www.MegaLab.it

[comodoforever]

potrbbe essere che lo strumento di aggiornamento automatico si sia corrotto, compromettendo l'aggiornamento automatico, ma non quello manuale.

[Pct]

non saprei, il virus potrebbe compromettere l'aggiornamento automatico; l'importante, per ora , è che funzioni quello manuale.

Adesso la scansione con Antivir te la lascia eseguire? Se si, esegui una scansione completa e metti in quarantena o rimuovi tutto ciò che rileva.

Quindi , cancella il combofix che hai scaricato in precedenza, e riscaricalo rinominandolo, e guarda se questa volta te lo lascia eseguire (incrociamo le dita)

[osammot]

sono riuscito a fare lo scan con combofix.. ecco il log..

ComboFix 10-06-24.03 - ast 25/06/2010 9.49.05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1022.721 [GMT 2:00]
Eseguito da: c:\documents and settings\ast\Desktop\123abc.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-3C24-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-5C25-4E0008000A00}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\2ul.exe
D:\Autorun.inf
G:\2ul.exe
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Creati Da 2010-05-25 al 2010-06-25 )))))))))))))))))))))))))))))))))))
.

2010-06-22 08:27 . 2010-06-22 13:20 63488 ----a-w- c:\documents and settings\ast\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-22 08:27 . 2010-06-22 08:27 52224 ----a-w- c:\documents and settings\ast\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-22 08:27 . 2010-06-22 13:20 117760 ----a-w- c:\documents and settings\ast\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-22 08:26 . 2010-06-22 08:26 -------- d-----w- c:\documents and settings\ast\Dati applicazioni\SUPERAntiSpyware.com
2010-06-22 08:26 . 2010-06-22 08:26 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2010-06-22 08:26 . 2010-06-22 08:26 -------- d-----w- c:\programmi\SUPERAntiSpyware
2010-06-21 17:56 . 2010-06-21 17:56 388096 ----a-r- c:\documents and settings\ast\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-21 17:56 . 2010-06-21 17:56 -------- d-----w- c:\programmi\Trend Micro
2010-06-21 17:49 . 2009-11-25 09:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-21 17:49 . 2009-03-30 07:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-21 17:49 . 2009-02-13 09:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-21 17:49 . 2009-02-13 09:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-21 17:49 . 2010-06-21 17:49 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2010-06-21 16:51 . 2010-06-22 08:12 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-21 16:51 . 2010-06-22 08:14 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Hitman Pro
2010-06-21 16:51 . 2010-06-21 16:51 -------- d-----w- c:\programmi\Hitman Pro 3.5
2010-06-21 15:03 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-21 15:02 . 2010-06-21 15:02 -------- d-----w- c:\programmi\Panda Security
2010-06-21 12:48 . 2010-06-21 12:48 -------- d-----w- C:\Poker
2010-06-20 17:27 . 2010-06-21 14:23 -------- d-----w- C:\FyK
2010-06-17 17:32 . 2010-06-17 19:03 -------- d-----w- c:\windows\BDOSCAN8
2010-06-17 17:15 . 2010-06-17 17:16 -------- d-----w- c:\windows\system32\NtmsData
2010-06-17 16:33 . 2010-06-17 16:33 -------- d-----w- c:\documents and settings\ast\Dati applicazioni\Malwarebytes
2010-06-17 16:33 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-17 16:33 . 2010-06-17 16:33 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-06-17 16:33 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-17 16:33 . 2010-06-17 16:34 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-06-17 15:06 . 2010-06-21 14:49 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2010-06-17 15:06 . 2010-06-17 15:10 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2010-06-16 11:27 . 2004-08-19 13:39 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-06-16 11:27 . 2001-08-30 21:07 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-06-15 13:05 . 2010-06-15 13:31 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-06-15 11:07 . 2010-06-15 11:07 -------- d-----w- c:\windows\system32\KB905474
2010-06-15 10:50 . 2010-06-15 10:50 -------- d-----w- c:\documents and settings\ast\Impostazioni locali\Dati applicazioni\Identities
2010-06-14 13:36 . 2010-06-14 13:36 -------- d-----w- c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\Google
2010-06-14 13:31 . 2010-06-16 17:36 -------- d-----w- c:\documents and settings\ast\Impostazioni locali\Dati applicazioni\Temp
2010-06-14 13:31 . 2010-06-14 13:31 -------- d-----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\Google
2010-06-14 13:31 . 2010-06-14 13:33 -------- d-----w- c:\programmi\Google
2010-06-14 13:31 . 2010-06-14 13:31 -------- d-----w- c:\documents and settings\ast\Impostazioni locali\Dati applicazioni\Google
2010-06-14 07:03 . 2010-06-14 07:03 -------- d-----w- c:\documents and settings\ast\Dati applicazioni\EPSON
2010-06-14 06:38 . 2010-06-14 06:38 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\UDL
2010-06-14 06:35 . 2010-06-14 06:36 -------- d-----w- c:\programmi\ABBYY FineReader 6.0 Sprint
2010-06-14 06:32 . 2010-06-14 06:32 -------- d-----w- c:\documents and settings\ast\Dati applicazioni\InstallShield
2010-06-14 06:32 . 2007-01-11 04:02 113664 ----a-w- c:\documents and settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
2010-06-14 06:32 . 2010-06-14 06:32 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\EPSON
2010-06-14 06:32 . 2004-09-10 20:12 49152 ----a-w- c:\windows\system32\E_DCINST.DLL
2010-06-14 06:32 . 2006-12-08 02:04 76800 ----a-w- c:\windows\system32\E_FLBCDE.DLL
2010-06-14 06:32 . 2006-04-19 02:00 62976 ----a-w- c:\windows\system32\E_FD4BCDE.DLL
2010-06-14 06:30 . 2010-06-14 06:37 -------- d-----w- c:\programmi\epson
2010-06-14 06:28 . 2007-03-26 22:00 67072 ----a-w- c:\windows\system32\escwiad.dll
2010-06-14 06:28 . 2004-08-03 20:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-12 15:03 . 2010-06-12 15:03 -------- d-----w- c:\programmi\FDF
2010-06-11 12:40 . 2009-10-21 05:50 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2010-06-11 12:40 . 2009-10-21 05:50 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2010-06-11 12:40 . 2009-10-20 14:41 265728 ------w- c:\windows\system32\dllcache\http.sys
2010-06-10 17:17 . 2010-06-10 17:17 -------- d-----w- c:\programmi\Microsoft Silverlight
2010-06-10 08:38 . 2010-06-10 08:38 -------- d-----w- c:\windows\ServicePackFiles
2010-06-10 08:37 . 2010-06-10 08:37 -------- d-----w- c:\programmi\MSXML 6.0
2010-06-10 08:35 . 2008-07-09 07:42 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-10 08:32 . 2010-06-10 08:32 -------- d-----w- c:\programmi\MSXML 4.0
2010-06-10 07:53 . 2009-06-15 11:37 82432 ------w- c:\windows\system32\dllcache\tlntsess.exe
2010-06-10 07:53 . 2009-06-15 11:37 78336 ------w- c:\windows\system32\dllcache\telnet.exe
2010-06-10 07:53 . 2009-10-12 13:51 69632 ------w- c:\windows\system32\dllcache\raschap.dll
2010-06-10 07:53 . 2009-10-12 13:51 112640 ------w- c:\windows\system32\dllcache\rastls.dll
2010-06-10 07:53 . 2010-03-09 11:09 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-06-10 07:53 . 2008-07-07 20:31 253952 ------w- c:\windows\system32\dllcache\es.dll
2010-06-10 07:53 . 2009-12-14 07:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2010-06-10 07:53 . 2009-12-08 09:11 474624 ------w- c:\windows\system32\dllcache\shlwapi.dll
2010-06-10 07:53 . 2009-06-10 06:26 134144 ------w- c:\windows\system32\dllcache\wkssvc.dll
2010-06-10 07:53 . 2009-08-26 08:14 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2010-06-10 07:53 . 2009-05-07 15:41 346112 ------w- c:\windows\system32\dllcache\localspl.dll
2010-06-10 07:52 . 2008-06-12 14:16 956928 ------w- c:\windows\system32\dllcache\msdtctm.dll
2010-06-10 07:52 . 2008-06-12 14:16 91648 ------w- c:\windows\system32\dllcache\mtxoci.dll
2010-06-10 07:52 . 2008-06-12 14:16 66560 ------w- c:\windows\system32\dllcache\mtxclu.dll
2010-06-10 07:52 . 2008-06-12 14:16 58880 ------w- c:\windows\system32\dllcache\msdtclog.dll
2010-06-10 07:52 . 2008-06-12 14:16 428032 ------w- c:\windows\system32\dllcache\msdtcprx.dll
2010-06-10 07:52 . 2008-06-12 14:16 161792 ------w- c:\windows\system32\dllcache\msdtcuiu.dll
2010-06-10 07:52 . 2009-09-04 20:45 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2010-06-10 07:52 . 2009-11-27 17:33 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2010-06-10 07:52 . 2009-07-17 18:56 58880 ------w- c:\windows\system32\dllcache\atl.dll
2010-06-10 07:51 . 2010-05-02 07:56 1859968 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-10 07:51 . 2008-07-03 13:14 8483840 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-10 07:48 . 2009-04-15 15:16 584192 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-06-10 07:48 . 2010-03-05 14:55 65536 ------w- c:\windows\system32\dllcache\asycfilt.dll
2010-06-10 07:48 . 2009-12-17 07:58 346112 ------w- c:\windows\system32\dllcache\mspaint.exe
2010-06-10 07:47 . 2009-08-25 09:46 352256 ------w- c:\windows\system32\dllcache\winhttp.dll
2010-06-10 07:47 . 2009-08-05 09:05 205312 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2010-06-10 07:47 . 2010-02-05 18:39 1296384 ------w- c:\windows\system32\dllcache\quartz.dll
2010-06-10 07:41 . 2009-08-13 15:15 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2010-06-10 07:34 . 2008-06-14 17:59 272768 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-10 07:34 . 2008-06-14 17:59 272768 ------w- c:\windows\system32\dllcache\bthport.sys
2010-06-10 07:33 . 2009-12-31 15:06 352640 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-10 07:31 . 2010-02-24 12:48 457216 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-10 07:28 . 2008-05-08 12:14 203008 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-06-10 07:28 . 2008-05-01 14:31 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-06-10 07:28 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-06-10 07:26 . 2008-10-15 16:54 339456 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-06-10 07:26 . 2009-07-31 04:57 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-06-10 07:24 . 2008-04-21 21:26 219136 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-06-09 22:39 . 2010-06-25 07:33 -------- d-----w- c:\documents and settings\ast\Tracing
2010-06-09 22:39 . 2010-06-09 22:39 -------- d-----w- c:\programmi\Microsoft Sync Framework
2010-06-09 22:38 . 2010-06-09 22:38 -------- d-----w- c:\programmi\Microsoft
2010-06-09 22:38 . 2010-06-09 22:38 -------- d-----w- c:\programmi\Windows Live SkyDrive
2010-06-09 22:37 . 2010-06-09 22:39 -------- d-----w- c:\programmi\Windows Live
2010-06-09 22:25 . 2010-06-09 22:25 -------- d-----w- c:\programmi\File comuni\Windows Live
2010-06-09 15:24 . 2010-06-09 15:24 -------- d-----w- c:\documents and settings\ast\Impostazioni locali\Dati applicazioni\Ahead
2010-06-09 15:09 . 2010-06-11 22:00 -------- d--h--w- c:\windows\$hf_mig$
2010-06-09 14:40 . 2007-04-09 11:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-06-09 14:40 . 2007-04-09 11:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-06-09 14:40 . 2010-06-09 14:40 -------- d-----w- c:\programmi\Microsoft.NET
2010-06-09 14:38 . 2010-06-09 14:40 -------- d-----w- c:\windows\SHELLNEW
2010-06-09 14:36 . 2010-06-09 14:36 -------- d-----r- C:\MSOCache
2010-06-09 14:35 . 2004-08-03 21:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-09 14:18 . 2010-06-09 14:18 -------- d-----w- c:\documents and settings\ast\Dati applicazioni\Ahead
2010-06-09 14:17 . 2010-06-09 14:17 -------- d-----w- c:\programmi\Nero
2010-06-09 14:17 . 2010-06-09 14:17 -------- d-----w- c:\programmi\File comuni\Ahead
2010-06-09 14:12 . 2010-06-09 14:12 -------- d-----w- c:\programmi\D-Tools
2010-06-09 14:12 . 2004-08-22 14:31 5248 ----a-w- c:\windows\system32\drivers\d347prt.sys
2010-06-09 14:12 . 2004-08-22 14:31 155136 ----a-w- c:\windows\system32\drivers\d347bus.sys
2010-06-09 14:11 . 2010-06-09 14:11 -------- d-----w- c:\windows\Downloaded Installations
2010-06-09 11:44 . 2010-06-09 14:25 -------- d-----w- c:\documents and settings\ast\Impostazioni locali\Dati applicazioni\Adobe
2010-06-09 11:44 . 2010-06-09 11:44 -------- d-----w- c:\programmi\File comuni\Adobe
2010-06-09 11:07 . 2010-06-09 11:07 -------- d-----w- c:\programmi\uTorrent
2010-06-09 11:06 . 2010-06-15 14:01 -------- d-----w- c:\documents and settings\ast\Dati applicazioni\uTorrent
2010-06-09 10:55 . 2010-06-09 11:03 -------- d-----w- c:\programmi\eMule

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 15:24 . 2010-06-09 08:15 42752 ----a-w- c:\documents and settings\ast\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-06-14 06:43 . 2010-06-09 08:01 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-06-14 06:41 . 2010-06-09 08:01 -------- d-----w- c:\programmi\File comuni\InstallShield
2010-06-12 15:51 . 2010-06-09 07:43 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-12 10:18 . 2001-08-31 11:00 47592 ----a-w- c:\windows\system32\perfc010.dat
2010-06-12 10:18 . 2001-08-31 11:00 345010 ----a-w- c:\windows\system32\perfh010.dat
2010-06-09 08:19 . 2010-06-09 08:19 -------- d-----w- c:\programmi\Avira
2010-06-09 07:42 . 2010-06-09 07:42 -------- d-----w- c:\programmi\Servizi in linea
2010-06-09 07:39 . 2010-06-09 07:39 21840 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-09 07:39 . 2010-06-09 07:39 -------- d-----w- c:\programmi\Windows Media Connect 2
2010-05-04 17:16 . 2007-01-03 10:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:15 . 2007-01-03 10:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:15 . 2007-01-03 10:55 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 07:56 . 2007-01-03 10:52 1859968 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:46 . 2004-08-19 13:37 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 20:12 . 2010-04-16 20:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 4314623FD836E96A51343CE5C74B48A8 . 77824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\073a8e9684d59d4923c2eb2e44aa36af\browser.dll
[-] 2007-01-03 . 39128B5A743545BAEDD3984C210F00A8 . 77824 . . [5.1.2600.2586] . . c:\windows\system32\browser.dll

[-] 2008-04-14 . B6FCBB157E9C8ABDCA4134C535535A8B . 62464 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\073a8e9684d59d4923c2eb2e44aa36af\cryptsvc.dll
[-] 2007-01-03 . 87F3E2D2A3231F820F9248DB90090F42 . 62464 . . [5.1.2600.2845] . . c:\windows\system32\cryptsvc.dll

[-] 2008-04-14 . 99B69A5697F622A192B2C1E0D55B48AB . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\073a8e9684d59d4923c2eb2e44aa36af\linkinfo.dll
[-] 2007-01-03 . 212DEC5056523F8727C7B4E7E86782D5 . 19968 . . [5.1.2600.2839] . . c:\windows\system32\linkinfo.dll

[-] 2008-04-14 . FE5A5329CCFC33D645C33077FF04F052 . 296960 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\073a8e9684d59d4923c2eb2e44aa36af\termsrv.dll
[-] 2007-01-03 . F959D929A6A22D78E3A6851A9361CE18 . 296960 . . [5.1.2600.2627] . . c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2010-05-04 124928]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" /background
"dso32"=c:\docume~1\ast\IMPOST~1\Temp\dsoqq.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
"EPSON Stylus DX7400 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "c:\windows\TEMP\E_S101.tmp" /EF "HKCU"
"SUPERAntiSpyware"=c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"DAEMON Tools-1033"="c:\programmi\D-Tools\daemon.exe" -lang 1033

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [09/06/2010 16.12.02 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [09/06/2010 16.12.02 5248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [21/06/2010 17.03.00 28552]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [09/06/2010 10.01.00 13696]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 20.25.48 12872]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 20.41.30 67656]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [14/06/2010 15.31.16 136176]
.
Contenuto della cartella 'Scheduled Tasks'

2010-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-06-14 13:31]

2010-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-06-14 13:31]

2010-06-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-06-15 20:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: {CE47CBAC-2AF4-4727-8A38-5DDD1D9E3250} = 208.67.222.222,208.67.220.220
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-FAST Defrag - (no file)
HKLM-Run-NWEReboot - (no file)
AddRemove-pokersnai_real - c:\poker\Poker Snai\_SetupPoker_22c[1].exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-25 09:56
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86481008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7674f10
\Driver\ACPI -> ACPI.sys @ 0xf74c1cb8
\Driver\atapi -> 0x86481008
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7347ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7354b21
SendHandler -> NDIS.sys @ 0xf733287b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\(–€|ÿÿÿÿg•€|ù•Ñw*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\SHSVCS.dll
c:\programmi\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\CLBCATQ.DLL

- - - - - - - > 'lsass.exe'(820)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
.
Ora fine scansione: 2010-06-25 09:58:11
ComboFix-quarantined-files.txt 2010-06-25 07:58

Pre-Run: 41.601.294.336 byte disponibili
Post-Run: 41.774.817.280 byte disponibili

- - End Of File - - 81D572AF6B2779D72716B85A34BE990F

[Pct]

Vedo che ti ha eliminato altri file infetti; il resto del log di Combofix non lo so analizzare.

Adesso scarica Kaspersky Virus removal tool, da qua : http://devbuilds.kaspersky-labs.com/dev ... _19-45.exe

Installalo, fagli eseguire uno scan, quindi elimina ciò che trova.

Dopodichè, riavvia il pc. Quindi elimina tutte le copie di Hijackthis che avevi scaricato;dopo riscaricalo,rinominandolo con un nome a caso, da qua : http://www.trendmicro.com/ftp/products/ ... ckThis.exe

Aprilo; se non è alla pagina principale, clicca in basso su "Main Menu", quindi clicca su "Do a system scan and save a log file", e posta qui il log che viene generato, sperando che adesso te lo faccia aprire.

[markinson]

Come ho imparato seguendo gli interventi di stevens ( ), credo che il MBR sia infetto:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86481008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7674f10
\Driver\ACPI -> ACPI.sys @ 0xf74c1cb8
\Driver\atapi -> 0x86481008
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7347ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7354b21
SendHandler -> NDIS.sys @ 0xf733287b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !

Dovresti scaricare mbr.exe, da QUI (QUESTO per il download diretto).
Per capire cosa eventualmente ti aspetta, dai invece una occhiatina QUA.

[Uomo_Senza_Sonno]

credo che il MBR sia infetto

Mi sono perso il thread, mannaggia .... ma in tutti i casi, si, non c'è ombra di dubbio, c'è una infezione nell'MBR .

Come prima cosa scarica mbr.exe come suggerito, e posta il log che viene generato. In linea di massima, questo sarà il risultato (ma potrebbe anche risultare tutto ok):

Codice: Seleziona tutto

user & kernel MBR OK
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !

La prima domanda: il disco rigido è da 250GB?
Seconda domanda: hai altri dischi nel pc?

In questo post e successivi è presente un metodo che ti permette di eliminare l'infezione senza ricorrere ad uno zerofilling da linux o una formattazione a basso livello.
Ovviamente, è necessario individuare con estrema precisione i settori infettati e prima di procedere posta le immagini di alcuni settori che ti chiederò.

[stevens]

segui le indicazioni che ti hanno dato markinson e Uomo_Senza_Sonno

controlla anche questo andrebbe eliminato insieme al valore dell chiave

c:\docume~1\ast\IMPOST~1\Temp\dsoqq.exe

[osammot]

la scansione con kaspersky non l'ho fatta perche il link non funzionava...
ho fatto con hjackthis, ecco il log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11.37.48, on 28/06/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\ast\Impostazioni locali\Temporary Internet Files\Content.IE5\KWOKTDNG\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll__PointstoneDisabled (file missing)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll__PointstoneDisabled (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE47CBAC-2AF4-4727-8A38-5DDD1D9E3250}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe

--
End of file - 4694 bytes

ho un hard disk interno da 120gb e uno esterno da 460gb...

[osammot]

questo il log con gmer

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !

[Uomo_Senza_Sonno]

Ancora una domanda: il disco esterno è stato utilizzato nei giorni successivi alla scoperta dell'infezione? A questo punto è necessario approfondire:

scarica HxD, scompattalo, installalo e segui queste indicazioni per eseguire uno screenshot dei settori del disco infetto.
Per iniziare posta il settore 0

[osammot]

scusate so che sono venuto qui per ascoltare gli esperti però è cosi complicato rimuovere questa infezione...
mi spiegate di cosa si tratta e cosa provooca?

[stevens]

ecco il regalo che riesce a fare

MBR Rootkit

[osammot]

questo è il disco C: che è la partizione dove si trova windows...non so se dovevo mettere questa..
http://yfrog.com/86screenshotebnp

[Uomo_Senza_Sonno]

Potresti per cortesia postare nuovamente lo screenshot con una risoluzione maggiore? Non si capisce molto così

[osammot]

cosi non si vede, però sotto la foto c'è il pulsante ingrandirla...accanto alle due freccette (una destra e una sinistra)..

[Uomo_Senza_Sonno]

scusami tanto, con firefox non ne voleva sapere di ingrandirlo, ora lo vedo meglio con chrome. Ma dovresti postare nuovamente lo screenshot del disco fisico e non logico.

[osammot]

scusami, eccole

http://img28.imageshack.us/img28/7582/immagine1zt.png
http://img84.imageshack.us/img84/5325/immagine2xt.png

[Uomo_Senza_Sonno]

Procediamo per gradi: soffermiamoci sul primo disco da circa 120 GB, quindi scollega il secondo, su quello ci torniamo in un secondo momento.

Posta i settori
60
61
62
63
240091428 (settore dove è rilevato il codice maligno)
240091450 (settore dove è stata eseguita la copia sana dell'MBR)
240121727
240121728

[Uomo_Senza_Sonno]

240091450 (settore dove è stata eseguita la copia sana dell'MBR)

ah la fretta ... nel log di mbr.exe non è rilevata nessuna copia dell'MBR sano, solo dove è situato il codice del rootkit
Chiedo perdono

[osammot]

http://img228.imageshack.us/img228/558/settore60.png
http://img16.imageshack.us/img16/1331/settore63.png
http://img293.imageshack.us/img293/8612 ... 091428.png
il 61 e il 62 e 240121727 erano uguali al 60 (cioè tutti zero e niente di scritto)....
invece il settore 240121728 non c'è, l'ultimo settore è quello precedente...

allora come siamo messi :)