ComboFix 09-08-19.01 - UTENTE 20/08/2009 14.07.29.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2047.1514 [GMT 2:00]
Eseguito da: f:\aadati\CPU VECCHIO\TESTI\Virus\MegaLab forum\Combofix\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090819-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\UTENTE\Dati applicazioni\wiaserva.log
c:\windows\Fonts\AcadEref.ttf
c:\windows\system32\drivers\str.sys
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((( Files Creati Da 2009-07-20 al 2009-08-20 )))))))))))))))))))))))))))))))))))
.
2009-08-19 15:08 . 2009-08-19 15:08 -------- d-----w- c:\documents and settings\wind98\Impostazioni locali\Dati applicazioni\Identities
2009-08-17 19:57 . 2009-08-17 19:44 71680 -c--a-w- C:\mbr.exe
2009-08-17 17:45 . 2009-08-17 17:45 -------- dc----w- C:\Deckard
2009-08-13 16:58 . 2009-08-13 16:58 117760 ----a-w- c:\documents and settings\wind98\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-13 16:57 . 2009-08-13 16:57 -------- d-----w- c:\documents and settings\wind98\Dati applicazioni\SUPERAntiSpyware.com
2009-08-12 17:25 . 2009-08-12 17:25 1961720 ----a-w- c:\documents and settings\UTENTE\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-08-10 20:58 . 2009-08-14 13:13 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\SUPERAntiSpyware.com
2009-08-04 15:54 . 2009-08-04 15:54 -------- d-----w- c:\programmi\TIAB
2009-07-27 19:57 . 2009-07-27 19:57 -------- d-sh--w- c:\documents and settings\UTENTE\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 11:46 . 2009-03-04 19:02 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\skypePM
2009-08-20 05:20 . 2009-03-04 18:58 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\Skype
2009-08-19 16:24 . 2009-03-13 20:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-08-19 16:24 . 2009-03-13 20:28 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-08-18 21:29 . 2007-04-07 16:11 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\Acubix PicoBackup Outlook Express Edition
2009-08-18 17:55 . 2007-03-27 17:21 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Google Updater
2009-08-18 15:29 . 2006-10-18 21:10 90112 ----a-w- c:\windows\DUMP5880.tmp
2009-08-18 15:14 . 2006-12-27 21:34 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-08-18 13:56 . 2008-02-01 13:06 184475 ----a-w- c:\windows\Fonts\AdobeFnt09.lst
2009-08-14 11:05 . 2007-12-07 14:55 -------- d-----w- c:\programmi\XoftSpySE
2009-08-13 16:57 . 2008-07-06 15:00 122288 ----a-w- c:\documents and settings\wind98\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-08-12 12:37 . 2006-10-18 20:04 122288 ----a-w- c:\documents and settings\UTENTE\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-08-11 21:05 . 2006-10-19 06:28 -------- d-----w- c:\programmi\File comuni\Adobe
2009-08-10 13:39 . 2006-10-19 05:39 -------- d-----w- c:\programmi\QuickTime
2009-08-10 13:39 . 2006-10-23 16:30 -------- d-----w- c:\programmi\MemoRex
2009-07-20 15:17 . 2008-01-12 09:08 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\U3
2009-05-04 15:23 . 2009-05-04 15:23 270978 -c--a-w- c:\programmi\La direzione dei lavori.zip
2008-08-10 06:57 . 2008-08-10 06:57 3723454 -c--a-w- c:\programmi\IZArc_Setup.exe
2008-07-17 18:59 . 2008-07-17 19:01 3536683 -c--a-w- c:\programmi\PicoBackupOESetup.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-03-30 14:45 . 2006-03-30 14:45 313472 c:\programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
2006-10-18 20:23 . 2003-05-05 06:57 143360 c:\programmi\Analog Devices\SoundMAX\bak\SMTray.exe
2006-10-19 05:16 . 2004-06-10 19:10 339968 c:\programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
2006-10-23 13:43 . 2004-05-10 14:54 49152 c:\programmi\Brother\Brmfl04c\bak\BrStDvPt.exe
2009-08-10 13:39 . 2004-05-10 14:54 49152 c:\programmi\Brother\Brmfl04c\BrStDvPt.exe
2003-09-29 23:14 . 2003-09-29 23:14 155648 c:\programmi\File comuni\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
2007-01-27 18:16 . 2007-01-27 18:16 171448 c:\programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
2009-08-10 13:39 . 2007-01-27 18:16 171448 c:\programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
2006-02-19 01:41 . 2006-02-19 01:41 49152 c:\programmi\HP\HP Software Update\bak\HPWuSchd2.exe
2006-02-19 00:41 . 2006-02-19 00:41 49152 c:\programmi\HP\HP Software Update\hpwuSchd2.exe
2006-06-15 07:43 . 2006-06-15 07:43 49152 c:\programmi\HP\ToolboxFX\bin\bak\HPTLBXFX.exe
2009-08-10 13:39 . 2006-06-15 07:43 49152 c:\programmi\HP\ToolboxFX\bin\HPTLBXFX.exe
2006-10-22 06:23 . 2005-11-10 11:03 36975 c:\programmi\Java\jre1.5.0_06\bin\bak\jusched.exe
2009-08-10 13:39 . 2005-11-10 11:03 36975 c:\programmi\Java\jre1.5.0_06\bin\jusched.exe
2007-12-11 15:21 . 2007-09-25 00:11 132496 c:\programmi\Java\jre1.6.0_03\bin\bak\jusched.exe
2009-08-10 13:39 . 2007-09-25 00:11 132496 c:\programmi\Java\jre1.6.0_03\bin\jusched.exe
2006-10-23 13:48 . 2003-12-01 09:38 892928 c:\programmi\Logitech\iTouch\bak\iTouch.exe
2006-10-23 16:30 . 2003-07-29 22:37 332288 c:\programmi\MemoRex\bak\MemoRexStart.exe
2009-08-10 13:39 . 2003-07-29 22:37 332288 c:\programmi\MemoRex\MemoRexStart.exe
2006-06-21 02:52 . 2006-06-21 02:52 1211176 c:\programmi\Microsoft ActiveSync\bak\wcescomm.exe
2006-06-21 02:52 . 2006-06-21 02:52 1211176 c:\programmi\Microsoft ActiveSync\wcescomm.exe
2006-09-01 14:57 . 2006-09-01 14:57 282624 c:\programmi\QuickTime\bak\qttask.exe
2009-08-10 13:39 . 2006-09-01 14:57 282624 c:\programmi\QuickTime\qttask.exe
2005-06-17 13:52 . 2005-06-17 13:52 1129472 c:\programmi\Salvataggio outlook express\PicoBackupOE\bak\PicoBackupAgent.exe
2007-01-19 07:27 . 2007-01-29 11:07 3718312 c:\programmi\TomTom HOME\bak\TomTomHOME.exe
2007-05-22 15:07 . 2007-03-14 14:52 3770024 c:\programmi\TomTom HOME\TomTomHOME.exe
2001-08-31 11:00 . 2004-08-19 13:39 15360 c:\windows\system32\bak\ctfmon.exe
2001-08-31 11:00 . 2004-08-19 13:39 15360 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\programmi\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1211176]
"PicoBackupOE"="c:\programmi\PicoBackupOE\PicoBackupAgent.exe" [2005-06-17 1129472]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-18 68856]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"LogitechSetup"="D:\setup.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPUsageTracking"="c:\programmi\HP\HP UT\bin\hppusg.exe" [2006-06-14 36864]
"zzzHPSETUP"="E:\Setup.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [N/A]
"LogitechCommunicationsManager"="c:\programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\programmi\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-01 282624]
"RRT-Auto"="f:\aadati\CPU VECCHIO\TESTI\Virus\MegaLab forum\RRT.exe" [N/A]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\programmi\File comuni\logishrd\WUApp32.exe" [2008-12-17 443664]
c:\documents and settings\UTENTE\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-19 113664]
Printkey.lnk - C:\Printkey.exe [2006-10-22 514560]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe [2006-10-23 212992]
Avvio rapido HP Photosmart Premier.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-24 07:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\wcescomm.exe"= c:\programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmi\\JavaSoft\\JRE\\1.3.1_13\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"f:\\Programmi\\Graphisoft\\ArchiCAD 10\\ArchiCAD.exe"=
"c:\\Programmi\\Graphisoft\\ArchiCAD 11\\ArchiCAD.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Programmi\\Adobe\\Acrobat 7.0\\Acrobat\\Acrobat.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"9633:TCP"= 9633:TCP:gyira
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [04/08/2008 16.57.48 12552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24/04/2009 10.54.10 114768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/08/2008 16.57.43 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/08/2008 16.57.47 108552]
R2 ACCAKeyServer;ACCA Key Server v.2.00;c:\acca\ACCAKeyServer\ACCAKeyService.EXE [15/03/2009 19.35.13 528896]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24/04/2009 10.54.10 20560]
R2 CPUSB;CPUsb.Sys driver;c:\windows\system32\drivers\CPUSB.sys [22/10/2006 10.09.26 17080]
R2 cpwnt;cpwnt;c:\windows\system32\drivers\CPWNT.SYS [21/10/2006 20.08.06 21824]
S1 soqwx32;soqwx32;\??\c:\windows\system32\drivers\soqwx32.sys --> c:\windows\system32\drivers\soqwx32.sys [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/03/2009 18.33.32 33808]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gzemr
ejivo
.
Contenuto della cartella 'Scheduled Tasks'
2009-08-20 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-27 21:40]
2009-08-20 c:\windows\Tasks\XoftSpySE 2.job
- c:\programmi\XoftSpySE\XoftSpy.exe [2007-12-07 16:34]
2009-08-20 c:\windows\Tasks\XoftSpySE.job
- c:\programmi\XoftSpySE\XoftSpy.exe [2007-12-07 16:34]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.virgilio.it/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.virgilio.it/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Converti destinazione link in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {667CCFE0-179F-4596-86C5-C5967CC876D0} = 151.99.125.2,151.99.125.3
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\programmi\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\UTENTE\Dati applicazioni\Mozilla\Firefox\Profiles\1awbkkbc.default\
FF - prefs.js: browser.startup.homepage - hxxp://VIRGILIO.IT
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 14:17
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'explorer.exe'(6284)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\programmi\Logitech\MouseWare\System\LgWndHk.dll
c:\programmi\File comuni\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\programmi\Alwil Software\Avast4\aswUpdSv.exe
c:\programmi\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\brss01a.exe
c:\programmi\File comuni\EPSON\EBAPI\eEBSvc.exe
c:\windows\system32\Brmfrmps.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\programmi\File comuni\EPSON\EBAPI\SAgent2.exe
c:\programmi\File comuni\LightScribe\LSSrvc.exe
c:\programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
c:\programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programmi\Analog Devices\SoundMAX\SMAgent.exe
c:\programmi\Alwil Software\Avast4\ashMaiSv.exe
c:\programmi\Alwil Software\Avast4\ashWebSv.exe
c:\programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
c:\programmi\Logitech\MouseWare\system\EM_EXEC.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\programmi\File comuni\LogiShrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Ora fine scansione: 2009-08-20 14.33.23 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-08-20 12:33
Pre-Run: 11 750 973 440 byte disponibili
Post-Run: 11 734 818 816 byte disponibili

ComboFix 09-08-19.01 - UTENTE 20/08/2009 17.13.27.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2047.1474 [GMT 2:00]
Eseguito da: f:\aadati\CPU VECCHIO\TESTI\Virus\MegaLab forum\Combofix\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090819-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
I seguenti file sono stati disabilitati durante la scansione:
c:\windows\TEMP\logishrd\LVPrcInj01.dll
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . Eliminazione Fallita
.
((((((((((((((((((((((((( Files Creati Da 2009-07-20 al 2009-08-20 )))))))))))))))))))))))))))))))))))
.
2009-08-19 15:08 . 2009-08-19 15:08 -------- d-----w- c:\documents and settings\wind98\Impostazioni locali\Dati applicazioni\Identities
2009-08-17 19:57 . 2009-08-17 19:44 71680 -c--a-w- C:\mbr.exe
2009-08-17 17:45 . 2009-08-17 17:45 -------- dc----w- C:\Deckard
2009-08-13 16:58 . 2009-08-13 16:58 117760 ----a-w- c:\documents and settings\wind98\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-13 16:57 . 2009-08-13 16:57 -------- d-----w- c:\documents and settings\wind98\Dati applicazioni\SUPERAntiSpyware.com
2009-08-12 17:25 . 2009-08-12 17:25 1961720 ----a-w- c:\documents and settings\UTENTE\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-08-10 20:58 . 2009-08-14 13:13 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\SUPERAntiSpyware.com
2009-08-04 15:54 . 2009-08-04 15:54 -------- d-----w- c:\programmi\TIAB
2009-07-27 19:57 . 2009-07-27 19:57 -------- d-sh--w- c:\documents and settings\UTENTE\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 15:53 . 2009-03-04 19:02 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\skypePM
2009-08-20 05:20 . 2009-03-04 18:58 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\Skype
2009-08-19 16:24 . 2009-03-13 20:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-08-19 16:24 . 2009-03-13 20:28 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-08-18 21:29 . 2007-04-07 16:11 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\Acubix PicoBackup Outlook Express Edition
2009-08-18 17:55 . 2007-03-27 17:21 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Google Updater
2009-08-18 15:29 . 2006-10-18 21:10 90112 ----a-w- c:\windows\DUMP5880.tmp
2009-08-18 15:14 . 2006-12-27 21:34 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-08-18 13:56 . 2008-02-01 13:06 184475 ----a-w- c:\windows\Fonts\AdobeFnt09.lst
2009-08-14 11:05 . 2007-12-07 14:55 -------- d-----w- c:\programmi\XoftSpySE
2009-08-13 16:57 . 2008-07-06 15:00 122288 ----a-w- c:\documents and settings\wind98\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-08-12 12:37 . 2006-10-18 20:04 122288 ----a-w- c:\documents and settings\UTENTE\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-08-11 21:05 . 2006-10-19 06:28 -------- d-----w- c:\programmi\File comuni\Adobe
2009-08-10 13:39 . 2006-10-19 05:39 -------- d-----w- c:\programmi\QuickTime
2009-08-10 13:39 . 2006-10-23 16:30 -------- d-----w- c:\programmi\MemoRex
2009-07-20 15:17 . 2008-01-12 09:08 -------- d-----w- c:\documents and settings\UTENTE\Dati applicazioni\U3
2009-05-04 15:23 . 2009-05-04 15:23 270978 -c--a-w- c:\programmi\La direzione dei lavori.zip
2008-08-10 06:57 . 2008-08-10 06:57 3723454 -c--a-w- c:\programmi\IZArc_Setup.exe
2008-07-17 18:59 . 2008-07-17 19:01 3536683 -c--a-w- c:\programmi\PicoBackupOESetup.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-08-20_12.17.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-20 15:24 . 2009-08-20 15:24 16384 c:\windows\Temp\Perflib_Perfdata_4b4.dat
+ 2009-08-20 15:51 . 2009-08-20 15:51 16384 c:\windows\Temp\Perflib_Perfdata_488.dat
+ 2009-08-20 15:11 . 2009-08-20 15:11 16384 c:\windows\Temp\Perflib_Perfdata_474.dat
- 2009-08-20 12:16 . 2009-08-20 12:16 16384 c:\windows\Temp\Perflib_Perfdata_474.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-03-30 14:45 . 2006-03-30 14:45 313472 c:\programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
2006-10-18 20:23 . 2003-05-05 06:57 143360 c:\programmi\Analog Devices\SoundMAX\bak\SMTray.exe
2006-10-19 05:16 . 2004-06-10 19:10 339968 c:\programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
2006-10-23 13:43 . 2004-05-10 14:54 49152 c:\programmi\Brother\Brmfl04c\bak\BrStDvPt.exe
2009-08-10 13:39 . 2004-05-10 14:54 49152 c:\programmi\Brother\Brmfl04c\BrStDvPt.exe
2003-09-29 23:14 . 2003-09-29 23:14 155648 c:\programmi\File comuni\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
2007-01-27 18:16 . 2007-01-27 18:16 171448 c:\programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
2009-08-10 13:39 . 2007-01-27 18:16 171448 c:\programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
2006-02-19 01:41 . 2006-02-19 01:41 49152 c:\programmi\HP\HP Software Update\bak\HPWuSchd2.exe
2006-02-19 00:41 . 2006-02-19 00:41 49152 c:\programmi\HP\HP Software Update\hpwuSchd2.exe
2006-06-15 07:43 . 2006-06-15 07:43 49152 c:\programmi\HP\ToolboxFX\bin\bak\HPTLBXFX.exe
2009-08-10 13:39 . 2006-06-15 07:43 49152 c:\programmi\HP\ToolboxFX\bin\HPTLBXFX.exe
2006-10-22 06:23 . 2005-11-10 11:03 36975 c:\programmi\Java\jre1.5.0_06\bin\bak\jusched.exe
2009-08-10 13:39 . 2005-11-10 11:03 36975 c:\programmi\Java\jre1.5.0_06\bin\jusched.exe
2007-12-11 15:21 . 2007-09-25 00:11 132496 c:\programmi\Java\jre1.6.0_03\bin\bak\jusched.exe
2009-08-10 13:39 . 2007-09-25 00:11 132496 c:\programmi\Java\jre1.6.0_03\bin\jusched.exe
2006-10-23 13:48 . 2003-12-01 09:38 892928 c:\programmi\Logitech\iTouch\bak\iTouch.exe
2006-10-23 16:30 . 2003-07-29 22:37 332288 c:\programmi\MemoRex\bak\MemoRexStart.exe
2009-08-10 13:39 . 2003-07-29 22:37 332288 c:\programmi\MemoRex\MemoRexStart.exe
2006-06-21 02:52 . 2006-06-21 02:52 1211176 c:\programmi\Microsoft ActiveSync\bak\wcescomm.exe
2006-06-21 02:52 . 2006-06-21 02:52 1211176 c:\programmi\Microsoft ActiveSync\wcescomm.exe
2006-09-01 14:57 . 2006-09-01 14:57 282624 c:\programmi\QuickTime\bak\qttask.exe
2009-08-10 13:39 . 2006-09-01 14:57 282624 c:\programmi\QuickTime\qttask.exe
2005-06-17 13:52 . 2005-06-17 13:52 1129472 c:\programmi\Salvataggio outlook express\PicoBackupOE\bak\PicoBackupAgent.exe
2007-01-19 07:27 . 2007-01-29 11:07 3718312 c:\programmi\TomTom HOME\bak\TomTomHOME.exe
2007-05-22 15:07 . 2007-03-14 14:52 3770024 c:\programmi\TomTom HOME\TomTomHOME.exe
2001-08-31 11:00 . 2004-08-19 13:39 15360 c:\windows\system32\bak\ctfmon.exe
2001-08-31 11:00 . 2004-08-19 13:39 15360 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\programmi\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1211176]
"PicoBackupOE"="c:\programmi\PicoBackupOE\PicoBackupAgent.exe" [2005-06-17 1129472]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-18 68856]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"LogitechSetup"="D:\setup.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPUsageTracking"="c:\programmi\HP\HP UT\bin\hppusg.exe" [2006-06-14 36864]
"zzzHPSETUP"="E:\Setup.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [N/A]
"LogitechCommunicationsManager"="c:\programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\programmi\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-01 282624]
"RRT-Auto"="f:\aadati\CPU VECCHIO\TESTI\Virus\MegaLab forum\RRT.exe" [N/A]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\programmi\File comuni\logishrd\WUApp32.exe" [2008-12-17 443664]
c:\documents and settings\UTENTE\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-19 113664]
Printkey.lnk - C:\Printkey.exe [2006-10-22 514560]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe [2006-10-23 212992]
Avvio rapido HP Photosmart Premier.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-24 07:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\wcescomm.exe"= c:\programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmi\\JavaSoft\\JRE\\1.3.1_13\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"f:\\Programmi\\Graphisoft\\ArchiCAD 10\\ArchiCAD.exe"=
"c:\\Programmi\\Graphisoft\\ArchiCAD 11\\ArchiCAD.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Programmi\\Adobe\\Acrobat 7.0\\Acrobat\\Acrobat.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"9633:TCP"= 9633:TCP:gyira
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [04/08/2008 16.57.48 12552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24/04/2009 10.54.10 114768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/08/2008 16.57.43 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/08/2008 16.57.47 108552]
R2 ACCAKeyServer;ACCA Key Server v.2.00;c:\acca\ACCAKeyServer\ACCAKeyService.EXE [15/03/2009 19.35.13 528896]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24/04/2009 10.54.10 20560]
R2 CPUSB;CPUsb.Sys driver;c:\windows\system32\drivers\CPUSB.sys [22/10/2006 10.09.26 17080]
R2 cpwnt;cpwnt;c:\windows\system32\drivers\CPWNT.SYS [21/10/2006 20.08.06 21824]
S1 soqwx32;soqwx32;\??\c:\windows\system32\drivers\soqwx32.sys --> c:\windows\system32\drivers\soqwx32.sys [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/03/2009 18.33.32 33808]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gzemr
ejivo
.
Contenuto della cartella 'Scheduled Tasks'
2009-08-20 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-27 21:40]
2009-08-20 c:\windows\Tasks\XoftSpySE 2.job
- c:\programmi\XoftSpySE\XoftSpy.exe [2007-12-07 16:34]
2009-08-20 c:\windows\Tasks\XoftSpySE.job
- c:\programmi\XoftSpySE\XoftSpy.exe [2007-12-07 16:34]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.virgilio.it/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.virgilio.it/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Converti destinazione link in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {667CCFE0-179F-4596-86C5-C5967CC876D0} = 151.99.125.2,151.99.125.3
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\programmi\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\UTENTE\Dati applicazioni\Mozilla\Firefox\Profiles\1awbkkbc.default\
FF - prefs.js: browser.startup.homepage - hxxp://VIRGILIO.IT
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 17:51
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b
[HKEY_USERS\S-1-5-21-329068152-1343024091-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'explorer.exe'(3636)
c:\programmi\Logitech\MouseWare\System\LgWndHk.dll
c:\programmi\File comuni\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\programmi\Alwil Software\Avast4\aswUpdSv.exe
c:\programmi\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\brss01a.exe
c:\programmi\File comuni\EPSON\EBAPI\eEBSvc.exe
c:\windows\system32\Brmfrmps.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\programmi\File comuni\EPSON\EBAPI\SAgent2.exe
c:\programmi\File comuni\LightScribe\LSSrvc.exe
c:\programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
c:\programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programmi\Analog Devices\SoundMAX\SMAgent.exe
c:\programmi\Alwil Software\Avast4\ashMaiSv.exe
c:\programmi\Alwil Software\Avast4\ashWebSv.exe
c:\programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
c:\programmi\Logitech\MouseWare\system\EM_EXEC.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\programmi\File comuni\LogiShrd\LQCVFX\COCIManager.exe
c:\windows\system32\wscntfy.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Ora fine scansione: 2009-08-20 18.01.48 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-08-20 16:01
ComboFix2.txt 2009-08-20 12:33
Pre-Run: 11 755 876 352 byte disponibili
Post-Run: 11 739 013 120 byte disponibili