www.MegaLab.it

[Drugo_BG]

ciao ragazzi
è un paio di giorni che il pc si blocca totalmente costringendomi a riavviare manualmente.
Questo mi succede dopo pochi minuti che avvio un Browser di navigazione (utilizzo firefox o opera)... e anche con una sola finestra aperta ho notato che il consumo di memoria continua ad aumentare fino a far andare in blocco il sistema.
Scansione di Avira e Malwarebytes hanno dato esito negativo.
Vi posto il log di HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.28.03, on 05/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Search Settings\SearchSettings.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe
C:\Programmi\Lavalys\EVEREST Ultimate Edition\everest.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programmi\Search Settings\kb127\SearchSettings.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programmi\Search Settings\kb127\SearchSettings.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Programmi\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SearchSettings] C:\Programmi\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Programmi\Lavalys\EVEREST Ultimate Edition\everest.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Libro dei ritagli HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programmi\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Selezione intelligente HP - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programmi\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0666813750
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DF3F366-FC76-4E08-9EB5-BC49485A3C50}: NameServer = 85.37.17.40 85.38.28.85
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe

--
End of file - 9566 bytes

Ma il processo SearchSettings.exe è normale?

Potete aiutarmi? Grazie

[crazy.cat]

Ma il processo SearchSettings.exe è normale?

non sembra essere niente di buono
http://www.prevx.com/filenames/22351543 ... S.EXE.html

[Drugo_BG]

come posso intervenire???
qualche idea? questi blocchi stanno diventando sempre più insistenti...

[gioia271965]

Cerca la cartella dove è allocato il file, utilizzando il servizio "cerca" e eliminalo. Se è collegato a un qualche programma, individualo e disinstallalo, cercando di rimuovere eventuali tracce nel registro di sistema e nelle cartelle nascoste di windows. Poi fai una scansione col tuo antivirus ed eventualmente con l'ottimo malwarebites...

[Drugo_BG]

SearchSetting l'ho eliminato compreso chiavi di registro ecc.
Però adesso l'AntivirGuard mi continua a segnalare il trojan TR/Click.Yabector.A.6 che continuo a mettere in quarantena...
Come posso eliminarlo alla fonte???
Grazie ragazzi

[crazy.cat]

In quali file te lo segnala?

[Drugo_BG]

C:\System Volume Information\_restore{C741A4A2-FE10-4A5F-9EA3-ECE85677C14C}\

e i blocchi sempre più insistenti adesso...

grazie in anticipo crazy.cat....

[crazy.cat]

disattiva il ripristino della configurazione e riavvia il pc
http://www.MegaLab.it/2330/come-disatti ... di-sistema

[Drugo_BG]

disattivato... riavviato e ho effettuato la scansione con avira...eppure niente!
utilizzando opera riesco a lavorarci qualche minuto prima che vada in blocco... con firefox praticamente è impossibile... come l'avvio il consumo di memoria continua a crescere...
ho scoperto però nei report di avira di 2 giorni fa questi...

Virus or unwanted program 'HTML/Crypted.Gen [virus]'
detected in file 'C:\Documents and Settings\Dario\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\ddgciahe.default\Cache\C5512990d01
Action performed: Deny access

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\26.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\2D.tmp.
Action performed: Deny access

Come mi muovo??? Ma come è possibile che per avira e Malwarebytes è tutto ok?

[crazy.cat]

Fai una scansione con combofix e posta il suo log.

Se hai delle estensioni o dei temi su firefox prova a disinstallarle una alla volta per vedere se trovi quella che possa darti il problema.

[Drugo_BG]

firefox l'ho disistallato completamente... add, segnalibri, ecc e reinstallato ex novo...
appena avviato combofix mi è apparso subito il messaggio attività di rootkit in corso e pc ci è riavviato... ed ecco il log...

ComboFix 09-11-05.05 - Dario 06/11/2009 17.02.10.3.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3327.2902 [GMT 1:00]
Eseguito da: c:\documents and settings\Dario\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dario\Dati applicazioni\Desktopicon

La copia infetta di c:\windows\system32\drivers\atapi.sys è stata trovata e disinfettata
ipristinata copia da - Kitty ate it :p
.
((((((((((((((((((((((((( Files Creati Da 2009-10-06 al 2009-11-06 )))))))))))))))))))))))))))))))))))
.

2009-11-05 17:24 . 2009-11-05 17:24 4045527 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-04 17:59 . 2009-11-04 17:59 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-11-04 17:59 . 2009-11-04 17:59 -------- d-----w- c:\documents and settings\HelpAssistant\Phone Browser
2009-11-04 17:56 . 2009-11-04 17:58 -------- d--h--r- c:\documents and settings\HelpAssistant\Dati applicazioni
2009-11-04 17:56 . 2008-05-12 22:54 -------- d--h--w- c:\documents and settings\HelpAssistant\Risorse di stampa
2009-11-04 17:56 . 2008-05-12 22:54 -------- d--h--w- c:\documents and settings\HelpAssistant\Risorse di rete
2009-11-04 17:56 . 2008-05-12 15:12 -------- d--h--w- c:\documents and settings\HelpAssistant\Modelli
2009-10-25 10:31 . 2009-10-25 10:31 72704 ----a-w- c:\windows\cadkasdeinst01i.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 15:34 . 2008-05-15 12:18 -------- d-----w- c:\programmi\Mozilla Thunderbird
2009-11-06 14:45 . 2008-11-09 10:17 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-11-05 19:35 . 2009-09-14 19:05 -------- d-----w- c:\documents and settings\Dario\Dati applicazioni\vlc
2009-11-05 18:44 . 2008-11-30 13:57 -------- d-----w- c:\documents and settings\Dario\Dati applicazioni\uTorrent
2009-11-05 18:05 . 2008-11-09 10:17 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2009-11-05 17:43 . 2008-08-10 09:34 -------- d-----w- c:\documents and settings\Dario\Dati applicazioni\dvdcss
2009-11-05 17:25 . 2009-02-15 18:31 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-11-05 11:33 . 2009-07-10 17:23 -------- d-----w- c:\programmi\VS Revo Group
2009-11-04 20:10 . 2008-05-15 09:45 -------- d-----w- c:\documents and settings\Dario\Dati applicazioni\stickies
2009-10-25 09:35 . 2001-08-31 10:00 82212 ----a-w- c:\windows\system32\perfc010.dat
2009-10-25 09:35 . 2001-08-31 10:00 483714 ----a-w- c:\windows\system32\perfh010.dat
2009-10-22 14:14 . 2009-07-02 13:26 1 ----a-w- c:\documents and settings\Dario\Dati applicazioni\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-04 14:54 . 2009-05-11 17:48 -------- d-----w- c:\programmi\Avidemux 2.4
2009-10-04 14:51 . 2009-04-09 17:00 -------- d-----w- c:\documents and settings\Dario\Dati applicazioni\foobar2000
2009-09-29 17:59 . 2008-11-06 20:36 -------- d-----w- c:\documents and settings\Dario\Dati applicazioni\gtk-2.0
2009-09-18 16:39 . 2009-07-05 09:18 -------- d-----w- c:\programmi\File comuni\Autodesk Shared
2009-09-18 16:30 . 2009-09-09 11:29 -------- d-----w- c:\documents and settings\Dario\Dati applicazioni\.purple
2009-09-14 10:47 . 2009-09-14 10:47 -------- d-----w- c:\documents and settings\Dario\Dati applicazioni\DivX
2009-09-13 15:09 . 2009-09-13 15:08 -------- d-----w- c:\programmi\DivX
2009-09-13 15:09 . 2009-09-13 15:08 -------- d-----w- c:\programmi\File comuni\DivX Shared
2009-09-11 09:33 . 2009-09-10 17:53 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\NOS
2009-09-10 17:54 . 2009-09-10 17:54 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\McAfee Security Scan
2009-09-10 17:54 . 2009-09-10 17:53 1925024 ----a-w- c:\documents and settings\All Users\Dati applicazioni\NOS\Adobe_Downloads\install_flash_player.exe
2009-09-10 13:54 . 2009-02-15 18:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-02-15 18:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 11:42 . 2009-09-09 11:42 1201 ----a-w- c:\documents and settings\Dario\Dati applicazioni\.purple\certificates\x509\tls_peers\login.facebook.com
2009-09-09 11:39 . 2009-09-09 11:28 -------- d-----w- c:\programmi\Pidgin
2009-09-09 11:35 . 2009-09-09 11:35 2141 ----a-w- c:\documents and settings\Dario\Dati applicazioni\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-09-09 11:31 . 2009-09-09 11:31 2095 ----a-w- c:\documents and settings\Dario\Dati applicazioni\.purple\certificates\x509\tls_peers\login.live.com
2009-09-09 11:28 . 2009-09-09 11:28 -------- d-----w- c:\programmi\File comuni\GTK
2009-09-08 20:38 . 2008-05-12 17:06 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\programmi\opera\program\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\programmi\opera\program\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 10:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\system32\DRIVERS\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-24 13524992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-24 86016]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 7.0"="c:\programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"Malwarebytes Anti-Malware (reboot)"="c:\programmi\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-03-24 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-10 16384000]
"AdslTaskBar"="stmctrl.dll" - c:\windows\system32\stmctrl.dll [2003-03-27 151552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Acrobat.lnk - c:\windows\Installer\{AC76BA86-1034-4700-7760-000000000002}\SC_Acrobat.exe [2008-6-9 25214]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^Dario^Menu Avvio^Programmi^Esecuzione automatica^Stickies.lnk]
path=c:\documents and settings\Dario\Menu Avvio\Programmi\Esecuzione automatica\Stickies.lnk
backup=c:\windows\pss\Stickies.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programmi\\NovaLogic\\Delta Force Black Hawk Down\\DFBHD.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Programmi\\NovaLogic\\Delta Force Black Hawk Down\\UPDATE.EXE"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60447:TCP"= 60447:TCP:eMule_TCP
"60983:UDP"= 60983:UDP:eMule_UDP
"3389:TCP"= 3389:TCP:Remote Desktop

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmi\Avira\AntiVir Desktop\sched.exe [27/03/2009 23.22.31 108289]
R2 PD91Agent;PD91Agent;c:\programmi\Raxco\PerfectDisk2008\PD91Agent.exe [16/04/2008 12.00.10 689416]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [18/06/2008 17.43.27 59466]
R3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [18/06/2008 17.43.27 538925]
S2 cpwnt;cpwnt;c:\windows\system32\drivers\CPWNT.SYS [15/08/2008 16.19.01 21824]
S3 axskbus;axskbus;c:\windows\system32\DRIVERS\axskbus.sys c:\windows\system32\DRIVERS\axskbus.sys
S3 PD91Engine;PD91Engine;c:\programmi\Raxco\PerfectDisk2008\PD91Engine.exe [16/04/2008 12.00.12 894216]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\programmi\File comuni\LightScribe\LSRunOnce.exe"
.
Contenuto della cartella 'Scheduled Tasks'
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://search.babylon.com/home
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Converti destinazione link in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Dario\Dati applicazioni\Mozilla\Firefox\Profiles\nbz9r1xi.default\
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmi\Opera\program\plugins\npdivx32.dll

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-<NO NAME> - (no file)
AddRemove-{A9547F93-3477-4057-8BA3-AB85BA5FA4FE} - c:\documents and settings\Dario\Impostazioni locali\Dati applicazioni\{7C24407D-548F-4211-9AD3-2549A100B03D}\Local Cooling Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 17:07
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x899B4E40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x899b4e40
\Driver\atapi -> 0x8a304838
NDIS: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> 0x899f1800
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1645522239-1454471165-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1645522239-1454471165-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1645522239-1454471165-725345543-1003)
@Allowed: (Read) (S-1-5-21-1645522239-1454471165-725345543-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Ora fine scansione: 2009-11-06 17.09.12
ComboFix-quarantined-files.txt 2009-11-06 16:09
ComboFix2.txt 2009-02-16 19:07

Pre-Run: 64.479.936.512 byte disponibili
Post-Run: 64.474.873.856 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6DA3DDDFD1E46064FBF5AF061121C2FF

La situazione però non è migliorata....

[crazy.cat]

Segui le istruzioni e i vari tool usati
sicurezza/problema-rootkit-t58559.html

Fai analizzare questo file c:\windows\cadkasdeinst01i.exe sul sito www.virustotal.com e vedi di cosa si tratta.

[Drugo_BG]

il file c:\windows\cadkasdeinst01i.exe è pulito per virus total...
poi ho utilizzato i due tool
- Norman Sinowal Cleaner: mi segnala c:\Programmi\Nero\Nero8\Nero BackItUp\Nero BackItUp_ImageTool\root.img (possible archive bomb) ma penso a un falso positivo no?
- FixMebroot: non ha individuato niente

poi ho scaricato mbr.exe
e infatti

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x899aee40
\Driver\atapi -> 0x8a501790
NDIS: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> 0x899eb800
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

ho utilizzato il comando mbr.exe -f
e forse adex è ok...speriamo
adex sto a vedere...

comunque crazy fra un po' passo al bar mi sa che una birra te la devo offrire...

[crazy.cat]

ti è andata bene allora, ad altri non era riuscito neanche a toglierlo.
In questi giorni è parecchio diffusa questa infezione.