www.MegaLab.it

[Pct]

Salve a tutti.

Sul Netbook con Avira Antivir free regolarmente installato e aggiornato, la mia sorellina è riuscita a beccarsi XP Security (non XP Security center,nè XP Security 2010 nè Total XP Security, si chiama solo XP Security,ma credo sia una variante dei suddetti) che è un rogue. Il simpaticone, oltre a tempestarmi di pop-up e fare le solite cose che fanno i rogue, mi impediva l'avvio di numerosi programmi di sicurezza, tra cui Malwarebytes e google updater. Inoltre , mi impediva di navigare con internet explorer, dicendomi che la navigazione non era sicura ; dopo che ho aperto firefox, me lo ha tolto come browser predefinito, lo ha chiuso e ha ripristinato IE come browser predefinito.

Avira non lo ha riconosciuto nè con la protezione in tempo reale, nè con una scansione completa del sistema (stranamente me l'ha lasciata fare).

Così, ho disinstallato Avira e fatto partire Combofix, che lo ha distrutto in meno di dieci minuti.
Dopodichè, ho dato anche una passata con Ccleaner,ho reinstallato Avira e Malwarebytes, gli ho fatto fare uno scan completo (non ha rilevato infezioni) e ora tutto sembra essere tornato alla normalità... almeno in tutti gli utenti, tranne in quello di mia sorella.

Infatti lei non riesce ad aprire nessun programma; anche all'avvio non parte nessun programma, nemmeno l'antivirus. Qualsiasi cosa prova ad aprire gli chiede con cosa aprirlo; ho provato a dirgli di aprirlo con esplora risorse ma non funziona. (e il bello è che la pulizia l'ho fatta con il mio utente,ma nè nel mio utente nè in quello di mio fratello dà questi problemi )

A questo punto ci siamo ingegnati, e abbiamo notato che se gli diciamo di aprire il programma che vogliamo eseguire, con il programma stesso, riusciamo ad avviare l'applicazione. (per esempio, per avviare firefox, diciamo di aprire firefox con "firefox.exe" ; a quel punto il pc dà un errore e poi apre firefox;stessa cosa anche per tutti gli altri programmi che abbiamo provato)

Qualcuno ha qualche idea su come risolvere? Grazie in anticipo . Questi sono i vari log :

Combofix

ComboFix 10-04-10.02 - Fabry 11/04/2010 22.17.36.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1015.591 [GMT 2:00]
Eseguito da: c:\documents and settings\Fabry\Desktop\Pulizia\Pippofox.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Fabry\Dati applicazioni\Desktopicon
c:\documents and settings\Fabry\Dati applicazioni\Desktopicon\eBay.ico
c:\documents and settings\Fabry\Dati applicazioni\Desktopicon\uninst.exe
c:\documents and settings\Fabry\Impostazioni locali\Dati applicazioni\ave.exe
c:\documents and settings\Silvia\Impostazioni locali\Temporary Internet Files\77aN0n.jpg
c:\documents and settings\Silvia\Impostazioni locali\Temporary Internet Files\qkuyf0C6.jpg
c:\documents and settings\Silvia\Impostazioni locali\Temporary Internet Files\S7C8P.jpg
c:\documents and settings\Silvia\Impostazioni locali\Temporary Internet Files\V1TEJ.jpg
c:\recycler\S-1-5-21-117609710-2025429265-1547161642-1003
c:\recycler\S-1-5-21-1200791401-2173177111-2569383337-1003
c:\recycler\S-1-5-21-3234280684-1396253550-4185536343-1003
c:\recycler\S-1-5-21-55401569-2533582971-3823923958-1003

.
((((((((((((((((((((((((( Files Creati Da 2010-03-11 al 2010-04-11 )))))))))))))))))))))))))))))))))))
.

2013-08-25 23:39 . 2008-08-06 13:51 1200128 -c--a-w- c:\windows\RtlUpd.exe
2013-08-25 23:39 . 2008-06-18 16:01 77824 -c--a-w- c:\windows\SOUNDMAN.EXE
2013-08-25 23:39 . 2007-11-20 16:15 1826816 -c--a-w- c:\windows\SkyTel.exe
2013-08-25 23:39 . 2008-08-12 14:10 4751360 -c--a-w- c:\windows\system32\drivers\RtkHDAud.sys
2013-08-25 23:39 . 2008-06-19 14:27 9715200 -c--a-w- c:\windows\RTLCPL.EXE
2013-08-25 23:39 . 2008-07-31 13:05 16806912 ----a-w- c:\windows\RTHDCPL.EXE
2013-08-25 23:39 . 2013-08-25 23:39 -------- d-----w- c:\programmi\Realtek
2013-08-25 23:39 . 2008-06-19 14:42 2808832 -c--a-w- c:\windows\ALCWZRD.EXE
2013-08-25 23:39 . 2008-06-19 14:20 57344 -c--a-w- c:\windows\ALCMTR.EXE
2013-08-25 23:39 . 2007-06-28 14:44 2165760 -c--a-w- c:\windows\MicCal.exe
2013-08-25 23:39 . 2008-07-29 13:42 528384 -c--a-w- c:\windows\RtlExUpd.dll
2013-08-11 22:34 . 2008-04-14 12:00 221184 -c--a-w- c:\windows\system32\wmpns.dll
2013-08-11 22:33 . 2008-04-13 09:39 5504 -c--a-w- c:\windows\system32\drivers\MSTEE.sys
2013-08-11 22:33 . 2008-04-13 09:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2013-08-11 22:33 . 2008-04-13 09:46 10880 -c--a-w- c:\windows\system32\drivers\NdisIP.sys
2013-08-11 22:33 . 2008-04-13 09:46 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2012-09-12 13:59 . 2012-09-12 13:59 -------- d-----w- c:\programmi\Elantech
2012-09-12 13:59 . 2008-04-08 13:59 10752 -c--a-w- c:\windows\system32\drivers\ASUSACPI.SYS
2012-09-12 13:59 . 2012-09-12 13:59 -------- d-----w- c:\programmi\EeePC
2010-04-11 20:15 . 2010-04-11 20:15 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Google Updater
2010-04-11 20:08 . 2010-04-11 20:08 -------- d-----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\avG
2010-04-11 20:08 . 2010-04-11 20:08 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avG
2010-04-11 18:53 . 2010-04-11 20:05 183808 --sha-w- c:\documents and settings\Fabry\Impostazioni locali\Dati applicazioni\3084326767.dll
2010-04-01 10:06 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-26 19:00 . 2010-03-26 19:00 152576 ----a-w- c:\documents and settings\Fabry\Dati applicazioni\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-26 19:00 . 2010-03-26 19:00 79488 ----a-w- c:\documents and settings\Fabry\Dati applicazioni\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-25 13:49 . 2010-03-25 13:49 -------- d-----w- c:\documents and settings\Fabry\Dati applicazioni\FastStone
2010-03-25 13:49 . 2010-03-25 13:49 -------- d-----w- c:\programmi\FastStone Photo Resizer
2010-03-25 13:34 . 2010-03-25 13:34 -------- d-----w- c:\programmi\XemiComputers
2010-03-25 13:05 . 2010-03-25 13:05 -------- d-----w- c:\documents and settings\Fabry\Impostazioni locali\Dati applicazioni\Real
2010-03-25 13:05 . 2010-03-25 13:05 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-25 13:05 . 2010-03-25 13:05 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-25 13:05 . 2010-03-25 13:05 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-25 13:05 . 2010-03-25 13:05 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-25 13:04 . 2010-03-25 13:05 49152 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-25 13:04 . 2010-03-25 13:04 308808 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-25 13:04 . 2010-03-25 13:04 14848 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-25 13:04 . 2010-03-25 13:04 40960 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-25 13:04 . 2010-03-25 13:04 341600 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-25 13:04 . 2010-03-25 13:04 -------- d-----w- c:\programmi\File comuni\xing shared
2010-03-25 13:03 . 2010-03-25 13:03 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-25 13:03 . 2010-03-25 13:03 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-16 12:49 . 2008-04-13 17:53 14720 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-16 12:49 . 2008-04-13 17:53 14720 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-14 13:53 . 2010-03-14 13:53 443912 ----a-w- c:\documents and settings\Silvia\Dati applicazioni\Real\Update\setup3.10\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-25 23:39 . 2008-08-07 23:26 319488 -c--a-w- c:\windows\HideWin.exe
2010-04-11 20:14 . 2008-12-25 18:02 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2010-04-11 20:07 . 2008-12-25 10:22 -------- d-----w- c:\documents and settings\Fabry\Dati applicazioni\Skype
2010-04-11 19:05 . 2009-10-28 13:20 1 ----a-w- c:\documents and settings\Fabry\Dati applicazioni\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-11 18:37 . 2008-12-25 16:10 -------- d-----w- c:\documents and settings\Fabry\Dati applicazioni\skypePM
2010-04-11 10:22 . 2009-10-24 19:35 1 ----a-w- c:\documents and settings\Silvia\Dati applicazioni\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-06 07:06 . 2008-12-30 14:56 29 -c--a-w- c:\programmi\realmlist.wtf
2010-04-05 10:32 . 2008-12-26 10:14 -------- d-----w- c:\programmi\World of Warcraft
2010-03-31 16:16 . 2008-08-07 04:36 84354 ----a-w- c:\windows\system32\perfc010.dat
2010-03-31 16:16 . 2008-08-07 04:36 489648 ----a-w- c:\windows\system32\perfh010.dat
2010-03-26 19:01 . 2009-04-14 13:19 -------- d-----w- c:\programmi\Java
2010-03-25 15:10 . 2009-03-10 18:38 -------- d-----w- c:\programmi\Unlocker
2010-03-25 13:04 . 2008-12-25 21:34 -------- d-----w- c:\programmi\File comuni\Real
2010-03-25 13:04 . 2008-12-25 21:34 -------- d-----w- c:\programmi\Real
2010-03-22 16:17 . 2008-12-25 15:56 -------- d-----w- c:\documents and settings\Silvia\Dati applicazioni\Skype
2010-03-15 19:25 . 2008-12-25 21:03 -------- d-----w- c:\programmi\Warcraft III
2010-03-04 18:58 . 2010-01-18 14:14 -------- d-----w- c:\programmi\Browser Defender
2010-02-25 06:16 . 2008-08-07 04:36 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 03:31 . 2010-01-18 14:14 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-23 03:31 . 2010-01-18 14:14 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-23 03:31 . 2010-01-18 14:14 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-02-23 03:31 . 2010-01-18 14:14 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-20 18:26 . 2010-02-20 18:19 45056 ----a-w- c:\windows\NCUNINST.EXE
2010-02-20 18:19 . 2010-02-20 18:19 -------- d-----w- c:\programmi\File comuni\SWF Studio
2010-01-16 13:52 . 2009-02-16 14:14 5115824 -c--a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-02 10:27 . 2009-05-02 10:27 309982 -c--a-w- c:\programmi\PC Tools Firewall Plus.rar
2008-05-07 14:34 . 2008-08-08 00:00 15523560 -c--a-w- c:\programmi\U1 Setup.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AsusTray"="c:\programmi\EeePC\ACPI\AsTray.exe" [2008-09-02 106496]
"AsusACPIServer"="c:\programmi\EeePC\ACPI\AsAcpiSvr.exe" [2008-09-02 593920]
"AsusEPCMonitor"="c:\programmi\EeePC\ACPI\AsEPCMon.exe" [2008-05-20 94208]
"ETDWare"="c:\programmi\Elantech\ETDCtrl.exe" [2008-09-03 335872]
"ETDWareDetect"="c:\programmi\Elantech\ETDDect.exe" [2008-08-22 204800]
"VX6000"="c:\windows\vVX6000.exe" [2007-04-10 996712]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Silvia\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 3.1.lnk - c:\programmi\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
SuperHybridEngine.lnk - c:\programmi\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2012-9-12 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonUtilities

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]
2008-08-01 09:35 3213200 ----a-w- d:\programmi\Desktop Maestro\deskmech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 05:07 69632 -c--a-w- c:\programmi\File comuni\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
2010-03-25 13:03 75320 ----a-w- c:\programmi\File comuni\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 03:17 149280 ----a-w- c:\programmi\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-25 13:03 202256 ----a-w- c:\programmi\File comuni\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Dati applicazioni\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\italian\\setup.exe"=
"c:\\Programmi\\Warcraft III\\Warcraft III.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Gruppi peer-to-peer Windows
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Browser Defender Update Service;Browser Defender Update Service;c:\programmi\Browser Defender\BDTUpdateService.exe [18/01/2010 16.14.10 112592]
S3 DfSdkS;Defragmentation-Service;d:\programmi\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [25/02/2009 14.55.04 410976]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [08/08/2008 1.27.42 625024]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [28/12/2008 15.53.11 2385896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contenuto della cartella 'Scheduled Tasks'

2010-04-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2738360652-44338781-3693438867-1007.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-04-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2738360652-44338781-3693438867-1008.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-04-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2738360652-44338781-3693438867-1007.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-04-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2738360652-44338781-3693438867-1008.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = 127.0.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Fabry\Dati applicazioni\Mozilla\Firefox\Profiles\szs7jiu4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - component: c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\programmi\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
AddRemove-eBay Icon - c:\documents and settings\Fabry\Dati applicazioni\Desktopicon\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 22:26
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-2738360652-44338781-3693438867-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:60,88,1e,7f,dc,69,c8,44,1d,93,ee,27,5e,09,28,e7,35,7e,70,9e,30,92,92,
a5,58,3f,d1,a2,25,5f,f2,95,1c,bc,3f,6e,11,7a,66,83,44,dd,15,5f,e0,a5,a7,70,\
"??"=hex:34,d8,63,86,45,46,77,75,3a,5e,8f,55,68,ae,4b,53

[HKEY_USERS\S-1-5-21-2738360652-44338781-3693438867-1007\Software\SecuROM\License information*]
"datasecu"=hex:e7,0c,32,5f,b5,e7,34,85,76,84,b1,2e,79,18,8f,f4,ea,e9,9a,4d,54,
ba,da,6e,dc,35,48,ae,77,02,9a,5b,c7,8f,de,cb,bc,d7,71,00,0b,74,2f,2a,73,fe,\
"rkeysecu"=hex:cf,fa,58,0e,28,1b,ad,24,eb,01,b3,2d,bb,0e,4e,51
.
Ora fine scansione: 2010-04-11 22:28:50
ComboFix-quarantined-files.txt 2010-04-11 20:28

Pre-Run: 7.183.077.376 byte disponibili
Post-Run: 8.847.933.440 byte disponibili

- - End Of File - - 47733CED6468FE48CB89D8A29D2E4487

Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.57.58, on 12/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\Browser Defender\BDTUpdateService.exe
C:\Programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\EeePC\ACPI\AsTray.exe
C:\Programmi\EeePC\ACPI\AsAcpiSvr.exe
C:\Programmi\EeePC\ACPI\AsEPCMon.exe
C:\Programmi\Elantech\ETDCtrl.exe
C:\Programmi\Elantech\ETDDect.exe
C:\WINDOWS\vVX6000.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Fabry\Desktop\Pulizia\Dirottatiquesto.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Programmi\Browser Defender\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Programmi\Browser Defender\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusTray] C:\Programmi\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Programmi\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Programmi\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [ETDWare] C:\Programmi\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [ETDWareDetect] C:\Programmi\Elantech\ETDDect.exe
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: SuperHybridEngine.lnk = ?
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/Messenger ... 109791.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/Messenger ... E_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Programmi\Browser Defender\BDTUpdateService.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - D:\Programmi\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe

--
End of file - 7813 bytes

Malwarebytes e Avira non hanno rilevato infezioni, quindi non li allego.

[Berga95]

Certo... il virus ha modificato questa chiave di registro:

Codice: Seleziona tutto

HKCR\exefile\shell\open\command(Default)

Adesso cerco come fare a modificarlo senza un exe (regedit è un exe)...
Vedo come si fa un file reg e te lo scrivo...
( fonti: topic63545.html)

EDIT: È giusto così? (mi rivolgo ad admin/redattori/mod)

Codice: Seleziona tutto

REGEDIT 4

[HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)]
"(Default)"=dword:%1 %*

Tutto in un file *.reg...

[Pct]

Ok, grazie! Allora aspetto la conferma che sia corretto ?

[Berga95]

Sì, siccome io non lavoro molto con questi tipi di file, non so se ho compilato questo script bene...
Piuttosto spero di avere avuto l'intuizione giusta... Bye

[Palpas]

ciao, la via migliore è quella indicata da Berga95, comunque ti consiglio di ripristinare tutta la chiave exefile.
Ti ho allegato il file, prima di aprirlo cambia l'estensione da zip a reg
(MLI non permette di allegare file reg)

[Pct]

OK, grazie mille a tutti , ora provo a vi faccio sapere!

[Pct]

Niente, non ha funzionato purtroppo .. avete qualche altra idea?

[crazy.cat]

Prova a usare questo
http://www.wikifortio.com/557394/xp_exe_fix.reg

[Pct]

Grande Crazy , ha funzionato !! Grazie mille!
Grazie anche a tutti gli altri per l'aiuto

[Berga95]

Bello quel file, crazy.cat... praticamente è un file che fixa tutti i vari valori/stringhe/ecc... più utilizzate dai virus per un'azione di questo genere... L'hai fatto te?
EDIT: sto dando un'occhiata con il blocco note

[crazy.cat]

L'hai fatto te?

No.
Trovato su un sito estero (mi sono dimenticato di mettere il loro link)