www.MegaLab.it

[SUMMERBOY]

Mi controllate il log per favore????Il pc da stamttina se apro alcune cose tipo webcam,skipe ecc nn va.Cioè appare una schermata blu d'errore parlando di modifiche hardware(mai fatte).Vipo posto il log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.15.58, on 11/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\sub.exe
C:\WINDOWS\dllcache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\winmgrs.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programmi\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Dynamic Library Cache] dllcache.exe
O4 - HKLM\..\Run: [Windows UDP Control Center] winmgrs.exe
O4 - HKLM\..\Run: [PromoReg] C:\sub.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LiveSearchNotification] "C:\Programmi\Techno Design IP\LiveSearch Notification.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Utilità adattatore wireless ZyXEL G-202.lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF78D79F-4AAF-4551-9C95-BDF9EAA4D278}: NameServer = 213.156.54.80,213.156.54.81
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5765 bytes

[crazy.cat]

Non uno, ma forse tre
O4 - HKLM\..\Run: [Windows Dynamic Library Cache] dllcache.exe
O4 - HKLM\..\Run: [Windows UDP Control Center] winmgrs.exe
O4 - HKLM\..\Run: [PromoReg] C:\sub.exe

Falli analizzare sul sito www.virustotal.com prima di vaporizzarli.

[SUMMERBOY]

Grazie provvedo subito e ti faccio sapere.

[SUMMERBOY]

Li ho eliminatiti.Ora post il nuovo Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.28.59, on 11/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Programmi\Opera\opera.exe
D:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programmi\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LiveSearchNotification] "C:\Programmi\Techno Design IP\LiveSearch Notification.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Utilità adattatore wireless ZyXEL G-202.lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF78D79F-4AAF-4551-9C95-BDF9EAA4D278}: NameServer = 213.156.54.80,213.156.54.81
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5502 bytes

Ora è ok??

[ste_95]

Nessun problema visibile.

[SUMMERBOY]

Però mi da ancora problemi .Ho notato che risultano istallate 4 Unità CD .Che devo fare???

[crazy.cat]

Ho notato che risultano istallate 4 Unità CD .Che devo fare???

Stai usando daemon tools o qualche virtualizzatore di cdrom?
E' meglio se fai una scansione con questo http://www.MegaLab.it/2894/kaspersky-virus-removal-tool

[SUMMERBOY]

Nn sto usando niente del genere.Ho inserito dei cd e risulta che le due Unità Cd sono state tipo duplicate.Lo stesso contenuto lo visualizzo su due porte.

[Amantide]

Scarica ComboFix , salvandolo sul desktop con un nome di fantasia, ed esegui la scansione seguendo queste istruzioni (giù in fondo). Al termine della scansione verrà creato il file di report C:\combofix.txt, copia qui il suo contenuto inserendolo tra i tag LOG, in questo modo:

Codice: Seleziona tutto

[LOG]qui va inserito il log[/LOG]

[SUMMERBOY]

Ho provato ad usare combofix,ma quando stava facendo il punto di ripristino mi è uscita la schermata blu d'errore.Mi esce la stessa schermata anche se provo ad aprire la webcam.

[Amantide]

Riesci a riportare l'errore della schermata blu?

[SUMMERBOY]

Ecco ora la metto:

MI ESCE ANCHE QUANDO APRO ES. SKYPE.

[Amantide]

Lo schermo blu Driver_IRQL.... di solito si riferisce al problema/conflitto con qualche driver di perifericha o software, o perché no, anche qualche virus installati. Nel tuo caso c'è il problema che dopo lo STOP:... non viene menzionato il nome del driver colpevole.

Per escludere la causa virus prova ad eseguire la scansione con Avira RescueCD.

[SUMMERBOY]

Vuoi che ti posto l'immagien rimpicciolita??comunque adesso sto facendo la scansione con AVG 8.5 e per il momento nn risulta niente.comunque io nn ho apportato nessuna modifica.Cioè io poco prima usavo il pc normalmente ,dopo 5 minuti sono iniziati i problemi.

[Amantide]

Vuoi che ti posto l'immagien rimpicciolita??

Non serve, di solito se c'è il riferimento a qualche file, quello va menzionato immediatamente sotto alla riga STOP:...

comunque adesso sto facendo la scansione con AVG 8.5 e per il momento nn risulta niente.

Non è granché come l'antivirus, e visto che già nel log di Hijackthis si vedevano un bel po' di schifezze, sarà meglio se ritenterai di eseguire la scansione con Combofix dalla modalità provvisoria oppure se fai la scansione con Avira RescueCD.

[SUMMERBOY]

Allora dopo 4 ore e mezza di scansione mi ha trovato 1 file infetto:
C:\\WINDOWS\temp\dfsinstall.exe e mi dice che è un Trojan Horse SHeur2.APXF.Se lo elimino dovrei risolvere qualcosa??

[Amantide]

Allora dopo 4 ore e mezza di scansione mi ha trovato 1 file infetto:C:\\WINDOWS\temp\dfsinstall.exe e mi dice che è un Trojan Horse SHeur2.APXF.

Anche se il nome di questo file non sembra tanto sospetto, eliminalo lo stesso, visto che si trova nella cartella dei file temporanei.

Se lo elimino dovrei risolvere qualcosa??

No saprei , però sinceramente non credo.

Vedi comunque se riesci ad eseguiere la scansione con Combofix dalla modalità provvisoria.

[SUMMERBOY]

FINALMENTE sono riuscito a fare la sncasione con Combofix in modalita provvisoria .
Ecco il log:

ComboFix 09-07-09.08 - User 12/07/2009 17.23.47.4.1 - NTFSx86 MINIMAL
Eseguito da: c:\documents and settings\User\Desktop\Combofix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Impostazioni locali\Temporary Internet Files\lsn_6FBA808F-2580-48c3-8C6B-C08BBB800B8E.xml
c:\windows\dllcache.exe
c:\windows\system32\drivers\hjgruixrtqhxvn.sys
c:\windows\system32\hjgruikibairyf.dat
c:\windows\system32\hjgruimqlisrtu.dat
c:\windows\system32\hjgruirjixfqxn.dll
c:\windows\system32\hjgruirkmjpqfv.dll
c:\windows\winmgrs.exe

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiowpdwqpp


((((((((((((((((((((((((( Files Creati Da 2009-06-12 al 2009-07-12 )))))))))))))))))))))))))))))))))))
.

2009-07-11 16:27 . 2009-06-17 08:54 906520 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgemc.exe
2009-07-02 16:29 . 2009-07-02 16:29 463360 ----a-w- c:\documents and settings\User\Dati applicazioni\Techno Design IP\LiveSearch Notification.exe
2009-07-02 16:29 . 2009-07-02 16:29 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Techno Design IP
2009-06-30 10:42 . 2009-06-30 10:30 2052376 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgcorex.dll
2009-06-27 10:09 . 2009-06-27 10:12 -------- d-----w- c:\windows\system32\NtmsData
2009-06-27 09:38 . 2009-06-27 09:38 -------- d-----w- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Opera
2009-06-17 09:02 . 2009-06-17 08:54 829208 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgcfgx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-11 16:27 . 2008-05-23 15:45 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-11 14:51 . 2008-12-20 16:05 3561743 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-11 12:37 . 2000-01-01 15:46 90112 ----a-w- c:\windows\DUMP5346.tmp
2009-07-11 10:41 . 2008-02-01 16:33 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Skype
2009-07-10 11:23 . 2008-02-01 17:05 -------- d-----w- c:\documents and settings\User\Dati applicazioni\skypePM
2009-07-06 10:27 . 2008-01-05 18:12 -------- d-----w- c:\programmi\eMule
2009-06-17 09:27 . 2008-12-02 15:11 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 09:27 . 2008-12-02 15:11 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 08:54 . 2000-01-01 15:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 08:54 . 2009-06-12 11:21 3298072 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\setup.exe
2009-06-17 08:50 . 2009-06-12 11:11 1454360 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgupd.dll
2009-06-11 18:00 . 2009-06-11 18:00 248566 ----a-w- C:\cc_20090611_1959.reg
2009-06-08 19:50 . 2009-06-08 19:50 19165248 ----a-w- c:\documents and settings\User\Dati applicazioni\TomTom\HOME\Profiles\u1fppxy6.default\Updates\v2_6_2_1586_win.exe
2009-05-16 18:15 . 2008-08-02 18:58 -------- d-----w- c:\documents and settings\User\Dati applicazioni\gtk-2.0
2009-05-12 17:34 . 2008-01-06 18:19 2608 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-08 10:27 . 2008-08-07 14:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-08 10:27 . 2008-05-23 15:45 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:41 . 2004-08-19 12:00 346112 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 19:23 . 2000-01-01 15:40 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-04-29 19:23 . 2000-01-01 15:40 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-04-29 04:51 . 2004-08-19 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:51 . 2004-08-19 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-19 20:08 . 2004-08-19 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 11:27 . 2004-08-19 12:00 345382 ----a-w- c:\windows\system32\perfh010.dat
2009-04-16 11:27 . 2004-08-19 12:00 47814 ----a-w- c:\windows\system32\perfc010.dat
2009-04-15 15:16 . 2004-08-19 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[7] 2005-03-02 18:20 578048 488019BFE2B0F9F8CD8394276D5B664A c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[7] 2007-03-08 15:48 579072 BAB4F995E526484A235A276E269AAF7F c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[7] 2004-08-19 12:00 578048 08447BDFCE5D1B1956F962602381F5C1 c:\windows\$NtUninstallKB890859$\user32.dll
[7] 2005-03-02 18:10 578048 14B5D6B20467DBA209853D65D1F6A124 c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2008-04-14 02:13 579584 FA94696C0727BD59E517C674CD6E7C72 c:\windows\SoftwareDistribution\Download\fc12fb9dc078edc471023573f97c4e40\user32.dll
[-] 2008-04-14 02:13 579584 FA94696C0727BD59E517C674CD6E7C72 c:\windows\system32\user32.dll

[-] 2008-04-14 02:14 510464 9259170D29B5A256735FCB8B80280857 c:\windows\SoftwareDistribution\Download\fc12fb9dc078edc471023573f97c4e40\winlogon.exe
[-] 2000-01-01 16:31 504832 1DBD3966123AC2F6ADE783F7F17F8C7F c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PE2CKFNT SE"="c:\programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-12-03 413696]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2009-04-29 198160]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-19 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]
Utilit… adattatore wireless ZyXEL G-202.lnk - c:\programmi\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe [2008-11-6 10907648]
Watch.lnk - c:\windows\twain_32\CIS600X\WATCH.exe [2008-2-2 356352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 10:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\DAP\\DAP.exe"=
"c:\\Programmi\\ZyXEL\\ZyXEL G-202 Wireless Adapter Utility\\ZyXEL G-202.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/05/2008 17.45.12 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/05/2008 17.45.12 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [07/08/2008 16.03.59 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/08/2008 16.03.56 298776]
R2 SFC4;SFC4;c:\windows\system32\drivers\sfc4.sys [02/02/2008 11.22.34 41472]
R3 phil2vid;Fotocamera VGA USB Philip;c:\windows\system32\drivers\philcam2.sys [05/01/2008 18.32.22 173696]
R3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [28/10/2008 14.01.44 19072]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\drivers\WlanUZXP.SYS [28/10/2008 14.27.18 437760]
S3 AX88178;Sitecom USB Gigabit LAN LN-028;c:\windows\system32\drivers\ax88178.sys [01/01/2000 18.50.57 22144]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [28/10/2008 14.01.44 20608]
.
Contenuto della cartella 'Scheduled Tasks'

2009-07-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-23 20:18]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-LiveSearchNotification - c:\programmi\Techno Design IP\LiveSearch Notification.exe


.
------- Scansione supplementare -------
.
uStart Page = hxxp://it.msn.com
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
TCP: {AF78D79F-4AAF-4551-9C95-BDF9EAA4D278} = 213.156.54.80,213.156.54.81
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 17:40
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(1960)
c:\progra~1\TEXTBR~1.0\Bin\TBMHOOK.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\programmi\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\programmi\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
c:\windows\system32\rundll32.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
.
**************************************************************************
.
Ora fine scansione: 2009-07-12 17.49.05 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-07-12 15:48
ComboFix2.txt 2008-12-02 19:12
ComboFix3.txt 2008-12-02 14:58
ComboFix4.txt 2008-12-02 13:12

Pre-Run: 7.697.399.808 byte disponibili
Post-Run: 7.801.769.984 byte disponibili

170 --- E O F --- 2009-06-11 11:16

[Amantide]

Ora come va il pc?
Combofix ha rimosso un malware abbastanza insidioso che forse con il suo driver causava lo schermo blu.

[SUMMERBOY]

Pare meglio.Le unità cd in più sono scomparse.La webcam adesso è ok.L'unico problema è che Vlc nn mi si apre.