www.MegaLab.it

[Uomo_Senza_Sonno]

Salve ragazzi, da due giorni sto notando dei rallentamenti improvvisi al pc, inizialmente pensavo che fossero dovuti all'eccessivo numero di donwloads prensenti in emule, ma mi sto ricredendo piano piano... nei controlli preliminari, ho eseguito una scansione con HJT (riporto il log)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.34.58, on 30/04/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Yzshadow\YzShadow.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 65.75.216.6 http://www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.54 http://www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O1 - Hosts: 65.75.216.6 winmx-com.winmxgroup.com winmx-com-v30.winmxgroup.com
O1 - Hosts: 205.238.40.54 winmx-com.winmxgroup.com winmx-com-v30.winmxgroup.com
O1 - Hosts: 65.75.216.6 test0.winmxgroup.net test5.winmxgroup.net
O1 - Hosts: 65.75.216.7 test1.winmxgroup.net test6.winmxgroup.net
O1 - Hosts: 82.43.229.238 test2.winmxgroup.net
O1 - Hosts: 205.238.40.1 test3.winmxgroup.net
O1 - Hosts: 205.238.40.2 test4.winmxgroup.net
O1 - Hosts: 65.75.216.6 cache0.winmxgroup.com cache5.winmxgroup.com cache0.winmxgroup.net cache5.winmxgroup.net cache10.winmxgroup.net cache15.winmxgroup.net
O1 - Hosts: 65.75.216.7 cache1.winmxgroup.com cache6.winmxgroup.com cache1.winmxgroup.net cache6.winmxgroup.net cache11.winmxgroup.net cache16.winmxgroup.net
O1 - Hosts: 82.43.229.238 cache2.winmxgroup.com cache7.winmxgroup.com cache2.winmxgroup.net cache7.winmxgroup.net cache12.winmxgroup.net cache17.winmxgroup.net
O1 - Hosts: 205.238.40.1 cache3.winmxgroup.com cache8.winmxgroup.com cache3.winmxgroup.net cache8.winmxgroup.net cache13.winmxgroup.net cache18.winmxgroup.net
O1 - Hosts: 205.238.40.2 cache4.winmxgroup.com cache9.winmxgroup.com cache4.winmxgroup.net cache9.winmxgroup.net cache14.winmxgroup.net cache19.winmxgroup.net
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Programmi\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: YzShadow.lnk = C:\Programmi\Yzshadow\YzShadow.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: YzShadow.lnk = C:\Programmi\Yzshadow\YzShadow.exe (User 'Default user')
O4 - Startup: YzShadow.lnk = C:\Programmi\Yzshadow\YzShadow.exe
O8 - Extra context menu item: Aggiungi a PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmi\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\programmi\vmware\vmware player\vsocklib.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 12418 bytes

poi ho controllato l'MBR con mbr.exe e non rileva nulla di che (MBR & Kernel OK)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

più che altro ho trovato qualcosa di interessante con HxD, nei settori intermedi dell'MBR del primo disco, gli altri sono puliti (riporto settori 0, 1, 31, 32, 33, 60, 61, 62, 63 in log per comodità)
Settori iniziali

Settori intermedi

Settori finali

Il mio dubbio è il seguente: dal momento che i primissimi sintomi di infezione sono improvvisi rallentamenti dei programmi, vorrei capire se l'MBR di questo disco è pulito o meno, per agire, nel caso, di conseguenza.
1000 come sempre per il supporto

[Berga95]

Tutti gli O1 (appartenenti al file hosts) sono da eliminare...
Per il resto il log di HJT è pulito...
Aspetta qualcun'altro, ma se noti solamente rallentamenti è per il grande numero di siti contenuti in quel file, che rallentano la navigazione (secondo me pensare a un virus nell'MBR adesso è un po' pessimistico )

[stevens]

bisognera' vedere se una volta eliminate le 01 poi winmx funge.......

[Berga95]

Ehm... scusate la mia ignoranza... cos'è winmx?
EDIT: tramite wiki, ho scoperto che riguarda qualcosa con il filesharing

[Uomo_Senza_Sonno]

Winmx diciamo è il predecessore di emule... comparso dopo la chiusura di Napster (mi pare di aver fatto il corretto quadro cronologico), si è dimostrato una validissima alternativa per il filesharing. In tutti i casi, le voci nel file hosts servono proprio a far funzionare winmx, ci sono dalla sua installazione e fino a due giorni fa il pc non mostrava rallentamenti. Aspetterò che venga esaminato l'MBR, anche perché quando il mio portatile ha iniziato a presentare rallentamenti simili tempo fa, erano dovuti alla presenza di un rootkit nell'MBR.

[stevens]

Uomo_Senza_Sonno fai un controllo con combofix

disattiva momentaneamente l'antivirus e avvialo dal desktop

digita 1
- segui le instruzioni
- finita la scansione portati in C:\ e copia/incolla, nella tua prossima risposta, il contenuto del file di testo Combofix.txt

-
-

[Uomo_Senza_Sonno]

allora ho visto giusto...

ComboFix 10-04-30.03 - ____neo____ 01/05/2010 11.11.49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.3582.3174 [GMT 2:00]
Eseguito da: c:\documents and settings\____neo____\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-14EF-9D7C08000A00}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\WindowsUpdate
c:\windows\system32\kernel1.exe
c:\windows\system32\vmnat.exe

.
((((((((((((((((((((((((( Files Creati Da 2010-04-01 al 2010-05-01 )))))))))))))))))))))))))))))))))))
.

2010-05-01 09:07 . 2010-05-01 09:07 397824 ----a-w- c:\windows\system32\CF22019.exe
2010-04-30 13:34 . 2010-04-30 13:34 -------- d-----w- c:\programmi\Trend Micro
2010-04-30 13:29 . 2010-04-30 13:29 -------- d-----w- c:\documents and settings\____neo____\Dati applicazioni\Mael
2010-04-30 13:24 . 2010-04-30 13:24 -------- d-----w- c:\programmi\HxD
2010-04-30 13:19 . 2010-04-30 13:19 -------- d-----w- c:\programmi\MyDefrag v4.2.6
2010-04-28 13:34 . 2010-04-28 13:34 -------- d--h--w- c:\windows\$hf_mig$
2010-04-27 16:35 . 2010-04-27 17:17 -------- d-----w- c:\documents and settings\____neo____\Dati applicazioni\VMware
2010-04-27 16:34 . 2010-01-22 15:13 59952 ----a-r- c:\windows\system32\vnetinst.dll
2010-04-27 16:34 . 2010-01-22 15:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2010-04-27 16:33 . 2010-01-22 19:56 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2010-04-27 16:33 . 2010-01-22 19:57 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2010-04-27 16:33 . 2010-01-22 15:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
2010-04-27 16:33 . 2010-01-22 19:57 760368 ----a-w- c:\windows\system32\vnetlib.dll
2010-04-27 16:33 . 2010-01-22 19:57 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2010-04-27 16:33 . 2010-04-28 15:53 -------- d-----w- c:\documents and settings\LocalService\Dati applicazioni\VMware
2010-04-27 16:32 . 2010-04-27 16:32 -------- d-----w- c:\programmi\Common Files
2010-04-27 16:32 . 2010-04-28 13:41 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\VMware
2010-04-27 16:32 . 2010-04-27 16:32 -------- d-----w- c:\programmi\VMware
2010-04-09 10:47 . 2010-05-01 09:20 -------- d-----w- c:\programmi\File comuni\Akamai

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 09:07 . 2009-11-24 13:49 -------- d-----w- c:\documents and settings\____neo____\Dati applicazioni\TeraCopy
2010-04-30 18:26 . 2010-02-27 03:09 -------- d-----w- c:\programmi\EA GAMES
2010-04-30 17:04 . 2009-12-02 16:24 -------- d-----w- c:\programmi\eMule
2010-04-30 14:23 . 2009-11-25 21:14 -------- d-----w- c:\programmi\Mozilla Thunderbird
2010-04-28 12:20 . 2009-12-03 19:52 -------- d-----w- c:\documents and settings\____neo____\Dati applicazioni\phonostar-Player
2010-04-27 16:34 . 2010-04-27 16:34 909320 ----a-w- c:\documents and settings\All Users\Dati applicazioni\VMware\VMware Player\Uninstaller\uninstall.exe
2010-04-27 16:32 . 2004-08-30 20:00 80502 ----a-w- c:\windows\system32\perfc010.dat
2010-04-27 16:32 . 2004-08-30 20:00 481492 ----a-w- c:\windows\system32\perfh010.dat
2010-04-27 16:31 . 2010-04-27 16:34 569344 ----a-w- c:\documents and settings\All Users\Dati applicazioni\VMware\VMware Player\Uninstaller\module_core.dll
2010-04-27 16:31 . 2010-04-27 16:34 331776 ----a-w- c:\documents and settings\All Users\Dati applicazioni\VMware\VMware Player\Uninstaller\module_ws.dll
2010-04-27 16:31 . 2010-04-27 16:34 760368 ----a-w- c:\documents and settings\All Users\Dati applicazioni\VMware\VMware Player\Uninstaller\vnetlib.dll
2010-04-27 16:31 . 2010-04-27 16:34 703024 ----a-w- c:\documents and settings\All Users\Dati applicazioni\VMware\VMware Player\Uninstaller\vnetlib.exe
2010-04-27 16:31 . 2010-04-27 16:34 958000 ----a-w- c:\documents and settings\All Users\Dati applicazioni\VMware\VMware Player\Uninstaller\vnetlib64.dll
2010-04-27 16:31 . 2010-04-27 16:34 922672 ----a-w- c:\documents and settings\All Users\Dati applicazioni\VMware\VMware Player\Uninstaller\vnetlib64.exe
2010-04-27 16:31 . 2010-04-27 16:34 731696 ----a-w- c:\documents and settings\All Users\Dati applicazioni\VMware\VMware Player\Uninstaller\vminstutil.dll
2010-04-19 08:56 . 2009-11-25 20:29 1009792 ----a-w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
2010-04-16 23:54 . 2009-11-25 18:01 -------- d-----w- c:\programmi\File comuni\Adobe
2010-04-14 22:42 . 2009-12-03 17:45 -------- d-----w- c:\programmi\Google
2010-04-09 10:37 . 2009-12-03 13:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Autodesk
2010-04-09 10:37 . 2009-12-03 13:11 -------- d-----w- c:\documents and settings\____neo____\Dati applicazioni\Autodesk
2010-03-11 20:00 . 2010-03-11 19:45 -------- d-----w- c:\programmi\WinTV
2010-03-11 19:47 . 2010-03-11 19:47 -------- d-----w- c:\programmi\File comuni\IviSDK
2010-03-11 19:47 . 2009-11-23 01:38 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-03-10 16:18 . 2010-02-26 15:17 -------- d-----w- c:\programmi\SMSSplitter
2010-03-09 14:51 . 2010-03-09 14:27 -------- d-----w- c:\programmi\Samsung
2010-03-09 14:29 . 2010-02-24 14:49 -------- d-----w- c:\documents and settings\____neo____\Dati applicazioni\Samsung
2010-03-09 14:29 . 2010-03-09 14:29 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PC Suite
2010-03-09 14:29 . 2010-03-09 14:29 -------- d-----w- c:\documents and settings\____neo____\Dati applicazioni\PC Suite
2010-03-09 14:27 . 2010-03-09 14:27 -------- d-----w- c:\programmi\MSXML 4.0
2010-03-09 14:27 . 2010-02-24 14:43 -------- d-----w- c:\programmi\DIFX
2010-03-09 14:27 . 2010-03-09 14:27 -------- d-----w- c:\programmi\PC Connectivity Solution
2010-03-09 14:26 . 2010-03-09 14:26 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Installations
2010-03-08 19:37 . 2010-03-08 19:37 -------- d-----w- c:\programmi\Avira
2010-03-08 19:37 . 2010-03-08 19:37 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2010-03-08 19:26 . 2009-11-25 22:51 -------- d-----w- c:\programmi\Kaspersky Lab
2010-03-08 19:26 . 2009-11-25 22:51 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2010-03-08 19:26 . 2009-11-25 22:49 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2010-02-27 03:49 . 2010-02-27 03:48 249856 ------w- c:\windows\Setup1.exe
2010-02-27 03:49 . 2010-02-27 03:48 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-02-25 21:34 . 2010-02-25 21:34 720896 ----a-w- c:\windows\iun6002.exe
2010-02-25 17:26 . 2010-02-25 17:26 503808 ----a-w- c:\documents and settings\____neo____\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-68810198-n\msvcp71.dll
2010-02-25 17:26 . 2010-02-25 17:26 499712 ----a-w- c:\documents and settings\____neo____\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-68810198-n\jmc.dll
2010-02-25 17:26 . 2010-02-25 17:26 348160 ----a-w- c:\documents and settings\____neo____\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-68810198-n\msvcr71.dll
2010-02-25 17:26 . 2010-02-25 17:26 61440 ----a-w- c:\documents and settings\____neo____\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7388beda-n\decora-sse.dll
2010-02-25 17:26 . 2010-02-25 17:26 12800 ----a-w- c:\documents and settings\____neo____\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7388beda-n\decora-d3d.dll
2010-02-25 17:23 . 2010-02-25 17:23 152576 ----a-w- c:\documents and settings\____neo____\Dati applicazioni\Sun\Java\jre1.6.0_16\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\programmi\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-30 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-30 110592]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-30 15360]

c:\documents and settings\____neo____\Menu Avvio\Programmi\Esecuzione automatica\
YzShadow.lnk - c:\programmi\Yzshadow\YzShadow.exe [2009-11-23 151552]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\programmi\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Acrobat.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Acrobat.lnk
backup=c:\windows\pss\Avvio veloce di Adobe Acrobat.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-22 22:24 620152 ----a-w- c:\programmi\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\programmi\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-10-28 15:25 94208 ----a-w- c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhonostarTimer]
2007-06-18 15:59 126976 ----a-w- c:\programmi\phonostar\ps_timer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 14:57 282624 ----a-w- c:\programmi\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 14:21 246504 ----a-w- c:\programmi\File comuni\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-03 17:10 185896 ----a-w- c:\programmi\File comuni\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2010-01-22 19:56 64048 ----a-w- c:\programmi\VMware\VMware Player\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"VMUSBArbService"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"mi-raysat_3dsMax2009_32"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\manager.exe"=
"c:\\Programmi\\Autodesk\\Backburner\\server.exe"=
"c:\\Programmi\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\VMware\\VMware Player\\vmware-authd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1032:TCP"= 1032:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [25/11/2009 19.44.37 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [25/11/2009 19.44.37 5248]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [30/08/2004 22.00.00 14336]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [25/11/2009 19.33.34 243200]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22/01/2010 21.57.54 70704]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [03/12/2009 19.49.58 135664]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [11/03/2010 21.42.30 487424]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\drivers\hcw95rc.sys [11/03/2010 21.42.30 15488]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\programmi\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [10/03/2008 1.04.52 65536]
S4 VMUSBArbService;VMware USB Arbitration Service;c:\programmi\Common Files\VMware\USB\vmware-usbarbitrator.exe [22/01/2010 21.00.48 563760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contenuto della cartella 'Scheduled Tasks'

2010-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2006-08-29 13:21]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-12-03 17:49]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-12-03 17:49]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.tiscali.it/
uInternet Settings,ProxyOverride = local
IE: Aggiungi a PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti destinazione link in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\programmi\VMware\VMware Player\vsocklib.dll
FF - ProfilePath - c:\documents and settings\____neo____\Dati applicazioni\Mozilla\Firefox\Profiles\smd0zhxh.default\
FF - prefs.js: browser.startup.homepage - http://www.tiscali.it
FF - component: c:\programmi\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- Associazioni dei file -------
.
.scr=AutoCADScriptFile
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Notify-dimsntfy - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-01 11:20
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A0A9AE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bfc3
\Driver\ACPI -> ACPI.sys @ 0xf758bcb8
\Driver\atapi -> 0x8a0a9ae8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7848ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7855b21
SendHandler -> NDIS.sys @ 0xf783387b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Programmi/File comuni/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Programmi/File comuni/Akamai/rswin_3653.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\programmi\File comuni\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1596)
c:\programmi\Yzshadow\YzShadow.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\TGTSoft\StyleXP\StyleXPService.exe
c:\programmi\Avira\AntiVir Desktop\sched.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\programmi\Avira\AntiVir Desktop\avguard.exe
c:\windows\ATKKBService.exe
c:\programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Ora fine scansione: 2010-05-01 11:28:24 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-05-01 09:28

Pre-Run: 34.564.595.712 byte disponibili
Post-Run: 34.418.409.472 byte disponibili

- - End Of File - - 44A74CD70169D500EB3C2E5D5EEC6274

[stevens]

analizza su virus total questo file, non lo conosco

C:/Programmi/File comuni/Akamai/rswin_3653.dll"

[Uomo_Senza_Sonno]

Possibile che sia sovraccarico il sito?

[stevens]

si e' possibile

prova ad analizzarlo qui

nel frattempo fai una scansione con prevx vedi se rileva qualcosa ma per ora non rimuovere niente - posta il risultato

[Uomo_Senza_Sonno]

Su Jotti non ha rilevato nulla (questo è il risultato della scansione)... ora aspetto il risultato su virustotal che finalmente è tornato disponibile.. ad ogni modo è un download manager che probabilmente è stato installato per scaricare la demo di autocad 2011 (infatti nella cartella c'è ancora il file *.part dell'eseguibile di autocad2011)

Risultato di Virustotal

[stevens]

esegui la scansione con prevx

lancia poi drweb cureit

Doppio click su cureit.exe e clicca sull'opzione "Avvia" ti chiederà se vuoi effettuare un controllo rapido rispondi SI(Ok)
Finita la scansione, metti il puntino nella casella "completa scansione" clicca sul tasto "Play" per far partire la scansione, se trova qualcosa di infetto hai la possibilità di rimuoverlo subito oppure a fine scansione, finita la scansione fai rimuovere gli elementi infetti, salva il report di fine scansione clicca su File>Salva lista report, poi posta il report che hai salvato

[Trinità]

OT

allora ho visto giusto...
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\WindowsUpdate

Oggi, in tutti i PC dove ho utilizzato combofix mi ha eliminato WindowsUpdate, spero non sia qualche bug...
/OT

[Uomo_Senza_Sonno]

PrevX non ha trovato nulla come prevedevo... riporto in allegato il log..

Per quanto riguarda drweb, non ha trovato nulla ma ha iniziato a riportare un immediato crash di sistema al suo avvio. Questo quando ho riavviato il programma, perché prima ha avviato la sua scansione normalmente, e dopo 8 ore di scansione non ha rilevato nulla. A questo punto aspetto che venga controllato l'MBR.

a tutti per l'interessamento

[stevens]

se curelt non ha trovato niente dubito che il tuo M.B.R. sia infetto

comunque facciamo la solita scansione per precauzione

da provvisoria ripeti le scansioni con mbr.exe

Da Start - Esegui - digita C:\mbr.exe e dopo aver copiato il risultato fai C:\mbr.exe -f (fai copia\incolla per non sbagliare

se vuoi una risposta in piu' esegui Norman SinowalMBR Cleaner

Avvia il pc in modalità provvisoria.

Doppio click sull'icona di Norman SinowalMBR Cleaner.exe

Clicca su Accept >>> poi su start scan

Al termine della scansione, viene generato un log sul desktop chiamandolo NFix_2008-MM-GG_hh-mm-ss.logp

posta i rapporti

[Uomo_Senza_Sonno]

Questo è il responso di mbr.exe

Codice: Seleziona tutto

start mbr.exe

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

e questo è l'output di questo comando

Codice: Seleziona tutto

start mbr.exe -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Praticamente identici... Prima di procedere ed editare manualmente eventuali settori infetti seguendo la procedura scritta in questo post preferisco aspettare, adesso sembra che tutto sia in normalità..

a tutti per l'interessamento e l'aiuto

[stevens]

non stuzzicarlo troppo quel pc, l'M.B.R. sembra a posto

con la visualizzazione dei file nascosti attiva elimina questo file >>> c:\windows\system32\CF22019.exe

disinstalla combofix con OTC by OldTimer

eseguilo
Clicca su CleanUp.
Alla richiesta di riavvio clicca SI

fai pulizia con ccleaner e se tutto va bene naviga un po' e vedi come va

[naploli]

[LOG]ComboFix 10-04-30.03 - Tommy 02/05/2010 13.08.32.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.510.217 [GMT 2:00]
Eseguito da: c:\documents and settings\Tommy\Desktop\ComboFix.exe
AV: AVG Internet Security 3-pack *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\WindowsUpdate
c:\windows\system32\Ijl11.dll

.
((((((((((((((((((((((((( Files Creati Da 2010-04-02 al 2010-05-02 )))))))))))))))))))))))))))))))))))
.

2010-05-01 16:55 . 2009-08-06 17:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-01 16:55 . 2009-08-06 17:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-01 14:44 . 2010-05-01 14:44 -------- d-----w- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\WMTools Downloaded Files
2010-05-01 14:22 . 2010-05-01 15:38 -------- d-----w- c:\documents and settings\Tommy\Tracing
2010-05-01 14:21 . 2010-05-01 14:21 -------- d-----w- c:\programmi\Microsoft
2010-05-01 14:21 . 2010-05-01 14:21 -------- d-----w- c:\programmi\Windows Live SkyDrive
2010-05-01 14:20 . 2010-05-01 14:21 -------- d-----w- c:\programmi\Windows Live
2010-05-01 14:11 . 2010-05-01 14:11 -------- d-----w- c:\programmi\File comuni\Windows Live
2010-05-01 14:11 . 2010-05-01 14:22 14248 ----a-w- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-04-29 21:57 . 2010-05-01 23:32 -------- d-----w- c:\documents and settings\Tommy\Dati applicazioni\vlc
2010-04-29 21:55 . 2010-04-29 21:55 -------- d-----w- c:\programmi\VideoLAN
2010-04-25 20:18 . 2010-04-25 20:18 -------- d-----w- c:\windows\Sun
2010-04-25 20:17 . 2010-04-25 20:17 -------- d-----w- c:\programmi\File comuni\Java
2010-04-25 20:17 . 2010-04-25 20:17 503808 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5afadc01-n\msvcp71.dll
2010-04-25 20:17 . 2010-04-25 20:17 499712 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5afadc01-n\jmc.dll
2010-04-25 20:17 . 2010-04-25 20:17 348160 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5afadc01-n\msvcr71.dll
2010-04-25 20:17 . 2010-04-25 20:17 61440 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6238d18e-n\decora-sse.dll
2010-04-25 20:17 . 2010-04-25 20:17 12800 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6238d18e-n\decora-d3d.dll
2010-04-25 20:16 . 2010-04-25 20:16 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-25 20:16 . 2010-04-25 20:16 -------- d-----w- c:\programmi\Java
2010-04-22 19:26 . 2010-04-22 19:26 -------- d-sh--w- c:\documents and settings\Tommy\PrivacIE
2010-04-22 19:21 . 2010-04-22 19:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-22 19:21 . 2010-04-22 19:21 -------- d-sh--w- c:\documents and settings\Tommy\IETldCache
2010-04-22 19:18 . 2010-02-25 06:16 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-22 19:18 . 2010-02-25 06:16 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-22 19:18 . 2010-02-25 06:16 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-22 19:18 . 2010-02-25 06:16 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-04-22 19:18 . 2010-02-25 06:16 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-22 19:18 . 2010-02-25 09:46 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-04-22 19:18 . 2010-04-24 16:17 -------- d-----w- c:\windows\ie8updates
2010-04-22 19:17 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-22 19:13 . 2010-04-22 19:16 -------- dc-h--w- c:\windows\ie8
2010-04-22 18:39 . 2010-04-22 18:39 360584 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgtdix.sys
2010-04-22 18:39 . 2010-04-22 18:39 28424 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgmfx86.sys
2010-04-22 18:39 . 2010-04-22 18:39 74760 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\UniversalDD.sys
2010-04-22 18:39 . 2010-04-22 18:39 30216 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\AVGIDSFilter.sys
2010-04-22 18:39 . 2010-04-22 18:39 25736 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\AVGIDSShim.sys
2010-04-22 18:39 . 2010-04-22 18:39 25608 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\AVGIDSxx.sys
2010-04-22 18:39 . 2010-04-22 18:39 122376 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\AVGIDSDriver.sys
2010-04-22 18:39 . 2010-04-22 18:39 333192 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgldx86.sys
2010-04-22 18:39 . 2010-04-22 18:39 161800 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgrkx86.sys
2010-04-22 18:38 . 2010-04-22 18:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-22 18:25 . 2010-04-22 18:14 1007896 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgupd.exe
2010-04-22 18:25 . 2010-04-22 18:14 1658136 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgupd.dll
2010-04-22 18:25 . 2010-04-22 18:14 613656 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avgiproxy.exe
2010-04-22 18:25 . 2010-04-22 18:14 800536 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg9\update\backup\avginet.dll
2010-04-22 18:15 . 2010-04-22 18:42 -------- d-----w- C:\$AVG
2010-04-22 18:14 . 2010-04-22 18:38 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-22 18:14 . 2010-04-22 18:14 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg9
2010-04-22 18:13 . 2010-04-22 18:13 -------- d-----w- c:\windows\SxsCaPendDel
2010-04-22 18:07 . 2010-01-25 13:28 3777816 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Temp\AVG\setup.exe
2010-04-22 18:07 . 2010-04-22 18:07 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Temp
2010-04-22 10:10 . 2008-03-28 08:07 20992 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Convivea\Bit_Che\languages\compare.exe
2010-04-22 10:10 . 2010-04-22 10:10 -------- d-----w- c:\documents and settings\Tommy\Dati applicazioni\Convivea
2010-04-22 10:10 . 2009-04-10 16:40 118784 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Convivea\Bit_Che\scripts\x.exe
2010-04-22 10:10 . 2008-03-28 08:02 60928 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Convivea\Bit_Che\scripts\update.exe
2010-04-22 10:10 . 2007-07-11 17:43 24557 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Convivea\Bit_Che\scripts\special.exe
2010-04-22 10:10 . 2003-08-19 03:06 80896 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\Convivea\Bit_Che\scripts\x.dll
2010-04-22 10:10 . 2010-04-22 10:10 -------- d-----w- c:\programmi\Bit Che
2010-04-22 09:54 . 2010-05-01 21:36 -------- d-----w- c:\programmi\uTorrent
2010-04-22 09:54 . 2010-04-22 09:54 -------- d-----w- c:\programmi\Conduit
2010-04-22 09:54 . 2010-04-22 09:54 -------- d-----w- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\Conduit
2010-04-22 09:54 . 2010-04-26 18:49 -------- d-----w- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\Softonic-IT
2010-04-22 09:54 . 2010-04-22 10:02 -------- d-----w- c:\programmi\Softonic-IT
2010-04-22 09:53 . 2010-05-02 11:10 -------- d-----w- c:\documents and settings\Tommy\Dati applicazioni\uTorrent
2010-04-22 09:50 . 2010-04-22 09:51 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\DivX
2010-04-22 08:03 . 2010-04-28 18:14 -------- d-----w- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\Temp
2010-04-22 08:03 . 2010-04-22 08:05 -------- d-----w- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\Google
2010-04-22 08:00 . 2010-02-17 12:05 2193664 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-04-22 08:00 . 2010-02-16 19:05 2149888 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-04-22 08:00 . 2010-02-16 19:05 2028032 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-04-22 07:57 . 2008-06-14 17:32 272768 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-22 07:57 . 2008-06-14 17:32 272768 ------w- c:\windows\system32\drivers\bthport.sys
2010-04-21 17:57 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-21 15:20 . 2010-04-21 15:20 -------- d-----w- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\Ahead
2010-04-21 15:18 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-21 15:17 . 2010-04-21 15:17 -------- d-----w- c:\documents and settings\Tommy\Dati applicazioni\Ahead
2010-04-21 15:15 . 2010-04-21 15:15 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Nero
2010-04-21 15:15 . 2010-04-21 15:17 -------- d-----w- c:\programmi\File comuni\Ahead
2010-04-21 15:15 . 2010-04-21 15:15 -------- d-----w- c:\programmi\Nero
2010-04-21 15:06 . 2010-04-22 18:38 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-21 14:56 . 2010-04-22 18:38 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-21 14:55 . 2010-04-22 18:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-21 14:55 . 2010-04-22 18:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-21 14:55 . 2010-05-02 10:49 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-21 14:55 . 2010-04-22 18:14 -------- d-----w- c:\programmi\AVG
2010-04-21 07:55 . 2009-01-07 16:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-04-21 07:55 . 2010-05-01 17:02 -------- d--h--w- c:\windows\$hf_mig$
2010-04-20 18:22 . 2010-04-20 18:22 -------- d-sh--w- c:\documents and settings\Tommy\UserData
2010-04-20 18:08 . 2008-10-21 03:16 465152 ----a-r- c:\windows\system32\drivers\rt73.sys
2010-04-20 18:06 . 2006-05-24 11:36 110592 ----a-w- c:\documents and settings\Tommy\Dati applicazioni\U3\temp\cleanup.exe
2010-04-20 18:05 . 2010-04-20 18:05 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Office Genuine Advantage
2010-04-20 17:58 . 2010-04-20 17:58 -------- d-----w- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\Help
2010-04-20 17:52 . 2002-09-12 15:29 6016 ----a-w- c:\windows\system32\ntsim.sys
2010-04-20 17:52 . 2008-04-13 09:45 6272 -c--a-w- c:\windows\system32\dllcache\splitter.sys
2010-04-20 17:52 . 2008-04-13 09:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-04-20 17:52 . 2008-04-13 10:17 83072 -c--a-w- c:\windows\system32\dllcache\wdmaud.sys
2010-04-20 17:52 . 2008-04-13 10:17 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-04-20 17:49 . 2010-04-20 17:49 -------- d-----w- c:\windows\Drivers
2010-04-20 17:49 . 2010-04-20 17:49 -------- d-----w- c:\programmi\WLAN a+b+g mini-PCI module
2010-04-20 17:47 . 2003-03-26 05:27 59392 ------w- c:\windows\system32\agrsmdel.exe
2010-04-20 17:46 . 2010-04-20 17:46 -------- d-----w- c:\windows\Options
2010-04-20 17:45 . 2010-04-20 17:46 -------- d-----w- c:\programmi\ATI Technologies
2010-04-20 17:45 . 2010-04-20 17:55 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-04-20 17:45 . 2010-04-20 17:49 -------- d-----w- c:\programmi\File comuni\InstallShield
2010-04-20 17:44 . 2010-04-20 17:44 -------- d-----w- c:\documents and settings\Tommy\Bluetooth Software
2010-04-20 17:40 . 2010-04-20 17:40 -------- d-----w- c:\programmi\VIA
2010-04-20 17:40 . 2002-12-27 02:41 26880 ----a-w- c:\windows\system32\drivers\VIAAGP1.SYS
2010-04-20 17:40 . 1998-10-29 14:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-04-20 17:23 . 2001-08-30 18:41 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-04-20 17:23 . 2001-08-30 18:41 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-04-20 17:23 . 2008-04-13 09:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-04-20 17:23 . 2008-04-13 09:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-04-20 17:21 . 2010-04-21 15:09 -------- d-----w- c:\documents and settings\Tommy\Dati applicazioni\U3
2010-04-20 17:21 . 2008-04-13 09:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 17:40 . 2004-08-30 20:00 48012 ----a-w- c:\windows\system32\perfc010.dat
2010-04-24 17:40 . 2004-08-30 20:00 345620 ----a-w- c:\windows\system32\perfh010.dat
2010-04-21 19:25 . 2010-04-19 17:35 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-20 17:51 . 2010-04-20 17:51 -------- d-----w- c:\programmi\Realtek Sound Manager
2010-04-20 17:51 . 2010-04-20 17:51 -------- d-----w- c:\programmi\AvRack
2010-04-19 17:36 . 2010-04-19 17:36 -------- d-----w- c:\programmi\microsoft frontpage
2010-04-19 17:34 . 2010-04-19 17:34 -------- d-----w- c:\programmi\Servizi in linea
2010-04-19 17:31 . 2010-04-19 17:31 21840 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-10 06:15 . 2008-04-13 17:13 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:16 . 2008-04-13 17:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-13 10:17 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 12:05 . 2008-04-13 16:55 2193664 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:05 . 2008-04-13 18:55 2070528 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-13 17:13 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-13 10:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

------- Sigcheck -------

[-] 2008-06-20 . 3316C8A8EC07A9D4C0BE10310809A9E5 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e3393495-8103-46a0-8181-270273eddd60}"= "c:\programmi\Softonic-IT\tbSoft.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{e3393495-8103-46a0-8181-270273eddd60}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3393495-8103-46a0-8181-270273eddd60}]
2010-03-17 13:45 2355224 ----a-w- c:\programmi\Softonic-IT\tbSoft.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e3393495-8103-46a0-8181-270273eddd60}"= "c:\programmi\Softonic-IT\tbSoft.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{e3393495-8103-46a0-8181-270273eddd60}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E3393495-8103-46A0-8181-270273EDDD60}"= "c:\programmi\Softonic-IT\tbSoft.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{e3393495-8103-46a0-8181-270273eddd60}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"Google Update"="c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2010-04-22 136176]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2010-05-01 321328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-01 88267]
"SoundMan"="SOUNDMAN.EXE" [2003-05-14 55296]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-22 18:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [22/04/2010 20.14.47 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [21/04/2010 17.06.43 52872]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21/04/2010 16.55.59 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [21/04/2010 16.56.04 242896]
R2 avg9emc;AVG E-mail Scanner;c:\programmi\AVG\AVG9\avgemc.exe [22/04/2010 20.38.25 916760]
R2 avg9wd;AVG WatchDog;c:\programmi\AVG\AVG9\avgwdsvc.exe [22/04/2010 20.38.43 308064]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\programmi\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [22/04/2010 20.14.28 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\programmi\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [22/04/2010 20.14.27 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\programmi\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [22/04/2010 20.14.26 26120]
S3 AVGIDSAgent;AVG9IDSAgent;c:\programmi\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [22/04/2010 20.38.30 5888008]
.
Contenuto della cartella 'Scheduled Tasks'

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-789336058-1202660629-1003Core.job
- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-04-22 08:03]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-789336058-1202660629-1003UA.job
- c:\documents and settings\Tommy\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-04-22 08:03]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT2530241
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-WGA Agent - c:\windows\system32\mga.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 13:11
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2010-05-02 13:13:23
ComboFix-quarantined-files.txt 2010-05-02 11:13

Pre-Run: 72.687.509.504 byte disponibili
Post-Run: 73.504.567.296 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 87989AB626458C3BC4F565449B79B2E9
LOG]da un po di tempo mi si è rallentato il pc credo di avere un virus nella cartella di winows potete controllare il mio log grazzie in anticipo

[Uomo_Senza_Sonno]

con la visualizzazione dei file nascosti attiva elimina questo file >>> c:\windows\system32\CF22019.exe

Il file l'ho caricato su virustotal, non è stata rilevata nessuna infezione o traccia di qualche virus (0/41)

fai pulizia con ccleaner e se tutto va bene naviga un po' e vedi come va

Per il momento sembra che tutto proceda per il meglio, non ci sono nè rallentamenti ne intoppi di qualsiasi sorta.. Grazie come sempre per il supporto

[stevens]

Il file l'ho caricato su virustotal, non è stata rilevata nessuna infezione o traccia di qualche virus (0/41)

fai una ricerca su google e guatda a cosa si riferisce quel file

c:\windows\system32\CF22019.exe