[HELP] Trojan Virtumonde,Xema,Tdss,bad_sites


Post by rolcia2 » Fri Jan 23, 2009 12:43 pm

Hi everyone, help me Ste...... So, I'll start: about 1 week ago I installed a program called Babylon by mistake, and from then on, problems. When I open eMule (the "mule") it tells me there are fakes in the downloaded files and they stay in hashing for a long time, then everything slows down. Then Ad-Aware SE Prof. detects the Xema trojan and it gets deleted, then ScanSpyware detects Bifrost and it gets deleted, then Spybot detects Virtumonde and deletes it. I should point out that I also used msfix, virtumonde, and ComboFix, which found and removed infections, but to date without success. If I open eMule now everything starts slowing down. I've noticed that every now and then System Restore (of XP Pro, obviously, ahem) gets turned on by itself, and I obviously disable it every time. Recently I installed Spyware Doctor and it detected TDSS, Virtumonde, Xema and bad sites known and other less relevant ones like advertising, removing them all; then I reboot and reopen eMule but it's always the same... CPU at 100%, everything slows down and then the PC freezes. I also ran CCleaner to try to put everything back in order, but without success. I ran Kaspersky online and it found 3 infections on keygens that I've always used and that never gave problems.... Ste, give us a sign..... Thanks for the help....
rolcia2
Aficionado
Posts: 35
Joined: Sun Feb 03, 2008 10:13 am

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by Amantide » Fri Jan 23, 2009 12:58 pm

Post the Combofix log.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by rolcia2 » Fri Jan 23, 2009 2:02 pm

ComboFix 09-01-21.04 - Rolex 2009-01-23 13.46.06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.393 [GMT 1:00]
Eseguito da: c:\documents and settings\Rolex\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090121-0] *On-access scanning disabled* (Updated)
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rolex\Impostazioni locali\Dati applicazioni\qiwccca.dat
c:\documents and settings\Rolex\Impostazioni locali\Dati applicazioni\qiwccca.exe
c:\documents and settings\Rolex\Impostazioni locali\Dati applicazioni\qiwccca_nav.dat
c:\documents and settings\Rolex\Impostazioni locali\Dati applicazioni\qiwccca_navps.dat
c:\windows\Tasks\aaupisqo.job

.
((((((((((((((((((((((((( Files Creati Da 2008-12-23 al 2009-01-23 )))))))))))))))))))))))))))))))))))
.

2009-01-22 22:39 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-22 22:39 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-22 22:39 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-22 22:39 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-22 22:38 . 2009-01-22 23:11 <DIR> d-------- c:\programmi\Spyware Doctor
2009-01-22 22:38 . 2009-01-22 22:38 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\PC Tools
2009-01-22 18:23 . 2009-01-22 18:23 <DIR> d-------- c:\programmi\ScanSpyware
2009-01-22 18:23 . 2008-09-07 17:22 8,704 --a------ c:\windows\system32\ssbtsr.exe
2009-01-21 22:30 . 2006-12-28 12:01 19,569 --a------ c:\windows\000001_.tmp
2009-01-17 23:00 . 2009-01-18 09:52 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\Download Manager
2009-01-12 23:57 . 2009-01-13 16:59 22,328 --a------ c:\documents and settings\Rolex\Dati applicazioni\PnkBstrK.sys
2009-01-12 09:53 . 2009-01-12 09:53 <DIR> d-------- C:\VundoFix Backups
2009-01-10 23:02 . 2009-01-10 23:02 <DIR> d-------- c:\programmi\CCleaner
2009-01-10 00:06 . 2009-01-22 23:32 250 --a------ c:\windows\gmer.ini
2009-01-09 22:19 . 2009-01-09 22:19 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\Babylon
2009-01-09 22:19 . 2009-01-09 22:19 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Babylon
2009-01-09 20:58 . 2006-09-12 12:46 227,328 -rahs---- c:\windows\system32\ac3DX.ax
2009-01-09 20:58 . 2008-03-16 14:30 216,064 -rahs---- c:\windows\system32\nbDX.dll
2009-01-09 20:58 . 2006-03-10 22:48 169,472 -rahs---- c:\windows\system32\MatroskaDX.ax
2009-01-09 20:58 . 2006-05-03 11:06 163,328 -rahs---- c:\windows\system32\flvDX.dll
2009-01-09 20:58 . 2005-11-25 21:46 161,792 -rahs---- c:\windows\system32\RealMediaDX.ax
2009-01-09 20:58 . 2006-01-13 00:23 123,904 -rahs---- c:\windows\system32\AVCDX.ax
2009-01-09 20:58 . 2003-11-21 00:00 54,784 -rahs---- c:\windows\system32\RLAPEDec.ax
2009-01-09 20:58 . 2004-04-27 00:00 37,888 -rahs---- c:\windows\system32\RLMPCDec.ax
2009-01-09 20:58 . 2007-02-21 12:47 31,232 -rahs---- c:\windows\system32\msfDX.dll
2009-01-09 12:50 . 2009-01-09 12:50 <DIR> d-------- c:\programmi\ffdshow
2009-01-09 12:50 . 2008-12-17 19:22 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-01-09 12:50 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-01-06 22:57 . 2009-01-07 00:00 <DIR> d-------- c:\programmi\Oberon Media
2009-01-06 22:57 . 2009-01-06 22:57 <DIR> d-------- c:\programmi\File comuni\Oberon Media
2008-12-26 11:44 . 2008-12-26 11:44 <DIR> d-------- c:\programmi\TeamViewer
2008-12-23 09:25 . 2008-12-23 09:25 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\Windows Live Writer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 12:44 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\Skype
2009-01-23 12:02 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-01-23 07:30 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\skypePM
2009-01-23 00:10 --------- d-----w c:\programmi\eMule
2009-01-23 00:10 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-01-21 21:46 --------- d-----w c:\programmi\Microsoft
2009-01-21 11:49 --------- d-----w c:\programmi\ScanSpyware v3.8.0.4
2009-01-16 22:12 --------- d-----w c:\documents and settings\LocalService\Dati applicazioni\TeamViewer
2009-01-13 15:40 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-12-26 21:08 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\VoipDiscount
2008-12-26 10:44 --------- d-----w c:\programmi\TeamViewer3
2008-12-19 16:18 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-19 16:18 --------- d-----w c:\programmi\Java
2008-12-17 22:14 --------- d-----w c:\programmi\Windows Live
2008-12-17 22:10 --------- d-----w c:\programmi\Windows Live SkyDrive
2008-12-11 15:00 --------- d-----w c:\programmi\Classic PhoneTools
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 18:15 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\U3
2008-12-08 22:32 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\vlc
2008-12-02 21:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
2008-12-01 20:43 --------- d-----w c:\programmi\Philips
2008-11-23 17:50 --------- d-----w c:\programmi\File comuni\Adobe
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-05-01 11:33 2,554 -c--a-w c:\documents and settings\Rolex\Dati applicazioni\SAS7_000.DAT
2007-11-24 18:05 32 -c--a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
2007-10-19 20:54 61 --sh--w c:\windows\cnerolf.dat
2006-05-03 10:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2008-10-03 09:45 15,014 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 13:30 216,064 --sha-r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2008-12-02 3882312]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"VoipDiscount"="f:\documenti rolando\File ricevuti\voipdiscount.exe" [2008-12-05 9073976]
"AlcoholAutomount"="c:\programmi\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"AnyDVD"="c:\programmi\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-09 2182080]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2008-10-16 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 196608]
"LVCOMS"="c:\programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\programmi\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\programmi\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"OmniPage"="c:\programmi\Caere\OmniPagePro90\opware32.exe" [1998-11-19 44032]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2006-02-08 278528]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-01-20 155648]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2008-01-29 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ISTray"="c:\programmi\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 c:\windows\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Rolex\Menu Avvio\Programmi\Esecuzione automatica\
Run VNC Server.lnk - c:\programmi\RealVNC\VNC4\winvnc4.exe [2008-01-14 914808]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio rapido HP Photosmart Premier.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 73728]
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 45056]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Instant Update Reminder.lnk - c:\programmi\U.S. Robotics\ControlCenter\Reminder.exe [2008-11-10 977408]
Server4PC.lnk - c:\programmi\TechniSat DVB\bin\Server4PC.exe [2008-04-13 328968]
Windows Search.lnk - c:\programmi\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
WinZip Quick Pick.lnk - c:\programmi\WinZip\WZQKPICK.EXE [2007-12-03 394856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmi\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Programmi\\TechniSat DVB\\bin\\Server4PC.exe"=
"c:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programmi\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Programmi\\tvants\\Tvants.exe"=
"c:\\Programmi\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Programmi\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Documents and Settings\\Rolex\\Dati applicazioni\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\PPMate\\ppmate.exe"=
"c:\\Programmi\\PPMate\\ppamnet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Programmi\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"e:\\PROGRAMMI\\WINMX\\WinMX.exe"=
"c:\\Programmi\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"=
"c:\\Programmi\\InternetCalls.com\\InternetCalls\\InternetCalls.exe"=
"c:\\Programmi\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"f:\\Documenti Rolando\\File ricevuti\\VoipDiscount.exe"=
"d:\\Programmi\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"d:\\Programmi\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"d:\\Programmi\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"d:\\Programmi\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"d:\\Programmi\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Documents and Settings\\Rolex\\Desktop\\Release\\eTAXI s.r.l.exe"=
"f:\\Programmi\\ProgDVB\\ProgDvbNet.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Programmi\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Programmi\\U.S. Robotics\\ControlCenter\\ctrlcntr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programmi\\U.S. Robotics\\ControlCenter\\Reminder.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"f:\\Programmi\\PoWeR-Script.0.2.1\\mIRC.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-05 111184]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2007-09-23 14095]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\drivers\SkyNET.sys [2007-09-23 419344]
R3 SWUSBFLT;Driver filtro Microsoft SideWinder VIA;c:\windows\system32\drivers\SWUSBFLT.SYS [2007-10-07 3968]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-05 20560]
R4 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-11-11 38144]
R4 sdAuxService;PC Tools Auxiliary Service;c:\programmi\Spyware Doctor\pctsAuxs.exe [2009-01-22 356920]
R4 TeamViewer4;TeamViewer 4;c:\programmi\TeamViewer\Version4\TeamViewer_Service.exe [2008-12-23 185640]
S0 xailqqua;xailqqua;c:\windows\system32\drivers\xnuqcefc.sys --> c:\windows\system32\drivers\xnuqcefc.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-11-13 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-11-13 8320]
S3 sagmc07bus;Sagem Communication Mobile Platform MC2007 driver (WDM);c:\windows\system32\drivers\sagmc07bus.sys [2008-02-21 83848]
S3 sagmc07mdfl;Sagem Communication MC2007 WMC CDC Modem Filter;c:\windows\system32\drivers\sagmc07mdfl.sys [2008-02-21 15240]
S3 sagmc07mdm;Sagem Communication MC2007 WMC CDC Modem Driver;c:\windows\system32\drivers\sagmc07mdm.sys [2008-02-21 110088]
S3 sagmc07mgmt;Sagem Communication MC2007 Device Management Drivers (WDM);c:\windows\system32\drivers\sagmc07mgmt.sys [2008-02-21 103304]
S3 sagmc07obex;Sagem Communication MC2007 WMC OBEX;c:\windows\system32\drivers\sagmc07obex.sys [2008-02-21 100104]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2008-04-25 14848]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3788f94a-4df6-11dd-9c18-001060d02731}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
.
------- Scansione supplementare -------
.
uStart Page = http://www.google.it/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mWindow Title =
uInternet Settings,ProxyOverride = localhost
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {9A292BC9-99A0-45BB-ABA8-98D3916B66FA} = 193.70.152.15,193.70.152.25
DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} - hxxp://uc.sina.com.con/download/live/weblive2.4.0.0.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.4.2.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 13:49:45
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1292428093-606747145-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2C4D5650-C168-F6A0-C50E-695D875DC689}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"pahneiicdalmlenkjgodlilmgoioapab"=hex:6a,61,6f,61,6c,64,6e,6d,6a,61,67,6a,65,
6c,63,61,67,70,6d,6f,00,50
"oajnkdadifbiaenglfkblbkplcalgo"=hex:6a,61,6f,61,6c,64,6e,6d,6a,61,67,6a,65,6c,
63,61,67,70,6d,6f,00,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ee,17,79,b4,b4,
6a,c6,ad,e2,63,26,f1,3f,c8,ff,68,03,4a,36,33,ec,fb,dc,75,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,97,de,d7,d8,57,
43,ce,c7,6a,9c,d6,61,af,45,84,18,f3,59,17,e1,d4,9d,fc,27,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,50,cb,37,82,7b,
b9,d2,f1,ff,7c,85,e0,43,d4,0e,fe,94,4e,1a,47,33,73,f6,68,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,62,9f,9e,3b,21,
99,4f,26,86,8c,21,01,be,91,eb,e7,f9,2b,79,09,7a,25,24,2b,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,4d,97,0d,4b,3f,
12,7b,2e,f5,1d,4d,73,a8,13,5c,05,d1,f2,2f,04,d6,b4,ec,5f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,f3,e4,3f,be,8d,
8e,60,38,df,20,58,62,78,6b,cf,c8,ad,69,b5,8e,74,f8,63,6e,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,43,dd,a3,84,6c,
95,ab,05,fb,a7,78,e6,12,2f,9a,ea,0e,92,ba,97,42,c4,a0,eb,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,89,34,57,d7,ba,
21,5c,1c,01,3a,48,fc,e8,04,4a,f1,81,a5,9b,b1,bb,dd,84,73,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,1a,9c,f0,d8,16,
eb,76,72,f6,0f,4e,58,98,5b,89,c9,5f,9a,03,2f,12,b4,2c,08,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,2a,18,74,e5,f2,
62,3d,d7,3d,ce,ea,26,2d,45,aa,78,64,9c,41,53,e1,95,4e,71,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,85,a0,42,2d,63,
42,7e,e8,2a,b7,cc,b5,b9,7f,41,e7,a7,3e,74,6a,21,42,87,54,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,bc,3d,4c,af,a4,
d1,cc,3e,6c,43,2d,1e,aa,22,2f,9c,a9,4c,7f,25,fb,e7,6a,58,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Ora fine scansione: 2009-01-23 13.52.58
ComboFix-quarantined-files.txt 2009-01-23 12:52:31
ComboFix2.txt 2009-01-10 13:02:13

Pre-Run: 10.858.856.448 byte disponibili
Post-Run: 10,836,590,592 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
333 --- E O F --- 2009-01-14 11:52:19
rolcia2
Aficionado
Posts: 35
Joined: Sun Feb 03, 2008 10:13 am


Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by Amantide » Fri Jan 23, 2009 2:32 pm

Copy and paste the following text into Notepad and save the file on the desktop with the name CFScript.txt.

Code:
File::
c:\windows\system32\ssbtsr.exe
c:\windows\000001_.tmp
c:\windows\cnerolf.dat
c:\windows\system32\drivers\xnuqcefc.sys

Driver::
xailqqua


Now drag the CFScript.txt file onto the Combofix.exe icon and wait for the scan to finish. Post the new Combofix log, placing it between LOG tags.
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo
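An added triage script, not code from the forum, from ComboFix or from its author, showing how the step above can be mechanised: it reads the service/driver block of a log like the one posted, flags the entry the helper selected (a boot-start driver whose image file the log could not read), and renders it in the File::/Driver:: layout of the CFScript. It assumes that `[?]` after `-->` is ComboFix's marker for an image file it could not read; the sample lines are constructed from the posted log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the service/driver block of a ComboFix log:
#   <start> <short name>;<display name>;<image path> [<date> <size>]
# or, when the image file could not be read on disk (assumed meaning of "[?]"):
#   <start> <short name>;<display name>;<image path> --> <image path> [?]
SAMPLE_LOG = """\
R1 aswSP;avast! Self Protection;c:\\windows\\system32\\drivers\\aswSP.sys [2008-04-05 111184]
R3 LCcfltr;Logitech USB Filter Driver;c:\\windows\\system32\\drivers\\LCcfltr.sys [2007-09-23 14095]
S0 xailqqua;xailqqua;c:\\windows\\system32\\drivers\\xnuqcefc.sys --> c:\\windows\\system32\\drivers\\xnuqcefc.sys [?]
S3 SIUSBXP;SIUSBXP;c:\\windows\\system32\\drivers\\SiUSBXp.sys [2008-04-25 14848]
"""

# R = running, S = stopped; the digit is the Windows start type (0 = boot start).
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    file_present: bool
    reasons: list[str] = field(default_factory=list)


def parse_services(log_text: str) -> list[ServiceEntry]:
    """Extract every service/driver line from ComboFix log text."""
    entries: list[ServiceEntry] = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue  # lines from other log sections do not match the service layout
        entries.append(ServiceEntry(
            start=m.group("start"),
            name=m.group("name"),
            display=m.group("display"),
            path=m.group("resolved") or m.group("path"),
            file_present=m.group("meta") != "?",
        ))
    return entries


def triage(entries: list[ServiceEntry]) -> list[ServiceEntry]:
    """Return the entries worth a closer look, with the reasons attached."""
    flagged: list[ServiceEntry] = []
    for e in entries:
        if not e.file_present:
            e.reasons.append("image file could not be read (log shows [?])")
        if e.display == e.name and e.name.isalpha() and e.name.islower():
            e.reasons.append("display name is just the all-lowercase short name")
        if e.start[1] == "0":
            e.reasons.append("boot-start driver, loads before anti-malware services")
        # A single boot-start or naming hint is normal for legitimate drivers;
        # escalate only when the image is missing or several hints coincide.
        if not e.file_present or len(e.reasons) >= 2:
            flagged.append(e)
    return flagged


def build_cfscript(flagged: list[ServiceEntry]) -> str:
    """Render flagged entries in the File::/Driver:: layout used in the thread."""
    files = sorted({e.path for e in flagged})
    drivers = sorted({e.name for e in flagged})
    return "\n".join(["File::", *files, "", "Driver::", *drivers, ""])


if __name__ == "__main__":
    hits = triage(parse_services(SAMPLE_LOG))
    for e in hits:
        print(f"{e.start} {e.name} -> {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
    print()
    print(build_cfscript(hits))
```

The heuristics only rank entries for a human to review; every other line of the posted log (the `[?]`-free drivers) passes through unflagged.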

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by viktorhugo » Fri Jan 23, 2009 2:44 pm

Use Malwarebytes, which you can download from www.malwarebytes.org. It's very good and it solved a highly critical situation with the same trojans for me.

Bye, Vik

http://www.download.com/Malwarebytes-An ... tag=button
viktorhugo
Aficionado
Posts: 33
Joined: Tue Apr 25, 2006 12:06 pm

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by rolcia2 » Fri Jan 23, 2009 3:12 pm

Do I have to disable System Restore while carrying out the operations? Also, during the scan it installed the Recovery Console for me,
so should I leave it enabled or not?
Thanks
rolcia2
Aficionado
Posts: 35
Joined: Sun Feb 03, 2008 10:13 am

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by rolcia2 » Fri Jan 23, 2009 10:31 pm

ComboFix 09-01-21.04 - Rolex 2009-01-23 19.14.38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.193 [GMT 1:00]
Eseguito da: c:\documents and settings\Rolex\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Rolex\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090121-0] *On-access scanning disabled* (Updated)
* Creato nuovo punto di ripristino

FILE ::
c:\windows\000001_.tmp
c:\windows\cnerolf.dat
c:\windows\system32\drivers\xnuqcefc.sys
c:\windows\system32\ssbtsr.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\000001_.tmp
c:\windows\cnerolf.dat
c:\windows\system32\ssbtsr.exe

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XAILQQUA
-------\Service_xailqqua


((((((((((((((((((((((((( Files Creati Da 2008-12-23 al 2009-01-23 )))))))))))))))))))))))))))))))))))
.

2009-01-22 22:39 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-22 22:39 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-22 22:39 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-22 22:39 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-22 22:38 . 2009-01-22 23:11 <DIR> d-------- c:\programmi\Spyware Doctor
2009-01-22 22:38 . 2009-01-22 22:38 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\PC Tools
2009-01-22 18:23 . 2009-01-22 18:23 <DIR> d-------- c:\programmi\ScanSpyware
2009-01-17 23:00 . 2009-01-18 09:52 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\Download Manager
2009-01-12 23:57 . 2009-01-13 16:59 22,328 --a------ c:\documents and settings\Rolex\Dati applicazioni\PnkBstrK.sys
2009-01-12 09:53 . 2009-01-12 09:53 <DIR> d-------- C:\VundoFix Backups
2009-01-10 23:02 . 2009-01-10 23:02 <DIR> d-------- c:\programmi\CCleaner
2009-01-10 00:06 . 2009-01-22 23:32 250 --a------ c:\windows\gmer.ini
2009-01-09 22:19 . 2009-01-09 22:19 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\Babylon
2009-01-09 22:19 . 2009-01-09 22:19 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Babylon
2009-01-09 20:58 . 2006-09-12 12:46 227,328 -rahs---- c:\windows\system32\ac3DX.ax
2009-01-09 20:58 . 2008-03-16 14:30 216,064 -rahs---- c:\windows\system32\nbDX.dll
2009-01-09 20:58 . 2006-03-10 22:48 169,472 -rahs---- c:\windows\system32\MatroskaDX.ax
2009-01-09 20:58 . 2006-05-03 11:06 163,328 -rahs---- c:\windows\system32\flvDX.dll
2009-01-09 20:58 . 2005-11-25 21:46 161,792 -rahs---- c:\windows\system32\RealMediaDX.ax
2009-01-09 20:58 . 2006-01-13 00:23 123,904 -rahs---- c:\windows\system32\AVCDX.ax
2009-01-09 20:58 . 2003-11-21 00:00 54,784 -rahs---- c:\windows\system32\RLAPEDec.ax
2009-01-09 20:58 . 2004-04-27 00:00 37,888 -rahs---- c:\windows\system32\RLMPCDec.ax
2009-01-09 20:58 . 2007-02-21 12:47 31,232 -rahs---- c:\windows\system32\msfDX.dll
2009-01-09 12:50 . 2009-01-09 12:50 <DIR> d-------- c:\programmi\ffdshow
2009-01-09 12:50 . 2008-12-17 19:22 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-01-09 12:50 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-01-06 22:57 . 2009-01-07 00:00 <DIR> d-------- c:\programmi\Oberon Media
2009-01-06 22:57 . 2009-01-06 22:57 <DIR> d-------- c:\programmi\File comuni\Oberon Media
2008-12-26 11:44 . 2008-12-26 11:44 <DIR> d-------- c:\programmi\TeamViewer
2008-12-23 09:25 . 2008-12-23 09:25 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\Windows Live Writer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 18:27 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\Skype
2009-01-23 18:26 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\skypePM
2009-01-23 18:24 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-01-23 00:10 --------- d-----w c:\programmi\eMule
2009-01-23 00:10 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-01-21 21:46 --------- d-----w c:\programmi\Microsoft
2009-01-21 11:49 --------- d-----w c:\programmi\ScanSpyware v3.8.0.4
2009-01-16 22:12 --------- d-----w c:\documents and settings\LocalService\Dati applicazioni\TeamViewer
2009-01-13 15:40 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-12-26 21:08 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\VoipDiscount
2008-12-26 10:44 --------- d-----w c:\programmi\TeamViewer3
2008-12-19 16:18 --------- d-----w c:\programmi\Java
2008-12-17 22:14 --------- d-----w c:\programmi\Windows Live
2008-12-17 22:10 --------- d-----w c:\programmi\Windows Live SkyDrive
2008-12-11 15:00 --------- d-----w c:\programmi\Classic PhoneTools
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 18:15 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\U3
2008-12-08 22:32 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\vlc
2008-12-01 20:43 --------- d-----w c:\programmi\Philips
2008-11-23 17:50 --------- d-----w c:\programmi\File comuni\Adobe
2008-05-01 11:33 2,554 -c--a-w c:\documents and settings\Rolex\Dati applicazioni\SAS7_000.DAT
2007-11-24 18:05 32 -c--a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
2006-05-03 10:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2008-10-03 09:45 15,014 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 13:30 216,064 --sha-r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-23_13.50.54,20 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-23 07:37:41 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-23 18:22:14 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-23 07:37:41 32,768 -c--a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2009-01-23 18:22:14 32,768 -c--a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2009-01-23 07:37:41 32,768 -c--a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-23 18:22:14 32,768 -c--a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-23 18:21:57 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6a4.dat
- 2009-01-23 07:37:19 16,384 ----atw c:\windows\temp\Perflib_Perfdata_794.dat
+ 2009-01-23 18:21:47 16,384 ----atw c:\windows\temp\Perflib_Perfdata_794.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2008-12-02 3882312]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"VoipDiscount"="f:\documenti rolando\File ricevuti\voipdiscount.exe" [2008-12-05 9073976]
"AlcoholAutomount"="c:\programmi\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"AnyDVD"="c:\programmi\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-09 2182080]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2008-10-16 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 196608]
"LVCOMS"="c:\programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\programmi\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\programmi\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"OmniPage"="c:\programmi\Caere\OmniPagePro90\opware32.exe" [1998-11-19 44032]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2006-02-08 278528]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-01-20 155648]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2008-01-29 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ISTray"="c:\programmi\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 c:\windows\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Rolex\Menu Avvio\Programmi\Esecuzione automatica\
Run VNC Server.lnk - c:\programmi\RealVNC\VNC4\winvnc4.exe [2008-01-14 914808]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio rapido HP Photosmart Premier.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 73728]
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 45056]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Instant Update Reminder.lnk - c:\programmi\U.S. Robotics\ControlCenter\Reminder.exe [2008-11-10 977408]
Server4PC.lnk - c:\programmi\TechniSat DVB\bin\Server4PC.exe [2008-04-13 328968]
Windows Search.lnk - c:\programmi\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
WinZip Quick Pick.lnk - c:\programmi\WinZip\WZQKPICK.EXE [2007-12-03 394856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmi\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Programmi\\TechniSat DVB\\bin\\Server4PC.exe"=
"c:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programmi\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Programmi\\tvants\\Tvants.exe"=
"c:\\Programmi\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Programmi\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Documents and Settings\\Rolex\\Dati applicazioni\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\PPMate\\ppmate.exe"=
"c:\\Programmi\\PPMate\\ppamnet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Programmi\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"e:\\PROGRAMMI\\WINMX\\WinMX.exe"=
"c:\\Programmi\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"=
"c:\\Programmi\\InternetCalls.com\\InternetCalls\\InternetCalls.exe"=
"c:\\Programmi\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"f:\\Documenti Rolando\\File ricevuti\\VoipDiscount.exe"=
"d:\\Programmi\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"d:\\Programmi\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"d:\\Programmi\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"d:\\Programmi\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"d:\\Programmi\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Documents and Settings\\Rolex\\Desktop\\Release\\eTAXI s.r.l.exe"=
"f:\\Programmi\\ProgDVB\\ProgDvbNet.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Programmi\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Programmi\\U.S. Robotics\\ControlCenter\\ctrlcntr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programmi\\U.S. Robotics\\ControlCenter\\Reminder.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"f:\\Programmi\\PoWeR-Script.0.2.1\\mIRC.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-05 111184]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2007-09-23 14095]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\drivers\SkyNET.sys [2007-09-23 419344]
R3 SWUSBFLT;Driver filtro Microsoft SideWinder VIA;c:\windows\system32\drivers\SWUSBFLT.SYS [2007-10-07 3968]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-05 20560]
R4 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-11-11 38144]
R4 sdAuxService;PC Tools Auxiliary Service;c:\programmi\Spyware Doctor\pctsAuxs.exe [2009-01-22 356920]
R4 TeamViewer4;TeamViewer 4;c:\programmi\TeamViewer\Version4\TeamViewer_Service.exe [2008-12-23 185640]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-11-13 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-11-13 8320]
S3 sagmc07bus;Sagem Communication Mobile Platform MC2007 driver (WDM);c:\windows\system32\drivers\sagmc07bus.sys [2008-02-21 83848]
S3 sagmc07mdfl;Sagem Communication MC2007 WMC CDC Modem Filter;c:\windows\system32\drivers\sagmc07mdfl.sys [2008-02-21 15240]
S3 sagmc07mdm;Sagem Communication MC2007 WMC CDC Modem Driver;c:\windows\system32\drivers\sagmc07mdm.sys [2008-02-21 110088]
S3 sagmc07mgmt;Sagem Communication MC2007 Device Management Drivers (WDM);c:\windows\system32\drivers\sagmc07mgmt.sys [2008-02-21 103304]
S3 sagmc07obex;Sagem Communication MC2007 WMC OBEX;c:\windows\system32\drivers\sagmc07obex.sys [2008-02-21 100104]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2008-04-25 14848]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3788f94a-4df6-11dd-9c18-001060d02731}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = http://www.google.it/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mWindow Title =
uInternet Settings,ProxyOverride = localhost
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {9A292BC9-99A0-45BB-ABA8-98D3916B66FA} = 193.70.152.15,193.70.152.25
DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} - hxxp://uc.sina.com.con/download/live/weblive2.4.0.0.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.4.2.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 19:27:40
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-606747145-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2C4D5650-C168-F6A0-C50E-695D875DC689}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"pahneiicdalmlenkjgodlilmgoioapab"=hex:6a,61,6f,61,6c,64,6e,6d,6a,61,67,6a,65,
6c,63,61,67,70,6d,6f,00,50
"oajnkdadifbiaenglfkblbkplcalgo"=hex:6a,61,6f,61,6c,64,6e,6d,6a,61,67,6a,65,6c,
63,61,67,70,6d,6f,00,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ee,17,79,b4,b4,
6a,c6,ad,e2,63,26,f1,3f,c8,ff,68,03,4a,36,33,ec,fb,dc,75,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,97,de,d7,d8,57,
43,ce,c7,6a,9c,d6,61,af,45,84,18,f3,59,17,e1,d4,9d,fc,27,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,50,cb,37,82,7b,
b9,d2,f1,ff,7c,85,e0,43,d4,0e,fe,94,4e,1a,47,33,73,f6,68,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,62,9f,9e,3b,21,
99,4f,26,86,8c,21,01,be,91,eb,e7,f9,2b,79,09,7a,25,24,2b,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,4d,97,0d,4b,3f,
12,7b,2e,f5,1d,4d,73,a8,13,5c,05,d1,f2,2f,04,d6,b4,ec,5f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,f3,e4,3f,be,8d,
8e,60,38,df,20,58,62,78,6b,cf,c8,ad,69,b5,8e,74,f8,63,6e,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,43,dd,a3,84,6c,
95,ab,05,fb,a7,78,e6,12,2f,9a,ea,0e,92,ba,97,42,c4,a0,eb,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,89,34,57,d7,ba,
21,5c,1c,01,3a,48,fc,e8,04,4a,f1,81,a5,9b,b1,bb,dd,84,73,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,1a,9c,f0,d8,16,
eb,76,72,f6,0f,4e,58,98,5b,89,c9,5f,9a,03,2f,12,b4,2c,08,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,2a,18,74,e5,f2,
62,3d,d7,3d,ce,ea,26,2d,45,aa,78,64,9c,41,53,e1,95,4e,71,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,85,a0,42,2d,63,
42,7e,e8,2a,b7,cc,b5,b9,7f,41,e7,a7,3e,74,6a,21,42,87,54,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,bc,3d,4c,af,a4,
d1,cc,3e,6c,43,2d,1e,aa,22,2f,9c,a9,4c,7f,25,fb,e7,6a,58,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
------------------------ Other Running Processes ------------------------
.
c:\programmi\Alwil Software\Avast4\aswUpdSv.exe
c:\programmi\Alwil Software\Avast4\ashServ.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\programmi\Spyware Doctor\pctsSvc.exe
c:\programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\searchindexer.exe
c:\programmi\TeamViewer\Version4\TeamViewer.exe
c:\programmi\Logitech\MouseWare\system\EM_EXEC.EXE
c:\windows\system32\ntvdm.exe
c:\programmi\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\programmi\HP\Digital Imaging\bin\hpqnrs08.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\programmi\HP\Digital Imaging\bin\hpqste08.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
c:\programmi\HP\Digital Imaging\bin\hpqimzone.exe
c:\programmi\Windows Live\Contacts\wlcomm.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\HPZinw12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-23 19:33:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-23 18:33:49
ComboFix2.txt 2009-01-23 12:53:01
ComboFix3.txt 2009-01-10 13:02:13

Pre-Run: 10,831,421,440 bytes free
Post-Run: 10,791,886,848 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
371 --- E O F --- 2009-01-14 11:52:19
rolcia2
Aficionado
Posts: 35
Joined: Sun Feb 03, 2008 10:13 am
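Reading the log above the way a responder would, four sections carry most of the signal: the Run keys (an autostart launched from a received-files folder on f:, "VoipDiscount"), the firewall exception list (binaries under the user's profile and Desktop, plus 3389:TCP opened to everyone), the catchme result (ZwClose hooked in NTDLL) and the locked CLSID\{...}\InprocServer32 keys whose default points at OLE32.DLL and which carry a binary value named with 32 hex digits. The script below is an added example written for this edit; it is not from the thread, from ComboFix or from PC Tools. It walks a ComboFix log once and reports entries matching those four patterns. The rule names, the list of user-writable path markers and the PORT_NAMES table are the editor's assumptions, and SAMPLE_LOG is an excerpt of the log posted above. A hit is a lead, not a verdict: the user's own VoIP client living in "File ricevuti" is unusual rather than malicious by itself, an NTDLL hook can come from security software that hooks system calls (this host runs avast! self-protection and Spyware Doctor), and the locked CLSID shape is also produced by some licensing and copy-protection components, so each hit still has to be checked on the host (vendor, signature, hash).

```python
"""Triage heuristics for a pasted ComboFix log (editor's added example, not code from
the thread or from ComboFix). The rules are a hypothetical starting point: every hit
is a lead to verify on the host, not a verdict."""
import re

# Value formats as ComboFix prints them.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
FW_PATH_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
FW_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=', re.I)
HEX_VALUE_RE = re.compile(r'^"[0-9a-f]{32}"=hex:', re.I)
LOCKED_CLSID_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32\*\]$', re.I)
NTDLL_MOD = "detected NTDLL code modification:"
# Block headers that open a section this script cares about.
SECTION_HEADERS = (
    ("run", re.compile(r'^\[HKEY_[^\]]*\\CurrentVersion\\Run\]$', re.I)),
    ("fw_apps", re.compile(r'AuthorizedApplications\\List\]$', re.I)),
    ("fw_ports", re.compile(r'GloballyOpenPorts\\List\]$', re.I)),
    ("clsid", LOCKED_CLSID_RE),
)
# Directories a legitimate autostart or firewall exception rarely runs from
# (XP English and Italian folder names; assumption: extend per locale).
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\desktop\\", "\\temp\\",
                         "\\file ricevuti\\", "\\dati applicazioni\\", "\\application data\\")
# Services behind globally opened ports (assumption: extend as needed).
PORT_NAMES = {"3389": "Remote Desktop"}


def is_user_writable(path: str) -> bool:
    """True if the path sits under a user-writable profile or temp location."""
    p = path.replace("\\\\", "\\").lower()   # firewall entries escape backslashes
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(log_text: str) -> list[tuple[str, str]]:
    """Walk the log once and return (rule, detail) pairs worth a closer look."""
    findings: list[tuple[str, str]] = []
    lines = log_text.splitlines()
    section = clsid = None
    for i, raw in enumerate(lines):
        line = raw.strip()
        header = next((name for name, rx in SECTION_HEADERS if rx.search(line)), None)
        if header:
            section = header
            clsid = LOCKED_CLSID_RE.match(line).group(1) if header == "clsid" else None
            continue
        if line == NTDLL_MOD and i + 1 < len(lines):
            findings.append(("ntdll-hook", lines[i + 1].strip()))  # catchme names the export next
            continue
        if not line or line.startswith("["):
            section = clsid = None   # blank line or unrelated key header ends the block
            continue
        if section == "run":
            m = RUN_VALUE_RE.match(line)
            if m and is_user_writable(m["path"]):
                findings.append(("autostart-user-writable", f'{m["name"]} -> {m["path"]}'))
        elif section == "fw_apps":
            m = FW_PATH_RE.match(line)
            if m and is_user_writable(m["path"]):
                findings.append(("firewall-exception-user-writable", m["path"]))
        elif section == "fw_ports":
            m = FW_PORT_RE.match(line)
            if m:
                label = PORT_NAMES.get(m["port"])
                findings.append(("firewall-open-port",
                                 f'{m["port"]}/{m["proto"].upper()}' + (f" ({label})" if label else "")))
        elif section == "clsid" and HEX_VALUE_RE.match(line):
            # Locked InprocServer32 carrying a 32-hex-digit value name: examine it,
            # remembering that some licensing components produce the same shape.
            findings.append(("locked-clsid-hex-value", clsid))
    return findings


# Excerpt of the log posted above, used as sample input for a stand-alone run.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"VoipDiscount"="f:\documenti rolando\File ricevuti\voipdiscount.exe" [2008-12-05 9073976]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Documents and Settings\\Rolex\\Desktop\\Release\\eTAXI s.r.l.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

detected NTDLL code modification:
ZwClose

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ee,17,79,b4,b4,
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:34} {detail}")
```

To run it against a full log instead of the excerpt, pass the text of a saved ComboFix.txt (usually cp1252-encoded) to triage(); findings come back in log order, one per matching line, so the output can be read top to bottom alongside the log itself.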

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by rolcia2 » Fri Jan 23, 2009 10:33 pm

ComboFix 09-01-21.04 - Rolex 2009-01-23 19.14.38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.193 [GMT 1:00]
Running from: c:\documents and settings\Rolex\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rolex\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090121-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\000001_.tmp
c:\windows\cnerolf.dat
c:\windows\system32\drivers\xnuqcefc.sys
c:\windows\system32\ssbtsr.exe
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\000001_.tmp
c:\windows\cnerolf.dat
c:\windows\system32\ssbtsr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XAILQQUA
-------\Service_xailqqua


((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))))))
.

2009-01-22 22:39 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-22 22:39 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-22 22:39 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-22 22:39 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-22 22:38 . 2009-01-22 23:11 <DIR> d-------- c:\programmi\Spyware Doctor
2009-01-22 22:38 . 2009-01-22 22:38 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\PC Tools
2009-01-22 18:23 . 2009-01-22 18:23 <DIR> d-------- c:\programmi\ScanSpyware
2009-01-17 23:00 . 2009-01-18 09:52 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\Download Manager
2009-01-12 23:57 . 2009-01-13 16:59 22,328 --a------ c:\documents and settings\Rolex\Dati applicazioni\PnkBstrK.sys
2009-01-12 09:53 . 2009-01-12 09:53 <DIR> d-------- C:\VundoFix Backups
2009-01-10 23:02 . 2009-01-10 23:02 <DIR> d-------- c:\programmi\CCleaner
2009-01-10 00:06 . 2009-01-22 23:32 250 --a------ c:\windows\gmer.ini
2009-01-09 22:19 . 2009-01-09 22:19 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\Babylon
2009-01-09 22:19 . 2009-01-09 22:19 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Babylon
2009-01-09 20:58 . 2006-09-12 12:46 227,328 -rahs---- c:\windows\system32\ac3DX.ax
2009-01-09 20:58 . 2008-03-16 14:30 216,064 -rahs---- c:\windows\system32\nbDX.dll
2009-01-09 20:58 . 2006-03-10 22:48 169,472 -rahs---- c:\windows\system32\MatroskaDX.ax
2009-01-09 20:58 . 2006-05-03 11:06 163,328 -rahs---- c:\windows\system32\flvDX.dll
2009-01-09 20:58 . 2005-11-25 21:46 161,792 -rahs---- c:\windows\system32\RealMediaDX.ax
2009-01-09 20:58 . 2006-01-13 00:23 123,904 -rahs---- c:\windows\system32\AVCDX.ax
2009-01-09 20:58 . 2003-11-21 00:00 54,784 -rahs---- c:\windows\system32\RLAPEDec.ax
2009-01-09 20:58 . 2004-04-27 00:00 37,888 -rahs---- c:\windows\system32\RLMPCDec.ax
2009-01-09 20:58 . 2007-02-21 12:47 31,232 -rahs---- c:\windows\system32\msfDX.dll
2009-01-09 12:50 . 2009-01-09 12:50 <DIR> d-------- c:\programmi\ffdshow
2009-01-09 12:50 . 2008-12-17 19:22 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-01-09 12:50 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-01-06 22:57 . 2009-01-07 00:00 <DIR> d-------- c:\programmi\Oberon Media
2009-01-06 22:57 . 2009-01-06 22:57 <DIR> d-------- c:\programmi\File comuni\Oberon Media
2008-12-26 11:44 . 2008-12-26 11:44 <DIR> d-------- c:\programmi\TeamViewer
2008-12-23 09:25 . 2008-12-23 09:25 <DIR> d-------- c:\documents and settings\Rolex\Dati applicazioni\Windows Live Writer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 18:27 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\Skype
2009-01-23 18:26 --------- d-----w c:\documents and settings\Rolex\Dati applicazioni\skypePM
2009-01-23 18:24 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
TCP: {9A292BC9-99A0-45BB-ABA8-98D3916B66FA} = 193.70.152.15,193.70.152.25
DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} - hxxp://uc.sina.com.con/download/live/weblive2.4.0.0.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.4.2.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 19:27:40
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1292428093-606747145-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2C4D5650-C168-F6A0-C50E-695D875DC689}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"pahneiicdalmlenkjgodlilmgoioapab"=hex:6a,61,6f,61,6c,64,6e,6d,6a,61,67,6a,65,
6c,63,61,67,70,6d,6f,00,50
"oajnkdadifbiaenglfkblbkplcalgo"=hex:6a,61,6f,61,6c,64,6e,6d,6a,61,67,6a,65,6c,
63,61,67,70,6d,6f,00,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ee,17,79,b4,b4,
6a,c6,ad,e2,63,26,f1,3f,c8,ff,68,03,4a,36,33,ec,fb,dc,75,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,97,de,d7,d8,57,
43,ce,c7,6a,9c,d6,61,af,45,84,18,f3,59,17,e1,d4,9d,fc,27,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,50,cb,37,82,7b,
b9,d2,f1,ff,7c,85,e0,43,d4,0e,fe,94,4e,1a,47,33,73,f6,68,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,62,9f,9e,3b,21,
99,4f,26,86,8c,21,01,be,91,eb,e7,f9,2b,79,09,7a,25,24,2b,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,4d,97,0d,4b,3f,
12,7b,2e,f5,1d,4d,73,a8,13,5c,05,d1,f2,2f,04,d6,b4,ec,5f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,f3,e4,3f,be,8d,
8e,60,38,df,20,58,62,78,6b,cf,c8,ad,69,b5,8e,74,f8,63,6e,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,43,dd,a3,84,6c,
95,ab,05,fb,a7,78,e6,12,2f,9a,ea,0e,92,ba,97,42,c4,a0,eb,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,89,34,57,d7,ba,
21,5c,1c,01,3a,48,fc,e8,04,4a,f1,81,a5,9b,b1,bb,dd,84,73,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,1a,9c,f0,d8,16,
eb,76,72,f6,0f,4e,58,98,5b,89,c9,5f,9a,03,2f,12,b4,2c,08,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,2a,18,74,e5,f2,
62,3d,d7,3d,ce,ea,26,2d,45,aa,78,64,9c,41,53,e1,95,4e,71,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,85,a0,42,2d,63,
42,7e,e8,2a,b7,cc,b5,b9,7f,41,e7,a7,3e,74,6a,21,42,87,54,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,bc,3d,4c,af,a4,
d1,cc,3e,6c,43,2d,1e,aa,22,2f,9c,a9,4c,7f,25,fb,e7,6a,58,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Alwil Software\Avast4\aswUpdSv.exe
c:\programmi\Alwil Software\Avast4\ashServ.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\programmi\Spyware Doctor\pctsSvc.exe
c:\programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\searchindexer.exe
c:\programmi\TeamViewer\Version4\TeamViewer.exe
c:\programmi\Logitech\MouseWare\system\EM_EXEC.EXE
c:\windows\system32\ntvdm.exe
c:\programmi\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\programmi\HP\Digital Imaging\bin\hpqnrs08.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\programmi\HP\Digital Imaging\bin\hpqste08.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
c:\programmi\HP\Digital Imaging\bin\hpqimzone.exe
c:\programmi\Windows Live\Contacts\wlcomm.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\HPZinw12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2009-01-23 19:33:55 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-01-23 18:33:49
ComboFix2.txt 2009-01-23 12:53:01
ComboFix3.txt 2009-01-10 13:02:13

Pre-Run: 10.831.421.440 byte disponibili
Post-Run: 10,791,886,848 byte disponibili

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
371 --- E O F --- 2009-01-14 11:52:19
rolcia2
Aficionado
Posts: 35
Joined: Sun Feb 03, 2008 10:13 am

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by rolcia2 » Fri Jan 23, 2009 11:02 pm

Sorry about the first log, I posted it by mistake; anyway, it's the second log...
rolcia2
Aficionado
Posts: 35
Joined: Sun Feb 03, 2008 10:13 am

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by rolcia2 » Fri Jan 23, 2009 11:09 pm

I'm also posting the Malwarebytes log

Malwarebytes' Anti-Malware 1.33
Versione del database: 1684
Windows 5.1.2600 Service Pack 3

23/01/2009 23.10.02
mbam-log-2009-01-23 (23-10-02).txt

Tipo di scansione: Scansione rapida
Elementi scansionati: 55544
Tempo trascorso: 8 minute(s), 9 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)


I forgot: eMule still slows everything down, and the files keep staying in hashing...
rolcia2
Aficionado
Posts: 35
Joined: Sun Feb 03, 2008 10:13 am

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by rolcia2 » Sat Jan 24, 2009 12:57 am

I'm also attaching the ScanSpyware report

Application Information
=======================

Application Version: ScanSpyware v3.8 build 3.8.0.4
Original Database: pests12-19-04.db
Updated Database: ssdb011709.db
Current Date: Saturday, January 24, 2009 12:48:31 AM
__________________________________________________

Directories recognized:
=======================

__________________________________________________

Files recognized:
=================

__________________________________________________

Registry keys recognized:
=========================

[Bifrose.AJ]
HKEY_CURRENT_USER\SOFTWARE\Wget

__________________________________________________

Registry values recognized:
===========================

__________________________________________________

Cookies recognized:
===================

[Tracking Cookies]
c:\documents and settings\rolex\cookies\rolex@ad.yieldmanager[2].txt

[Serv]
c:\documents and settings\rolex\cookies\rolex@bs.serving-sys[2].txt

[Tracking Cookies]
c:\documents and settings\rolex\cookies\rolex@bs.serving-sys[2].txt

[Tracking Cookies]
c:\documents and settings\rolex\cookies\rolex@com[1].txt

[Tracking Cookies]
c:\documents and settings\rolex\cookies\rolex@doubleclick[1].txt

[Sonic]
c:\documents and settings\rolex\cookies\rolex@panasonic[2].txt

[Serv]
c:\documents and settings\rolex\cookies\rolex@quantserve[2].txt

[Serv]
c:\documents and settings\rolex\cookies\rolex@serving-sys[2].txt

[TradeDoubler]
c:\documents and settings\rolex\cookies\rolex@tradedoubler[1].txt

[TradeDoubler]
c:\documents and settings\rolex\cookies\rolex@tradedoubler[1].txt

[AdService]
c:\documents and settings\rolex\cookies\rolex@www.googleadservices[1].txt

[DSE]
c:\documents and settings\rolex\cookies\rolex@www.googleadservices[1].txt

[Serv]
c:\documents and settings\rolex\cookies\rolex@www.googleadservices[1].txt

__________________________________________________

And on top of that, this blessed bifrose.aj showed up again
rolcia2
Aficionado
Posts: 35
Joined: Sun Feb 03, 2008 10:13 am

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by Amantide » Sat Jan 24, 2009 2:51 pm

And on top of that, this blessed bifrose.aj showed up again

It'll be some leftover... you can safely remove it with the same program that detected it.
Other than that, the PC should be clean; nothing shows up in the logs.
At this point I can only suggest uninstalling eMule, emptying the temporary files folder and reinstalling it from scratch, importing only the credits files.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Re: [HELP] Trojan Virtumonde,Xema,Tdss,bad_sites

Post by rolcia2 » Sat Jan 24, 2009 4:16 pm

Thanks Amantide, so the problem seems to be solved, or rather, let me explain better: when I open eMule everything slows down, but if I change the shared folders everything goes back to normal, so I think there is something inside eMule's folders, but unfortunately Avast and Kaspersky online don't detect anything. Anyway, thanks a lot for the help given so far, and if you have alternatives let me know; in the meantime I'll run an online scan of just that eMule folder and see what it tells me. Thanks.
rolcia2
Aficionado
Posts: 35
Joined: Sun Feb 03, 2008 10:13 am
