Non riesco ad accedere ai siti degli antivirus

[HAYATOWIND1]

Ciao anche io ho lo stesso problemino e poco tempo per risolverlo ti prego aiutami
Grazie
di seguito il responso di combofix




ComboFix 10-02-20.03 - Hayatowind1 21/02/2010 0.44.20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.39.1040.18.1535.1116 [GMT 1:00]
Eseguito da: c:\documents and settings\Hayatowind1\desktop\abc.exe
Opzioni usate :: /killall
* Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\khq
c:\windows\system32\images
c:\windows\system32\images\accessinghvnoprop.jpg
c:\windows\system32\images\accessingmdesk.jpg
c:\windows\system32\images\ati_logo.jpg
c:\windows\system32\images\hvdm.jpg
c:\windows\system32\images\hvhotkeys.jpg
c:\windows\system32\images\hvsystray.jpg
c:\windows\system32\images\hvsystray2.jpg
c:\windows\system32\index.html
c:\windows\system32\wj.exe
M:\autorun.inf
M:\khq

c:\windows\system32\qmgr.dll . . . è infetto!!

.
((((((((((((((((((((((((( Files Creati Da 2010-01-20 al 2010-02-20 )))))))))))))))))))))))))))))))))))
.

2010-02-21 07:51 . 2010-02-21 07:51 -------- dc----w- C:\VProRecovery
2010-02-20 23:44 . 2010-02-20 23:44 -------- dc----w- c:\documents and settings\Hayatowind1\Impostazioni locali\Dati applicazioni\ESET
2010-02-20 23:41 . 2008-04-14 17:10 626167 -csha-r- C:\maeboi.exe
2010-02-20 23:24 . 2010-02-20 23:24 -------- dc----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\ESET
2010-02-20 22:57 . 2001-08-30 19:41 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-02-20 22:57 . 2001-08-30 19:41 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-02-20 22:56 . 2002-09-09 12:50 20480 ----a-w- c:\windows\system32\hidserv.dll
2010-02-20 22:56 . 2002-09-09 12:50 20480 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-02-20 22:56 . 2001-08-30 18:53 14080 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-02-20 22:56 . 2001-08-30 18:53 14080 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 23:51 . 2001-08-31 16:00 62440 ----a-w- c:\windows\system32\perfc010.dat
2010-02-20 23:51 . 2001-08-31 16:00 416648 ----a-w- c:\windows\system32\perfh010.dat
2010-01-02 01:21 . 2006-03-04 21:09 -------- dc----w- c:\programmi\K-Lite Codec Pack
2010-01-02 01:08 . 2010-01-02 01:08 0 -c--a-w- c:\windows\nsreg.dat
2010-01-02 00:57 . 2010-01-02 00:57 -------- dc----w- c:\programmi\Realtek AC97
2010-01-01 23:25 . 2010-01-01 23:25 -------- dc----w- c:\documents and settings\Hayatowind1\Dati applicazioni\ATI
2010-01-01 23:21 . 2006-03-22 18:03 -------- dc----w- c:\programmi\File comuni\Wise Installation Wizard
2010-01-01 23:17 . 2010-01-01 23:11 -------- dc----w- c:\programmi\AdunanzA
2010-01-01 22:42 . 2010-01-01 22:42 -------- dc----w- c:\programmi\ESET
2010-01-01 22:42 . 2010-01-01 22:42 -------- dc----w- c:\documents and settings\All Users\Dati applicazioni\ESET
2010-01-01 22:32 . 2010-01-01 22:31 -------- dc----w- c:\programmi\ATI Technologies
2010-01-01 22:31 . 2006-01-26 20:28 -------- dc-h--w- c:\programmi\InstallShield Installation Information
2010-01-01 22:29 . 2006-01-26 20:45 -------- dc----w- c:\programmi\VIA
2010-01-01 22:19 . 2010-01-01 22:17 -------- dc----w- c:\programmi\Driver Genius
2002-09-09 11:50 . 2002-09-09 11:50 165616 --sha-r- c:\windows\system32\rlscbzcv.dll
.

------- Sigcheck -------

[-] 2002-09-09 . 827F6DF5C0FD2035EFB0A4D3934741AD . 5376512 . . [6.00.2800.1106] . . c:\windows\system32\mshtml.dll
[-] 2002-09-09 . 827F6DF5C0FD2035EFB0A4D3934741AD . 5376512 . . [6.00.2800.1106] . . c:\windows\system32\dllcache\mshtml.dll

[-] 2002-09-09 . 1E92AC65ED34D281658DAEBB244075D5 . 750080 . . [6.00.2800.1106] . . c:\windows\system32\wininet.dll
[-] 2002-09-09 . 1E92AC65ED34D281658DAEBB244075D5 . 750080 . . [6.00.2800.1106] . . c:\windows\system32\dllcache\wininet.dll

[-] 2002-09-09 . CF229C3E24D85BA25B483D173280A1BF . 2088448 . . [6.00.2800.1106] . . c:\windows\explorer.exe
[-] 2002-09-09 . CF229C3E24D85BA25B483D173280A1BF . 2088448 . . [6.00.2800.1106] . . c:\windows\system32\dllcache\explorer.exe



c:\windows\System32\wscntfy.exe ... è mancante !!
c:\windows\System32\xmlprov.dll ... è mancante !!
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"eMuleAutoStart"="c:\programmi\AdunanzA\eMule_AdnzA.exe" [2008-12-14 5459968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
"DiskeeperSystray"="c:\programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"DataLayer"="c:\programmi\File comuni\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 1106944]
"AttuneClientEngine"="c:\progra~1\Aveo\Attune\bin\attune_ce.exe" [2000-07-24 356728]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"DAEMON Tools-1033"="c:\programmi\D-Tools\daemon.exe" [2003-12-15 81920]
"RemoteControl"="c:\programmi\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\programmi\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"VIARaidUtl"="c:\programmi\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
"ATICCC"="c:\programmi\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

c:\documents and settings\Hayatowind1\Menu Avvio\Programmi\Esecuzione automatica\
Stardock ObjectDock.lnk - c:\windows\BricoPacks\Longhorn Inspirat\ObjectDock\ObjectDock.exe [2005-2-21 1826885]
Y'z Toolbar.lnk - c:\windows\BricoPacks\Longhorn Inspirat\YzToolBar\YzToolBar.exe [2002-9-29 90112]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.exe.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-1 113664]
Tasto di scelta rapida per l'avvio di AutoCAD.lnk - c:\programmi\File comuni\Autodesk Shared\acstart16.exe [2005-3-5 10872]

[HKLM\~\startupfolder\C:^Documents and Settings^Hayatowind1^Menu Avvio^Programmi^Esecuzione automatica^dBpowerAMP.lnk]
backup=c:\windows\pss\dBpowerAMP.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
2002-04-12 03:06 282624 -c--a-w- c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2005-03-31 08:30 1106944 -c--a-w- c:\programmi\File comuni\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2005-03-22 08:39 167936 -c--a-w- c:\programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
2005-03-30 16:31 847872 -c--a-w- c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe

R0 d343bus;d343bus;c:\windows\system32\drivers\d343bus.sys [17/05/2007 21.53.58 136704]
R0 d343port;d343port;c:\windows\system32\drivers\d343port.sys [17/05/2007 21.53.58 5632]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [03/06/2003 15.52.24 123957]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [26/01/2006 21.45.58 77056]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [24/10/2008 20.53.28 34824]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [03/06/2003 15.52.20 46900]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [02/02/2007 14.54.26 41176]
R2 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [24/10/2008 20.51.16 468224]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [02/02/2007 14.35.06 1235032]
R2 VRAID Log Service;VRAID Log Service;c:\programmi\VIA\RAID\vialogsv.exe [01/01/2010 23.30.32 52888]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [01/11/2006 5.01.56 3328]
S2 erjxlyj;Image Monitor;c:\windows\system32\svchost.exe -k netsvcs [31/08/2001 17.00.00 12800]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [31/08/2001 17.00.00 3584]
S3 usb2vcom;Nokia CA-42 USB;c:\windows\system32\drivers\usb2vcom.sys [21/03/2006 22.21.33 22760]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
erjxlyj
.
Contenuto della cartella 'Scheduled Tasks'

2007-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2006-09-19 15:36]
.
.
------- Scansione supplementare -------
.
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\Hayatowind1\Dati applicazioni\Mozilla\Firefox\Profiles\cfgl2b6u.default\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-NWEReboot - (no file)
HKLM-Run-HydarVisionDesktopManager - (no file)
HKLM-Run-Corel Reminder - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 00:50
Windows 5.1.2600 Service Pack 1 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VIARaidUtl = c:\programmi\VIA\RAID\raid_tool.exe?1\Documenti\Dr

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89618868]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf766baac
\Driver\ACPI -> ACPI.sys @ 0xf758e740
\Driver\atapi -> 0x89618868
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7970d84
PacketIndicateHandler -> NDIS.sys @ 0xf797d480
SendHandler -> NDIS.sys @ 0xf795e933
Warning: possible MBR rootkit infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\erjxlyj]
"ServiceDll"="c:\windows\System32\rlscbzcv.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\System32\MSGINA.dll
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(972)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3240)
c:\windows\BricoPacks\Longhorn Inspirat\ObjectDock\DockShellHook.dll
c:\windows\System32\msi.dll
c:\windows\System32\ntshrui.dll
c:\windows\System32\ATL.DLL
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\stobject.dll
c:\windows\system32\MSASN1.dll
c:\windows\System32\printui.dll
c:\programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\Diskeeper Corporation\Diskeeper\DkService.exe
c:\programmi\CyberLink\Shared Files\RichVideo.exe
c:\programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
c:\windows\System32\rserver30\FamItrfc.Exe
c:\progra~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
c:\windows\SOUNDMAN.EXE
c:\programmi\iPod\bin\iPodService.exe
.
**************************************************************************
.
Ora fine scansione: 2010-02-21 00:54:16 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-02-20 23:54

Pre-Run: 23.367.745.536 byte disponibili
Post-Run: 23.411.847.168 byte disponibili

- - End Of File - - 55727CB9CF5647C0EFD005AC6A428CBD

[Luke57]

Ciao, prepara un file di testo, al suo interno copia e incolla il seguente testo:

Codice: Seleziona tutto

NetSvcs::
erjxlyj

Driver::
erjxlyj

File::
c:\windows\System32\rlscbzcv.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\erjxlyj]

salvalo obbligatoriamente con il nome di CFScript.txt sul desktop. Trascinalo con il puntatore del mouse sull'icona di combofix ; il programma avvierà una nuova scansione come la precedente.
Al termine di essa, posta il nuovo report prodotto.

[HAYATOWIND1]

Grazie mille sei stato super adesso funziona di nuovo grazie ancora ecco il report


ComboFix 10-02-20.03 - Hayatowind1 21/02/2010 1.40.21.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.39.1040.18.1535.971 [GMT 1:00]
Eseguito da: c:\documents and settings\Hayatowind1\Documenti\Download\ComboFix.exe
Opzioni usate :: c:\documents and settings\Hayatowind1\Desktop\CFScript.txt
* Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
"c:\windows\System32\rlscbzcv.dll"
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\rlscbzcv.dll

La copia infetta di c:\windows\system32\qmgr.dll è stata trovata e disinfettata
ipristinata copia da - c:\windows\ERDNT\cache\qmgr.dll

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ERJXLYJ
-------\Service_erjxlyj


((((((((((((((((((((((((( Files Creati Da 2010-01-21 al 2010-02-21 )))))))))))))))))))))))))))))))))))
.

2010-02-21 07:51 . 2010-02-21 07:51 -------- dc----w- C:\VProRecovery
2010-02-21 00:17 . 2004-08-10 16:05 14240 ----a-w- c:\windows\system32\drivers\wg6n.sys
2010-02-21 00:17 . 2004-08-10 16:05 14240 ----a-w- c:\windows\system32\drivers\wg5n.sys
2010-02-21 00:17 . 2004-08-10 16:05 14240 ----a-w- c:\windows\system32\drivers\wg4n.sys
2010-02-21 00:17 . 2004-08-10 16:05 14240 ----a-w- c:\windows\system32\drivers\wg3n.sys
2010-02-21 00:17 . 2004-08-10 15:53 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2010-02-21 00:17 . 2004-08-10 15:51 59984 ----a-w- c:\windows\system32\drivers\Teefer.sys
2010-02-21 00:17 . 2004-08-10 16:05 83096 ----a-w- c:\windows\system32\SSSensor.dll
2010-02-21 00:17 . 2010-02-21 00:17 -------- dc----w- c:\programmi\Sygate
2010-02-20 23:44 . 2010-02-20 23:44 -------- dc----w- c:\documents and settings\Hayatowind1\Impostazioni locali\Dati applicazioni\ESET
2010-02-20 23:41 . 2008-04-14 17:10 626167 -csha-r- C:\maeboi.exe
2010-02-20 23:24 . 2010-02-20 23:24 -------- dc----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\ESET
2010-02-20 22:57 . 2001-08-30 19:41 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-02-20 22:57 . 2001-08-30 19:41 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-02-20 22:56 . 2002-09-09 12:50 20480 ----a-w- c:\windows\system32\hidserv.dll
2010-02-20 22:56 . 2002-09-09 12:50 20480 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-02-20 22:56 . 2001-08-30 18:53 14080 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-02-20 22:56 . 2001-08-30 18:53 14080 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 23:51 . 2001-08-31 16:00 62440 ----a-w- c:\windows\system32\perfc010.dat
2010-02-20 23:51 . 2001-08-31 16:00 416648 ----a-w- c:\windows\system32\perfh010.dat
2010-01-02 01:21 . 2006-03-04 21:09 -------- dc----w- c:\programmi\K-Lite Codec Pack
2010-01-02 01:08 . 2010-01-02 01:08 0 -c--a-w- c:\windows\nsreg.dat
2010-01-02 00:57 . 2010-01-02 00:57 -------- dc----w- c:\programmi\Realtek AC97
2010-01-01 23:25 . 2010-01-01 23:25 -------- dc----w- c:\documents and settings\Hayatowind1\Dati applicazioni\ATI
2010-01-01 23:21 . 2006-03-22 18:03 -------- dc----w- c:\programmi\File comuni\Wise Installation Wizard
2010-01-01 23:17 . 2010-01-01 23:11 -------- dc----w- c:\programmi\AdunanzA
2010-01-01 22:42 . 2010-01-01 22:42 -------- dc----w- c:\programmi\ESET
2010-01-01 22:42 . 2010-01-01 22:42 -------- dc----w- c:\documents and settings\All Users\Dati applicazioni\ESET
2010-01-01 22:32 . 2010-01-01 22:31 -------- dc----w- c:\programmi\ATI Technologies
2010-01-01 22:31 . 2006-01-26 20:28 -------- dc-h--w- c:\programmi\InstallShield Installation Information
2010-01-01 22:29 . 2006-01-26 20:45 -------- dc----w- c:\programmi\VIA
2010-01-01 22:19 . 2010-01-01 22:17 -------- dc----w- c:\programmi\Driver Genius
.

------- Sigcheck -------

[-] 2002-09-09 . 827F6DF5C0FD2035EFB0A4D3934741AD . 5376512 . . [6.00.2800.1106] . . c:\windows\system32\mshtml.dll
[-] 2002-09-09 . 827F6DF5C0FD2035EFB0A4D3934741AD . 5376512 . . [6.00.2800.1106] . . c:\windows\system32\dllcache\mshtml.dll

[-] 2002-09-09 . 1E92AC65ED34D281658DAEBB244075D5 . 750080 . . [6.00.2800.1106] . . c:\windows\system32\wininet.dll
[-] 2002-09-09 . 1E92AC65ED34D281658DAEBB244075D5 . 750080 . . [6.00.2800.1106] . . c:\windows\system32\dllcache\wininet.dll

[-] 2002-09-09 . CF229C3E24D85BA25B483D173280A1BF . 2088448 . . [6.00.2800.1106] . . c:\windows\explorer.exe
[-] 2002-09-09 . CF229C3E24D85BA25B483D173280A1BF . 2088448 . . [6.00.2800.1106] . . c:\windows\system32\dllcache\explorer.exe



c:\windows\System32\wscntfy.exe ... è mancante !!
c:\windows\System32\xmlprov.dll ... è mancante !!
.
((((((((((((((((((((((((((((( SnapShot@2010-02-20_23.49.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-21 00:46 . 2010-02-21 00:46 16384 c:\windows\temp\Perflib_Perfdata_7fc.dat
+ 2010-02-21 00:19 . 2010-02-21 00:19 16384 c:\windows\temp\Perflib_Perfdata_5d4.dat
+ 2004-08-10 16:05 . 2004-08-10 16:05 99480 c:\windows\system32\FwsVpn.dll
- 2006-01-26 19:57 . 2010-02-20 22:52 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2006-01-26 19:57 . 2010-02-21 00:45 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2006-01-26 19:57 . 2010-02-21 00:45 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2006-01-26 19:57 . 2010-02-20 22:52 32768 c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2006-01-26 19:57 . 2010-02-21 00:45 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-01-26 19:57 . 2010-02-20 22:52 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-21 00:17 . 2010-02-21 00:17 4608 c:\windows\Installer\{BF448A52-C83E-455D-B5D3-FD9E964C9419}\IconC989D247.exe
+ 2004-08-10 19:39 . 2004-08-10 19:39 218264 c:\windows\system32\SetAid.dll
+ 2010-02-21 00:17 . 2010-02-21 00:17 986112 c:\windows\Installer\1a8522.msi
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"eMuleAutoStart"="c:\programmi\AdunanzA\eMule_AdnzA.exe" [2008-12-14 5459968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
"DiskeeperSystray"="c:\programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"DataLayer"="c:\programmi\File comuni\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 1106944]
"AttuneClientEngine"="c:\progra~1\Aveo\Attune\bin\attune_ce.exe" [2000-07-24 356728]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"DAEMON Tools-1033"="c:\programmi\D-Tools\daemon.exe" [2003-12-15 81920]
"RemoteControl"="c:\programmi\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\programmi\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"VIARaidUtl"="c:\programmi\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
"ATICCC"="c:\programmi\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-09 13312]

c:\documents and settings\Hayatowind1\Menu Avvio\Programmi\Esecuzione automatica\
Stardock ObjectDock.lnk - c:\windows\BricoPacks\Longhorn Inspirat\ObjectDock\ObjectDock.exe [2005-2-21 1826885]
Y'z Toolbar.lnk - c:\windows\BricoPacks\Longhorn Inspirat\YzToolBar\YzToolBar.exe [2002-9-29 90112]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.exe.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-1 113664]
Tasto di scelta rapida per l'avvio di AutoCAD.lnk - c:\programmi\File comuni\Autodesk Shared\acstart16.exe [2005-3-5 10872]

[HKLM\~\startupfolder\C:^Documents and Settings^Hayatowind1^Menu Avvio^Programmi^Esecuzione automatica^dBpowerAMP.lnk]
backup=c:\windows\pss\dBpowerAMP.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
2002-04-12 03:06 282624 -c--a-w- c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2005-03-31 08:30 1106944 -c--a-w- c:\programmi\File comuni\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2005-03-22 08:39 167936 -c--a-w- c:\programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
2005-03-30 16:31 847872 -c--a-w- c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe

R0 d343bus;d343bus;c:\windows\system32\drivers\d343bus.sys [17/05/2007 21.53.58 136704]
R0 d343port;d343port;c:\windows\system32\drivers\d343port.sys [17/05/2007 21.53.58 5632]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [03/06/2003 15.52.24 123957]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [26/01/2006 21.45.58 77056]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [24/10/2008 20.53.28 34824]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [03/06/2003 15.52.20 46900]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [02/02/2007 14.54.26 41176]
R2 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [24/10/2008 20.51.16 468224]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [02/02/2007 14.35.06 1235032]
R2 VRAID Log Service;VRAID Log Service;c:\programmi\VIA\RAID\vialogsv.exe [01/01/2010 23.30.32 52888]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [01/11/2006 5.01.56 3328]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [31/08/2001 17.00.00 3584]
S3 usb2vcom;Nokia CA-42 USB;c:\windows\system32\drivers\usb2vcom.sys [21/03/2006 22.21.33 22760]
.
Contenuto della cartella 'Scheduled Tasks'

2007-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2006-09-19 15:36]
.
.
------- Scansione supplementare -------
.
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\Hayatowind1\Dati applicazioni\Mozilla\Firefox\Profiles\cfgl2b6u.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 01:47
Windows 5.1.2600 Service Pack 1 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VIARaidUtl = c:\programmi\VIA\RAID\raid_tool.exe?1\Documenti\Dr

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89511F00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf766baac
\Driver\ACPI -> ACPI.sys @ 0xf758e740
\Driver\atapi -> 0x89511f00
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x80559f4b
ParseProcedure -> ntoskrnl.exe @ 0x805829d5
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x80559f4b
ParseProcedure -> ntoskrnl.exe @ 0x805829d5
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\System32\MSGINA.dll
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\SSSensor.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(1624)
c:\windows\BricoPacks\Longhorn Inspirat\ObjectDock\DockShellHook.dll
c:\windows\BricoPacks\Longhorn Inspirat\YzToolBar\YzToolBar.dll
c:\windows\System32\SSSensor.dll
c:\windows\System32\ntshrui.dll
c:\windows\System32\ATL.DLL
c:\windows\System32\msi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\WININET.dll
c:\windows\system32\stobject.dll
c:\windows\System32\printui.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\programmi\Sygate\SPF\smc.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\Diskeeper Corporation\Diskeeper\DkService.exe
c:\programmi\CyberLink\Shared Files\RichVideo.exe
c:\programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
c:\windows\System32\rserver30\FamItrfc.Exe
c:\progra~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
c:\windows\SOUNDMAN.EXE
c:\programmi\iPod\bin\iPodService.exe
c:\windows\SoftwareDistribution\Download\a2c8f709dd0237a7e496be18e0ba404e\WindowsInstaller-KB893803-v2-x86.exe
.
**************************************************************************
.
Ora fine scansione: 2010-02-21 01:51:29 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-02-21 00:51
ComboFix2.txt 2010-02-20 23:54

Pre-Run: 23.412.920.320 byte disponibili
Post-Run: 23.304.761.344 byte disponibili

- - End Of File - - 208972F87704C36D02ED5634B74C45FF

[MikePortnoy]

Buongiorno...............Idem..............

con l'unica differenza che non riesco manco a scaricare il Combofix ...o meglio..una volta scaricato il programmino mandandolo in esecuzione per il completo download e l'installazione rimane bloccato (proprio perchè le connessioni con i siti antivirus appaiono tutte bloccate).

Ho scansionato con MalwareBytes' anti-malware....ha trovato 4 file infetti e li ha rimossi...
Provato Cwshredder e non ha trovato alcuna infezione
Con Hijackthis ho rimosso manualmente un file sospetto: bill301.exe (o qualcosa del genere)
Avast mi ha messo in quarantena sys50191.exe, captcha21.dll e webserver.exe

Ma ancora niente....
Dal msconfig e task manager non vedo alcun processo strano in esecuzione, ma anche con l'hijackthis non trovo alcuna cosa che faccia pensare a un virus........eppureeeeeeeee............quando mi collego ai siti (avast, hijackthis, combofix, trendmicro etc etc) o si blocca la connessione dandomi un Bad Request o viene effettuato un REDIRECT a siti non affidabili che fortunatamente avast blocca.

Ciò accade con firefox, internet explorer, chrome e opera

Che faccio? Formatto?

O provo a scaricare combofix dal muletto?

Vi ringrazio anticipatamente

p.s. in realtà mi son accorto che lo stavo prendendo il Virus poichè ieri ho avuto un messaggio sospetto su facebook da una persona che cmq ho nei miei contatti....e mi sa che lui sia infettato poichè ogni 5 min. mandava messaggi del genere a tutti i suoi amici.....ahimè....il firewall e l'antivirus erano disattivati perchè stavo testando alcune cose Attenti a facebook

[Luke57]

Ciao, combofix non si installa, si esegue direttamente. Elimina il combofix.exe che hai nel computer, scaricalo nuovamente sul desktop da qui:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
devi rinominare il file prima di salvarlo sul desktop in abc.exe
(per rinominare il file, quando lo scarichi ti chiede dove salvarlo e ti compare la casella "nome file" ,basta che cambi il nome che ti appare in abc.exe)
Fatto questo, clicca su start>esegui, nel box bianco copia e incolla questo comando, virgolette comprese:

"%userprofile%\desktop\abc.exe" /killall

Premi OK, se tutto va bene parte il programma che potrebbe impiegare molto (non fare altre manovre durante la scansione),una volta terminata, se tutto è andato bene, in C:\ dovresti trovare il file combofix.txt , riavvia in modalità normale e posta il contenuto del file o allegalo.

[MikePortnoy]

già ma il problema, come ti dicevo, è proprio quello descritto in precedenza

Spiacenti! Questo link non sembra essere funzionante.
Suggerimenti:
Vai alla pagina bleepingcomputer . com
Vai alla sitemap di www. bleepingcomputer . com/ sitemap. php
Effettua la ricerca

mi vengono bloccate tutte le connessioni verso siti di antivirus o altro....pare proprio che ci siano dei Blocchi per certi siti....l'han studiato bene questo virus eh?

[MikePortnoy]

provo a scaricarlo riaccendendo in modalità provvisoria?

[MikePortnoy]

Son riuscito a farmelo inviare tramite email.

Ho lanciato Combofix e salvato il report che riporto qui di seguito:

ComboFix 10-03-10.07 - Mike Portnoy 11/03/2010 12.02.00.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.447.186 [GMT 1:00]
Eseguito da: c:\documents and settings\Mike Portnoy\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\Install.inf
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\system32\2
c:\windows\system32\2\BiMMonNT.dll
c:\windows\system32\drivers\imapioko.sys
c:\windows\system32\erokosvc.dll

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CPQOKO6
-------\Legacy_WEBSERVER
-------\Service_cpqoko6
-------\Legacy_apto6ko
-------\Service_apto6ko


((((((((((((((((((((((((( Files Creati Da 2010-02-11 al 2010-03-11 )))))))))))))))))))))))))))))))))))
.

2010-03-11 08:48 . 2010-03-11 08:48 -------- d-----w- c:\documents and settings\Mike Portnoy\Dati applicazioni\Malwarebytes
2010-03-11 08:48 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 08:48 . 2010-03-11 08:48 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-03-11 08:48 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 08:48 . 2010-03-11 08:48 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-03-10 16:32 . 2010-03-10 16:32 -------- d--h--w- c:\documents and settings\All Users\Dati applicazioni\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-10 16:31 . 2010-03-10 16:31 -------- d-----w- c:\programmi\Lavasoft
2010-03-10 16:31 . 2010-03-10 16:31 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Lavasoft
2010-03-10 10:53 . 2010-03-10 10:53 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Alwil Software
2010-03-05 08:37 . 2010-03-05 08:37 -------- d-----w- C:\FOUND.050

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 11:24 . 2007-11-08 14:18 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 11:24 . 2007-11-08 14:18 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2007-11-08 14:18 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2008-05-15 08:57 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2007-11-08 14:18 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2007-11-08 14:18 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 11:08 . 2007-11-08 14:18 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 11:08 . 2008-05-15 08:57 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 11:08 . 2007-11-08 14:18 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-05 16:29 . 2005-02-10 12:17 125224 ----a-w- c:\documents and settings\Mike Portnoy\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-01-13 17:07 . 2010-01-13 17:07 -------- d-----w- c:\programmi\Total Video Converter
2010-01-05 09:53 . 1979-12-31 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:53 . 1979-12-31 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:53 . 1979-12-31 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 1979-12-31 23:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-17 07:40 . 2004-12-24 10:27 346112 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 1979-12-31 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2005-02-25 16:03 . 2005-02-25 16:03 8348824 ----a-w- c:\programmi\winamp508e_full_silvertide_emusic-7plus.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\programmi\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\programmi\mozilla firefox\plugins\ssldivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\programmi\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\programmi\opera\program\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-04-13 19:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Mike Portnoy\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 73728]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"nwiz"="nwiz.exe" [2004-10-29 921600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-02-25 148888]
"SetDefPrt"="c:\programmi\Brother\Brmflp03\BrStDvPt.exe" [2003-03-28 45056]
"LogonStudio"="c:\programmi\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2007-07-31 372736]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Mike Portnoy\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 2.4.lnk - c:\programmi\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2005-5-12 135680]
Acrobat Assistant.lnk - c:\programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-12-16 49254]
PrintAndFax.lnk - c:\programmi\Fastweb\PrintAndFax\FaxMonitor.exe [2005-11-3 970856]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2005-9-19 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^SmartUI.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\SmartUI.lnk
backup=c:\windows\pss\SmartUI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Portnoy^Menu Avvio^Programmi^Esecuzione automatica^C'è Posta.lnk]
path=c:\documents and settings\Mike Portnoy\Menu Avvio\Programmi\Esecuzione automatica\C'è Posta.lnk
backup=c:\windows\pss\C'è Posta.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Captcha21]
rundll [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-12-06 10:43 3699600 ----a-w- c:\programmi\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-03 10:03 133104 ----a-w- c:\documents and settings\Mike Portnoy\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 15:49 36864 ----a-w- c:\programmi\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-01-15 02:22 267048 ----a-w- c:\programmi\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MOD]
2002-05-29 11:24 73728 ----a-w- c:\programmi\Microangelo\muamgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-08-12 15:21 45108 ----a-w- c:\programmi\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
2006-06-27 15:21 1449984 ----a-w- c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-01 08:23 68856 ----a-w- c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 15:45 313472 ----a-w- c:\programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-09-26 15:49 35328 ----a-w- c:\programmi\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PAVSRV"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\MSMSGS.EXE"=
"c:\\mIRC\\mirc.exe"=
"c:\\Programmi\\Macromedia\\Flash MX\\Flash.exe"=
"c:\\Programmi\\Microangelo\\studio.exe"=
"c:\\Programmi\\AdunanzA\\eMule_AdnzA.exe"=
"c:\\Programmi\\mIRC\\mirc.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\Programmi\\NetMeeting\\conf.exe"=
"c:\\Programmi\\JSAS\\http_root\\usr\\local\\Apache2\\bin\\Apache.exe"=
"c:\\Programmi\\JSAS\\http_root\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\EasyPHP 3.0\\mysql\\bin\\mysqld.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8085:TCP"= 8085:TCP:OKOToGate
"53:TCP"= 53:TCP:webserver

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [21/02/2007 14.14.18 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [21/02/2007 14.14.18 5248]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [28/11/2006 16.03.14 11264]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [15/05/2008 9.57.42 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/05/2008 9.57.42 19024]
R3 BrUsbScn;Driver scanner Brother MFC USB;c:\windows\system32\drivers\BrUsbScn.sys [02/05/2005 11.26.21 10368]
S2 gupdate;Google Update Service (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [21/01/2010 17.57.32 135664]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [24/07/2009 9.44.23 12672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrvs REG_MULTI_SZ cpqoko6
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3059158444-697988301-3354459495-1005Core1cab5acf91a145e.job
- c:\documents and settings\Mike Portnoy\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2008-09-03 10:03]

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-01-21 14:24]

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-01-21 14:24]
.
.
------- Scansione supplementare -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.olidata.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
IE: Translate this web page with Babylon - c:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
Trusted Zone: actalis.it
Trusted Zone: corporate.bpergroup.net
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {42C559C0-2E84-11D5-A3C6-00010219529D} - hxxps://portal.actalis.it/CA/Environmen ... nstall.cab
DPF: {A8680DA2-873A-11D4-928C-0050DAC7E112} - hxxp://fwbox.fastwebnet.it/webmail/comp ... plorer.cab
FF - ProfilePath - c:\documents and settings\Mike Portnoy\Dati applicazioni\Mozilla\Firefox\Profiles\bhknp4dn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://it.start2.mozilla.com/firefox?cl ... t:official
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Mike Portnoy\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-ISUSPM Startup - c:\programmi\File comuni\InstallShield\UpdateService\isuspm.exe
MSConfigStartUp-APVXDWIN - c:\programmi\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
MSConfigStartUp-Hiyo - c:\programmi\HiYo\bin\HiYo.exe
MSConfigStartUp-RemoteControl - c:\programmi\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-SCANINICIO - c:\programmi\Panda Software\Panda Antivirus Platinum\Inicio.exe
MSConfigStartUp-TopoMetro - c:\docume~1\INGECO~1\IMPOST~1\Temp\Directory temporanea 1 per conta_mouse.zip\topometro.exe
AddRemove-7th Sphere 3.0 - c:\sphere\DeIsL1.isu
AddRemove-HijackThis - c:\documents and settings\Mike Portnoy\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-11 12:13
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x844B2AE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7416cb8
\Driver\atapi -> 0x844b2ae8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf732bbb0
PacketIndicateHandler -> NDIS.sys @ 0xf7338a21
SendHandler -> NDIS.sys @ 0xf731687b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(2024)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSIT.DLL
c:\windows\system32\nvwddi.dll
c:\programmi\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Alwil Software\Avast5\AvastSvc.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
c:\programmi\File comuni\EPSON\EBAPI\SAgent2.exe
c:\documents and settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\BRMFRSMG.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\system32\rundll32.exe
c:\documents and settings\Mike Portnoy\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.17\GoogleCrashHandler.exe
c:\programmi\OpenOffice.org 2.4\program\soffice.exe
c:\programmi\OpenOffice.org 2.4\program\soffice.BIN
.
**************************************************************************
.
Ora fine scansione: 2010-03-11 12:24:26 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-03-11 11:24

Pre-Run: 2.488.238.080 byte disponibili
Post-Run: 5.314.772.992 byte disponibili

WindowsXP-KB310994-SP2-Home-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C01E08A195D704BA74980139C12E3E2F

[MikePortnoy]

ho risolto il problema...grazie per l'interessamento

[casaal]

Anche io ho lo stesso problema.
Spero di non sbagliare è da poco che uso il pc ed è la
prima volta che scrivo in un forum.
Se potete aiutarmi sotto riporto il responso di combofix.
Grazie anticipatamente.


ComboFix 10-05-07.07 - Proprietario 08/05/2010 18.44.02.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.511.323 [GMT 2:00]
Eseguito da: c:\documents and settings\Proprietario\desktop\abc.exe
Opzioni usate :: /killall
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Proprietario\Dati applicazioni\inst.exe
c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\hcwqlfy.dat
c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\hcwqlfy.exe
c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\hcwqlfy_nav.dat
c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\hcwqlfy_navps.dat
c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\ntbifmsy.dat
c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\ntbifmsy_navps.dat
c:\programmi\\setup.exe
c:\programmi\Dynamic Toolbar
c:\programmi\Dynamic Toolbar\batch.bat
c:\programmi\Dynamic Toolbar\Cache\go.bmp
c:\programmi\Dynamic Toolbar\Cache\home.bmp
c:\programmi\Dynamic Toolbar\Cache\logo_pb.bmp
c:\programmi\Dynamic Toolbar\Cache\parent_off.bmp
c:\programmi\Dynamic Toolbar\Cache\parent_on.bmp
c:\programmi\Dynamic Toolbar\Cache\pbitv2tb0200.cfg
c:\programmi\Dynamic Toolbar\Cache\popup_off.bmp
c:\programmi\Dynamic Toolbar\Cache\popup_on.bmp
c:\programmi\Dynamic Toolbar\Cache\search.bmp
c:\programmi\Dynamic Toolbar\Cache\services.bmp
c:\programmi\Dynamic Toolbar\Cache\skin.bmp
c:\programmi\Dynamic Toolbar\Cache\skin1.bmp
c:\programmi\Dynamic Toolbar\Cache\skin2.bmp
c:\programmi\Dynamic Toolbar\Cache\skin3.bmp
c:\programmi\Dynamic Toolbar\Cache\skin4.bmp
c:\programmi\Dynamic Toolbar\Cache\skin5.bmp
c:\programmi\Dynamic Toolbar\Cache\store.bmp
c:\programmi\Dynamic Toolbar\Cache\style.css
c:\programmi\Dynamic Toolbar\Cache\support.bmp
c:\programmi\Dynamic Toolbar\Cache\ticker.xml
c:\programmi\Dynamic Toolbar\PBITV2\Cache\_Ticker_ticker.txt
c:\programmi\Dynamic Toolbar\PBITV2\Cache\go.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\home.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\logo_pb.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\parent_off.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\parent_on.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\popup_off.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\popup_on.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\search.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\services.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\skin.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\skin1.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\skin2.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\skin3.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\skin4.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\skin5.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\store.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\style.css
c:\programmi\Dynamic Toolbar\PBITV2\Cache\support.bmp
c:\programmi\Dynamic Toolbar\PBITV2\Cache\ticker.xml
c:\programmi\Dynamic Toolbar\unins000.dat
c:\programmi\Dynamic Toolbar\unins000.exe
c:\programmi\Setup.exe
c:\programmi\SpeedBit Video Downloader\Toolbar\tbhelper.dll
c:\windows\system32\pbITv2.dll
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Creati Da 2010-04-08 al 2010-05-08 )))))))))))))))))))))))))))))))))))
.

2010-05-07 21:52 . 2010-05-07 21:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-19 16:58 . 1995-01-13 20:10 149504 ----a-w- c:\windows\system\mfcans32.dll
2010-04-16 11:15 . 1996-01-18 20:40 6144 ----a-w- c:\windows\system32\drivers\crlscsi.sys
2010-04-16 11:15 . 1996-01-18 20:40 151552 ----a-w- c:\windows\crllyrnt.dll
2010-04-16 11:15 . 1996-01-19 19:14 5632 ----a-w- c:\windows\system32\mfcuia32.dll
2010-04-16 11:15 . 1996-01-19 19:14 133904 ----a-w- c:\windows\system32\mfcans32.dll
2010-04-11 17:25 . 2010-05-07 21:50 -------- d-----w- c:\programmi\Microsoft Reader
2010-04-11 17:25 . 2003-06-05 15:15 57436 ----a-w- c:\windows\DASShp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 16:45 . 2004-09-03 10:37 75104 ----a-w- c:\windows\system32\perfc010.dat
2010-05-08 16:45 . 2004-09-03 10:37 449334 ----a-w- c:\windows\system32\perfh010.dat
2010-05-08 16:45 . 2010-05-08 16:45 3304 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-05-08 16:24 . 2009-11-02 16:46 -------- d-----w- c:\programmi\File comuni\Symantec Shared
2010-05-08 16:22 . 2009-11-02 17:13 -------- d-----w- c:\programmi\Alice Mobile
2010-05-07 21:50 . 2010-05-07 21:50 -------- d-----w- c:\programmi\CCleaner
2010-05-07 21:50 . 2010-04-19 17:00 -------- d-----w- c:\programmi\corel
2010-05-07 21:50 . 2010-05-07 21:50 -------- d-----w- c:\windows\Fonts\SIMBOLI
2010-05-07 21:48 . 2010-05-07 21:48 -------- d-----w- c:\programmi\JRE
2010-05-07 21:48 . 2010-02-16 13:20 -------- d-----w- c:\programmi\File comuni\Java
2010-05-07 21:48 . 2009-11-02 16:37 -------- d-----w- c:\programmi\Java
2010-05-07 21:48 . 2010-03-01 18:24 -------- d-----w- c:\programmi\openoffice
2010-05-07 21:46 . 2010-02-19 18:44 -------- d-----w- c:\programmi\Driver Checker
2010-05-07 21:46 . 2010-02-19 21:25 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\ArcSoft
2010-05-07 21:46 . 2010-02-19 20:46 -------- d-----w- c:\programmi\Realtek AC97
2010-05-07 21:46 . 2010-02-19 18:55 -------- d-----w- c:\programmi\Driver Magician
2010-05-07 21:46 . 2010-05-07 21:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Driver Whiz
2010-05-07 21:45 . 2010-05-07 21:45 -------- d-----w- c:\programmi\File comuni\ArcSoft
2010-05-07 21:45 . 2010-02-16 13:39 -------- d-----w- c:\programmi\File comuni\PAC207
2010-05-07 21:45 . 2010-05-07 21:45 -------- d-----w- c:\programmi\Trust
2010-05-07 21:45 . 2010-05-07 21:45 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\InstallShield
2010-05-06 18:16 . 2010-02-16 14:21 76064 ----a-w- C:\PA207.DAT
2010-05-06 18:14 . 2010-03-28 09:29 443912 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Real\Update\setup3.10\setup.exe
2010-04-30 10:31 . 2009-11-02 18:49 58504 -c--a-w- c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-04-27 17:41 . 2010-01-30 19:36 -------- d-----w- c:\programmi\JDownloader
2010-04-11 17:25 . 2009-11-02 16:36 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-03-01 18:38 . 2010-03-01 18:38 1 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-25 17:24 . 2009-11-28 07:03 47360 -c--a-w- c:\documents and settings\Proprietario\Dati applicazioni\pcouffin.sys
2010-02-25 17:24 . 2009-11-28 07:03 47360 -c--a-w- c:\documents and settings\Proprietario\Dati applicazioni\pcouffin.sys
2010-02-16 13:20 . 2010-02-16 13:20 61440 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e6b990b-n\decora-sse.dll
2010-02-16 13:20 . 2010-02-16 13:20 503808 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3c7bfcc5-n\msvcp71.dll
2010-02-16 13:20 . 2010-02-16 13:20 499712 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3c7bfcc5-n\jmc.dll
2010-02-16 13:20 . 2010-02-16 13:20 348160 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3c7bfcc5-n\msvcr71.dll
2010-02-16 13:20 . 2010-02-16 13:20 12800 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e6b990b-n\decora-d3d.dll
2010-02-16 13:19 . 2010-02-16 13:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-16 19:44 . 2009-11-04 21:31 231 -c--a-w- c:\programmi\dict.ini
2009-11-12 17:22 . 2009-11-12 17:22 9728 -csha-w- c:\programmi\Thumbs.db
2008-09-30 17:42 . 2008-09-30 17:42 127852561 -c--a-w- c:\programmi\openofficeorg1.cab
2008-09-30 17:09 . 2008-09-30 17:09 217 -c--a-w- c:\programmi\setup.ini
2008-09-30 17:09 . 2008-09-30 17:09 9776640 -c--a-w- c:\programmi\openofficeorg30.msi
2003-11-12 17:42 . 2009-11-04 21:35 120485 -c--a-w- c:\programmi\dict.hlp
2002-03-11 09:06 . 2002-03-11 09:06 1822520 -c--a-w- c:\programmi\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 -c--a-w- c:\programmi\instmsia.exe
2001-10-28 14:52 . 2009-11-04 21:35 37878 -c--a-w- c:\programmi\logo.bmp
2001-10-28 14:27 . 2009-11-04 21:35 182784 -c--a-w- c:\programmi\dict.avi
2001-10-27 17:50 . 2009-11-04 21:35 32 -c--a-w- c:\programmi\language.ini
2000-03-22 09:27 . 2009-11-04 21:35 188416 -c--a-w- c:\programmi\dict.exe
1998-05-15 19:01 . 2009-11-04 21:35 8562 -c--a-w- c:\programmi\right.wav
1998-05-15 19:01 . 2009-11-04 21:35 7754 -c--a-w- c:\programmi\wrong.wav
1996-12-16 23:00 . 2009-11-04 21:35 1758 -c--a-w- c:\programmi\skipped.wav
2009-03-21 14:06 . 2004-09-03 10:36 162487 --sha-r- c:\windows\system32\shksi.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-19 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"ATIPTA"="c:\ati technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"ccApp"="c:\programmi\File comuni\Symantec Shared\ccApp.exe" [2004-09-06 58488]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-01-28 110740]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-01 282624]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2009-11-02 180269]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"FreePDF Assistant"="c:\programmi\FreePDF_XP\fpassist.exe" [2005-05-27 145920]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Proprietario\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 3.0.lnk - c:\programmi\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Synchronizer.lnk - c:\programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7140:TCP"= 7140:TCP:bsuwaqy

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27/01/2010 19.02.46 691696]
R2 ONDA Autorun CDROM Monitor;ONDA Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\onda_mon.exe [03/11/2009 17.56.46 86016]
R2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;c:\programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe [03/11/2009 18.07.17 100032]
R3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [16/02/2010 15.39.10 618112]
S2 xyuhqj;wmuehqez;c:\windows\system32\svchost.exe -k netsvcs [03/09/2004 12.36.50 14336]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [01/03/2010 19.28.00 31899]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [03/11/2009 17.57.20 104960]
S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\drivers\ONDAusbnet.sys [03/11/2009 17.57.20 110080]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [03/11/2009 17.57.20 104960]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [03/11/2009 17.57.20 104960]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xyuhqj
.
Contenuto della cartella 'Scheduled Tasks'

2009-11-09 c:\windows\Tasks\HDReg.job
- c:\apps\HDReg\HDRegRem.exe [2009-11-02 09:14]

2009-11-03 c:\windows\Tasks\Promemoria registrazione 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-03 18:14]

2009-11-09 c:\windows\Tasks\Promemoria registrazione 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-03 18:14]

2009-11-16 c:\windows\Tasks\Promemoria registrazione 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-03 18:14]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://it.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.msn.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Proprietario\Dati applicazioni\Mozilla\Firefox\Profiles\jttfs4zi.default\
FF - prefs.js: browser.search.selectedEngine - Trova Rapido
FF - prefs.js: browser.startup.homepage - hxxp://it.yahoo.com/
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\programmi\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Run-hcwqlfy - c:\documents and settings\proprietario\impostazioni locali\dati applicazioni\hcwqlfy.exe
HKLM-Run-SunJavaUpdateSched - c:\programmi\Java\jre6\bin\jusched.exe
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
AddRemove-Dynamic Toolbar_is1 - c:\programmi\Dynamic Toolbar\unins000.exe
AddRemove-hcwqlfy - c:\documents and settings\proprietario\impostazioni locali\dati applicazioni\hcwqlfy.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 18:56
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spoo.sys >>UNKNOWN [0x8278B938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8707f28
\Driver\ACPI -> ACPI.sys @ 0xf83efcb8
\Driver\atapi -> atapi.sys @ 0xf83aab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf826fbd4
PacketIndicateHandler -> NDIS.sys @ 0xf825da0d
SendHandler -> NDIS.sys @ 0xf8271b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xyuhqj]
"ServiceDll"="c:\windows\system32\shksi.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\File comuni\Symantec Shared\ccProxy.exe
c:\programmi\File comuni\Symantec Shared\ccSetMgr.exe
c:\programmi\Norton Internet Security\ISSVC.exe
c:\programmi\File comuni\Symantec Shared\SNDSrvc.exe
c:\programmi\File comuni\Symantec Shared\ccEvtMgr.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\programmi\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\apps\HIDSERVICE\HIDSERVICE.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
c:\programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\apps\ABoard\AOSD.exe
c:\windows\SOUNDMAN.EXE
c:\programmi\OpenOffice.org 3\program\soffice.exe
c:\programmi\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Ora fine scansione: 2010-05-08 19:02:19 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-05-08 17:02

Pre-Run: 14.809.624.576 byte disponibili
Post-Run: 14.791.843.840 byte disponibili

- - End Of File - - E808E81ABE2E58E8712DB33D513F845E

[shel]

apri un file di testo (dal blocco note di windows), al suo interno incollaci il seguente script:

Codice: Seleziona tutto

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyuhqj]


NetSvcs
xyuhqj

Driver::
xyuhqj


salva il file nella stessa cartella dove hai messo combofix chiamandolo obbligatoriamente CFScript.txt

Fatto ciò, con il puntatore del mouse, trascina il file sull'icona di combofix. Il programma avvierà una nuova scansione, come la precedente. Non fare e non muovere nulla. Al termine di essa, se non si riavvierà automaticamente il computer, fallo tu. Allega il nuovo file c:\combofix.txt prodotto dalla scansione.


vai sul sito virus total e analizza il file

c:\windows\system32\shksi.dll

[shel]

ooopss....

esegui questo script, ho dimenticato di inserire ::

Codice: Seleziona tutto

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyuhqj]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyuhqj]


NetSvcs::
xyuhqj

Driver::
xyuhqj

[casaal]

Adesso sembra funzionare a dovere.
Infatti riesco a conneterrmi a windows update e il resto.
Però non trovo il file che mi hai detto di controllare con virus total.
Ho eseguito la ricerca del file in tutto il disco C e non c'è.
Comunque ora sembra essere a posto.
Sotto riporto comunque il nuovo rapporto di combofix se dovesse servire.
Ti ringrazio tantissimo il servio che date è fantastico.

ComboFix 10-05-07.07 - Proprietario 09/05/2010 17.00.08.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.511.273 [GMT 2:00]
Eseguito da: c:\documents and settings\Proprietario\Desktop\abc.exe
Opzioni usate :: c:\documents and settings\Proprietario\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XYUHQJ
-------\Service_xyuhqj


((((((((((((((((((((((((( Files Creati Da 2010-04-09 al 2010-05-09 )))))))))))))))))))))))))))))))))))
.

2010-05-07 21:52 . 2010-05-07 21:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-19 16:58 . 1995-01-13 20:10 149504 ----a-w- c:\windows\system\mfcans32.dll
2010-04-16 11:15 . 1996-01-18 20:40 6144 ----a-w- c:\windows\system32\drivers\crlscsi.sys
2010-04-16 11:15 . 1996-01-18 20:40 151552 ----a-w- c:\windows\crllyrnt.dll
2010-04-16 11:15 . 1996-01-19 19:14 5632 ----a-w- c:\windows\system32\mfcuia32.dll
2010-04-16 11:15 . 1996-01-19 19:14 133904 ----a-w- c:\windows\system32\mfcans32.dll
2010-04-11 17:25 . 2010-05-07 21:50 -------- d-----w- c:\programmi\Microsoft Reader
2010-04-11 17:25 . 2003-06-05 15:15 57436 ----a-w- c:\windows\DASShp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 10:04 . 2009-11-02 16:46 -------- d-----w- c:\programmi\File comuni\Symantec Shared
2010-05-08 16:45 . 2004-09-03 10:37 75104 ----a-w- c:\windows\system32\perfc010.dat
2010-05-08 16:45 . 2004-09-03 10:37 449334 ----a-w- c:\windows\system32\perfh010.dat
2010-05-08 16:45 . 2010-05-08 16:45 3304 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-05-08 16:22 . 2009-11-02 17:13 -------- d-----w- c:\programmi\Alice Mobile
2010-05-07 21:50 . 2010-05-07 21:50 -------- d-----w- c:\programmi\CCleaner
2010-05-07 21:50 . 2010-04-19 17:00 -------- d-----w- c:\programmi\corel
2010-05-07 21:50 . 2010-05-07 21:50 -------- d-----w- c:\windows\Fonts\SIMBOLI
2010-05-07 21:48 . 2010-05-07 21:48 -------- d-----w- c:\programmi\JRE
2010-05-07 21:48 . 2010-02-16 13:20 -------- d-----w- c:\programmi\File comuni\Java
2010-05-07 21:48 . 2009-11-02 16:37 -------- d-----w- c:\programmi\Java
2010-05-07 21:48 . 2010-03-01 18:24 -------- d-----w- c:\programmi\openoffice
2010-05-07 21:46 . 2010-02-19 18:44 -------- d-----w- c:\programmi\Driver Checker
2010-05-07 21:46 . 2010-02-19 21:25 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\ArcSoft
2010-05-07 21:46 . 2010-02-19 20:46 -------- d-----w- c:\programmi\Realtek AC97
2010-05-07 21:46 . 2010-02-19 18:55 -------- d-----w- c:\programmi\Driver Magician
2010-05-07 21:46 . 2010-05-07 21:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Driver Whiz
2010-05-07 21:45 . 2010-05-07 21:45 -------- d-----w- c:\programmi\File comuni\ArcSoft
2010-05-07 21:45 . 2010-02-16 13:39 -------- d-----w- c:\programmi\File comuni\PAC207
2010-05-07 21:45 . 2010-05-07 21:45 -------- d-----w- c:\programmi\Trust
2010-05-07 21:45 . 2010-05-07 21:45 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\InstallShield
2010-05-06 18:16 . 2010-02-16 14:21 76064 ----a-w- C:\PA207.DAT
2010-05-06 18:14 . 2010-03-28 09:29 443912 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Real\Update\setup3.10\setup.exe
2010-04-30 10:31 . 2009-11-02 18:49 58504 -c--a-w- c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-04-27 17:41 . 2010-01-30 19:36 -------- d-----w- c:\programmi\JDownloader
2010-04-11 17:25 . 2009-11-02 16:36 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-03-01 18:38 . 2010-03-01 18:38 1 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-25 17:24 . 2009-11-28 07:03 47360 -c--a-w- c:\documents and settings\Proprietario\Dati applicazioni\pcouffin.sys
2010-02-25 17:24 . 2009-11-28 07:03 47360 -c--a-w- c:\documents and settings\Proprietario\Dati applicazioni\pcouffin.sys
2010-02-16 13:20 . 2010-02-16 13:20 61440 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e6b990b-n\decora-sse.dll
2010-02-16 13:20 . 2010-02-16 13:20 503808 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3c7bfcc5-n\msvcp71.dll
2010-02-16 13:20 . 2010-02-16 13:20 499712 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3c7bfcc5-n\jmc.dll
2010-02-16 13:20 . 2010-02-16 13:20 348160 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3c7bfcc5-n\msvcr71.dll
2010-02-16 13:20 . 2010-02-16 13:20 12800 ----a-w- c:\documents and settings\Proprietario\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e6b990b-n\decora-d3d.dll
2010-02-16 13:19 . 2010-02-16 13:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-16 19:44 . 2009-11-04 21:31 231 -c--a-w- c:\programmi\dict.ini
2009-11-12 17:22 . 2009-11-12 17:22 9728 -csha-w- c:\programmi\Thumbs.db
2008-09-30 17:42 . 2008-09-30 17:42 127852561 -c--a-w- c:\programmi\openofficeorg1.cab
2008-09-30 17:09 . 2008-09-30 17:09 217 -c--a-w- c:\programmi\setup.ini
2008-09-30 17:09 . 2008-09-30 17:09 9776640 -c--a-w- c:\programmi\openofficeorg30.msi
2003-11-12 17:42 . 2009-11-04 21:35 120485 -c--a-w- c:\programmi\dict.hlp
2002-03-11 09:06 . 2002-03-11 09:06 1822520 -c--a-w- c:\programmi\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 -c--a-w- c:\programmi\instmsia.exe
2001-10-28 14:52 . 2009-11-04 21:35 37878 -c--a-w- c:\programmi\logo.bmp
2001-10-28 14:27 . 2009-11-04 21:35 182784 -c--a-w- c:\programmi\dict.avi
2001-10-27 17:50 . 2009-11-04 21:35 32 -c--a-w- c:\programmi\language.ini
2000-03-22 09:27 . 2009-11-04 21:35 188416 -c--a-w- c:\programmi\dict.exe
1998-05-15 19:01 . 2009-11-04 21:35 8562 -c--a-w- c:\programmi\right.wav
1998-05-15 19:01 . 2009-11-04 21:35 7754 -c--a-w- c:\programmi\wrong.wav
1996-12-16 23:00 . 2009-11-04 21:35 1758 -c--a-w- c:\programmi\skipped.wav
2009-03-21 14:06 . 2004-09-03 10:36 162487 --sha-r- c:\windows\system32\shksi.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-19 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"ATIPTA"="c:\ati technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"ccApp"="c:\programmi\File comuni\Symantec Shared\ccApp.exe" [2004-09-06 58488]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-01-28 110740]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-01 282624]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2009-11-02 180269]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"FreePDF Assistant"="c:\programmi\FreePDF_XP\fpassist.exe" [2005-05-27 145920]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Proprietario\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 3.0.lnk - c:\programmi\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Synchronizer.lnk - c:\programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7140:TCP"= 7140:TCP:bsuwaqy

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27/01/2010 19.02.46 691696]
R2 ONDA Autorun CDROM Monitor;ONDA Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\onda_mon.exe [03/11/2009 17.56.46 86016]
R2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;c:\programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe [03/11/2009 18.07.17 100032]
R3 PAC207;Trust 100K Series Webcam;c:\windows\system32\drivers\PFC027.SYS [16/02/2010 15.39.10 618112]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [01/03/2010 19.28.00 31899]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [03/11/2009 17.57.20 104960]
S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\drivers\ONDAusbnet.sys [03/11/2009 17.57.20 110080]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [03/11/2009 17.57.20 104960]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [03/11/2009 17.57.20 104960]
.
Contenuto della cartella 'Scheduled Tasks'

2009-11-09 c:\windows\Tasks\HDReg.job
- c:\apps\HDReg\HDRegRem.exe [2009-11-02 09:14]

2009-11-03 c:\windows\Tasks\Promemoria registrazione 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-03 18:14]

2009-11-09 c:\windows\Tasks\Promemoria registrazione 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-03 18:14]

2009-11-16 c:\windows\Tasks\Promemoria registrazione 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-09-03 18:14]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://it.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.msn.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Proprietario\Dati applicazioni\Mozilla\Firefox\Profiles\jttfs4zi.default\
FF - prefs.js: browser.search.selectedEngine - Trova Rapido
FF - prefs.js: browser.startup.homepage - hxxp://it.yahoo.com/
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 17:11
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spin.sys >>UNKNOWN [0x8258B938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf872af28
\Driver\ACPI -> ACPI.sys @ 0xf8412cb8
\Driver\atapi -> atapi.sys @ 0xf83cdb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf8292bd4
PacketIndicateHandler -> NDIS.sys @ 0xf8280a0d
SendHandler -> NDIS.sys @ 0xf8294b40
user & kernel MBR OK

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(2120)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\File comuni\Symantec Shared\ccProxy.exe
c:\programmi\File comuni\Symantec Shared\ccSetMgr.exe
c:\programmi\Norton Internet Security\ISSVC.exe
c:\programmi\File comuni\Symantec Shared\SNDSrvc.exe
c:\programmi\File comuni\Symantec Shared\ccEvtMgr.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\apps\HIDSERVICE\HIDSERVICE.exe
c:\programmi\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
c:\programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\apps\ABoard\AOSD.exe
c:\windows\SOUNDMAN.EXE
c:\programmi\OpenOffice.org 3\program\soffice.exe
c:\programmi\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Ora fine scansione: 2010-05-09 17:17:03 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-05-09 15:16
ComboFix2.txt 2010-05-08 17:02

Pre-Run: 13.956.173.824 byte disponibili
Post-Run: 14.145.400.832 byte disponibili

- - End Of File - - F0CA6EF4E059B781F14EDE86B337196B

[shel]

facciamo un controllo dell'MBR



scarica mbr.exe direttamente nella Directory C:\

vai in provvisoria >>> Da Start - Esegui - digita C:\mbr.exe e clicca su OK

riesegui mbr.exe digitando: c:\mbr.exe -f ( fai copia\incola per non sbagliare] e posta il rapporto delle due scansioni che troverai in c:\mbr.log

[casaal]

Ecco il primo:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Ecco il secondo:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[shel]

l'mbr e' a posto

vai qui e analizza questo file

C:\PA207.DAT

[casaal]

Mi dice:

Controllo terminato. 0 su 19 antivirus hanno rilevato malware.

[casaal]

Scusa se ti contatto nuovamente ma dopo aver fatto quello che mi hai detto ho scaricato degli aggiornamenti
da windows update e oggi accendendo il pc compare la scritta:

NTLDR mancante
Premere CTRL+ALT+CANC per rivviare

però quando premo CTRL+ALT+CANC si riavvia e ricompare la stessa scritta.
Il problema può essere stato causato da qualcosa che abbiamo fatto oppure
dipende dagli aggiornamenti eseguiti? o ci sono altre possibili cause?
Cosa ancora + importante c'è un modo semplice x risolvere il problema senza formattare?
Al momento ti sto scrivendo da un altro pc.
Spero in una risposta veloce, grazie anticipatamente.

[mavck]

Ciao a tutti, ovviamente anche io ho quesot problema con le aperture dei siti web x gli antivirus, ho effettuato la scansione con COMBOFIX, ora vi chiedo di controllarme il Log e aiutarmi nella procedura, grazie

Codice: Seleziona tutto

ComboFix 10-06-03.01 - claudio 05/06/2010  16.35.06.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.39.1040.18.766.395 [GMT 2:00]
Eseguito da: c:\documents and settings\claudio\desktop\abc.exe
Opzioni usate :: /killall
AV: Kaspersky PURE *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky PURE *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((   Files Creati Da 2010-05-05 al 2010-06-05  )))))))))))))))))))))))))))))))))))
.

2010-06-05 14:26 . 2010-06-05 14:26   95259   ----a-w-   c:\windows\system32\drivers\klick.dat
2010-06-05 14:26 . 2010-06-05 14:26   108059   ----a-w-   c:\windows\system32\drivers\klin.dat
2010-06-05 14:25 . 2009-12-14 10:44   39352   ----a-w-   c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2010-06-05 14:25 . 2009-12-14 10:44   88632   ----a-w-   c:\windows\system32\drivers\CSCrySec.sys
2010-06-05 14:24 . 2010-06-05 14:24   --------   d-----w-   c:\programmi\File comuni\InfoWatch
2010-06-05 14:24 . 2010-06-05 14:24   --------   d-----w-   c:\programmi\Kaspersky Lab
2010-06-05 14:24 . 2010-06-05 14:24   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2010-06-05 14:22 . 2010-06-05 14:22   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2010-06-04 17:09 . 2010-06-04 17:09   --------   d-----w-   c:\programmi\MSSOAP
2010-06-04 17:09 . 2010-06-04 17:09   --------   d-----w-   c:\programmi\Webroot
2010-06-04 16:43 . 2010-06-04 16:43   164   ----a-w-   c:\windows\install.dat
2010-06-04 16:28 . 2010-06-04 16:28   --------   d-----w-   c:\programmi\Windows Live Safety Center
2010-06-04 16:08 . 2010-06-04 16:08   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Avg8
2010-06-04 15:23 . 2010-06-04 15:23   --------   d-----w-   c:\documents and settings\claudio\Dati applicazioni\Norman
2010-06-02 20:01 . 2010-06-02 20:01   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Yahoo! Companion
2010-06-02 19:46 . 2010-06-02 19:46   --------   d-----w-   c:\programmi\Yahoo!
2010-06-02 17:50 . 2010-06-02 17:50   --------   d-----w-   c:\programmi\Alwil Software
2010-06-02 17:48 . 2010-06-02 17:48   --------   d-----w-   C:\Software
2010-06-02 17:42 . 2007-04-04 16:53   81768   ----a-w-   c:\windows\system32\xinput1_3.dll
2010-06-02 17:42 . 2006-11-29 11:06   3426072   ----a-w-   c:\windows\system32\d3dx9_32.dll
2010-05-30 10:06 . 2009-07-23 10:57   100480   ----a-r-   c:\windows\system32\drivers\ewusbfake.sys
2010-05-30 08:37 . 2010-05-30 08:37   --------   d-----w-   c:\documents and settings\claudio\Dati applicazioni\FLEXnet
2010-05-30 08:31 . 2009-07-23 10:57   112640   ----a-r-   c:\windows\system32\drivers\ewusbnet.sys
2010-05-30 08:31 . 2009-07-23 10:57   102528   ----a-r-   c:\windows\system32\drivers\ewusbmdm.sys
2010-05-30 08:30 . 2010-06-05 14:25   --------   dc----w-   c:\windows\system32\DRVSTORE
2010-05-30 08:30 . 2010-05-30 08:30   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Vodafone
2010-05-30 08:30 . 2010-05-30 18:38   --------   d-----w-   c:\programmi\Vodafone
2010-05-30 08:30 . 2010-05-30 08:30   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2010-05-30 08:29 . 2010-05-30 11:02   --------   d-----w-   c:\windows\SxsCaPendDel
2010-05-30 08:27 . 2010-05-30 08:27   --------   d-----w-   c:\documents and settings\claudio\Impostazioni locali\Dati applicazioni\{E3F35E26-3D56-4841-A4D5-C410B2B069C2}

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 20:24 . 2006-10-13 11:53   59736   ----a-w-   c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-06-02 18:17 . 2006-11-28 18:34   --------   d-----w-   c:\programmi\File comuni\Symantec Shared
2010-06-02 18:17 . 2006-11-28 18:34   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Symantec
2010-06-02 17:47 . 2010-06-02 17:46   --------   d-----w-   c:\programmi\K-Lite Codec Pack
2010-03-28 09:06 . 2004-10-25 18:40   74210   ----a-w-   c:\windows\system32\perfc010.dat
2010-03-28 09:06 . 2004-10-25 18:40   447502   ----a-w-   c:\windows\system32\perfh010.dat
2006-07-05 10:56 . 2004-10-25 18:38   169822   --sha-w-   c:\windows\system32\hhlepas.dll
.

(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2009-12-25 14:42   129552   ----a-w-   c:\programmi\Kaspersky Lab\Kaspersky PURE\shellex.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\apps\SMP\SmpSys.exe" [2005-12-08 975360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATICCC"="c:\programmi\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]
"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]
"DetectorApp"="c:\programmi\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-09-07 208952]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"MobileConnect"="c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky PURE\avp.exe" [2009-12-25 340456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-07 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4010:TCP"= 4010:TCP:ilyjyac

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [05/06/2010 16.25.20 88632]
R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 20.18.34 36880]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [05/06/2010 16.25.22 39352]
R2 CSObjectsSrv;Servizio di controllo CryptoStorage;c:\programmi\File comuni\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [21/12/2009 17.34.38 743992]
R2 VMCService;Vodafone Mobile Connect Service;c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [18/09/2009 18.48.28 9216]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [30/05/2010 10.31.25 112640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 13.42.46 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 18.39.44 19472]
S2 wpycbxai;Task Boot;c:\windows\system32\svchost.exe -k netsvcs [25/10/2004 20.39.34 14336]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [30/05/2010 12.06.23 100480]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [11/02/2010 12.07.47 7680]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [11/02/2010 12.08.26 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [11/02/2010 12.08.19 104960]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
wpycbxai
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 16:41
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wpycbxai]
"ServiceDll"="c:\windows\system32\hhlepas.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2436)
c:\progra~1\GOTOSO~1\VADERE~1\VrOe_hook.dll
c:\windows\system32\msi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\programmi\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\RTHDCPL.EXE
c:\programmi\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Ora fine scansione: 2010-06-05  16:46:37 - Il pc è stato riavviato
ComboFix-quarantined-files.txt  2010-06-05 14:46

Pre-Run: 132.728.274.944 byte disponibili
Post-Run: 132.841.054.208 byte disponibili

- - End Of File - - 1E7A28DCD923DDD6B9DF66DE87E4D4E7



grazie mille per l'aiuto

[-> EleKtrA <-]

Benvenuto mavck.
Ho preparato uno script per risolvere il problema, segui attentamente le istruzioni.

Apri un file di testo sul Desktop
Start > esegui, digita: notepad.exe e poi clicca Ok
Incolla il codice che vedi qui sotto, e salvi il file di testo obbligatoriamente
con il nome CFScript

Codice: Seleziona tutto

Killall::
File::
c:\documents and settings\claudio\Impostazioni locali\Dati applicazioni\{E3F35E26-3D56-4841-A4D5-C410B2B069C2}
c:\windows\system32\hhlepas.dll
   
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4010:TCP"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ilyjyac]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wpycbxai]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Task Boot]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_Task Boot]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Task Boot]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Task Boot]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_Task Boot]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Task Boot]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Task Boot]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Task Boot]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Task Boot]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Task Boot]

Driver::
ilyjyac   
wpycbxai
Task Boot
   
NetSvcs::
wpycbxai
ilyjyac 
Task Boot

Folder::
C:\WINDOWS\temp
C:\WINDOWS\Tasks

Domains::

col mouse trascina il file CFScript.txt sull'icona rossa di combofix

lascia lavorare il programma
finito verrà creato un nuovo log combofix.txt, postalo inserendolo nel tag "code".

Scarica Malwarebytes, installa il programma ed aggiorna le firme.
Nella scheda scansione, seleziona "scansione completa"
Allega il log sempre nel tag code.

Finita la procedura, esegui un log di hijackthis
Scarica ed installa HIjackthis
Clicca su "Do a system scan and save a logfile"
Allega il log.