www.MegaLab.it

[Amantide]

non ho capito l'utilità del verifier, ho selezionato tutti gli usb e riavviato, non è apparsa alcuna scritta al riavvio, e le pen drive ancora non funzionano!!

Serviva per vedere se qualche driver in particolare aveva dei problemi o poteva creare dei conflitti.

in cosa consiste il ripristino di xp? rischio di perdere dati???

I file di sistema verranno sovrascritti con quelli del cd, quindi, ammeno che non sbagli ad indicare la partizione, verranno sovrascritti solo questi.

ultima domanda: se faccio ripristino configurazione sistema a qualche mese fa che succede? c'è rischio che perdo dei dati importanti?

Può essere che risolvi , così come può essere di no. Sicuramente perderai tutti i programmi installati nella data successiva al punto di ripristino scelto e le varie modifiche apportate.

[john locke]

amantide so che mi odi...
ma facendo il ripristino mi chiede la password di amministratore...ma che cosa è questa password???
e se rinstallo il pacchetto sp2 miglioro qualcosa??
appena risolvo

[Amantide]

ma facendo il ripristino mi chiede la password di amministratore...ma che cosa è questa password???

Nelle istruzioni non c'era scritto di premere semplicemente Invio senza digitare nulla?

[john locke]

dopo un giorno di consultare forum, arrivo in un forum che mi dice che il problema potrebbe essere un rootkit!!!!faccio gmer 1.14 e mi appare una riga rossa
rootkit-like behavior;mbr rootkit code detected!!! e gmer mi si blocca sempre durante la scansione che faccio??? ci sono esperti in questione???
credo sia questo la causa di tutti i miei mali e kaspersky onlune non mi ha trovato niente!!!!!!!!!!! ma porc....putt...

panda anti-rootkit alla versione 1.08 non mi ha trovato niente!!
ora provo con altri programmi

[Amantide]

[XX(]
dopo un giorno di consultare forum, arrivo in un forum che mi dice che il problema potrebbe essere un rootkit!!!!faccio gmer 1.14 e mi appare una riga rossa
rootkit-like behavior;mbr rootkit code detected!!! e gmer mi si blocca sempre durante la scansione che faccio??? ci sono esperti in questione???

Mannaggia!!! E chi avrebbe pensando leggendo della gente che ha risolto reinstallando i driver usb

Scarica mbr.exe e salvalo nella directory C:\
Dopo vai su Start>> Esegui e digita c:\mbr.exe
Mbr.exe metterà qualche secondo a fare la scansione. Fatto ciò postami qui il contenuto del log creato che troverai in c:\mbr.log

[john locke]

ecco qui .... spiegami per cortesia cosa ho fatto .... è tutto risolto??

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x12a14c00 size 0x1ab !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.



ma è una cosa grave??? attendo notizie


un attimo mcafee anti-rootikit 1.1 mi indica c:\system volume information\catalog.wci come lo rinomino??? guidami passo passo per favore

[Amantide]

Ti hanno consigliato bene, devo proprio ammetterlo
Praticamente un rootkit si è insediato nella parte MBR del hard disk. Ricordi quando ti ho fatto fare la verifica dei driver non certificati ti è apparso lo schermo blu? Era proprio a causa sua. Ma siccome i rootkit mascherano a perfezzione la propria presenza, non siamo riusciti a vedere a quale driver era dovuto lo schermo blu.

Con il comando mbr.exe ti ho fatto coontrollare mbr ed effettivamente il rootkit è presente, ora per ripulirlo devi eseguire quest'altro comando
c:\mbr.exe -f
Postami anche il secondo log.

[john locke]

il log dovrebbe essere questo

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

per mcafee che mi dici ?? che devo fare ora oltre che farmi benedire??? (non ho capito come funziona...booo dice di rinominare ma non fa scrivere niente)
tren micro rootkitbuster non ha rilevato niente

PS non mi ha consigliato nessuno... ho fatto tutto da solo, onore al merito

[Amantide]

Lascia perdere McAfee.
Hai provato a vedere se ora, dopo il riavvio, le pen drive vengono lette?

Per sicurezza fai un altra scansione antimalware.
Scarica il ComboFix da qui ed esegui la scansione seguendo queste istruzioni (giù in fondo). Al termine della scansione verrà creato il file di report C:\combofix.txt, copia qui il suo contenuto.

P.S. Allora complimenti a te per l'intuito E' stato utile a te e sicuramente sarà utile anche a me nel valutare i futuri "casi".

[john locke]

ecco il log

ComboFix 08-10-17.01 - giacomo 2008-10-20 20.04.42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1470 [GMT 2:00]
Eseguito da: C:\Downloads\Software\pincopallino.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\All Users\Documenti\avril\Desktop_.ini
C:\Documents and Settings\All Users\Documenti\Immagini\Desktop_.ini
C:\Documents and Settings\All Users\Documenti\Immagini\Immagini campione\Desktop_.ini
C:\Documents and Settings\All Users\Documenti\lost stagione 4\Desktop_.ini
C:\Documents and Settings\All Users\Documenti\monkey\Desktop_.ini
C:\Documents and Settings\All Users\Documenti\Musica\Desktop_.ini
C:\Documents and Settings\giacomo\Preferiti\Videos.url
C:\WINDOWS\backinf.tab
C:\WINDOWS\system32\_003480_.tmp.dll
C:\WINDOWS\system32\_003481_.tmp.dll
C:\WINDOWS\system32\_003482_.tmp.dll
C:\WINDOWS\system32\_003483_.tmp.dll
C:\WINDOWS\system32\_003488_.tmp.dll
C:\WINDOWS\system32\_003489_.tmp.dll
C:\WINDOWS\system32\_003490_.tmp.dll
C:\WINDOWS\system32\_003491_.tmp.dll
C:\WINDOWS\system32\_003492_.tmp.dll
C:\WINDOWS\system32\_003493_.tmp.dll
C:\WINDOWS\system32\_003494_.tmp.dll
C:\WINDOWS\system32\_003495_.tmp.dll
C:\WINDOWS\system32\_003496_.tmp.dll
C:\WINDOWS\system32\_003497_.tmp.dll
C:\WINDOWS\system32\_003499_.tmp.dll
C:\WINDOWS\system32\_003500_.tmp.dll
C:\WINDOWS\system32\_003502_.tmp.dll
C:\WINDOWS\system32\_003503_.tmp.dll
C:\WINDOWS\system32\_003504_.tmp.dll
C:\WINDOWS\system32\_003506_.tmp.dll
C:\WINDOWS\system32\_003509_.tmp.dll
C:\WINDOWS\system32\_003510_.tmp.dll
C:\WINDOWS\system32\_003512_.tmp.dll
C:\WINDOWS\system32\_003513_.tmp.dll
C:\WINDOWS\system32\_003514_.tmp.dll
C:\WINDOWS\system32\_003515_.tmp.dll
C:\WINDOWS\system32\_003516_.tmp.dll
C:\WINDOWS\system32\_003517_.tmp.dll
C:\WINDOWS\system32\_003519_.tmp.dll
C:\WINDOWS\system32\_003520_.tmp.dll
C:\WINDOWS\system32\_003521_.tmp.dll
C:\WINDOWS\system32\_003522_.tmp.dll
C:\WINDOWS\system32\_003523_.tmp.dll
C:\WINDOWS\system32\_003524_.tmp.dll
C:\WINDOWS\system32\_003525_.tmp.dll
C:\WINDOWS\system32\_003526_.tmp.dll
C:\WINDOWS\system32\_003529_.tmp.dll
C:\WINDOWS\system32\_003530_.tmp.dll
C:\WINDOWS\system32\_003531_.tmp.dll
C:\WINDOWS\system32\_003532_.tmp.dll
C:\WINDOWS\system32\_003533_.tmp.dll
C:\WINDOWS\system32\_003534_.tmp.dll
C:\WINDOWS\system32\_003535_.tmp.dll
C:\WINDOWS\system32\_003538_.tmp.dll
C:\WINDOWS\system32\_003539_.tmp.dll
C:\WINDOWS\system32\_003540_.tmp.dll
C:\WINDOWS\system32\_003543_.tmp.dll
C:\WINDOWS\system32\_003546_.tmp.dll
C:\WINDOWS\system32\_003547_.tmp.dll
C:\WINDOWS\system32\_003551_.tmp.dll
C:\WINDOWS\system32\_003552_.tmp.dll
C:\WINDOWS\system32\_003554_.tmp.dll
C:\WINDOWS\system32\_003557_.tmp.dll
C:\WINDOWS\system32\_003559_.tmp.dll
C:\WINDOWS\system32\_003560_.tmp.dll
C:\WINDOWS\system32\_003561_.tmp.dll
C:\WINDOWS\system32\_003562_.tmp.dll
C:\WINDOWS\system32\_003565_.tmp.dll
C:\WINDOWS\system32\_003566_.tmp.dll
C:\WINDOWS\system32\_003567_.tmp.dll
C:\WINDOWS\system32\_003568_.tmp.dll
C:\WINDOWS\system32\_003569_.tmp.dll
C:\WINDOWS\system32\_003574_.tmp.dll
C:\WINDOWS\system32\_003576_.tmp.dll

.
((((((((((((((((((((((((( Files Creati Da 2008-09-20 al 2008-10-20 )))))))))))))))))))))))))))))))))))
.

2008-10-20 19:55 . 2008-10-20 19:55 142,096 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-20 19:38 . 2008-10-20 19:38 90 --ahs---- C:\WINDOWS\system32\drivers\aee42.DAT
2008-10-20 19:38 . 2008-10-20 19:38 90 --ahs---- C:\WINDOWS\system32\drivers\8e743.DAT
2008-10-20 19:38 . 2008-10-20 19:38 90 --ahs---- C:\WINDOWS\system32\drivers\02641.DAT
2008-10-20 19:10 . 2008-10-20 19:09 66,048 --a------ C:\mbr.exe
2008-10-20 18:59 . 2008-10-20 18:59 90 --ahs---- C:\WINDOWS\system32\drivers\e3a28.DAT
2008-10-20 18:59 . 2008-10-20 18:59 90 --ahs---- C:\WINDOWS\system32\drivers\d6427.DAT
2008-10-20 18:59 . 2008-10-20 18:59 90 --ahs---- C:\WINDOWS\system32\drivers\02626.DAT
2008-10-20 15:33 . 2001-08-17 21:28 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2008-10-20 15:32 . 2001-08-17 21:28 794,399 --a------ C:\WINDOWS\system32\dllcache\usr1806v.sys
2008-10-20 15:31 . 2001-08-17 21:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-10-20 15:30 . 2001-08-30 23:08 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-10-20 15:29 . 2001-08-30 23:07 172,768 --a------ C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-10-20 15:28 . 2001-08-30 19:49 286,816 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2008-10-20 15:27 . 2004-09-07 14:00 465,408 --a------ C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-10-20 15:26 . 2001-08-30 23:07 386,560 --a------ C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-10-20 15:25 . 2001-08-30 23:07 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-10-20 15:24 . 2004-08-04 00:52 397,056 --a------ C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-10-20 15:23 . 2001-08-30 22:10 899,754 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-10-20 15:22 . 2004-08-04 00:52 259,328 --a------ C:\WINDOWS\system32\dllcache\perm3dd.dll
2008-10-20 15:21 . 2001-08-17 22:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-10-20 15:20 . 2004-09-07 14:00 226,816 --a------ C:\WINDOWS\system32\dllcache\npdrmv2.dll
2008-10-20 15:19 . 2004-08-04 00:52 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-10-20 15:18 . 2001-08-17 21:28 802,683 --a------ C:\WINDOWS\system32\dllcache\ltsm.sys
2008-10-20 15:07 . 2001-08-30 23:07 242,688 --a------ C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-10-20 15:06 . 2004-08-03 22:41 1,041,536 --a------ C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-10-20 15:05 . 2001-08-17 21:28 542,879 --a------ C:\WINDOWS\system32\dllcache\hsf_msft.sys
2008-10-20 15:04 . 2001-08-30 23:07 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-10-20 15:03 . 2001-08-30 21:54 596,159 --a------ C:\WINDOWS\system32\dllcache\es56cvmp.sys
2008-10-20 15:02 . 2001-08-30 21:33 634,166 --a------ C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-10-20 15:01 . 2001-08-17 20:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-10-20 15:00 . 2001-08-30 20:33 980,034 --a------ C:\WINDOWS\system32\dllcache\cicap.sys
2008-10-20 14:59 . 2004-08-04 00:52 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-10-20 14:58 . 2004-08-04 00:48 2,184,704 --a------ C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-20 14:14 . 2008-10-20 14:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-20 14:14 . 2008-10-20 14:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-20 09:38 . 2008-10-20 09:34 21,040 --a------ C:\WINDOWS\usbstor.sys
2008-10-19 15:55 . 2004-08-04 00:37 68,736 --a------ C:\WINDOWS\system32\drivers\pci.sys
2008-10-19 15:55 . 2004-08-04 00:37 68,736 --a------ C:\WINDOWS\system32\dllcache\pci.sys
2008-10-19 15:55 . 2007-08-10 16:12 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2008-10-19 15:55 . 2001-08-30 19:48 36,096 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-10-19 15:55 . 2001-08-30 19:48 36,096 --a------ C:\WINDOWS\system32\dllcache\isapnp.sys
2008-10-19 15:54 . 2008-10-19 15:54 <DIR> d-------- C:\Intel
2008-10-17 18:40 . 2008-10-17 18:40 <DIR> d-------- C:\Programmi\emule extreme
2008-10-17 09:21 . 2008-10-17 09:31 <DIR> d-------- C:\ao3 indiani
2008-10-12 15:35 . 2008-10-12 15:35 <DIR> d-------- C:\Programmi\URUSoft
2008-10-12 15:25 . 2008-10-12 15:30 <DIR> d-------- C:\Programmi\SubRip
2008-10-10 11:09 . 2008-04-13 11:37 2,962,432 --a------ C:\WINDOWS\system32\SET1312.tmp
2008-10-10 11:09 . 2008-04-13 19:13 354,304 --a------ C:\WINDOWS\system32\SET1304.tmp
2008-10-10 11:09 . 2008-04-13 19:12 177,152 --a------ C:\WINDOWS\system32\SET1339.tmp
2008-10-10 11:09 . 2008-04-13 19:13 16,896 --a------ C:\WINDOWS\system32\SET1363.tmp
2008-10-10 11:09 . 2008-04-13 19:13 6,656 --a------ C:\WINDOWS\system32\SET12FC.tmp
2008-10-10 11:04 . 2008-04-13 19:13 519,168 --a------ C:\WINDOWS\system32\SET77B.tmp
2008-10-10 11:04 . 2008-04-13 19:13 95,744 --a------ C:\WINDOWS\system32\SET781.tmp
2008-10-10 11:02 . 2008-04-13 19:13 1,092,096 --a------ C:\WINDOWS\system32\SET539.tmp
2008-10-10 11:01 . 2008-04-13 19:13 3,066,880 --a------ C:\WINDOWS\system32\SET42C.tmp
2008-10-10 11:00 . 2008-04-13 19:13 8,489,984 --a------ C:\WINDOWS\system32\SET2B1.tmp
2008-10-10 10:58 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\003088_.tmp
2008-10-10 10:54 . 2007-02-28 18:06 2,141,184 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-10-10 08:25 . 2008-10-10 08:31 90,112 --a------ C:\WINDOWS\DUMP59a9.tmp
2008-10-10 08:25 . 2008-10-10 08:30 90,112 --a------ C:\WINDOWS\DUMP594b.tmp
2008-10-07 16:36 . 2008-10-07 16:36 268 --ah----- C:\sqmdata07.sqm
2008-10-07 16:36 . 2008-10-07 16:36 244 --ah----- C:\sqmnoopt07.sqm
2008-10-03 19:11 . 2008-10-03 19:11 <DIR> d-------- C:\Programmi\File comuni\xing shared
2008-10-03 16:59 . 2008-04-13 11:37 2,962,432 --a------ C:\WINDOWS\system32\SET1277.tmp
2008-10-03 16:59 . 2008-04-13 11:35 195,072 --a------ C:\WINDOWS\system32\SET1278.tmp
2008-10-03 16:59 . 2008-04-13 19:12 177,152 --a------ C:\WINDOWS\system32\SET129E.tmp
2008-10-03 16:59 . 2008-04-13 19:13 16,896 --a------ C:\WINDOWS\system32\SET12C8.tmp
2008-10-03 16:58 . 2008-10-16 20:37 <DIR> d-------- C:\WINDOWS\system32\it-it
2008-10-03 16:58 . 2008-10-10 11:09 <DIR> d-------- C:\WINDOWS\system32\it
2008-10-03 16:58 . 2008-10-10 11:12 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-03 16:58 . 2008-10-10 11:12 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-03 16:58 . 2008-04-13 19:13 354,304 --a------ C:\WINDOWS\system32\SET1269.tmp
2008-10-03 16:58 . 2008-04-13 19:13 6,656 --a------ C:\WINDOWS\system32\SET1261.tmp
2008-10-03 16:55 . 2008-04-13 19:13 519,168 --a------ C:\WINDOWS\system32\SET6E0.tmp
2008-10-03 16:55 . 2008-04-13 19:13 95,744 --a------ C:\WINDOWS\system32\SET6E6.tmp
2008-10-03 16:53 . 2008-04-13 19:13 3,066,880 --a------ C:\WINDOWS\system32\SET3E0.tmp
2008-10-03 16:50 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\003081_.tmp
2008-10-03 16:47 . 2004-09-07 14:00 71,040 --------- C:\WINDOWS\system32\drivers\_003461_.tmp.dll
2008-10-03 16:44 . 2008-10-03 17:11 <DIR> d-------- C:\backup xp3
2008-10-03 15:46 . 2008-10-03 15:46 63,852 --a------ C:\acadminidump.dmp
2008-09-29 16:28 . 2008-09-29 16:36 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-09-29 16:28 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-09-29 16:20 . 2008-09-29 16:20 <DIR> d-------- C:\Documents and Settings\giacomo\Dati applicazioni\Mc & RENOX
2008-09-20 08:50 . 2008-09-20 08:54 <DIR> d-------- C:\Programmi\SystemRequirementsLab
2008-09-20 08:28 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-20 08:28 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-09-20 08:28 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 18:08 --------- d-----w C:\Documents and Settings\giacomo\Dati applicazioni\Free Download Manager
2008-10-20 06:46 --------- d-----w C:\Programmi\eMule
2008-10-16 19:52 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-10-13 09:53 --------- d-----w C:\Programmi\eMulemorph
2008-10-11 09:21 --------- d-----w C:\Documents and Settings\giacomo\Dati applicazioni\uTorrent
2008-10-03 17:11 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-10-03 17:11 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-10-03 17:11 --------- d-----w C:\Programmi\File comuni\Real
2008-09-25 17:05 --------- d-----w C:\Programmi\eMuleplus
2008-09-22 20:39 --------- d-----w C:\Documents and Settings\giacomo\Dati applicazioni\dvdcss
2008-09-20 08:46 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-09-19 20:14 90,112 ----a-w C:\WINDOWS\DUMP5c0a.tmp
2008-09-19 16:07 --------- d-----w C:\Programmi\EA SPORTS
2008-09-16 06:25 --------- d-----w C:\Documents and Settings\giacomo\Dati applicazioni\Lingoes
2008-09-15 13:58 --------- d-----w C:\Programmi\Malwarebytes' Anti-Malware
2008-09-13 21:20 --------- d-----w C:\Documents and Settings\giacomo\Dati applicazioni\Media Player Classic
2008-09-12 16:11 --------- d-----w C:\Programmi\Lavasoft
2008-09-12 16:10 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-09-12 06:18 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-09-09 22:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 22:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 12:38 --------- d-----w C:\Programmi\Military Operation
2008-09-06 10:30 --------- d-----w C:\Documents and Settings\giacomo\Dati applicazioni\LimeWire
2008-09-05 18:33 --------- d-----w C:\Programmi\Lavalys
2008-09-05 16:39 --------- d-----w C:\Programmi\ScummVM
2008-09-05 14:06 --------- d-----w C:\Programmi\Canon
2008-09-05 13:20 2,656 ----a-w C:\WINDOWS\system32\io02.sys
2008-09-01 09:37 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-27 10:32 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\MailFrontier
2008-08-20 13:48 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Microsoft Help
2008-07-21 22:14 9,728 ----a-w C:\WINDOWS\system32\RtNicProp32.dll
2007-07-22 09:41 98,672 ----a-w C:\Documents and Settings\giacomo\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-05-30 19:29 2 --shatr C:\WINDOWS\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-07 15360]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-06-02 65536]
"RocketDock"="C:\Programmi\RocketDock\RocketDock.exe" [2006-08-16 364544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-07 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2006-05-12 774233]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-12 7577600]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-12 86016]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-02-23 106496]
"DetectorApp"="C:\Programmi\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"avgnt"="C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2008-10-03 185872]
"Collegamento alla pagina delle proprietà di High Definition Audio"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2006-06-12 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-07 15360]
"Nokia.PCSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
--a------ 2006-05-06 13:57 3227648 C:\Programmi\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Programmi\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-03 19:11 185872 C:\Programmi\File comuni\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 15:22 4670968 C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Programmi\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\LimeWire\\LimeWire.exe"=
"C:\\Programmi\\uTorrent\\uTorrent.exe"=
"C:\\Programmi\\eMulemorph\\emule.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\APPS\\skype\\phone\\Skype.exe"=
"C:\\Programmi\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\Programmi\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"C:\\Programmi\\BearShare\\BearShare.exe"=
"C:\\Programmi\\Microsoft Games\\Age of Empires III\\age3x.exe"=

R3 SynMini;USB2.0 VGA WebCam;C:\WINDOWS\system32\Drivers\SynMini.sys [2006-07-03 1056512]
R3 SynScan;USB2.0 VGA WebCam Still Image;C:\WINDOWS\system32\Drivers\SynScan.sys [2006-06-30 8064]
S0 02626;02626;C:\WINDOWS\system32\drivers\02626.SYS [ ]
S0 02641;02641;C:\WINDOWS\system32\drivers\02641.SYS [ ]
S1 aee42;aee42;C:\WINDOWS\system32\drivers\aee42.SYS [ ]
S1 d6427;d6427;C:\WINDOWS\system32\drivers\d6427.SYS [ ]
S2 8e743;8e743;C:\WINDOWS\system32\drivers\8e743.SYS [ ]
S2 e3a28;e3a28;C:\WINDOWS\system32\drivers\e3a28.SYS [ ]
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Programmi\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
S3 io02;Hardware Access Driver;C:\WINDOWS\system32\io02.sys [2008-09-05 2656]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 AntiyFirewall;AntiyFirewall;C:\WINDOWS\system32\drivers\AntiyFW.sys [2006-09-22 9656]

*Newly Created Service* - 02629
*Newly Created Service* - 02648
*Newly Created Service* - 74B4A
*Newly Created Service* - A5149
*Newly Created Service* - C872B
*Newly Created Service* - CBE2A
.
Contenuto della cartella 'Scheduled Tasks'

2008-10-20 C:\WINDOWS\Tasks\Verifica aggiornamenti per Windows Live Toolbar.job
- C:\Programmi\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORFÃOS REMOVIDOS - - - -

Notify-dimsntfy - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementare di scansione -------
.
FireFox -: Profile - C:\Documents and Settings\giacomo\Dati applicazioni\Mozilla\Firefox\Profiles\kpj17vtd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - http://www.google.it
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - C:\Programmi\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Programmi\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 20:12:28
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Altri processi in esecuzione ------------------------
.
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmi\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2008-10-20 20:25:04 - macchina è stato riavviato
ComboFix-quarantined-files.txt 2008-10-20 18:24:58

Pre-Run: 20.104.646.656 byte disponibili
Post-Run: 19,860,082,688 byte disponibili

359

1)comunque la prossima volta avvisa che c'è pincopallino...
2)
3)mò che si fa?
4)il log è pulito?
5)sto perdendo la vista
6) in vita mia mai mandati tutti questi post...
7)la pendrive ancora non funziona

[Amantide]

Scarica OtMoveIt3, avvialo ed assicurati che la voce Unregister Dll's and Ocx's sia spuntata.
Nello spazio bianco sotto alla voce Paste Instructions for items to be Moved incolla seguente script e clicca su MoveIt!:

Codice: Seleziona tutto

:files
 C:\WINDOWS\system32\drivers\aee42.DAT
C:\WINDOWS\system32\drivers\8e743.DAT
C:\WINDOWS\system32\drivers\02641.DAT
C:\WINDOWS\system32\drivers\e3a28.DAT
C:\WINDOWS\system32\drivers\d6427.DAT
C:\WINDOWS\system32\drivers\02626.DAT
C:\WINDOWS\system32\SET1312.tmp
C:\WINDOWS\system32\SET1304.tmp
C:\WINDOWS\system32\SET1339.tmp
C:\WINDOWS\system32\SET1363.tmp
C:\WINDOWS\system32\SET12FC.tmp
C:\WINDOWS\system32\SET77B.tmp
C:\WINDOWS\system32\SET781.tmp
C:\WINDOWS\system32\SET539.tmp
C:\WINDOWS\system32\SET42C.tmp
C:\WINDOWS\system32\SET2B1.tmp
C:\WINDOWS\003088_.tmp
C:\WINDOWS\DUMP59a9.tmp
C:\WINDOWS\DUMP594b.tmp
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\WINDOWS\system32\SET1277.tmp
C:\WINDOWS\system32\SET1278.tmp
C:\WINDOWS\system32\SET129E.tmp
C:\WINDOWS\system32\SET12C8.tmp
:\WINDOWS\system32\SET1269.tmp
C:\WINDOWS\system32\SET1261.tmp
C:\WINDOWS\system32\SET6E0.tmp
C:\WINDOWS\system32\SET6E6.tmp
C:\WINDOWS\system32\SET3E0.tmp
C:\WINDOWS\003081_.tmp
C:\WINDOWS\system32\drivers\_003461_.tmp.dll
C:\WINDOWS\DUMP5c0a.tmp

:services
02626
02641
aee42
d6427
8e743
e3a28
02629
02648
74B4A
A5149
C872B
CBE2A

:commands
[purity]
[emptytemp]

Il log dell'operazione verrà salvato nella cartella C:\_OtMoveIt\MovedFiles sotto la forma del file [nome_e_data].LOG
Copia il suo contenuto ed inseriscilo qui.

P.S. Scusa per il pincopallino , l'ho chiamato così perché tanti virus bloccano l'esecuzione del file con il nome originale

[john locke]

ecco il log

========== FILES ==========
C:\WINDOWS\system32\drivers\aee42.DAT moved successfully.
C:\WINDOWS\system32\drivers\8e743.DAT moved successfully.
C:\WINDOWS\system32\drivers\02641.DAT moved successfully.
C:\WINDOWS\system32\drivers\e3a28.DAT moved successfully.
C:\WINDOWS\system32\drivers\d6427.DAT moved successfully.
C:\WINDOWS\system32\drivers\02626.DAT moved successfully.
C:\WINDOWS\system32\SET1312.tmp moved successfully.
C:\WINDOWS\system32\SET1304.tmp moved successfully.
C:\WINDOWS\system32\SET1339.tmp moved successfully.
C:\WINDOWS\system32\SET1363.tmp moved successfully.
C:\WINDOWS\system32\SET12FC.tmp moved successfully.
C:\WINDOWS\system32\SET77B.tmp moved successfully.
C:\WINDOWS\system32\SET781.tmp moved successfully.
C:\WINDOWS\system32\SET539.tmp moved successfully.
C:\WINDOWS\system32\SET42C.tmp moved successfully.
C:\WINDOWS\system32\SET2B1.tmp moved successfully.
C:\WINDOWS\003088_.tmp moved successfully.
C:\WINDOWS\DUMP59a9.tmp moved successfully.
C:\WINDOWS\DUMP594b.tmp moved successfully.
C:\sqmdata07.sqm moved successfully.
C:\sqmnoopt07.sqm moved successfully.
C:\WINDOWS\system32\SET1277.tmp moved successfully.
C:\WINDOWS\system32\SET1278.tmp moved successfully.
C:\WINDOWS\system32\SET129E.tmp moved successfully.
C:\WINDOWS\system32\SET12C8.tmp moved successfully.
Error: Unable to interpret <:\WINDOWS\system32\SET1269.tmp> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\SET1261.tmp> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\SET6E0.tmp> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\SET6E6.tmp> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\SET3E0.tmp> in the current context!
Error: Unable to interpret <C:\WINDOWS\003081_.tmp> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\drivers\_003461_.tmp.dll> in the current context!
Error: Unable to interpret <C:\WINDOWS\DUMP5c0a.tmp> in the current context!
========== SERVICES/DRIVERS ==========
Service 02626 stopped successfully.
Service 02626 deleted successfully.
Service 02641 stopped successfully.
Service 02641 deleted successfully.
Service aee42 stopped successfully.
Service aee42 deleted successfully.
Service d6427 stopped successfully.
Service d6427 deleted successfully.
Service 8e743 stopped successfully.
Service 8e743 deleted successfully.
Service e3a28 stopped successfully.
Service e3a28 deleted successfully.
Unable to stop service 02629 .
Unable to stop service 02648 .
Unable to stop service 74B4A .
Unable to stop service A5149 .
Unable to stop service C872B .
Unable to stop service CBE2A .
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\giacomo\IMPOST~1\Temp\hsperfdata_giacomo\3848 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\giacomo\IMPOST~1\Temp\avviso assemblea.doc scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\giacomo\IMPOST~1\Temp\etilqs_vwpr299cG3KoGPsSuefQ scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\giacomo\IMPOST~1\Temp\IMG25.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\giacomo\IMPOST~1\Temp\~DF90E5.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\giacomo\IMPOST~1\Temp\~DFCE3B.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\T30DebugLogFile.txt scheduled to be deleted on reboot.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\giacomo\Dati applicazioni\Sun\Java\Deployment\cache\6.0\35\405388a3-6b6bdcb3 scheduled to be deleted on reboot.
Java cache emptied.
File delete failed. C:\Documents and Settings\giacomo\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\kpj17vtd.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\giacomo\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\kpj17vtd.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\giacomo\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\kpj17vtd.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\giacomo\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\kpj17vtd.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\giacomo\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\kpj17vtd.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\giacomo\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\kpj17vtd.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10202008_220200

[Amantide]

Per terminare le pulizie fai anche la scansione con Malwarebytes' Anti-Malware, poi incrocia le dita, riavvia... e vedi se vanno ste benedette pen drive

[john locke]

la scansione è tutta ok!!!
ma la pendrive ancora niente mi da flash disk con pt esclamativo

[john locke]

scansione tutto ok ma di leggere le pendrive ancora niente

[Amantide]

Immagino che hai anche riavviato prima di provare?

[john locke]

allora faccio un esperimento... ho copiato tutti i file usb ( con la funzione cerca) da un computer sano della cartella windows drivers e li ho copiati dentro una cartella del mio portatile (la cartella l'ho chiamata usb sano ) .Poi ho copiato sempre con la funzione cerca tutti i file usb del windows "malato" e li ho messi dentro una cartella (usb malato ). Confrontando le cartelle noto che nella cartella "usb malato" mancano alcune estensioni *usb*.ddl.
Con la speranza che tutti i file usb di windows siano nella cartella drivers ora provo a sovrascrivere... e poi riavvio. mi sembra un tentativo alla disperata ma ormai le ho provate tutte... male che va rimetto i file che c'erano prima...

il tentativo non ha avuto risultato, non ho ne peggiorato ne migliorato niente...

ps per il ripristino dalla console mi chiede la password di amministratore, metto quella del mio account e non l'accetta, faccio invio e non l'accetta...

[Amantide]

ps per il ripristino dalla console mi chiede la password di amministratore, metto quella del mio account e non l'accetta, faccio invio e non l'accetta...

La password richiesta è di Administrator, quindi quella del tuo account non va bene, anche se privileggia dei diritti di amministratore. Ammeno che non hai impostato una password a questo account (che è visibile solo dalla modalità provvisoria) durante l'installazione del XP, questo non dovrebbe esserci, e già che ci sei controlla se riesci ad accedere dalla modalità provvisoria al account Administrator senza inserire alcuna password.

[john locke]

riepilogando, riavvio in modalita provvisoria (facendo f8) e avvio console di ripristino? ma serve il cd? non rischio di peredere niente giusto?

[Amantide]

Devi avviare il pc in modalità provvisoria solo per controllare se l'account Administrator è bloccato da una password.