
possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 11:30 am
by ludogamma
Hi,
I work on a Windows Vista Business SP2, 4GB RAM, Pentium Dual Core @2.00GHz. I use Avira, updated. I use Windows Firewall and Windows Defender. I use CCleaner regularly.
Recently I've had some problems: sometimes an Explorer window freezes, and when I try to close it the system freezes. If I try to kill the process from Task Manager I get a blue screen.
Another symptom: on my USB stick there is an autorun.inf, and access to it is denied to me. Fiddling around, I managed to read its contents, reported below. Searching the internet for this elusive BALKAN.exe, or FATA.exe, I found a link to csrss.exe, but I can't figure out whether it's the Windows process or a virus. Below, also the HijackThis log!


[autorun]
&äêôÑÀëôŽ×ÀÑëäôžœ÷äôëïøœã뎌ÅôÌÊfkASDL?DL?WLDP?WQFMâëÔÛÄÂÄÇÖÉÕÝÄÀÇÝÖÉÀËÁÛÝôñáÔÛÝÆÄñÔÛÝÆÄâÇÝÖÉâäàÝÖÉäàÝÖÉÇÂÆÖÉÝÂÆÕÖÉÂäôûýÄÆÀÄÂÝÀëäàýÇÖÉëýÖÄÉÝÀÖÉÄÝÖÉäàçõýöéëäàÇÕÝÖÉÄÀÝÆÔëüàôûýæÂÄÀàÇÝÖÉÆÀËÇÕÝÖÉÀËÄÙÖÉÕÝÄÀÝÖÉ
shellexecute=MILAN\\\\\\\\\\\\BALKAN.exe
~àôûâäÝÖÉäæàýöéäàýöéâôûýàëäáÔÛÂÄÝÔlD
shell\explore\command=MILAN\\\\\\\\\\\\BALKAN.exe
^ôàñôœëŠÄŽŒ×šÆØŒŠëŽÔœ
open=MILAN\\\\\\\\\\BALKAN.exe
(dasflWQ?D?WQ??FLwq
$icon=sanremo\\\\\\\\\\\fata.exe
"ôûàöéçýäÀÄÖÉÇÂÝËÀÜôûýìàôû
action=Open folder to view files using Windows Explorer
?ìñÿ÷ìÿëÄäàëÝÖÉäùàÝÖÉ
USEAUTOPLAY=1
!åóöéóøùçö
$ÀÔÛÀËÄÆà
shell\open\command=MILAN\\\\\\\\\\\\BALKAN.exe
%àôûâëäæÝÀôäÝÆàô
Shell\open\command=MILAN\\\\\\\\\\\\BALKAN.exe
~ÿ÷ìëüä÷ìäæý÷ÿäñÿýæ÷ì
icon=%SystemRoot%\system32\SHELL32.dll,4
&öéóàâìâïëóíùçõæïëóáÀôé


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:28:42, on 08/05/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [ThpSrv] C:\Windows\system32\thpsrv /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\Windows\system32\ThpSrv.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6869 bytes
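As an added example (not code from the thread), the script below does what ludogamma did by hand: it reads a junk-padded autorun.inf the way the Windows INI reader does, keeps only the keys AutoPlay actually asks for, and reports why the file is suspicious. The sample is constructed from the posted file (two of its junk lines kept); since only named keys are ever looked up, the garbage lines and the decoy `$icon=` line are simply never read by Windows.

```python
"""Triage a junk-padded autorun.inf like the one on the USB stick above.

Added example, not code from the forum thread. The sample reproduces the
structure of the posted file: keys Explorer honours, interleaved with lines
of high-bit garbage that the Windows INI reader never looks at.
"""
import re
from typing import Dict, List

# [autorun] keys that AutoPlay / Explorer actually act on
AUTORUN_KEYS = {"open", "shellexecute", "icon", "label", "action", "useautoplay"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
# key=value where the key is printable ASCII; the junk lines never match
KEYVAL = re.compile(r"^([\x21-\x7e][\x20-\x7e]*?)\s*=\s*(.*)$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

# Constructed from the posted autorun.inf (two of its junk lines kept)
SAMPLE = r"""[autorun]
&äêôÑÀëôŽ×ÀÑëäôžœ÷äôëïøœã뎌ÅôÌÊfkASDL?DL?WLDP?WQFM
shellexecute=MILAN\\\\\\\\\\\\BALKAN.exe
shell\explore\command=MILAN\\\\\\\\\\\\BALKAN.exe
(dasflWQ?D?WQ??FLwq
open=MILAN\\\\\\\\\\BALKAN.exe
$icon=sanremo\\\\\\\\\\\fata.exe
action=Open folder to view files using Windows Explorer
USEAUTOPLAY=1
shell\open\command=MILAN\\\\\\\\\\\\BALKAN.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section, keys lower-cased.

    Lines without an ASCII key and '=' are skipped; the first occurrence of
    a key wins, which is how GetPrivateProfileString behaves.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        m = KEYVAL.match(line) if in_autorun else None
        if m:
            entries.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return entries


def normalise_path(value: str) -> str:
    """Collapse runs of backslashes: MILAN\\\\BALKAN.exe -> MILAN\BALKAN.exe."""
    return re.sub(r"\\+", r"\\", value)


def triage_autorun(text: str) -> Dict[str, List[str]]:
    """Split keys into honoured/ignored and list the red flags found."""
    honoured: Dict[str, str] = {}
    ignored: List[str] = []
    findings: List[str] = []
    for key, value in parse_autorun(text).items():
        if key in AUTORUN_KEYS or SHELL_CMD.match(key):
            honoured[key] = value
        else:
            ignored.append(key)          # decoys such as $icon=...fata.exe
    for key, value in honoured.items():
        if key in ("open", "shellexecute") or SHELL_CMD.match(key):
            target = normalise_path(value)
            if target.lower().endswith(EXEC_EXT):
                findings.append(f"{key} launches {target}")
            if value != target:
                findings.append(f"{key} hides {target} behind repeated backslashes")
    if honoured.get("action", "").lower().startswith("open folder to view files"):
        findings.append("action mimics the default 'Open folder' AutoPlay entry")
    if "shell32.dll" in honoured.get("icon", "").lower():
        findings.append("icon borrows the stock folder icon from SHELL32.dll")
    return {"honoured": sorted(honoured), "ignored": ignored, "findings": findings}


if __name__ == "__main__":
    for line in triage_autorun(SAMPLE)["findings"]:
        print(line)
```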

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 12:39 pm
by The Doctor
Hi, you should put the result you posted inside the [LOG][/LOG] tag [;)]

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 12:44 pm
by crazy.cat
ludogamma wrote: I use Windows Firewall and Windows Defender.

Start by getting yourself two more decent programs to be safer.
Then a good scan with this http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/ and a format of the USB stick to remove the viruses on it.

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 12:45 pm
by ste_95
Connect all your USB sticks, then follow these instructions.

Download ComboFix, saving it to the desktop under a made-up name, and run the scan following these instructions (down at the bottom). At the end of the scan the report file C:\combofix.txt will be created; copy its contents here, placing it between the LOG tags, like this:
Code:
[LOG]paste the log here[/LOG]

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 1:52 pm
by ludogamma
Ste95 wrote:
Connect all your USB sticks, then follow these instructions.


In the instructions you mention PRT - Perlovega removal tool. The link redirects to a Sergiwa removal tool... are we sure?

Unfortunately I'm connecting from a remote place (veeeery remote!), I use a satellite connection, so downloading even just 1 MB takes me about half an hour...

Thanks anyway, as soon as I finish downloading I'll post the log

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 1:55 pm
by ste_95
ludogamma wrote: Unfortunately I'm connecting from a remote place (veeeery remote!), I use a satellite connection, so downloading even just 1 MB takes me about half an hour...

It's this one:
http://www.sergiwa.com/modules/mydownlo ... p?cid=2#l5

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 2:19 pm
by ludogamma
So,
PRT did not solve the problem on the USB stick. No big deal, I'll format it.
Below is the ComboFix log. At the start it told me the licence was expired, and so it would run in reduced functionality mode. Let's hope that's not serious...
I did two scans. In the first, with the USB stick inserted, the blue screen reappeared and the system crashed. After rebooting, without the stick, I tried again and this is the result.


ComboFix 10-04-30.03 - South Sudan 08/05/2010 16:11:09.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.2908.1935 [GMT 3:00]
Running from: e:\programmi\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-08 13:12 . 2010-05-08 13:12 -------- d-----w- c:\users\South Sudan\AppData\Local\temp
2010-05-08 13:12 . 2010-05-08 13:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-08 07:51 . 2010-05-08 07:51 -------- d-----w- c:\program files\Trend Micro
2010-04-26 13:16 . 2010-04-20 12:29 153088 --sh--r- c:\users\South Sudan\csrss.exe
2010-04-20 07:46 . 2007-12-04 04:22 57344 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\zimfprnt.dll
2010-04-20 07:42 . 2010-04-20 07:42 -------- d-----w- c:\users\South Sudan\{c80cecdc-0a7a-415d-824c-95795d3cd6fd}
2010-04-20 07:42 . 2010-04-20 07:42 -------- d-----w- c:\users\South Sudan\{8a4ad7f8-e78e-4cfd-a795-34fa05afb187}
2010-04-20 07:25 . 2007-12-18 07:45 221184 ----a-r- c:\windows\brprs.exe
2010-04-14 07:12 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 07:12 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 07:12 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 07:12 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 07:12 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 07:12 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 05:36 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 05:36 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 05:36 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 05:34 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 05:34 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 05:59 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-09 05:59 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-09 05:59 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-08 14:00 . 2006-10-24 05:47 534528 ------w- c:\programdata\HP\Installer\Temp\dpinst_x32\dpinst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 09:20 . 2009-12-04 15:00 -------- d-----w- c:\users\South Sudan\AppData\Roaming\Skype
2010-05-03 15:57 . 2010-04-04 07:39 -------- d-----w- c:\program files\CCleaner
2010-05-02 16:43 . 2009-12-04 14:44 -------- d-----w- c:\program files\Opera
2010-04-28 08:43 . 2010-01-03 18:05 27 ----a-w- c:\windows\clofghls.dll
2010-04-20 07:41 . 2010-01-13 15:09 -------- d-----w- c:\program files\HP
2010-04-20 07:25 . 2010-01-13 15:07 -------- d-----w- c:\programdata\HP
2010-04-20 07:25 . 2010-02-02 14:14 -------- d-----w- c:\users\South Sudan\AppData\Roaming\HP
2010-04-09 11:48 . 2010-03-03 19:14 -------- d-----w- c:\users\South Sudan\AppData\Roaming\TOSHIBA
2010-04-08 14:15 . 2010-04-08 07:28 137659 ----a-w- c:\windows\HPHins15.dat
2010-04-08 07:33 . 2009-12-04 10:18 99864 ----a-w- c:\users\South Sudan\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-08 07:14 . 2008-08-25 19:51 -------- d-----w- c:\programdata\Microsoft Help
2010-04-01 07:22 . 2010-03-27 16:56 -------- d-----w- c:\program files\Safaricom Broadband
2010-03-29 10:17 . 2010-03-29 10:17 0 ----a-w- c:\windows\nsreg.dat
2010-03-29 08:27 . 2010-03-29 08:27 -------- d-----w- c:\program files\DG ECHO
2010-03-24 06:29 . 2010-03-19 07:30 -------- d-----w- c:\users\South Sudan\AppData\Roaming\Apple Computer
2010-03-24 05:39 . 2010-03-19 07:27 -------- d-----w- c:\programdata\Apple
2010-03-19 07:30 . 2010-03-19 07:29 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-19 07:30 . 2010-03-19 07:29 -------- d-----w- c:\program files\iTunes
2010-03-19 07:29 . 2010-03-19 07:29 -------- d-----w- c:\program files\iPod
2010-03-19 07:29 . 2010-03-19 07:27 -------- d-----w- c:\program files\Common Files\Apple
2010-03-19 07:29 . 2010-03-19 07:28 -------- d-----w- c:\programdata\Apple Computer
2010-03-19 07:29 . 2010-03-19 07:28 -------- d-----w- c:\program files\QuickTime
2010-03-16 05:22 . 2010-03-16 05:22 -------- d-----w- c:\program files\Thuraya
2010-03-09 16:25 . 2010-04-01 07:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-04-01 07:31 834048 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 07:16 . 2009-12-12 16:32 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-10 13:09 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 13:09 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 13:09 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-15 15:41 . 2010-02-15 15:41 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-12 10:32 . 2010-03-06 15:19 293376 ----a-w- c:\windows\system32\browserchoice.exe
2008-01-21 02:23 . 2008-01-21 02:23 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
2008-01-21 02:23 . 2008-01-21 02:23 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6002.18005_none_f343a6944cd6fe47\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-4-15 2979144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google EULA Launcher]
2008-05-28 11:40 20480 ----a-w- c:\program files\Google\Google EULA\GoogleEULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 20:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2008-01-25 13:33 509816 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
2008-01-11 02:07 574864 ----a-w- c:\program files\Toshiba\Registration\ToshibaRegistration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):60,f8,d7,b5,88,81,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3342735296-1385822533-4066459999-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R3 ap_gvbus;Thuraya XT USB Composite Driver;c:\windows\system32\DRIVERS\ap_gvbus.sys [2008-09-05 25088]
R3 ap_gvm2k;Thuraya XT USB Modem Drivers;c:\windows\system32\DRIVERS\ap_gvm2k.sys [2008-09-05 41216]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2008-01-11 28280]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2007-09-04 13336]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-08-31 20352]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-04-15 51160]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2007-04-09 8192]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [2008-08-25 77824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain ... bmod=TSEA;
mStart Page = hxxp://www.google.com/ig/redirectdomain ... &bmod=TSEA
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 16:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-08 16:15:58
ComboFix-quarantined-files.txt 2010-05-08 13:15

Pre-Run: 16,842,264,576 bytes free
Post-Run: 16,794,054,656 bytes free

- - End Of File - - 6973C78302CF0C27E9411467C91722F5
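As an added example (not from the thread or from ComboFix), the script below parses the "Files Created" / Find3M lines of a ComboFix log and flags what a helper scans for by eye: a core Windows process name such as csrss.exe sitting outside System32, system+hidden attributes on a file in a user profile, and an executable dropped straight into c:\windows. The sample lines are copied from the log above; the list of core binaries and trusted folders is my own assumption for a default Vista install.

```python
"""Flag suspicious entries in a ComboFix file listing.

Added example, not part of the forum thread or of ComboFix. Sample lines
are copied from the posted log; CORE_BINARIES and TRUSTED_DIRS are my own
assumptions about where those binaries live on a stock Vista system.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# ComboFix line: <created> . <modified> <size or --------> <attrs> <path>
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(\S+)\s+([-a-z?]{8})\s+(.+?)\s*$"
)
# Session/logon binaries that a stock install keeps only under these folders
CORE_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                 "lsass.exe", "services.exe", "svchost.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\winsxs")


class Entry(NamedTuple):
    created: str
    modified: str
    size: Optional[int]      # None for directories ("--------")
    attrs: str               # e.g. "--sh--r-": s=system, h=hidden, r=read-only
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for headers and separators."""
    m = LINE.match(line)
    if not m:
        return None
    size = None if m.group(3).startswith("-") else int(m.group(3))
    return Entry(m.group(1), m.group(2), size, m.group(4), m.group(5))


def triage(entry: Entry) -> List[str]:
    """Return human-readable reasons this entry deserves a closer look."""
    reasons: List[str] = []
    folder, _, name = entry.path.lower().rpartition("\\")
    is_dir = entry.attrs.startswith("d")
    if not is_dir and name in CORE_BINARIES and not folder.startswith(TRUSTED_DIRS):
        reasons.append(f"{name} outside System32 (masquerading as a core process)")
    if "s" in entry.attrs and "h" in entry.attrs and folder.startswith(r"c:\users"):
        reasons.append("system+hidden attributes on a file in a user profile")
    if not is_dir and name.endswith(".exe") and folder == r"c:\windows":
        reasons.append("executable dropped directly in c:\\windows; verify its hash")
    return reasons


def scan(log: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; clean entries are omitted."""
    report: Dict[str, List[str]] = {}
    for line in log.splitlines():
        entry = parse_line(line.strip())
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                report[entry.path] = reasons
    return report


# Lines copied from the ComboFix log posted above
SAMPLE_LOG = r"""
2010-05-08 13:12 . 2010-05-08 13:12 -------- d-----w- c:\users\South Sudan\AppData\Local\temp
2010-04-26 13:16 . 2010-04-20 12:29 153088 --sh--r- c:\users\South Sudan\csrss.exe
2010-04-20 07:25 . 2007-12-18 07:45 221184 ----a-r- c:\windows\brprs.exe
2010-04-14 07:12 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 07:12 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
"""

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```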

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 2:31 pm
by ste_95
ludogamma wrote: 2010-04-20 07:25 . 2007-12-18 07:45 221184 ----a-r- c:\windows\brprs.exe

Send this one to VirusTotal.

Download Avenger
Extract it to a folder of your choice
Run the avenger.exe file with the sword icon
Now paste these lines into the white box that opened:

Code:
Files to delete:
c:\users\South Sudan\csrss.exe


Untick the Scan for Rootkits option
Press the Execute button
Answer Yes to Avenger's two prompts
Now your computer should reboot; if it doesn't, reboot it yourself manually
When the computer restarts, copy and paste here the contents of the Notepad window that will appear.

If Avenger reports an error, try retyping the first line (Files to delete:) by hand, remembering the colon.

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 4:02 pm
by ludogamma
Hi,
VirusTotal says everything is fine.
Here's the Avenger log. Is everything OK now?

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File "c:\users\South Sudan\csrss.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 4:03 pm
by ste_95
Is it better?

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 6:05 pm
by ludogamma
Hi,
I'd say everything is fine now, let's just hope about the blue screens.
Just one thing: among the services, there are two csrss.exe running, whereas there should be only one if I'm not mistaken.
Thanks anyway, as usual MegaLab never lets you down (and I'm certainly not a new member.. maybe just a bit "quiet"..)

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sat May 08, 2010 6:13 pm
by ste_95
ludogamma wrote: Just one thing: among the services, there are two csrss.exe running, whereas there should be only one if I'm not mistaken.

Can you find the path the two services point to?

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sun May 09, 2010 1:56 pm
by ludogamma
ste_95 wrote: Can you find the path the two services point to?

No, I can't from Task Manager. For the other services there's no problem, but for these two nothing happens when I click "open file location" or "go to service(s)". Is there another way to check?

Re: possible virus problem BALKAN.EXE or FATA.EXE

Posted: Sun May 09, 2010 5:20 pm
by ste_95
Maybe you can from the Windows services manager (Start -> Run -> services.msc -> Enter). Otherwise you'd have to fiddle a bit in the system registry, but it's also quite likely that the services have been orphaned, i.e. the files they referred to have been removed. [;)]