www.MegaLab.it

[f1192]

salve a tutti , io avevo un virus sul pc : io siccome non utilizzo antivirus ma uso combofix ..ecc ogni tanto .
Praticamente questo virus non mi faceva visualizzare le cartelle nascoste:
cioe andavo a modificare su strumenti opzioni cartella .... e mettevo il puntino su visualizza cartelle nascoste e cliccavo ok .
solo che quando ci ritornavo il puntino stava ancora su non visualizzare cartelle nascoste .
Tramite hjackthis non mi rilevava niente di anomalo... poi ho effettuato una scansione con combofix e lo ha eliminato solo che sono andato a effettuare una scansione con gmer e mi ha trovato un rooting su svchost.exe l' ho disabilitato ed eliminato .
Il fatto e che il virus si e trasferito sullla pennetta .. me ne sono accorto perche 1 l' icona era diversa dal normale , 2 non mi faceva vedere le cartelle nascoste .
Inoltre non so se e collegabile alla presenza del virus ,ma da na decina di gioni quando apro il turbo pascal o quando apro il cmd ... mi fa prima un rumore tipo un biip , poi per qualche istante genera sulla finestra i caratteri della tabella asci e poi mi fa partire il programma con i tasti invertiti!!!!!!
1- vorrei sapere che tipo di virus puo essere dalla descrizione effettuata ?
2- vorrei sapere se ce un modo per cercare di ripristinare i vari tasti della tastiera quando lavoro sul dos (il pc e suddiviso in tre partizioni, l' autoexec.bat si trova solo su una )

[Amantide]

io siccome non utilizzo antivirus ma uso combofix

... ed ecco i risultati!!!

Puoi postare almeno il log di Combofix?

[f1192]

emmhh... vi posso dare il log di quando ho effettuato la scansione sulla penna usb , non ho quell' altro perche mi si e sovrascritto ^^

ComboFix 09-02-15.01 - fabietto 2009-02-16 19.06.50.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2046.1538 [GMT 1:00]
Eseguito da: m:\documents and settings\fabietto\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

L:\autorun.inf

.
((((((((((((((((((((((((( Files Creati Da 2009-01-16 al 2009-02-16 )))))))))))))))))))))))))))))))))))
.

2009-02-14 22:00 . 2009-02-14 22:00 14 --a------ m:\documents and settings\fabietto\file.bat
2009-02-12 15:15 . 2009-02-12 15:15 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\AeroSnapApp
2009-02-12 15:08 . 2009-02-12 15:08 <DIR> d-------- m:\programmi\AeroSnap
2009-02-11 22:14 . 2008-06-18 17:20 1,292,856 --------- m:\windows\ripple.CAB
2009-02-11 22:14 . 2009-02-11 22:14 829 --a------ m:\windows\ST6UNST.001
2009-02-11 22:14 . 2009-02-11 22:14 303 --a------ m:\windows\ST6UNST.000
2009-02-11 14:53 . 2009-02-11 14:53 53,312 --a------ m:\windows\system32\drivers\pssdklbf.sys
2009-02-11 14:53 . 2009-02-11 14:53 36,928 --a------ m:\windows\system32\drivers\pssdk41.sys
2009-02-10 21:50 . 2009-02-10 22:02 <DIR> d-------- m:\programmi\Deeds
2009-02-10 21:49 . 2009-02-10 21:49 <DIR> d-------- m:\programmi\Karnaugh Map Minimizer
2009-02-10 15:32 . 2009-02-10 15:32 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\fretsonfire
2009-02-08 14:09 . 2009-02-15 15:34 <DIR> d-------- m:\programmi\eMule
2009-02-07 16:47 . 2009-02-07 16:48 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\SPORE
2009-02-07 16:46 . 2009-02-07 16:46 <DIR> dr-h----- m:\documents and settings\fabietto\Dati applicazioni\SecuROM
2009-02-07 16:46 . 2009-02-07 16:46 107,888 --a------ m:\windows\system32\CmdLineExt.dll
2009-02-07 16:39 . 2009-02-07 16:39 <DIR> d-------- m:\programmi\Electronic Arts
2009-02-07 16:08 . 2009-02-07 16:08 <DIR> d-------- m:\programmi\MultiProxy
2009-02-06 18:39 . 2009-02-07 14:05 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\Hamachi
2009-02-06 18:39 . 2009-02-06 18:39 25,280 --a------ m:\windows\system32\drivers\hamachi.sys
2009-02-06 15:17 . 2009-02-15 16:36 <DIR> d-------- M:\cache
2009-02-06 14:46 . 2009-02-16 14:26 <DIR> d-------- m:\programmi\Google
2009-02-05 15:46 . 2009-02-05 15:46 <DIR> d-------- m:\programmi\Microsoft Games
2009-01-31 23:24 . 2009-02-15 11:58 <DIR> d-------- m:\programmi\Online TV Player 4
2009-01-31 23:24 . 2009-01-31 23:24 10 --a------ m:\windows\system32\810429tv4-test.jun
2009-01-30 18:06 . 2009-01-30 18:06 <DIR> d-------- m:\programmi\Avira
2009-01-29 08:00 . 2009-01-29 08:00 <DIR> d-------- m:\programmi\Stormregion
2009-01-24 15:33 . 2009-01-24 15:33 <DIR> d-------- m:\programmi\K-Lite Codec Pack
2009-01-24 15:33 . 2009-01-24 15:33 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\Media Player Classic
2009-01-24 15:33 . 2007-09-04 17:56 164,352 --a------ m:\windows\system32\unrar.dll
2009-01-24 15:33 . 2008-07-30 20:09 38 --a------ m:\windows\avisplitter.ini
2009-01-24 15:18 . 2009-02-14 15:34 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\LimeWire
2009-01-23 17:41 . 2009-01-23 17:42 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\Bluetooth
2009-01-23 17:40 . 2009-01-23 17:42 32 --a------ m:\windows\0
2009-01-23 17:40 . 2009-01-23 17:40 0 --a------ m:\windows\system32\0
2009-01-23 15:20 . 1999-03-23 08:12 299,520 --a------ m:\windows\uninst.exe
2009-01-21 17:49 . 2009-01-21 17:48 64,160 --a------ m:\windows\system32\drivers\Lbd.sys
2009-01-21 17:45 . 2009-02-15 11:57 <DIR> d-------- m:\programmi\Lavasoft
2009-01-21 17:45 . 2009-02-15 11:57 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\Lavasoft
2009-01-21 17:28 . 2009-01-21 17:38 <DIR> d-------- m:\programmi\SUPERAntiSpyware
2009-01-21 17:28 . 2009-01-21 17:28 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\SUPERAntiSpyware.com
2009-01-21 17:28 . 2009-01-21 17:28 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-01-21 17:27 . 2009-01-21 17:27 <DIR> d-------- m:\programmi\File comuni\Wise Installation Wizard
2009-01-20 21:10 . 2009-02-14 23:12 <DIR> d--h----- m:\documents and settings\fabietto\.idelhwwr-00ihef
2009-01-20 21:10 . 2009-02-14 23:12 <DIR> d-------- m:\documents and settings\fabietto\.borland
2009-01-20 21:07 . 2009-01-20 21:07 <DIR> d-------- m:\programmi\File comuni\Borland Shared
2009-01-20 21:07 . 2009-01-20 21:07 <DIR> d-------- m:\programmi\Borland
2009-01-20 21:06 . 2009-01-20 21:06 <DIR> d-------- m:\programmi\MSXML 4.0
2009-01-20 20:33 . 2009-01-20 20:33 <DIR> d-------- m:\programmi\Microsoft.NET
2009-01-20 20:33 . 2009-01-20 20:33 <DIR> d-------- m:\programmi\Microsoft Visual Studio .NET 2003
2009-01-20 20:33 . 2009-01-20 21:37 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-01-20 19:18 . 2009-01-20 19:18 <DIR> d-------- m:\windows\system32\URTTemp
2009-01-19 16:04 . 2009-01-19 16:04 <DIR> d-------- m:\documents and settings\fabietto\http%3a%2f%2fwww.goh4.com%2fcygwin%2f
2009-01-19 16:04 . 2009-01-19 16:11 <DIR> d-------- M:\cygwin
2009-01-18 13:59 . 2009-01-18 13:59 <DIR> d-------- m:\programmi\Windows Live SkyDrive
2009-01-17 15:19 . 2009-01-17 15:19 <DIR> d-------- m:\programmi\Vidalia Bundle
2009-01-17 15:19 . 2009-02-16 14:28 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\Vidalia
2009-01-17 15:19 . 2009-02-16 19:03 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\tor
2009-01-16 15:41 . 2000-05-16 10:40 83,968 --a------ m:\windows\UnGins.exe
2009-01-16 15:38 . 2009-01-16 15:38 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2009-01-16 14:43 . 2009-02-06 15:54 <DIR> d-------- m:\programmi\Messenger Plus! Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 15:53 --------- d-----w m:\programmi\Mother
2009-02-08 17:57 517 ---ha-w M:\os629005.bin
2009-02-08 12:59 --------- d-----w m:\documents and settings\fabietto\Dati applicazioni\uTorrent
2009-02-07 15:38 --------- d--h--w m:\programmi\InstallShield Installation Information
2009-02-06 17:57 --------- d-----w m:\programmi\Teamspeak2_RC2
2009-01-31 16:22 --------- d-----w m:\programmi\Metin2.us
2009-01-31 14:54 --------- d-----w m:\programmi\Metin2
2009-01-12 16:47 --------- d-----w m:\programmi\Analog Devices
2009-01-08 13:37 --------- d-----w m:\documents and settings\LocalService\Dati applicazioni\TeamViewer
2009-01-06 18:19 --------- d-----w m:\programmi\TeamViewer
2009-01-06 18:19 --------- d-----w m:\documents and settings\fabietto\Dati applicazioni\TeamViewer
2009-01-01 22:13 --------- d-----w m:\programmi\CCleaner
2008-12-31 16:17 --------- d-----w m:\programmi\LittleFighter2
2008-12-27 14:28 --------- d-----w m:\programmi\cFosSpeed
2008-12-25 18:43 --------- d-----w m:\programmi\Windows Media Connect 2
2008-12-22 13:06 --------- d-----w m:\programmi\Serious Sam 2
2008-12-22 13:06 --------- d-----w m:\programmi\Java
2008-12-22 13:04 --------- d-----w m:\programmi\WebSite X5 Smart
2008-12-22 13:00 --------- d-----w m:\programmi\MessengerDiscovery
2008-12-12 14:10 74,752 ------w m:\windows\ST6UNST.EXE
2008-12-12 14:10 253,952 ------w m:\windows\Setup1.exe
2008-04-14 02:13 161,768 --sha-r m:\windows\system32\qsdddsnu.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-02-13_15.35.46,45 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-30 09:31:11 16,384 ----a-w m:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-15 18:02:15 16,384 ----a-w m:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-30 09:31:11 32,768 ----a-w m:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2009-02-15 18:02:15 32,768 ----a-w m:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2009-01-30 09:31:11 32,768 ----a-w m:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-15 18:02:15 32,768 ----a-w m:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="m:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2009-01-05 5724184]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"DAEMON Tools Lite"="m:\programmi\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"ctfmon.exe"="m:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Vidalia"="m:\programmi\Vidalia Bundle\Vidalia\vidalia.exe" [2008-11-11 4033618]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="m:\windows\system32\NvCpl.dll" [2007-02-23 7774208]
"NvMediaCenter"="m:\windows\system32\NvMcTray.dll" [2007-02-23 81920]
"SunJavaUpdateSched"="m:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="m:\programmi\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"nwiz"="nwiz.exe" [2007-02-23 m:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="m:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

m:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Privoxy.lnk - m:\programmi\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "m:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 m:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Service Host Driver]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Users\\fabietto\\Desktop\\ROBE VARIE\\fil1\\metin2.bin"=
"m:\\Programmi\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"m:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"m:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"m:\\Programmi\\TeamViewer\\Version4\\TeamViewer.exe"=
"m:\\Programmi\\Metin2.us\\metin2.bin"=
"m:\\Programmi\\Vidalia Bundle\\Tor\\tor.exe"=
"m:\\Programmi\\Vidalia Bundle\\Tor\\tor-resolve.exe"=
"m:\\Programmi\\Stormregion\\S.W.I.N.E\\swine.exe"=
"m:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"m:\\Programmi\\Microsoft Games\\Halo\\halo.exe"=
"m:\\Programmi\\Teamspeak2_RC2\\server_windows.exe"=
"m:\\Programmi\\MultiProxy\\MProxy.exe"=
"m:\\Programmi\\eMule\\emule.exe"=
"m:\\Programmi\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2406:TCP"= 2406:TCP:kzkutz
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"22:TCP"= 22:TCP:My_SSH (22)

R0 hotcore3;hotcore3;m:\windows\system32\drivers\hotcore3.sys [2008-11-03 38448]
R0 Lbd;Lbd;m:\windows\system32\drivers\Lbd.sys [2009-01-21 64160]
R1 SASDIFSV;SASDIFSV;m:\programmi\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;m:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
R2 sshd;CYGWIN sshd;m:\cygwin\bin\cygrunsrv.exe [2009-01-19 68096]
R2 TeamViewer4;TeamViewer 4;m:\programmi\TeamViewer\Version4\TeamViewer_Service.exe [2008-12-23 185640]
R3 teamviewervpn;TeamViewer VPN Adapter;m:\windows\system32\drivers\teamviewervpn.sys [2008-01-07 25088]
S2 gupdate1c98861d69b2c8e;Google Update Service (gupdate1c98861d69b2c8e);m:\programmi\Google\Update\GoogleUpdate.exe [2009-02-06 133104]
S2 rvyfkuhl;Server Helper;m:\windows\system32\svchost.exe -k netsvcs [2006-03-02 14336]
S2 Service Host Driver;Service Host Driver;\??\m:\docume~1\fabietto\IMPOST~1\Temp\svchost.sys m:\docume~1\fabietto\IMPOST~1\Temp\svchost.sys
S3 PsSdk41;PsSdk41;m:\windows\system32\drivers\pssdk41.sys [2009-02-11 36928]
S3 PsSdkLBF;PsSdkLBF;m:\windows\system32\drivers\pssdklbf.sys [2009-02-11 53312]
S3 SASENUM;SASENUM;m:\programmi\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qpwnjvei
jrfdebu
rvyfkuhl

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dff4bd70-b581-11dd-aee4-00184d708d31}]
\Shell\AutoRun\command - WD_Windows_Tools\setup.exe
.
Contenuto della cartella 'Scheduled Tasks'

2009-02-16 m:\windows\Tasks\Ad-Aware Update (Weekly).job
- m:\programmi\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-02-16 m:\windows\Tasks\GoogleUpdateTaskMachine.job
- m:\programmi\Google\Update\GoogleUpdate.exe [2009-02-06 14:50]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
TCP: {CE617B4C-07C1-4B94-A0F4-6BEBACA7A571} = 208.67.222.222,208.67.220.220
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
FF - ProfilePath - m:\documents and settings\fabietto\Dati applicazioni\Mozilla\Firefox\Profiles\89vgmb6f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29 ... 3043ede&q=
FF - component: m:\programmi\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - plugin: m:\documents and settings\fabietto\Dati applicazioni\Mozilla\Firefox\Profiles\89vgmb6f.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: m:\programmi\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: m:\programmi\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: m:\programmi\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 19:13:28
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\rvyfkuhl]
"ServiceDll"="m:\windows\system32\qsdddsnu.dll"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1275210071-688789844-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:b7,8f,4a,85,b1,43,88,b8,36,f4,09,5f,e3,50,6b,b6,78,3f,b9,1f,47,
92,df,4a,82,b5,e1,72,ef,6f,da,3f,7f,20,4f,9b,c4,29,1c,9a,a7,60,9f,59,4d,ac,\
"rkeysecu"=hex:39,39,8e,44,f4,9c,f1,b7,00,84,4d,a6,6a,e2,a0,a5
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(900)
m:\programmi\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
m:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
m:\windows\system32\nvsvc32.exe
m:\cygwin\usr\sbin\sshd.exe
m:\programmi\TeamViewer\Version4\TeamViewer.exe
m:\windows\system32\rundll32.exe
m:\programmi\Vidalia Bundle\Tor\tor.exe
m:\programmi\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Ora fine scansione: 2009-02-16 19:15:30 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-02-16 18:15:28
ComboFix2.txt 2009-02-15 18:01:14
ComboFix3.txt 2009-02-15 15:34:42
ComboFix4.txt 2009-02-15 10:52:02
ComboFix5.txt 2009-02-16 18:06:24

Pre-Run: 256.629.760.000 byte disponibili
Post-Run: 256,615,948,288 byte disponibili

Current=4 Default=4 Failed=1 LastKnownGood=2 Sets=1,2,3,4
245 --- E O F --- 2008-12-26 18:01:14

[f1192]

emmhh... vi posso dare il log di quando ho effettuato la scansione sulla penna usb , non ho quell' altro perche mi si e sovrascritto ^^

ComboFix 09-02-15.01 - fabietto 2009-02-16 19.06.50.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2046.1538 [GMT 1:00]
Eseguito da: m:\documents and settings\fabietto\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

L:\autorun.inf

.
((((((((((((((((((((((((( Files Creati Da 2009-01-16 al 2009-02-16 )))))))))))))))))))))))))))))))))))
.

2009-02-14 22:00 . 2009-02-14 22:00 14 --a------ m:\documents and settings\fabietto\file.bat
2009-02-12 15:15 . 2009-02-12 15:15 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\AeroSnapApp
2009-02-12 15:08 . 2009-02-12 15:08 <DIR> d-------- m:\programmi\AeroSnap
2009-02-11 22:14 . 2008-06-18 17:20 1,292,856 --------- m:\windows\ripple.CAB
2009-02-11 22:14 . 2009-02-11 22:14 829 --a------ m:\windows\ST6UNST.001
2009-02-11 22:14 . 2009-02-11 22:14 303 --a------ m:\windows\ST6UNST.000
2009-02-11 14:53 . 2009-02-11 14:53 53,312 --a------ m:\windows\system32\drivers\pssdklbf.sys
2009-02-11 14:53 . 2009-02-11 14:53 36,928 --a------ m:\windows\system32\drivers\pssdk41.sys
2009-02-10 21:50 . 2009-02-10 22:02 <DIR> d-------- m:\programmi\Deeds
2009-02-10 21:49 . 2009-02-10 21:49 <DIR> d-------- m:\programmi\Karnaugh Map Minimizer
2009-02-10 15:32 . 2009-02-10 15:32 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\fretsonfire
2009-02-08 14:09 . 2009-02-15 15:34 <DIR> d-------- m:\programmi\eMule
2009-02-07 16:47 . 2009-02-07 16:48 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\SPORE
2009-02-07 16:46 . 2009-02-07 16:46 <DIR> dr-h----- m:\documents and settings\fabietto\Dati applicazioni\SecuROM
2009-02-07 16:46 . 2009-02-07 16:46 107,888 --a------ m:\windows\system32\CmdLineExt.dll
2009-02-07 16:39 . 2009-02-07 16:39 <DIR> d-------- m:\programmi\Electronic Arts
2009-02-07 16:08 . 2009-02-07 16:08 <DIR> d-------- m:\programmi\MultiProxy
2009-02-06 18:39 . 2009-02-07 14:05 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\Hamachi
2009-02-06 18:39 . 2009-02-06 18:39 25,280 --a------ m:\windows\system32\drivers\hamachi.sys
2009-02-06 15:17 . 2009-02-15 16:36 <DIR> d-------- M:\cache
2009-02-06 14:46 . 2009-02-16 14:26 <DIR> d-------- m:\programmi\Google
2009-02-05 15:46 . 2009-02-05 15:46 <DIR> d-------- m:\programmi\Microsoft Games
2009-01-31 23:24 . 2009-02-15 11:58 <DIR> d-------- m:\programmi\Online TV Player 4
2009-01-31 23:24 . 2009-01-31 23:24 10 --a------ m:\windows\system32\810429tv4-test.jun
2009-01-30 18:06 . 2009-01-30 18:06 <DIR> d-------- m:\programmi\Avira
2009-01-29 08:00 . 2009-01-29 08:00 <DIR> d-------- m:\programmi\Stormregion
2009-01-24 15:33 . 2009-01-24 15:33 <DIR> d-------- m:\programmi\K-Lite Codec Pack
2009-01-24 15:33 . 2009-01-24 15:33 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\Media Player Classic
2009-01-24 15:33 . 2007-09-04 17:56 164,352 --a------ m:\windows\system32\unrar.dll
2009-01-24 15:33 . 2008-07-30 20:09 38 --a------ m:\windows\avisplitter.ini
2009-01-24 15:18 . 2009-02-14 15:34 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\LimeWire
2009-01-23 17:41 . 2009-01-23 17:42 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\Bluetooth
2009-01-23 17:40 . 2009-01-23 17:42 32 --a------ m:\windows\0
2009-01-23 17:40 . 2009-01-23 17:40 0 --a------ m:\windows\system32\0
2009-01-23 15:20 . 1999-03-23 08:12 299,520 --a------ m:\windows\uninst.exe
2009-01-21 17:49 . 2009-01-21 17:48 64,160 --a------ m:\windows\system32\drivers\Lbd.sys
2009-01-21 17:45 . 2009-02-15 11:57 <DIR> d-------- m:\programmi\Lavasoft
2009-01-21 17:45 . 2009-02-15 11:57 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\Lavasoft
2009-01-21 17:28 . 2009-01-21 17:38 <DIR> d-------- m:\programmi\SUPERAntiSpyware
2009-01-21 17:28 . 2009-01-21 17:28 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\SUPERAntiSpyware.com
2009-01-21 17:28 . 2009-01-21 17:28 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-01-21 17:27 . 2009-01-21 17:27 <DIR> d-------- m:\programmi\File comuni\Wise Installation Wizard
2009-01-20 21:10 . 2009-02-14 23:12 <DIR> d--h----- m:\documents and settings\fabietto\.idelhwwr-00ihef
2009-01-20 21:10 . 2009-02-14 23:12 <DIR> d-------- m:\documents and settings\fabietto\.borland
2009-01-20 21:07 . 2009-01-20 21:07 <DIR> d-------- m:\programmi\File comuni\Borland Shared
2009-01-20 21:07 . 2009-01-20 21:07 <DIR> d-------- m:\programmi\Borland
2009-01-20 21:06 . 2009-01-20 21:06 <DIR> d-------- m:\programmi\MSXML 4.0
2009-01-20 20:33 . 2009-01-20 20:33 <DIR> d-------- m:\programmi\Microsoft.NET
2009-01-20 20:33 . 2009-01-20 20:33 <DIR> d-------- m:\programmi\Microsoft Visual Studio .NET 2003
2009-01-20 20:33 . 2009-01-20 21:37 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-01-20 19:18 . 2009-01-20 19:18 <DIR> d-------- m:\windows\system32\URTTemp
2009-01-19 16:04 . 2009-01-19 16:04 <DIR> d-------- m:\documents and settings\fabietto\http%3a%2f%2fwww.goh4.com%2fcygwin%2f
2009-01-19 16:04 . 2009-01-19 16:11 <DIR> d-------- M:\cygwin
2009-01-18 13:59 . 2009-01-18 13:59 <DIR> d-------- m:\programmi\Windows Live SkyDrive
2009-01-17 15:19 . 2009-01-17 15:19 <DIR> d-------- m:\programmi\Vidalia Bundle
2009-01-17 15:19 . 2009-02-16 14:28 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\Vidalia
2009-01-17 15:19 . 2009-02-16 19:03 <DIR> d-------- m:\documents and settings\fabietto\Dati applicazioni\tor
2009-01-16 15:41 . 2000-05-16 10:40 83,968 --a------ m:\windows\UnGins.exe
2009-01-16 15:38 . 2009-01-16 15:38 <DIR> d-------- m:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2009-01-16 14:43 . 2009-02-06 15:54 <DIR> d-------- m:\programmi\Messenger Plus! Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 15:53 --------- d-----w m:\programmi\Mother
2009-02-08 17:57 517 ---ha-w M:\os629005.bin
2009-02-08 12:59 --------- d-----w m:\documents and settings\fabietto\Dati applicazioni\uTorrent
2009-02-07 15:38 --------- d--h--w m:\programmi\InstallShield Installation Information
2009-02-06 17:57 --------- d-----w m:\programmi\Teamspeak2_RC2
2009-01-31 16:22 --------- d-----w m:\programmi\Metin2.us
2009-01-31 14:54 --------- d-----w m:\programmi\Metin2
2009-01-12 16:47 --------- d-----w m:\programmi\Analog Devices
2009-01-08 13:37 --------- d-----w m:\documents and settings\LocalService\Dati applicazioni\TeamViewer
2009-01-06 18:19 --------- d-----w m:\programmi\TeamViewer
2009-01-06 18:19 --------- d-----w m:\documents and settings\fabietto\Dati applicazioni\TeamViewer
2009-01-01 22:13 --------- d-----w m:\programmi\CCleaner
2008-12-31 16:17 --------- d-----w m:\programmi\LittleFighter2
2008-12-27 14:28 --------- d-----w m:\programmi\cFosSpeed
2008-12-25 18:43 --------- d-----w m:\programmi\Windows Media Connect 2
2008-12-22 13:06 --------- d-----w m:\programmi\Serious Sam 2
2008-12-22 13:06 --------- d-----w m:\programmi\Java
2008-12-22 13:04 --------- d-----w m:\programmi\WebSite X5 Smart
2008-12-22 13:00 --------- d-----w m:\programmi\MessengerDiscovery
2008-12-12 14:10 74,752 ------w m:\windows\ST6UNST.EXE
2008-12-12 14:10 253,952 ------w m:\windows\Setup1.exe
2008-04-14 02:13 161,768 --sha-r m:\windows\system32\qsdddsnu.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-02-13_15.35.46,45 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-30 09:31:11 16,384 ----a-w m:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-15 18:02:15 16,384 ----a-w m:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-30 09:31:11 32,768 ----a-w m:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2009-02-15 18:02:15 32,768 ----a-w m:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2009-01-30 09:31:11 32,768 ----a-w m:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-15 18:02:15 32,768 ----a-w m:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="m:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2009-01-05 5724184]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"DAEMON Tools Lite"="m:\programmi\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"ctfmon.exe"="m:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Vidalia"="m:\programmi\Vidalia Bundle\Vidalia\vidalia.exe" [2008-11-11 4033618]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="m:\windows\system32\NvCpl.dll" [2007-02-23 7774208]
"NvMediaCenter"="m:\windows\system32\NvMcTray.dll" [2007-02-23 81920]
"SunJavaUpdateSched"="m:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="m:\programmi\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"nwiz"="nwiz.exe" [2007-02-23 m:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="m:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

m:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Privoxy.lnk - m:\programmi\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "m:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 m:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Service Host Driver]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Users\\fabietto\\Desktop\\ROBE VARIE\\fil1\\metin2.bin"=
"m:\\Programmi\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"m:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"m:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"m:\\Programmi\\TeamViewer\\Version4\\TeamViewer.exe"=
"m:\\Programmi\\Metin2.us\\metin2.bin"=
"m:\\Programmi\\Vidalia Bundle\\Tor\\tor.exe"=
"m:\\Programmi\\Vidalia Bundle\\Tor\\tor-resolve.exe"=
"m:\\Programmi\\Stormregion\\S.W.I.N.E\\swine.exe"=
"m:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"m:\\Programmi\\Microsoft Games\\Halo\\halo.exe"=
"m:\\Programmi\\Teamspeak2_RC2\\server_windows.exe"=
"m:\\Programmi\\MultiProxy\\MProxy.exe"=
"m:\\Programmi\\eMule\\emule.exe"=
"m:\\Programmi\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2406:TCP"= 2406:TCP:kzkutz
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"22:TCP"= 22:TCP:My_SSH (22)

R0 hotcore3;hotcore3;m:\windows\system32\drivers\hotcore3.sys [2008-11-03 38448]
R0 Lbd;Lbd;m:\windows\system32\drivers\Lbd.sys [2009-01-21 64160]
R1 SASDIFSV;SASDIFSV;m:\programmi\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;m:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
R2 sshd;CYGWIN sshd;m:\cygwin\bin\cygrunsrv.exe [2009-01-19 68096]
R2 TeamViewer4;TeamViewer 4;m:\programmi\TeamViewer\Version4\TeamViewer_Service.exe [2008-12-23 185640]
R3 teamviewervpn;TeamViewer VPN Adapter;m:\windows\system32\drivers\teamviewervpn.sys [2008-01-07 25088]
S2 gupdate1c98861d69b2c8e;Google Update Service (gupdate1c98861d69b2c8e);m:\programmi\Google\Update\GoogleUpdate.exe [2009-02-06 133104]
S2 rvyfkuhl;Server Helper;m:\windows\system32\svchost.exe -k netsvcs [2006-03-02 14336]
S2 Service Host Driver;Service Host Driver;\??\m:\docume~1\fabietto\IMPOST~1\Temp\svchost.sys m:\docume~1\fabietto\IMPOST~1\Temp\svchost.sys
S3 PsSdk41;PsSdk41;m:\windows\system32\drivers\pssdk41.sys [2009-02-11 36928]
S3 PsSdkLBF;PsSdkLBF;m:\windows\system32\drivers\pssdklbf.sys [2009-02-11 53312]
S3 SASENUM;SASENUM;m:\programmi\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qpwnjvei
jrfdebu
rvyfkuhl

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dff4bd70-b581-11dd-aee4-00184d708d31}]
\Shell\AutoRun\command - WD_Windows_Tools\setup.exe
.
Contenuto della cartella 'Scheduled Tasks'

2009-02-16 m:\windows\Tasks\Ad-Aware Update (Weekly).job
- m:\programmi\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-02-16 m:\windows\Tasks\GoogleUpdateTaskMachine.job
- m:\programmi\Google\Update\GoogleUpdate.exe [2009-02-06 14:50]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
TCP: {CE617B4C-07C1-4B94-A0F4-6BEBACA7A571} = 208.67.222.222,208.67.220.220
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
FF - ProfilePath - m:\documents and settings\fabietto\Dati applicazioni\Mozilla\Firefox\Profiles\89vgmb6f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29 ... 3043ede&q=
FF - component: m:\programmi\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - plugin: m:\documents and settings\fabietto\Dati applicazioni\Mozilla\Firefox\Profiles\89vgmb6f.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: m:\programmi\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: m:\programmi\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: m:\programmi\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 19:13:28
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\rvyfkuhl]
"ServiceDll"="m:\windows\system32\qsdddsnu.dll"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1275210071-688789844-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:b7,8f,4a,85,b1,43,88,b8,36,f4,09,5f,e3,50,6b,b6,78,3f,b9,1f,47,
92,df,4a,82,b5,e1,72,ef,6f,da,3f,7f,20,4f,9b,c4,29,1c,9a,a7,60,9f,59,4d,ac,\
"rkeysecu"=hex:39,39,8e,44,f4,9c,f1,b7,00,84,4d,a6,6a,e2,a0,a5
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(900)
m:\programmi\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
m:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
m:\windows\system32\nvsvc32.exe
m:\cygwin\usr\sbin\sshd.exe
m:\programmi\TeamViewer\Version4\TeamViewer.exe
m:\windows\system32\rundll32.exe
m:\programmi\Vidalia Bundle\Tor\tor.exe
m:\programmi\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Ora fine scansione: 2009-02-16 19:15:30 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-02-16 18:15:28
ComboFix2.txt 2009-02-15 18:01:14
ComboFix3.txt 2009-02-15 15:34:42
ComboFix4.txt 2009-02-15 10:52:02
ComboFix5.txt 2009-02-16 18:06:24

Pre-Run: 256.629.760.000 byte disponibili
Post-Run: 256,615,948,288 byte disponibili

Current=4 Default=4 Failed=1 LastKnownGood=2 Sets=1,2,3,4
245 --- E O F --- 2008-12-26 18:01:14

opss scusate doppio messaggio ^^ comunque sia cosa ne pensate?

[Amantide]

Copia ed incolla il seguente testo su blocconote e salva il file su desktop con il nome CFScript.txt.

Codice: Seleziona tutto

File::
m:\docume~1\fabietto\IMPOST~1\Temp\svchost.sys
m:\windows\system32\qsdddsnu.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetSvcs]
"qpwnjvei"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetSvcs]
"jrfdebu"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetSvcs]
"rvyfkuhl"=-

Driver::
Service Host Driver
rvyfkuhl

Controlla anche su www.virustotal.com questi file:
m:\documents and settings\fabietto\file.bat
m:\windows\0
m:\windows\system32\0
m:\windows\uninst.exe
m:\windows\UnGins.exe

Anche questa cartella mi risulta sospetta:
m:\documents and settings\fabietto\http%3a%2f%2fwww.goh4.com%2fcygwin%2f

[f1192]

allora : per quanto riguarda file .bat l' ho fatto io ... altro non so cosa dirti ...