Condividi:        

Aiuto. Trojan Rootkit.gen

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

Aiuto. Trojan Rootkit.gen

Postdi bob20 » 16/02/10 16:15

Ciao.
Ho preso ieri questo trojan :aaah .
Il computer ha cominciato ad andare lentissimo, e poi mi ha segnalato questo trojan con continui messaggi.
Ho fatto una scansione con HiJackThis e ho fixato una voce infetta.
Poi ho fatto la scansione con Antivir, che mi ha trovato il virus, e ho eliminato le relative voci.
Ho fatto la scansione anche con Malwarebytes, che mi ha trovato 9 elementi infetti, e li ha riparati.

Ulteriori scansioni con gli stessi programmi non hanno trovato problemi.

Però durante l'ultima scansione con Malwarebytes è comparso un messaggio di Antivir che mi risegnalava questi Rootkit.gen. E in generale non mi sembra che il pc sia veloce come al solito (anche se forse va meglio di ieri sera e stamattina).

Non ho pututo fare la scansione con Combofix perché adesso il link di download che avete segnalato qui sul forum ( http://download.bleepingcomputer.com/sUBs/ComboFix.exe ) adesso non funziona :(

Posto un po' di log.
HiJackThis:
Codice: Seleziona tutto
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.12.17, on 16/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Programmi\Winamp\winampa.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Packard Bell Data Secure\PBDataSecure.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Programmi\Apoint2K\Apntex.exe
C:\VEXPLITE\viritsvc.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\Windows NT\Accessori\wordpad.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://liberomail.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Packard Bell Data Secure] C:\Programmi\Packard Bell Data Secure\PBDataSecure.exe
O4 - HKCU\..\Run: [swg] "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Save Flash - res://C:\Programmi\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programmi\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Update Service (gupdate1c9bac9b1d2c2b0) (gupdate1c9bac9b1d2c2b0) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas   www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

--
End of file - 7584 bytes


Malwarebytes:
Codice: Seleziona tutto
Malwarebytes' Anti-Malware 1.44
Versione del database: 3745
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/02/2010 15.41.33
mbam-log-2010-02-16 (15-41-33).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 190900
Tempo trascorso: 55 minute(s), 33 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)


Poi posto anche il log della scansione precedente con Malwarebytes, quando mi aveva trovato 9 elementi infetti. Non so, forse può essere utile:
Codice: Seleziona tutto
Malwarebytes' Anti-Malware 1.44
Versione del database: 3745
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/02/2010 14.24.58
mbam-log-2010-02-16 (14-24-53).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 190958
Tempo trascorso: 32 minute(s), 43 second(s)

Processi delle memoria infetti: 2
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 1
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 6

Processi delle memoria infetti:
C:\WINDOWS\temp\~TM10.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Downloader) -> No action taken.

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Downloader) -> No action taken.

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\WINDOWS\temp\~TM10.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\temp\~TM301.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\temp\~TM1B.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Roberto\Dati applicazioni\avdrn.dat (Malware.Trace) -> No action taken.
C:\Documents and Settings\Roberto\Menu Avvio\Programmi\Esecuzione automatica\netuza32.exe (Trojan.Downloader) -> No action taken.
bob20
Utente Senior
 
Post: 238
Iscritto il: 31/03/05 21:06

Sponsor
 

Re: Aiuto. Trojan Rootkit.gen

Postdi Luke57 » 16/02/10 19:32

Ciao, adesso funziona
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10

Re: Aiuto. Trojan Rootkit.gen

Postdi bob20 » 16/02/10 19:32

Ora fortunatamente il link ha ripreso a funzionare, così ho potuto fare la scansione con Combofix.
Questo il report:
Codice: Seleziona tutto
ComboFix 10-02-12.01 - Roberto 16/02/2010  19.21.48.6.1 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.39.1040.18.495.240 [GMT 1:00]
Eseguito da: c:\documents and settings\Roberto\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

(((((((((((((((((((((((((   Files Creati Da 2010-01-16 al 2010-02-16  )))))))))))))))))))))))))))))))))))
.

2010-02-15 23:30 . 2008-04-13 10:41   8192   ----a-w-   c:\windows\system32\drivers\Changer.sys
2010-02-15 23:30 . 2008-04-13 10:41   8192   ----a-w-   c:\windows\system32\dllcache\changer.sys
2010-02-15 23:29 . 2010-02-16 12:37   116   ----a-w-   c:\windows\system32\fjhdyfhsn.bat
2010-02-11 15:44 . 2010-02-11 15:44   --------   d-sh--w-   c:\documents and settings\Roberto\PrivacIE
2010-02-11 15:37 . 2010-02-11 15:37   --------   d-sh--w-   c:\documents and settings\Roberto\IETldCache
2010-02-11 15:34 . 2010-02-11 15:34   --------   d-----w-   c:\windows\system32\NtmsData
2010-02-11 15:30 . 2010-02-11 15:30   --------   d-----w-   c:\windows\ie8updates
2010-02-11 15:28 . 2010-02-11 15:28   --------   d--h--w-   c:\windows\ie8
2010-02-11 10:39 . 2008-06-14 17:32   272768   ------w-   c:\windows\system32\dllcache\bthport.sys
2010-02-11 10:39 . 2009-12-31 16:50   353792   ------w-   c:\windows\system32\dllcache\srv.sys
2010-02-11 10:38 . 2009-11-21 15:54   471552   ------w-   c:\windows\system32\dllcache\aclayers.dll
2010-02-11 10:36 . 2009-10-15 16:29   81920   ------w-   c:\windows\system32\dllcache\fontsub.dll
2010-02-11 10:36 . 2009-10-15 16:29   119808   ------w-   c:\windows\system32\dllcache\t2embed.dll
2010-02-11 10:35 . 2009-02-06 10:10   227840   ------w-   c:\windows\system32\dllcache\wmiprvse.exe
2010-02-11 10:35 . 2009-03-06 14:19   286208   ------w-   c:\windows\system32\dllcache\pdh.dll
2010-02-11 10:35 . 2009-02-09 11:22   111104   ------w-   c:\windows\system32\dllcache\services.exe
2010-02-11 10:35 . 2009-02-09 10:51   401408   ------w-   c:\windows\system32\dllcache\rpcss.dll
2010-02-11 10:35 . 2009-02-09 10:51   473600   ------w-   c:\windows\system32\dllcache\fastprox.dll
2010-02-11 10:35 . 2009-02-09 10:51   683520   ------w-   c:\windows\system32\dllcache\advapi32.dll
2010-02-11 10:35 . 2009-02-09 10:51   453120   ------w-   c:\windows\system32\dllcache\wmiprvsd.dll
2010-02-11 10:35 . 2009-02-09 10:51   736256   ------w-   c:\windows\system32\dllcache\ntdll.dll
2010-02-11 10:34 . 2009-06-21 21:47   153088   ------w-   c:\windows\system32\dllcache\triedit.dll
2010-02-11 10:34 . 2009-12-04 18:22   455424   ------w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-02-11 10:33 . 2008-05-08 14:02   203136   ------w-   c:\windows\system32\dllcache\rmcast.sys
2010-02-11 10:33 . 2008-05-01 14:34   331776   ------w-   c:\windows\system32\dllcache\msadce.dll
2010-02-11 10:33 . 2009-07-10 13:26   1315328   ------w-   c:\windows\system32\dllcache\msoe.dll
2010-02-11 10:32 . 2008-04-11 19:04   691712   ------w-   c:\windows\system32\dllcache\inetcomm.dll
2010-02-11 10:29 . 2009-08-04 17:26   2148864   ------w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-11 10:29 . 2009-08-04 17:26   2069760   ------w-   c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-11 10:29 . 2009-08-04 17:26   2027520   ------w-   c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-11 10:29 . 2008-10-15 16:36   337408   ------w-   c:\windows\system32\dllcache\netapi32.dll
2010-02-11 10:29 . 2009-07-31 04:32   1172480   ------w-   c:\windows\system32\dllcache\msxml3.dll
2010-02-11 10:29 . 2008-04-21 21:14   219136   ------w-   c:\windows\system32\dllcache\wordpad.exe
2010-02-10 17:29 . 2009-12-11 08:38   69120   ------w-   c:\windows\system32\dllcache\iecompat.dll
2010-02-10 17:29 . 2009-12-21 19:06   594432   ------w-   c:\windows\system32\dllcache\msfeeds.dll
2010-02-10 17:29 . 2009-12-21 19:06   246272   ------w-   c:\windows\system32\dllcache\ieproxy.dll
2010-02-10 17:29 . 2009-12-21 19:06   55296   ------w-   c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-10 17:29 . 2009-12-21 19:06   1985536   ------w-   c:\windows\system32\dllcache\iertutil.dll
2010-02-10 17:29 . 2009-12-21 19:06   12800   ------w-   c:\windows\system32\dllcache\xpshims.dll
2010-02-10 17:29 . 2009-12-21 19:06   11070464   ------w-   c:\windows\system32\dllcache\ieframe.dll
2010-02-10 14:11 . 2010-02-10 14:11   --------   d-----w-   c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\Google
2010-02-10 14:01 . 2010-02-10 14:01   --------   d-----w-   c:\windows\system32\wbem\AutoRecover
2010-02-10 10:52 . 2010-02-10 10:52   --------   d-----w-   c:\windows\ServicePackFiles
2010-02-10 10:40 . 2010-02-10 10:41   --------   d-----w-   c:\windows\EHome
2010-02-09 16:50 . 2010-02-09 16:50   --------   d-----w-   c:\documents and settings\Roberto\Dati applicazioni\Malwarebytes
2010-02-09 16:50 . 2010-01-07 15:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 16:50 . 2010-02-09 16:50   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-02-09 16:50 . 2010-01-07 15:07   18520   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-09 16:50 . 2010-02-09 16:50   --------   d-----w-   c:\programmi\Malwarebytes' Anti-Malware
2010-02-09 14:50 . 2010-02-09 14:50   --------   d-----w-   C:\FOUND.001
2010-02-09 11:49 . 2010-02-09 11:49   388096   ----a-r-   c:\documents and settings\Roberto\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-09 11:49 . 2010-02-09 11:49   --------   d-----w-   c:\programmi\TrendMicro
2010-01-31 23:15 . 2010-01-06 11:08   57856   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-31 23:15 . 2010-01-06 11:08   545280   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-31 23:15 . 2010-01-06 11:08   4726272   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-31 23:15 . 2010-01-06 11:08   4725760   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-31 23:15 . 2010-01-06 11:08   344064   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-31 23:15 . 2010-01-06 11:08   153600   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-31 23:15 . 2010-01-06 11:08   103424   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\pixomatic.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 12:37 . 2010-02-16 12:36   20   ----a-w-   c:\documents and settings\NetworkService\Dati applicazioni\sgcpom.dat
2010-02-16 00:32 . 2010-02-16 00:32   20   ----a-w-   c:\windows\system32\config\systemprofile\Dati applicazioni\sgcpom.dat
2010-02-15 23:43 . 2005-02-18 16:45   21176   ----a-w-   c:\documents and settings\Roberto\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-02-15 23:28 . 2010-02-15 23:28   20   ----a-w-   c:\documents and settings\LocalService\Dati applicazioni\sgcpom.dat
2010-02-13 15:44 . 1979-12-31 23:00   48728   ----a-w-   c:\windows\system32\perfc010.dat
2010-02-13 15:44 . 1979-12-31 23:00   346870   ----a-w-   c:\windows\system32\perfh010.dat
2010-02-10 10:59 . 2003-06-23 17:18   83975   ----a-w-   c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-12-31 16:50 . 1979-12-31 23:00   353792   ------w-   c:\windows\system32\drivers\srv.sys
2009-12-21 19:06 . 2006-04-28 14:09   916480   ------w-   c:\windows\system32\wininet.dll
2009-12-17 07:40 . 2003-06-23 17:15   346112   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-16 13:42 . 2009-12-23 19:42   872960   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 13:42 . 2009-12-23 19:42   43008   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 13:42 . 2009-12-23 19:42   340480   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 13:41 . 2009-12-23 19:42   346624   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-14 07:08 . 1979-12-31 23:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 1979-12-31 23:00   455424   ------w-   c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:12 . 2003-05-13 09:31   1296896   ----a-w-   c:\windows\system32\quartz.dll
2009-11-27 17:12 . 2001-08-30 22:07   17920   ----a-w-   c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2001-08-30 22:08   8704   ----a-w-   c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2001-08-30 22:07   48128   ----a-w-   c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 1979-12-31 23:00   85504   ----a-w-   c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 1979-12-31 23:00   28672   ----a-w-   c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 1979-12-31 23:00   11264   ----a-w-   c:\windows\system32\msrle32.dll
2009-11-21 15:54 . 1979-12-31 23:00   471552   ----a-w-   c:\windows\AppPatch\AcLayers.dll
2003-10-27 19:08 . 2003-10-27 19:08   770048   ----a-w-   c:\programmi\winmx331.exe
2003-10-27 19:03 . 2003-10-27 19:03   3468472   ----a-w-   c:\programmi\winamp3_0-full.exe
.

(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Packard Bell Data Secure"="c:\programmi\Packard Bell Data Secure\PBDataSecure.exe" [2006-06-20 2361856]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-06-23 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-06-23 114688]
"SoundMan"="SOUNDMAN.EXE" [2003-06-20 55296]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-23 88267]
"Apoint"="c:\programmi\Apoint2K\Apoint.exe" [2002-07-25 151552]
"LManager"="c:\progra~1\LAUNCH~1\CPLBCL53.EXE" [2003-06-27 155648]
"WinampAgent"="c:\programmi\Winamp\winampa.exe" [2008-01-15 37376]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2005-11-05 77824]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2007-11-11 185632]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
WinZip Quick Pick.lnk - c:\programmi\WinZip\WZQKPICK.EXE [2003-11-28 106560]
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-5-12 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 10:58   278528   ----a-w-   c:\programmi\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programmi\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [29/04/2009 11.46.44 22360]
R0 VIRAGTLT;VIRAGTLT;c:\windows\system32\drivers\VIRAGTLT.SYS [06/09/2006 15.06.28 41728]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [29/04/2009 11.46.44 45416]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [21/02/2008 20.43.26 245248]
S0 aalgxr;aalgxr; [x]
S2 gupdate1c9bac9b1d2c2b0;Google Update Service (gupdate1c9bac9b1d2c2b0);c:\programmi\Google\Update\GoogleUpdate.exe [11/04/2009 19.19.26 133104]
S2 viritsvclite;Virit eXplorer Lite;c:\vexplite\VIRITSVC.EXE [04/09/2009 23.41.15 65536]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - tzichq
.
Contenuto della cartella 'Scheduled Tasks'

2010-02-16 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 20:57]

2010-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-04-11 18:19]

2010-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-04-11 18:19]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://liberomail.libero.it/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
IE: Save Flash - c:\programmi\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
FF - ProfilePath - c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\programmi\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\programmi\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\programmi\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-16 19:26
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tzichq]

.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1685927933-2690133624-1694720459-1005\Identities\{F717E46F-20F7-4DB9-BA46-92292829952B}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List]
@DACL=(02 0000)
@SACL=
"File0"="Cielo blu.htm"
"File1"="Natura.htm"
"File2"="Giallo.htm"
"File3"="Girasole.htm"
"File4"="Agrumi.htm"
"File5"="Quadretti bianchi.htm"
"File6"="Foglie.htm"

[HKEY_USERS\S-1-5-21-1685927933-2690133624-1694720459-1005\Identities\{F717E46F-20F7-4DB9-BA46-92292829952B}\Software\Microsoft\Outlook Express\5.0\Shared Settings]
@DACL=(02 0000)
@SACL=

[HKEY_USERS\S-1-5-21-1685927933-2690133624-1694720459-1005\Software\Local AppWizard-Generated Applications\Launch Tool]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\CyberLink\PowerDVD\BuildInfo]
@DACL=(02 0000)
@SACL=
"SR_No"="DVD030423-04"
"Skin"="2420"
"iPower"="030407"
"UG"="1510"
"Setup"="030421"
"Help"="2416"
"RC"="030414"
"Readme"="2416"
"Kernel"="v2834_DS(Acer)"
"UI"="v2824_DDVS_DS(Acer)"
"Filter"="v2834_DS(Acer)"

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{13A7995E-7D8F-45B4-9C77-819265225763}]
@DACL=(02 0000)
"Priority"=dword:00000001
"AutoInsert"=dword:00000001
"Name"="WMPlayer Spectrum Analyzer DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{95037DA1-6ED9-4B27-8CFF-9AD3DFB0B2F2}]
@DACL=(02 0000)
"Priority"=dword:fffffffb
"AutoInsert"=dword:00000001
"Name"="WMPlayer SRSWow DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{974BF3BF-C9AE-4476-8003-5FE544DF458C}]
@DACL=(02 0000)
"Priority"=dword:fffffffe
"AutoInsert"=dword:00000001
"Name"="WMPlayer Video Processing DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{B2DBA270-9F49-4513-AC13-76496D6EBA3A}]
@DACL=(02 0000)
"Priority"=dword:00000002
"AutoInsert"=dword:00000000
"Name"="Speaker Enhancement DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{D01BC8E2-70AD-4976-9612-21B37ED5C8E8}]
@DACL=(02 0000)
"Priority"=dword:00000003
"AutoInsert"=dword:00000001
"Name"="WMPlayer Equalizer DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Publish\{1AC8AC62-67E9-4676-BA08-194A6916B145}]
@DACL=(02 0000)
@="WMPlayer CD Burn Publish Provider"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Publish\{F6402585-08FB-498E-877D-2D8EDF05219F}]
@DACL=(02 0000)
@="WMPlayer WMDM Publish Provider"

[HKEY_LOCAL_MACHINE\software\NewTech Infosystems\NTI CD-Maker\6]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\NewTech Infosystems\NTI CD-Maker\OEMUrl]
@DACL=(02 0000)
@SACL=
"Home"="http://global.acer.com"

[HKEY_LOCAL_MACHINE\software\Realtek Semiconductor Corp.\Realtek AC'97 Audio]
@DACL=(02 0000)
@SACL=
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(544)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
.
Ora fine scansione: 2010-02-16  19:28:23
ComboFix-quarantined-files.txt  2010-02-16 18:28

Pre-Run: 2.129.231.872 byte disponibili
Post-Run: 2.127.200.256 byte disponibili

- - End Of File - - D70BF53AA5001E1D60E499A602C2283A
bob20
Utente Senior
 
Post: 238
Iscritto il: 31/03/05 21:06

Re: Aiuto. Trojan Rootkit.gen

Postdi -> EleKtrA <- » 17/02/10 12:41

Ciao bob20, ti ho preparato uno script per combofix che andrà a rimuovere dei servizi illegittimi.

Apri un file di testo sul Desktop
Start > esegui, digita: notepad.exe e poi clicca Ok
Incolla il codice che vedi qui sotto, e salvi il file di testo obbligatoriamente
con il nome CFScript
Codice: Seleziona tutto
Killall::
Driver::
aalgxr
tzichq

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_tzichq]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_tzichq]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_tzichq]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_tzichq]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_tzichq]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tzichq]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tzichq]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tzichq]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tzichq]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\tzichq]

Folder::
C:\WINDOWS\temp
C:\WINDOWS\Tasks

Con il mouse trascina il file CFScript.txt sull'icona rossa di Combofix
Immagine
Lascia lavorare il programma
Verrà creato un nuovo log combofix.txt
Allega il rapporto per un controllo.

Collegati a questa pagina con Internet Explorer ed esegui una scansione completa. *Guida*
Allega il risultato della scansione nella tua prossima risposta.
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50

Re: Aiuto. Trojan Rootkit.gen

Postdi bob20 » 17/02/10 22:27

Grazie mille per la dettagliata risposta EleKtrA.

Ho fatto tutto. Durante la scansione con Combifix, dopo il riavvio, mentre Combofix preparava il report, Antivir mi ha segnalato per due volte Rootkit.gen (avevo disattivato Antivir, ma al riavvio si riattiva automaticamente).

Questi sono i risultati delle scansioni.

Combofix:
Codice: Seleziona tutto
ComboFix 10-02-12.01 - Roberto 17/02/2010  19.08.49.7.1 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.39.1040.18.495.200 [GMT 1:00]
Eseguito da: c:\documents and settings\Roberto\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Roberto\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Driver/Servizi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AALGXR
-------\Legacy_TZICHQ
-------\Service_aalgxr
-------\Service_tzichq


(((((((((((((((((((((((((   Files Creati Da 2010-01-17 al 2010-02-17  )))))))))))))))))))))))))))))))))))
.

2010-02-16 12:37 . 2010-02-17 18:13   792064   ----a-w-   c:\windows\system32\drivers\tzichq.sys
2010-02-15 23:30 . 2008-04-13 10:41   8192   ----a-w-   c:\windows\system32\drivers\Changer.sys
2010-02-15 23:30 . 2008-04-13 10:41   8192   ----a-w-   c:\windows\system32\dllcache\changer.sys
2010-02-15 23:29 . 2010-02-16 12:37   116   ----a-w-   c:\windows\system32\fjhdyfhsn.bat
2010-02-11 15:44 . 2010-02-11 15:44   --------   d-sh--w-   c:\documents and settings\Roberto\PrivacIE
2010-02-11 15:37 . 2010-02-11 15:37   --------   d-sh--w-   c:\documents and settings\Roberto\IETldCache
2010-02-11 15:34 . 2010-02-11 15:34   --------   d-----w-   c:\windows\system32\NtmsData
2010-02-11 15:30 . 2010-02-11 15:30   --------   d-----w-   c:\windows\ie8updates
2010-02-11 15:28 . 2010-02-11 15:28   --------   d--h--w-   c:\windows\ie8
2010-02-11 10:39 . 2008-06-14 17:32   272768   ------w-   c:\windows\system32\dllcache\bthport.sys
2010-02-11 10:39 . 2009-12-31 16:50   353792   ------w-   c:\windows\system32\dllcache\srv.sys
2010-02-11 10:38 . 2009-11-21 15:54   471552   ------w-   c:\windows\system32\dllcache\aclayers.dll
2010-02-11 10:36 . 2009-10-15 16:29   81920   ------w-   c:\windows\system32\dllcache\fontsub.dll
2010-02-11 10:36 . 2009-10-15 16:29   119808   ------w-   c:\windows\system32\dllcache\t2embed.dll
2010-02-11 10:35 . 2009-02-06 10:10   227840   ------w-   c:\windows\system32\dllcache\wmiprvse.exe
2010-02-11 10:35 . 2009-03-06 14:19   286208   ------w-   c:\windows\system32\dllcache\pdh.dll
2010-02-11 10:35 . 2009-02-09 11:22   111104   ------w-   c:\windows\system32\dllcache\services.exe
2010-02-11 10:35 . 2009-02-09 10:51   401408   ------w-   c:\windows\system32\dllcache\rpcss.dll
2010-02-11 10:35 . 2009-02-09 10:51   473600   ------w-   c:\windows\system32\dllcache\fastprox.dll
2010-02-11 10:35 . 2009-02-09 10:51   683520   ------w-   c:\windows\system32\dllcache\advapi32.dll
2010-02-11 10:35 . 2009-02-09 10:51   453120   ------w-   c:\windows\system32\dllcache\wmiprvsd.dll
2010-02-11 10:35 . 2009-02-09 10:51   736256   ------w-   c:\windows\system32\dllcache\ntdll.dll
2010-02-11 10:34 . 2009-06-21 21:47   153088   ------w-   c:\windows\system32\dllcache\triedit.dll
2010-02-11 10:34 . 2009-12-04 18:22   455424   ------w-   c:\windows\system32\dllcache\mrxsmb.sys
2010-02-11 10:33 . 2008-05-08 14:02   203136   ------w-   c:\windows\system32\dllcache\rmcast.sys
2010-02-11 10:33 . 2008-05-01 14:34   331776   ------w-   c:\windows\system32\dllcache\msadce.dll
2010-02-11 10:33 . 2009-07-10 13:26   1315328   ------w-   c:\windows\system32\dllcache\msoe.dll
2010-02-11 10:32 . 2008-04-11 19:04   691712   ------w-   c:\windows\system32\dllcache\inetcomm.dll
2010-02-11 10:29 . 2009-08-04 17:26   2148864   ------w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-11 10:29 . 2009-08-04 17:26   2069760   ------w-   c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-11 10:29 . 2009-08-04 17:26   2027520   ------w-   c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-11 10:29 . 2008-10-15 16:36   337408   ------w-   c:\windows\system32\dllcache\netapi32.dll
2010-02-11 10:29 . 2009-07-31 04:32   1172480   ------w-   c:\windows\system32\dllcache\msxml3.dll
2010-02-11 10:29 . 2008-04-21 21:14   219136   ------w-   c:\windows\system32\dllcache\wordpad.exe
2010-02-10 17:29 . 2009-12-11 08:38   69120   ------w-   c:\windows\system32\dllcache\iecompat.dll
2010-02-10 17:29 . 2009-12-21 19:06   594432   ------w-   c:\windows\system32\dllcache\msfeeds.dll
2010-02-10 17:29 . 2009-12-21 19:06   246272   ------w-   c:\windows\system32\dllcache\ieproxy.dll
2010-02-10 17:29 . 2009-12-21 19:06   55296   ------w-   c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-10 17:29 . 2009-12-21 19:06   1985536   ------w-   c:\windows\system32\dllcache\iertutil.dll
2010-02-10 17:29 . 2009-12-21 19:06   12800   ------w-   c:\windows\system32\dllcache\xpshims.dll
2010-02-10 17:29 . 2009-12-21 19:06   11070464   ------w-   c:\windows\system32\dllcache\ieframe.dll
2010-02-10 14:11 . 2010-02-10 14:11   --------   d-----w-   c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\Google
2010-02-10 14:01 . 2010-02-10 14:01   --------   d-----w-   c:\windows\system32\wbem\AutoRecover
2010-02-10 10:52 . 2010-02-10 10:52   --------   d-----w-   c:\windows\ServicePackFiles
2010-02-10 10:40 . 2010-02-10 10:41   --------   d-----w-   c:\windows\EHome
2010-02-09 16:50 . 2010-02-09 16:50   --------   d-----w-   c:\documents and settings\Roberto\Dati applicazioni\Malwarebytes
2010-02-09 16:50 . 2010-01-07 15:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 16:50 . 2010-02-09 16:50   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-02-09 16:50 . 2010-01-07 15:07   18520   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-09 16:50 . 2010-02-09 16:50   --------   d-----w-   c:\programmi\Malwarebytes' Anti-Malware
2010-02-09 14:50 . 2010-02-09 14:50   --------   d-----w-   C:\FOUND.001
2010-02-09 11:49 . 2010-02-09 11:49   388096   ----a-r-   c:\documents and settings\Roberto\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-09 11:49 . 2010-02-09 11:49   --------   d-----w-   c:\programmi\TrendMicro
2010-01-31 23:15 . 2010-01-06 11:08   57856   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-31 23:15 . 2010-01-06 11:08   545280   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-31 23:15 . 2010-01-06 11:08   4726272   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-31 23:15 . 2010-01-06 11:08   4725760   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-31 23:15 . 2010-01-06 11:08   344064   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-31 23:15 . 2010-01-06 11:08   153600   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-31 23:15 . 2010-01-06 11:08   103424   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\libs\pixomatic.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 12:37 . 2010-02-16 12:36   20   ----a-w-   c:\documents and settings\NetworkService\Dati applicazioni\sgcpom.dat
2010-02-16 00:32 . 2010-02-16 00:32   20   ----a-w-   c:\windows\system32\config\systemprofile\Dati applicazioni\sgcpom.dat
2010-02-15 23:43 . 2005-02-18 16:45   21176   ----a-w-   c:\documents and settings\Roberto\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-02-15 23:28 . 2010-02-15 23:28   20   ----a-w-   c:\documents and settings\LocalService\Dati applicazioni\sgcpom.dat
2010-02-13 15:44 . 1979-12-31 23:00   48728   ----a-w-   c:\windows\system32\perfc010.dat
2010-02-13 15:44 . 1979-12-31 23:00   346870   ----a-w-   c:\windows\system32\perfh010.dat
2010-02-10 10:59 . 2003-06-23 17:18   83975   ----a-w-   c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-12-31 16:50 . 1979-12-31 23:00   353792   ------w-   c:\windows\system32\drivers\srv.sys
2009-12-21 19:06 . 2006-04-28 14:09   916480   ------w-   c:\windows\system32\wininet.dll
2009-12-17 07:40 . 2003-06-23 17:15   346112   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-16 13:42 . 2009-12-23 19:42   872960   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 13:42 . 2009-12-23 19:42   43008   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 13:42 . 2009-12-23 19:42   340480   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 13:41 . 2009-12-23 19:42   346624   ----a-w-   c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-14 07:08 . 1979-12-31 23:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 1979-12-31 23:00   455424   ------w-   c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:12 . 2003-05-13 09:31   1296896   ----a-w-   c:\windows\system32\quartz.dll
2009-11-27 17:12 . 2001-08-30 22:07   17920   ----a-w-   c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2001-08-30 22:08   8704   ----a-w-   c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2001-08-30 22:07   48128   ----a-w-   c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 1979-12-31 23:00   85504   ----a-w-   c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 1979-12-31 23:00   28672   ----a-w-   c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 1979-12-31 23:00   11264   ----a-w-   c:\windows\system32\msrle32.dll
2009-11-21 15:54 . 1979-12-31 23:00   471552   ----a-w-   c:\windows\AppPatch\AcLayers.dll
2003-10-27 19:08 . 2003-10-27 19:08   770048   ----a-w-   c:\programmi\winmx331.exe
2003-10-27 19:03 . 2003-10-27 19:03   3468472   ----a-w-   c:\programmi\winamp3_0-full.exe
.

(((((((((((((((((((((((((((((   SnapShot@2010-02-16_18.26.30   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-17 18:15 . 2010-02-17 18:15   16384              c:\windows\temp\Perflib_Perfdata_710.dat
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Packard Bell Data Secure"="c:\programmi\Packard Bell Data Secure\PBDataSecure.exe" [2006-06-20 2361856]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-06-23 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-06-23 114688]
"SoundMan"="SOUNDMAN.EXE" [2003-06-20 55296]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-23 88267]
"Apoint"="c:\programmi\Apoint2K\Apoint.exe" [2002-07-25 151552]
"LManager"="c:\progra~1\LAUNCH~1\CPLBCL53.EXE" [2003-06-27 155648]
"WinampAgent"="c:\programmi\Winamp\winampa.exe" [2008-01-15 37376]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2005-11-05 77824]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2007-11-11 185632]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
WinZip Quick Pick.lnk - c:\programmi\WinZip\WZQKPICK.EXE [2003-11-28 106560]
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2006-5-12 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 10:58   278528   ----a-w-   c:\programmi\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programmi\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [29/04/2009 11.46.44 22360]
R0 VIRAGTLT;VIRAGTLT;c:\windows\system32\drivers\VIRAGTLT.SYS [06/09/2006 15.06.28 41728]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [29/04/2009 11.46.44 45416]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [21/02/2008 20.43.26 245248]
R2 viritsvclite;Virit eXplorer Lite;c:\vexplite\VIRITSVC.EXE [04/09/2009 23.41.15 65536]
S2 gupdate1c9bac9b1d2c2b0;Google Update Service (gupdate1c9bac9b1d2c2b0);c:\programmi\Google\Update\GoogleUpdate.exe [11/04/2009 19.19.26 133104]
.
Contenuto della cartella 'Scheduled Tasks'

2010-02-17 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 20:57]

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-04-11 18:19]

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-04-11 18:19]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://liberomail.libero.it/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
IE: Save Flash - c:\programmi\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
FF - ProfilePath - c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\o51ze5ma.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\programmi\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\programmi\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\programmi\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\programmi\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 19:17
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1685927933-2690133624-1694720459-1005\Identities\{F717E46F-20F7-4DB9-BA46-92292829952B}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List]
@DACL=(02 0000)
@SACL=
"File0"="Cielo blu.htm"
"File1"="Natura.htm"
"File2"="Giallo.htm"
"File3"="Girasole.htm"
"File4"="Agrumi.htm"
"File5"="Quadretti bianchi.htm"
"File6"="Foglie.htm"

[HKEY_USERS\S-1-5-21-1685927933-2690133624-1694720459-1005\Identities\{F717E46F-20F7-4DB9-BA46-92292829952B}\Software\Microsoft\Outlook Express\5.0\Shared Settings]
@DACL=(02 0000)
@SACL=

[HKEY_USERS\S-1-5-21-1685927933-2690133624-1694720459-1005\Software\Local AppWizard-Generated Applications\Launch Tool]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\CyberLink\PowerDVD\BuildInfo]
@DACL=(02 0000)
@SACL=
"SR_No"="DVD030423-04"
"Skin"="2420"
"iPower"="030407"
"UG"="1510"
"Setup"="030421"
"Help"="2416"
"RC"="030414"
"Readme"="2416"
"Kernel"="v2834_DS(Acer)"
"UI"="v2824_DDVS_DS(Acer)"
"Filter"="v2834_DS(Acer)"

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{13A7995E-7D8F-45B4-9C77-819265225763}]
@DACL=(02 0000)
"Priority"=dword:00000001
"AutoInsert"=dword:00000001
"Name"="WMPlayer Spectrum Analyzer DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{95037DA1-6ED9-4B27-8CFF-9AD3DFB0B2F2}]
@DACL=(02 0000)
"Priority"=dword:fffffffb
"AutoInsert"=dword:00000001
"Name"="WMPlayer SRSWow DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{974BF3BF-C9AE-4476-8003-5FE544DF458C}]
@DACL=(02 0000)
"Priority"=dword:fffffffe
"AutoInsert"=dword:00000001
"Name"="WMPlayer Video Processing DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{B2DBA270-9F49-4513-AC13-76496D6EBA3A}]
@DACL=(02 0000)
"Priority"=dword:00000002
"AutoInsert"=dword:00000000
"Name"="Speaker Enhancement DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\NodeCLSIDs\{D01BC8E2-70AD-4976-9612-21B37ED5C8E8}]
@DACL=(02 0000)
"Priority"=dword:00000003
"AutoInsert"=dword:00000001
"Name"="WMPlayer Equalizer DMO"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Publish\{1AC8AC62-67E9-4676-BA08-194A6916B145}]
@DACL=(02 0000)
@="WMPlayer CD Burn Publish Provider"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Publish\{F6402585-08FB-498E-877D-2D8EDF05219F}]
@DACL=(02 0000)
@="WMPlayer WMDM Publish Provider"

[HKEY_LOCAL_MACHINE\software\NewTech Infosystems\NTI CD-Maker\6]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\NewTech Infosystems\NTI CD-Maker\OEMUrl]
@DACL=(02 0000)
@SACL=
"Home"="http://global.acer.com"

[HKEY_LOCAL_MACHINE\software\Realtek Semiconductor Corp.\Realtek AC'97 Audio]
@DACL=(02 0000)
@SACL=
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(3276)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Avira\AntiVir Desktop\sched.exe
c:\programmi\Avira\AntiVir Desktop\avguard.exe
c:\programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
c:\windows\System32\wdfmgr.exe
c:\windows\SOUNDMAN.EXE
c:\windows\AGRSMMSG.exe
c:\programmi\Apoint2K\Apntex.exe
c:\progra~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
.
**************************************************************************
.
Ora fine scansione: 2010-02-17  19:20:25 - Il pc è stato riavviato
ComboFix-quarantined-files.txt  2010-02-17 18:20
ComboFix2.txt  2010-02-16 18:28

Pre-Run: 2.169.438.208 byte disponibili
Post-Run: 2.118.549.504 byte disponibili

- - End Of File - - 24A6CE70182A20B00C7032E792373607


Kaspersky:
Codice: Seleziona tutto
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Wednesday, February 17, 2010
 Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Wednesday, February 17, 2010 13:04:39
 Records in database: 3544318
--------------------------------------------------------------------------------

Scan settings:
   scan using the following database: extended
   Scan archives: yes
   Scan e-mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   E:\

Scan statistics:
   Objects scanned: 56187
   Threats found: 4
   Infected objects found: 7
   Suspicious objects found: 0
   Scan duration: 02:23:31


File name / Threat / Threats count
C:\WINDOWS\system32\drivers\tzichq.sys   Infected: Rootkit.Win32.Agent.aioy   1
C:\WINDOWS\system32\fjhdyfhsn.bat   Infected: Trojan.BAT.DelFiles.ez   1
C:\WINDOWS\Installer\1b5c75b.msi   Infected: Trojan-Spy.Win32.Agent.ept   1
C:\Programmi\File comuni\Wise Installation Wizard\WISA9131D1599C14AE1B7789C0A3B6F87A3_1_3_1.MSI   Infected: Trojan-Spy.Win32.Agent.ept   1
C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP382\A0032040.bat   Infected: Trojan.BAT.DelFiles.ez   1
C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP383\A0033097.bat   Infected: Trojan.BAT.DelFiles.ez   1
C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP383\A0033098.exe   Infected: Trojan-Downloader.Win32.Small.apan   1

Selected area has been scanned.
bob20
Utente Senior
 
Post: 238
Iscritto il: 31/03/05 21:06

Re: Aiuto. Trojan Rootkit.gen

Postdi -> EleKtrA <- » 17/02/10 23:05

Ciao

Scarica the Avenger
Lo salvi in una cartella, scompatti il file .zip
Individua avenger.exe, lo avvii
Inserisci questo script nel box bianco

Codice: Seleziona tutto
Drivers to disable:
C:\WINDOWS\system32\drivers\tzichq.sys

Files to delete:
C:\WINDOWS\system32\drivers\tzichq.sys
C:\WINDOWS\system32\fjhdyfhsn.bat
C:\WINDOWS\Installer\1b5c75b.msi
C:\Programmi\File comuni\Wise Installation Wizard\WISA9131D1599C14AE1B7789C0A3B6F87A3_1_3_1.MSI
C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP382\A0032040.bat
C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP383\A0033097.bat
C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP383\A0033098.exe

Folders to delete:
C:\WINDOWS\temp
C:\WINDOWS\Tasks


Clicca su Execute
Il pc dovrebbe riavviarsi (se così non fosse, fallo tu)
Posta il log che verrà creato in C:\Avenger
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50

Re: Aiuto. Trojan Rootkit.gen

Postdi bob20 » 17/02/10 23:16

Ok, grazie.

Questo è il log:
Codice: Seleziona tutto
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open driver "C:\WINDOWS\system32\drivers\tzichq.sys"
Disablement of driver "C:\WINDOWS\system32\drivers\tzichq.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\drivers\tzichq.sys" deleted successfully.
File "C:\WINDOWS\system32\fjhdyfhsn.bat" deleted successfully.
File "C:\WINDOWS\Installer\1b5c75b.msi" deleted successfully.
File "C:\Programmi\File comuni\Wise Installation Wizard\WISA9131D1599C14AE1B7789C0A3B6F87A3_1_3_1.MSI" deleted successfully.
File "C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP382\A0032040.bat" deleted successfully.
File "C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP383\A0033097.bat" deleted successfully.
File "C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP383\A0033098.exe" deleted successfully.
Folder "C:\WINDOWS\temp" deleted successfully.
Folder "C:\WINDOWS\Tasks" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
bob20
Utente Senior
 
Post: 238
Iscritto il: 31/03/05 21:06

Re: Aiuto. Trojan Rootkit.gen

Postdi -> EleKtrA <- » 19/02/10 17:19

Ciao bob20, i file infetti sono stati cancellati.

Ora per completare il procedimento segui questi step.

Step 1: Pulizia dei file temporanei
Scarica TFC by OldTimer sul desktop
chiudi tutti i programmi
tasto destro su TFC, avvia come amministratore
Clicca su "star", al termine della scansione ti chiederà il riavvio, dai ok.

Step 2: Pulizia e disinstallazione dei tool usati
Scarica OTC by OldTimer sul desktop
Tasto destro, esegui come ammonistratore
clicca su "CleanUP" > "Yes" > "Yes"
Riavvia.

Step 3: Aggiornamento dei software
- Scarica e installa l'ultima versione di Adobe Reader
- Scarica e installa l'ultima versione di Java Sun
- Aggiorna Adobe FlashPlayer:
1. Scarica il programma di disinstallazione di FlashPlayer
2. Scarica l'ultima versione di FlashPlayer per IE
3. Scarica l'ultima versione di FlashPlayer per FF
4. Chiudi tutti i browser (IE, Opera, Firefox, Chrome, etc)
5. Esegui il programma di disinstallazione scaricato al punto 1.
6. Esegui il programma di installazione scaricato al punto 2.
7. Esegui il programma di installazione scaricato al punto 3.

Step 4: Ottimizzazione del Sistema

- Esegui una deframmentazione degli hardisk, puoi usare IObit SmartDefrag.
Oppure con l' utility interna di windows:
Start / Programmi / Accessori / Utilità di sistema / Utilità di deframmentazione dischi.

- Esegui uno Scandisk:
Apri Risorse del computer / Tasto destro sul disco fisso / proprietà / Strumenti / Esegui Scandisk
Seleziona entrambe le opzioni:
correggi automaticamente gli errori del File system,
cerca i settori danneggiati e tenta il ripristino.
Si aprirà una finestra di avvertimento:
Impossibile ottenere accesso esclusivo ad alcuni file di Windows...
Clicca su "SI" per pianificare l'operazione al prossimo avvio.
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50

Re: Aiuto. Trojan Rootkit.gen

Postdi bob20 » 28/02/10 14:42

Chiedo scusa se non ho più risposto :oops:
Ci tenevo a ringraziare infinitamente EleKtrA per tutto l'aiuto, sei stata gentilissima!

(P.s. Di Flashplayer ho installato solo la versione "unica" dal sito ufficiale, perché nei link con le due versioni per IE e per Firefox non funzionano i link di download. Con l'aggiornamento di Adobe si è installato anche McAfee, spero non vada in conflitto con Antivir).

Ciao e ancora grazie 1000
bob20
Utente Senior
 
Post: 238
Iscritto il: 31/03/05 21:06

Re: Aiuto. Trojan Rootkit.gen

Postdi -> EleKtrA <- » 01/03/10 09:08

Ciao bob20 , grazie a te del feedback.
McAfee® Security Scan Plus puoi disinstallarlo
da pannello di controllo > installazione applicazioni.
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50


Torna a Sicurezza e Privacy


Topic correlati a "Aiuto. Trojan Rootkit.gen":

aiuto windows 10
Autore: mod360
Forum: Software Windows
Risposte: 1
aiuto installazione
Autore: mod360
Forum: Software Windows
Risposte: 3
aiuto x mobili
Autore: MarioLombardi
Forum: Forum off-topic
Risposte: 8

Chi c’è in linea

Visitano il forum: Nessuno e 58 ospiti