.79
DPF: microsoft xml parser for java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-22 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(1452)
c:\programmi\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\PortableDeviceApi.dll
c:\programmi\File comuni\Ahead\lib\NeroDigitalExt.dll
.
Ora fine scansione: 2009-06-22 20.09.40 - Il pc è stato riavviato
ComboFix-quarantined-files.txt  2009-06-22 18:09
ComboFix2.txt  2009-06-21 20:59
ComboFix3.txt  2009-06-21 11:48

Pre-Run: 11.080.556.544 byte disponibili
Post-Run: 11.086.688.256 byte disponibili

238


ed ecco quello di mbam:

Codice: Seleziona tutto

Malwarebytes' Anti-Malware 1.38
Versione del database: 2297
Windows 5.1.2600 Service Pack 3

22/06/2009 21.16.33
mbam-log-2009-06-22 (21-16-27).txt

Tipo di scansione: Scansione completa (C:\|F:\|)
Elementi scansionati: 137741
Tempo trascorso: 27 minute(s), 22 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 2
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 33

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) -> No action taken.

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
c:\documents and settings\localservice\impostazioni locali\temporary internet files\Content.IE5\FY2RMTLM\w[1].bin (Trojan.Downloader) -> No action taken.
c:\documents and settings\localservice\impostazioni locali\temporary internet files\Content.IE5\FY2RMTLM\w[2].bin (Trojan.Downloader) -> No action taken.
c:\documents and settings\localservice\impostazioni locali\temporary internet files\Content.IE5\I7KCV8RJ\w[1].bin (Trojan.Downloader) -> No action taken.
c:\programmi\SlySoft\AnyDVD\Crack.exe (Backdoor.Bot) -> No action taken.
c:\Qoobox\quarantine\C\qatrll.exe.vir (Trojan.Downloader) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\6to4v32.dll.vir (Trojan.Agent) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\edfbafcd.dll.vir (Worm.AutoRun) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\Iasv32.dll.vir (Trojan.Agent) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\isadisk.sys.vir (Rootkit.GamesThief) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\kdpini.dll.vir (Trojan.BHO) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\msncache.dll.vir (Backdoor.Bot) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\mukmil.dll.vir (Rogue.Multiple) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\sopidkc.exe.vir (Trojan.Downloader) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\tpsaxyd.exe.vir (Trojan.Downloader) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\tpszxyd.sys.vir (Trojan.Downloader) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\wiwow64.exe.vir (Trojan.Downloader) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\wtukd32.exe.vir (Trojan.Downloader) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\3361\services.exe.vir (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001095.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001096.dll (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001101.dll (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001102.sys (Rootkit.GamesThief) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001104.dll (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001105.dll (Rogue.Multiple) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001106.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001108.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001109.sys (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001111.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001114.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0001903.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0004058.dll (Trojan.BHO) -> No action taken.
c:\system volume information\_restore{9a9b279d-6aa6-4359-a339-4e8b15746bb7}\RP0\A0004197.dll (Worm.AutoRun) -> No action taken.
c:\WINDOWS\system32\msncav32.dll (Trojan.Agent) -> No action taken.


[mat90]

ah, che faccio cancello le minacce trovate con mbam ???????????????

[mat90]

Ho cancellato le voci di registro, ho riavviato il pc in modalità normale.

Il pc sembra funzionare NORMALMENTE

Mi è apparso un paio di volte "nessun firewall attivo" che ho riattivato da pannello di controllo

ed ho avuto qualche problema con l'hardware e software della scheda televisiva, però dopo vari riavvi del sistema sembra funzionare, ex. mi appariva il wizard di win fast in automatico, o non si vedeva la tv, immagine bloccata ecc..
ma ora sembra funzionare.

incrocio le dita...

GRAZIE RAGAZZI, spero di non chiedervi altro aiuto, o se avete in mente qualcosa che devo ancora fare vi chiedo se potete continuare ad aiutarmi, GRAZIE!!!