
help with log!


Re: help with log!

Post by Pct » Sat May 29, 2010 4:49 pm

Ooook! I hope it can be of some help to you.

Ah, I got one thing wrong:
Pct wrote:
Also send it to ThreatExpert here: http://www.threatexpert.com/submit.aspx using my e-mail address (this one: gigieilly5@hotmail.it)



The e-mail address isn't correct, I made a typo; the correct one is: gigielilly5@hotmail.it .. if you don't mind resending it with this address.. [:)]

But the files that Malwarebytes Anti-Malware detects as infected, can't it delete them?
It is easier to break an atom than a prejudice - Albert Einstein
Pct, Official Member (Gold), Posts: 1933, Joined: Sun Sep 09, 2007 4:38 pm

Re: help with log!

Post by Klod » Tue Jun 01, 2010 1:30 pm

I did what you told me, but Hitman didn't find anything, and usrreq.exe is gone after uninstalling Avira.. I plan to do Kaspersky today... in the meantime I installed UnHackMe, which found various little things that it removed.. it also gave me a screen that said:
All users run (registry):
windows defender
syntpenh
rthdcvpl
nvsvc
nvcpldaemon
nvmedia center
hp software update
hpqsrmon
sunjavaupdateshed
AVG9_tray
virit lite monitor
Current user run (registry)
WMPNSCFG

but I don't know whether these processes are useful or not... also, I noticed that in the Users folder there are several users: default, default user, all users, klod, ospiti, guest and pubblica... is that normal???
thanks again
Klod, Aficionado, Posts: 33, Joined: Fri May 21, 2010 9:45 am

Re: help with log!

Post by Klod » Tue Jun 01, 2010 1:34 pm

ps. I forgot to reply about the fact that it doesn't delete stk.ds... not even manually... thanks


Re: help with log!

Post by Klod » Tue Jun 01, 2010 3:56 pm

an update... I was trying to run a few scans with some anti-rootkit tools but, as usual, it won't let them start... the only one that started and then stopped is Rootkit Revealer, and it detected this
HKU:S-1-5-21-415370...1000/CONSOLE description security mismatch
after that I don't know anything more...
I'm looking for it in the system registry but I can't find it.. but do I have to delete it?
thanks

Re: help with log!

Post by Klod » Tue Jun 01, 2010 5:12 pm

Rootkit Revealer didn't finish its job because it kept getting blocked, but I managed to note down some of what it detected:
HKLM:software/microsoft/windows/currentversion/wsman
HKLM:software/microsoft/windows/currentversion/wsman/certmapping
HKLM:software/microsoft/windows/currentversion/wsman/client
HKLM:software/microsoft/windows/currentversion/wsman/listener
HKLM:software/microsoft/windows/currentversion/wsman/service
HKLM:software/microsoft/windows/currentversion/wsman/winrs
HKLM:software/microsoft/windows/currentversion/wsman/winrs/customremoteshell
HKLM:software/microsoft/windowsNT/currentversion/perflib/009/
HKLM:software/microsoft/windowsNT/currentversion/perflib/0010/
HKLM:software/microsoft/windowsNT/currentversion/schedule/taskcache/tasks/cbcdi355-c...1e/dynamicinfo
HKLM:software/swearware/backup/winsock2
HKLM:software/swearware/backup/winsock2/parameters
HKLM:software/swearware/backup/winsock2/parameters/namespace_catalog5
HKLM:software/swearware/backup/winsock2/parameters/namespace_catalog5/catalog_entries
HKLM:software/swearware/backup/winsock2/parameters/protocolcatalog9
HKLM:software/swearware/backup/winsock2/parameters/protocolcatalog9/catalog_entries


and many others I couldn't note down.. I tried saving the log, but when I opened it, it was empty
Should I delete?


Re: help with log!

Post by Pct » Tue Jun 01, 2010 8:55 pm

Klod wrote: Should I delete?


no. From what I found on the internet it seems to be a false positive of Sysinternals Rootkit Revealer. http://social.answers.microsoft.com/For ... e4469fe02f

http://84.45.57.224/is-this-okay-or-wha ... 18042.html

But I'm not sure about it.

It looks tough, but anyway let's see whether Kaspersky finds something. If there's a way to save a log, save it and post it in the forum. The fact that not even ComboFix detects anything makes me think the virus is interfering somehow.

For now let's try Kaspersky; if need be we'll try something else afterwards.

Re: help with log!

Post by Klod » Thu Jun 03, 2010 10:14 am

I managed to run a scan with ComboFix

ComboFix 10-06-02.03 - Klod 03/06/2010 10.17.14.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.39.1040.18.1919.883 [GMT 2:00]
Eseguito da: c:\users\Klod\Desktop\ComboFix.exe
SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((( Files Creati Da 2010-05-03 al 2010-06-03 )))))))))))))))))))))))))))))))))))
.

2010-06-03 08:46 . 2010-06-03 08:47 -------- d-----w- c:\users\Klod\AppData\Local\temp
2010-06-03 08:46 . 2010-06-03 08:46 -------- d-----w- c:\users\Ospiti\AppData\Local\temp
2010-06-03 08:46 . 2010-06-03 08:46 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-03 08:46 . 2010-06-03 08:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-01 14:26 . 2010-06-01 15:15 45312 ----a-w- c:\windows\system32\drivers\VIRAGTLT.SYS
2010-06-01 09:29 . 2010-06-01 09:29 2 --shatr- c:\windows\winstart.bat
2010-06-01 09:28 . 2010-06-01 12:54 -------- d-----w- c:\program files\UnHackMe
2010-06-01 08:45 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\93499232.sys
2010-06-01 08:45 . 2009-10-09 21:31 311312 ----a-w- c:\windows\system32\drivers\9349923.sys
2010-06-01 08:45 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\93499231.sys
2010-05-31 16:19 . 2010-05-31 16:19 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-31 16:19 . 2010-05-31 16:19 -------- d-----w- c:\programdata\Hitman Pro
2010-05-31 16:19 . 2010-05-31 16:19 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-28 15:24 . 2010-05-28 15:24 -------- d-----w- C:\$AVG
2010-05-28 15:12 . 2010-05-28 15:14 -------- dc-h--w- c:\programdata\{B88B6AD1-D159-4657-94C5-4E8E86C1B94E}
2010-05-28 14:16 . 2010-05-28 14:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-28 14:16 . 2010-06-03 08:01 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-28 14:15 . 2010-05-28 14:15 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-28 14:15 . 2010-06-03 08:01 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 14:15 . 2010-06-03 07:58 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-28 14:15 . 2010-05-28 14:15 -------- d-----w- c:\programdata\avg9
2010-05-28 10:15 . 2010-05-28 10:15 -------- d-----w- c:\programdata\Alwil Software
2010-05-28 10:15 . 2010-05-28 10:15 -------- d-----w- c:\program files\Alwil Software
2010-05-28 10:01 . 2010-05-28 10:04 -------- d-----w- c:\program files\PrevxEnterprise
2010-05-28 10:01 . 2010-05-28 10:04 -------- d-----w- C:\PrevxEnterprise
2010-05-27 15:54 . 2010-05-27 15:54 -------- d-----w- c:\program files\Prevx
2010-05-26 12:34 . 2010-05-26 12:34 -------- d-----w- c:\program files\Microsoft
2010-05-26 11:58 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 16:03 . 2010-05-25 16:03 -------- d-----w- C:\sh4ldr
2010-05-25 16:03 . 2010-05-25 16:03 -------- d-----w- c:\program files\Enigma Software Group
2010-05-25 16:02 . 2010-05-26 11:54 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-05-25 16:02 . 2010-05-25 16:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-25 15:08 . 2010-05-27 14:57 -------- d-----w- C:\thinBasic
2010-05-24 10:41 . 2010-05-24 10:42 -------- d-----w- c:\program files\CCleaner
2010-05-21 08:39 . 2010-05-21 08:40 284915 ----a-w- c:\users\Klod\gmer.zip
2010-05-20 13:55 . 2010-06-02 08:58 -------- d-----w- C:\VEXPLite
2010-05-17 12:23 . 2010-05-17 12:23 -------- d-----w- c:\users\Klod\AppData\Roaming\dvdcss
2010-05-15 17:05 . 2010-06-01 15:19 -------- d-----w- c:\programdata\PrevxCSI
2010-05-15 13:56 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\10526002.sys
2010-05-15 13:56 . 2009-10-09 21:31 311312 ----a-w- c:\windows\system32\drivers\1052600.sys
2010-05-15 13:56 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\10526001.sys
2010-05-13 14:55 . 2010-05-13 14:53 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-13 14:55 . 2010-05-28 15:29 -------- d-----w- c:\programdata\Avira
2010-05-12 14:52 . 2010-05-19 13:59 -------- d-----w- c:\program files\VS Revo Group
2010-05-12 14:33 . 2010-05-12 14:33 -------- d-----w- c:\users\Klod\AppData\Local\VS Revo Group
2010-05-12 11:16 . 2010-05-12 14:48 -------- d-----w- c:\program files\Yahoo!
2010-05-12 04:34 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 15:42 . 2010-05-27 15:54 61440 ----a-w- c:\windows\system32\PxSecure.dll
2010-05-07 12:40 . 2010-05-07 12:40 -------- d-----w- c:\users\Klod\AppData\Local\JollyBear
2010-05-07 12:40 . 2010-05-07 12:40 -------- d-----w- c:\programdata\JollyBear
2010-05-07 12:39 . 2010-05-07 12:40 -------- d-----w- c:\users\Klod\AppData\Roaming\Zylom
2010-05-07 12:39 . 2010-05-07 13:47 -------- d-----w- c:\users\Klod\AppData\Local\Zylom Games
2010-05-06 16:24 . 2010-05-06 16:24 -------- d-----w- c:\users\Klod\AppData\Local\Shareaza

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 08:01 . 2010-06-03 08:01 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-03 08:01 . 2010-06-03 08:01 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-06-03 07:56 . 2010-04-27 07:40 -------- d-----w- c:\programdata\Kaspersky Lab
2010-06-01 16:12 . 2007-09-11 14:23 12978 ----a-w- c:\users\Klod\AppData\Roaming\nvModes.dat
2010-06-01 10:16 . 2010-04-22 16:15 -------- d-----w- c:\programdata\SecTaskMan
2010-06-01 08:55 . 2010-06-01 08:55 1251 ----a-w- c:\programdata\SecTaskMan\icn_CFD2C1F142D260E3CB8B271543DA9F98.dll
2010-06-01 08:55 . 2010-06-01 08:55 907 ----a-w- c:\programdata\SecTaskMan\icn_3e43b73803c7c394f8a6b2f0402e19c2.dll
2010-05-30 14:38 . 2010-05-20 16:50 84516 ----a-w- c:\windows\WINDOWSUPDATE.LOG.TMP
2010-05-30 14:38 . 2010-05-20 16:50 32524 ----a-w- c:\windows\Tasks\SCHEDLGU.TXT.TMP.TMP
2010-05-30 14:38 . 2010-04-25 07:36 32524 ----a-w- c:\windows\Tasks\SCHEDLGU.TXT.TMP
2010-05-28 14:15 . 2008-07-24 08:59 -------- d-----w- c:\program files\AVG
2010-05-27 15:54 . 2010-04-29 13:35 57248 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-05-27 15:54 . 2010-04-29 13:35 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-05-27 15:54 . 2010-04-29 13:35 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-05-27 13:01 . 2008-01-27 21:58 13072 ----a-w- c:\users\Ospiti\AppData\Roaming\nvModes.dat
2010-05-26 16:45 . 2010-05-26 16:45 73 ----a-w- c:\programdata\SecTaskMan\icn_7CEBB04F4A2C00A4B942A750A5C22526.dll
2010-05-26 16:45 . 2010-05-26 16:45 281 ----a-w- c:\programdata\SecTaskMan\icn_6D4B04801DD7781458326ECF0070FE7B.dll
2010-05-26 12:02 . 2010-05-26 12:02 607013 ----a-w- c:\windows\system32\drivers\HOSTS
2010-05-24 15:45 . 2010-05-28 15:14 2954048 -c--a-w- c:\programdata\{B88B6AD1-D159-4657-94C5-4E8E86C1B94E}\vnlt6659.exe
2010-05-24 09:33 . 2007-09-11 15:46 -------- d-----w- c:\users\Klod\AppData\Roaming\vlc
2010-05-21 08:36 . 2010-05-21 08:36 277 ----a-w- c:\programdata\SecTaskMan\icn_3D8CB5F014732454FA001502A2F93D75.dll
2010-05-20 16:50 . 2010-04-25 07:36 3168 ----a-w- c:\windows\system32\7B296FB0-376B-497E-B012-9C450E1B7327-2P-1.C7483456-A289-439D-8115-601632D005A0.TMP
2010-05-20 16:50 . 2010-04-25 07:36 3168 ----a-w- c:\windows\system32\7B296FB0-376B-497E-B012-9C450E1B7327-2P-0.C7483456-A289-439D-8115-601632D005A0.TMP
2010-05-13 14:36 . 2010-04-08 12:43 -------- d-----w- c:\program files\F-Secure
2010-05-13 14:35 . 2010-04-08 12:44 -------- d-----w- c:\programdata\F-Secure
2010-05-12 14:28 . 2007-03-12 16:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-12 14:27 . 2008-12-26 10:33 -------- d-----w- c:\program files\QuickTime
2010-05-12 14:25 . 2009-09-29 13:20 -------- d-----w- c:\program files\Common Files\Nero
2010-05-12 14:24 . 2009-09-29 13:20 -------- d-----w- c:\programdata\Nero
2010-05-12 14:11 . 2007-03-12 16:30 -------- d-----w- c:\program files\HDReg
2010-05-12 12:33 . 2007-03-12 16:31 -------- d-----w- c:\program files\Google
2010-05-12 12:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 09:21 . 2009-10-03 13:03 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 09:08 . 2007-12-15 15:13 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-05-11 09:05 . 2009-04-18 10:03 -------- d-----w- c:\program files\Startup Inspector for Windows
2010-05-11 09:04 . 2007-03-12 16:30 -------- d-----w- c:\program files\Packard Bell
2010-05-11 08:20 . 2007-03-13 01:04 669974 ----a-w- c:\windows\system32\perfh010.dat
2010-05-11 08:20 . 2007-03-13 01:04 123570 ----a-w- c:\windows\system32\perfc010.dat
2010-05-07 10:26 . 2010-05-28 15:13 360448 -c--a-w- c:\programdata\{B88B6AD1-D159-4657-94C5-4E8E86C1B94E}\OFFLINE\BB22A901\76AC2E42\Scan.dll
2010-05-07 09:12 . 2010-05-28 15:13 278528 -c--a-w- c:\programdata\{B88B6AD1-D159-4657-94C5-4E8E86C1B94E}\OFFLINE\D89A54DE\76AC2E42\MONLITE.exe
2010-05-07 06:32 . 2010-05-28 15:13 438272 -c--a-w- c:\programdata\{B88B6AD1-D159-4657-94C5-4E8E86C1B94E}\OFFLINE\mMSI.dll\mMSIExec.dll
2010-05-07 06:32 . 2010-05-28 15:13 407040 -c--a-w- c:\programdata\{B88B6AD1-D159-4657-94C5-4E8E86C1B94E}\OFFLINE\mWinRun.dll\mWinRunExec.dll
2010-05-04 18:30 . 2008-01-24 13:52 79008 ----a-w- c:\users\Ospiti\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-30 01:30 . 2010-04-30 01:30 -------- d-----w- c:\program files\Windows Portable Devices
2010-04-30 01:29 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-30 01:29 . 2010-04-30 01:29 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-04-30 01:28 . 2010-04-30 01:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-29 19:28 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-29 19:28 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-29 19:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-04-29 19:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-04-29 19:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-29 19:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-23 13:32 . 2010-04-23 13:32 -------- d-----w- c:\users\Klod\AppData\Roaming\Malwarebytes
2010-04-23 13:32 . 2010-04-23 13:32 -------- d-----w- c:\programdata\Malwarebytes
2010-04-22 18:07 . 2010-04-22 18:07 -------- d-----w- c:\program files\Trend Micro
2010-04-22 15:19 . 2007-09-11 12:57 79008 ----a-w- c:\users\Klod\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-21 14:32 . 2008-01-04 16:21 -------- d-----w- c:\program files\IncrediMail
2010-04-19 10:16 . 2010-04-19 10:16 12 ----a-w- c:\users\Klod\AppData\Roaming\kcmdte.dat
2010-04-13 08:55 . 2010-04-13 08:55 -------- d-----w- c:\users\Klod\AppData\Roaming\HPAppData
2010-04-08 20:46 . 2010-04-08 12:47 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-04-08 12:44 . 2010-04-08 12:44 -------- d-----w- c:\programdata\fssg
2010-04-08 12:39 . 2007-11-06 18:22 -------- d-----w- c:\programdata\Lavasoft
2010-04-08 12:38 . 2009-04-06 13:35 -------- d-----w- c:\program files\Lavasoft
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-----w- c:\users\Ospiti\AppData\Roaming\HPAppData
2010-03-24 13:35 . 2009-05-28 13:51 2485883 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-03-23 10:27 . 2010-05-28 15:12 819200 -c--a-w- c:\programdata\{B88B6AD1-D159-4657-94C5-4E8E86C1B94E}\OFFLINE\5BF53870\76AC2E42\viritexp.exe
2010-03-23 09:48 . 2010-03-23 09:45 23163 ----a-w- c:\windows\hpqins15.dat
2010-03-12 07:53 . 2010-05-28 15:12 122880 -c--a-w- c:\programdata\{B88B6AD1-D159-4657-94C5-4E8E86C1B94E}\OFFLINE\361580F9\76AC2E42\viritupg.dll
2010-03-05 14:01 . 2010-04-14 10:28 420352 ----a-w- c:\windows\system32\vbscript.dll
2007-03-13 01:07 . 2007-03-13 01:07 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-22 815104]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-20 4018176]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-19 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-19 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-19 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"VIRIT LITE MONITOR"="c:\vexplite\MONLITE.EXE" [2010-06-01 278528]

c:\users\Klod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
setup_9.0.0.722_01.06.2010_11-31.lnk - c:\users\Klod\Desktop\Virus Removal Tool\setup_9.0.0.722_01.06.2010_11-31\startup.exe [2010-6-1 72208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"UacDisableNotify"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):28,bc,db,d6,d3,e7,ca,01

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 BWSOT;BWSOT;c:\users\Klod\AppData\Local\Temp\BWSOT.exe [x]
R3 JEZVMSB;JEZVMSB;c:\users\Klod\AppData\Local\Temp\JEZVMSB.exe [x]
R3 NDISKIO;NDISKIO;c:\users\Klod\AppData\Local\Temp\00001681.nmc\nse\bin\ndiskio.sys [x]
R3 NHEONHGN;NHEONHGN;c:\users\Klod\AppData\Local\Temp\NHEONHGN.exe [x]
R3 NZBQMZCKDLWFQ;NZBQMZCKDLWFQ;c:\users\Klod\AppData\Local\Temp\NZBQMZCKDLWFQ.exe [x]
R3 OZJQLQ;OZJQLQ;c:\users\Klod\AppData\Local\Temp\OZJQLQ.exe [x]
R3 PAPCFJNJM;PAPCFJNJM;c:\users\Klod\AppData\Local\Temp\PAPCFJNJM.exe [x]
R3 POGASZGLKDFWL;POGASZGLKDFWL;c:\users\Klod\AppData\Local\Temp\POGASZGLKDFWL.exe [x]
S0 10526002;10526002 Boot Guard Driver;c:\windows\system32\DRIVERS\10526002.sys [2009-10-22 37392]
S0 14653202;14653202 Boot Guard Driver;c:\windows\system32\DRIVERS\14653202.sys [2009-10-22 37392]
S0 73996562;73996562 Boot Guard Driver;c:\windows\system32\DRIVERS\73996562.sys [2009-10-22 37392]
S0 93499232;93499232 Boot Guard Driver;c:\windows\system32\DRIVERS\93499232.sys [2009-10-22 37392]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-05-27 30320]
S0 VIRAGTLT;VIRAGTLT;c:\windows\system32\drivers\VIRAGTLT.SYS [2010-06-01 45312]
S1 10526001;10526001;c:\windows\system32\DRIVERS\10526001.sys [2009-09-25 128016]
S1 14653201;14653201;c:\windows\system32\DRIVERS\14653201.sys [2009-09-25 128016]
S1 73996561;73996561;c:\windows\system32\DRIVERS\73996561.sys [2009-09-25 128016]
S1 93499231;93499231;c:\windows\system32\DRIVERS\93499231.sys [2009-09-25 128016]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-05-28 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-06-03 242896]
S1 setup_9.0.0.722_01.06.2010_11-31drv;setup_9.0.0.722_01.06.2010_11-31drv;c:\windows\system32\DRIVERS\9349923.sys [2009-10-09 311312]
S1 setup_9.0.0.722_27.04.2010_17-19drv;setup_9.0.0.722_27.04.2010_17-19drv;c:\windows\system32\DRIVERS\1465320.sys [2009-10-09 311312]
S1 setup_9.0.0.722_29.04.2010_23-20drv;setup_9.0.0.722_29.04.2010_23-20drv;c:\windows\system32\DRIVERS\7399656.sys [2009-10-09 311312]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-05-28 308064]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-05-27 6369648]
S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-05-27 57248]
S2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\System32\StkSrv.exe [2006-09-07 24576]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-05-27 24400]
S3 StkCMini;Syntek AVStream USB2.0 VGA WebCam;c:\windows\system32\DRIVERS\StkCMini.sys [2006-11-10 669568]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contenuto della cartella 'Scheduled Tasks'

2010-06-02 c:\windows\Tasks\User_Feed_Synchronization-{AD3A756D-CAE6-441A-9B5A-77925B071565}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {3985110E-F263-40FD-820F-B86CB0E23E8E} = 208.67.222.222,208.67.220.220
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 10:47
Windows 6.0.6002 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Ora fine scansione: 2010-06-03 10:57:47
ComboFix-quarantined-files.txt 2010-06-03 08:57
ComboFix2.txt 2010-05-22 13:14
ComboFix3.txt 2010-05-21 13:38

Pre-Run: 43.892.113.408 byte disponibili
Post-Run: 43.892.011.008 byte disponibili

- - End Of File - - 5AABC2EB726C0E0BF3B5722FBAF89867


also, I noticed that there are processes like MONLITE.EXE, PEV.cfxxe and CF24691.cfxxe that use a lot of CPU, is that normal?
then another thing I didn't tell you about the PC's "oddities" (I don't know if it matters) is that every time I turn it on a Windows Installer screen appears telling me "please wait while windows configures Status" or "hp photosmart essential". In both cases I press cancel, but they appear at least 5 or 6 times, as if they didn't respond to the cancel command. In any case the installation doesn't complete, partly because in the case of Status it tells me I have to insert a CD to finish the installation. Oh well! I'll do the Kaspersky scan and let you know
Thanks a lot for your help
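A triage helper for the service block of a ComboFix log like the one posted above, added here as an example (it is not code from the thread, from ComboFix or from any of the tools mentioned). It parses the `R3 NAME;display;path [x]` lines and lists the entries a helper would look at first: registry entries whose image file is gone, images under a user's Temp folder, and random-looking names. The sample lines are constructed in the shape of the log above and the heuristics are assumptions that point at what to review, not verdicts.

```python
"""Triage helper for the service block of a ComboFix log.

Constructed example, not part of the forum thread or of ComboFix itself.
It parses lines of the form

    R3 NAME;Display name;c:\\path\\to\\image.exe [x]
    S2 NAME;Display name;c:\\path\\to\\image.exe [2010-05-28 308064]

where the first letter is ComboFix's R (running) / S (stopped) flag as log
guides read it, the digit is the Windows start type (0 boot, 1 system,
2 auto, 3 demand, 4 disabled) and the bracket holds either the image date
and size or "[x]" when ComboFix found no file on disk for the registry entry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<info>[^\]]*)\]$"
)

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    on_disk: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        running=m["state"] == "R",
        start_type=START_TYPES[m["start"]],
        name=m["name"],
        display=m["display"],
        path=m["path"],
        on_disk=m["info"] != "x",
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach review reasons (assumed heuristics). These are hints, not verdicts:
    an orphaned entry under a user's Temp folder can be a leftover of a scanner
    that ran from there (the thread's user ran GMER and Kaspersky's removal tool)
    or something worse; either way a registry entry with no file is worth review."""
    low = entry.path.lower()
    if not entry.on_disk:
        entry.reasons.append("orphaned: registry entry with no image file on disk")
    if "\\temp\\" in low:
        entry.reasons.append("image path under a Temp directory")
    if entry.display == entry.name and re.fullmatch(r"[A-Z0-9]{5,}", entry.name):
        entry.reasons.append("non-descriptive random-looking service name")
    if entry.start_type in ("boot", "system") and not entry.on_disk:
        entry.reasons.append("boot/system-start driver whose file is missing")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Parse every service line in the text and return only the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and assess(entry).flagged:
            findings.append(entry)
    return findings


# Constructed sample in the shape of the thread's ComboFix service block.
SAMPLE = r"""
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 BWSOT;BWSOT;c:\users\Klod\AppData\Local\Temp\BWSOT.exe [x]
R3 NDISKIO;NDISKIO;c:\users\Klod\AppData\Local\Temp\00001681.nmc\nse\bin\ndiskio.sys [x]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-05-27 30320]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-05-28 308064]
S2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\System32\StkSrv.exe [2006-09-07 24576]
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        state = "running" if e.running else "stopped"
        print(f"{e.name:10} {state}/{e.start_type:8} {e.path}")
        for r in e.reasons:
            print("    -", r)
```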

Re: help with log!

Post by crazy.cat » Thu Jun 03, 2010 10:44 am

Start by cleaning out useless security programs. Which antivirus and which antispyware are you using?
Klod wrote:
SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
2010-05-31 16:19 . 2010-05-31 16:19 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-28 14:15 . 2010-05-28 14:15 -------- d-----w- c:\programdata\avg9
2010-05-28 10:01 . 2010-05-28 10:04 -------- d-----w- c:\program files\PrevxEnterprise
2010-05-13 14:36 . 2010-04-08 12:43 -------- d-----w- c:\program files\F-Secure
2010-04-23 13:32 . 2010-04-23 13:32 -------- d-----w- c:\programdata\Malwarebytes


MONLITE.EXE is the VirIT antivirus, which you can remove; PEV.cfxxe should be Prevx, which you can also remove; and CF24691.cfxxe should be ComboFix (or does it always stay active in memory?)

Regarding the oddities, exactly which printer model do you have, and which operating system?
Maybe it's enough to go to the HP site and download the right drivers.
When the many govern, they think only of pleasing themselves, and then you get the most foolish and hateful tyranny: tyranny masquerading as liberty.
crazy.cat, MLI Hero, Posts: 30959, Joined: Mon Jan 12, 2004 1:38 pm, Location: Mestre

Re: help with log!

Post by Klod » Thu Jun 03, 2010 12:52 pm

VirIT, AVG, F-Secure and Malwarebytes I've already removed; Avira, I don't know why, I removed it but traces of it remain even though I used Revo, the Control Panel and the tool needed for its removal; for now I'm only using Prevx, even though Windows Firewall tells me Avira is using it as spyware. The printer model is HP Deskjet F2280 All-in-One and the operating system is Windows Vista Home Premium.. regarding ComboFix I didn't understand what you mean by "or does it always stay active in memory?"...
Thanks

Re: help with log!

Post by crazy.cat » Thu Jun 03, 2010 1:07 pm

Klod wrote: malware bytes

I'd keep Malwarebytes and throw out adware and Windows Defender, which are much worse.
Which antivirus are you left with?

regarding ComboFix I didn't understand what you mean by "or does it always stay active in memory?"...

Do you always see the last file active, or did it only appear while you were using ComboFix?

For the printer, download and install this
http://h10025.www1.hp.com/ewfrf/wc/soft ... 7&sw_lang=

Re: help with log!

Post by Klod » Thu Jun 03, 2010 3:44 pm

I downloaded it, but it keeps giving me the same screen as always, and in addition, referring to "status", it tells me... an installation package for the product Status cannot be found. Try the installation again using a valid copy of the installation package "status.msi". [boh] I don't get it... why is it so hard to get the PC sorted out!!! [cry]
Ps. I installed Malwarebytes, thanks for the advice..

Re: help with log!

Post by crazy.cat » Thu Jun 03, 2010 3:53 pm

Try posting the HijackThis log.

Re: help with log!

Post by Klod » Fri Jun 04, 2010 9:49 am

here it is:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10.51.05, on 04/06/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Prevx\prevx.exe
C:\Users\Klod\Desktop\Virus Removal Tool\setup_9.0.0.722_01.06.2010_11-31\setup_9.0.0.722_01.06.2010_11-31.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Users\Klod\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\Windows\system32\PxSecure.dll
O2 - BHO: Guida per l'accesso a Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: setup_9.0.0.722_01.06.2010_11-31.lnk = Klod\Desktop\Virus Removal Tool\setup_9.0.0.722_01.06.2010_11-31\startup.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Visualizza o nasconde HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3985110E-F263-40FD-820F-B86CB0E23E8E}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{3985110E-F263-40FD-820F-B86CB0E23E8E}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{3985110E-F263-40FD-820F-B86CB0E23E8E}: NameServer = 208.67.222.222,208.67.220.220
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: BWSOT - Unknown owner - C:\Users\Klod\AppData\Local\Temp\BWSOT.exe (file missing)
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: JEZVMSB - Unknown owner - C:\Users\Klod\AppData\Local\Temp\JEZVMSB.exe (file missing)
O23 - Service: NHEONHGN - Unknown owner - C:\Users\Klod\AppData\Local\Temp\NHEONHGN.exe (file missing)
O23 - Service: NZBQMZCKDLWFQ - Unknown owner - C:\Users\Klod\AppData\Local\Temp\NZBQMZCKDLWFQ.exe (file missing)
O23 - Service: OZJQLQ - Unknown owner - C:\Users\Klod\AppData\Local\Temp\OZJQLQ.exe (file missing)
O23 - Service: PAPCFJNJM - Unknown owner - C:\Users\Klod\AppData\Local\Temp\PAPCFJNJM.exe (file missing)
O23 - Service: POGASZGLKDFWL - Unknown owner - C:\Users\Klod\AppData\Local\Temp\POGASZGLKDFWL.exe (file missing)
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkSrv.exe

--
End of file - 5974 bytes
Klod (Aficionado), Posts: 33, Joined: Fri May 21, 2010 9:45 am

Re: help with log!

Posted by Klod » Fri Jun 04, 2010 12:47 pm

http://www.getsysteminfo.com/read.php?file=7ddd49e3561af8cdec825d96a121f821

Results of system analysis
Kaspersky Virus Removal Tool 2010 9.0.0.722 (database released 01/06/2010; 06:26)

List of processes
File name: c:\program files\atk hotkey\hcontrol.exe
PID: 1628  Description: HControl  Copyright: Copyright (c) 2003 ??  Size: 220.00 kb, attributes rsAh
created: 12/03/2007 18.24.21, modified: 05/01/2007 22.17.28
Command line: "C:\Program Files\ATK Hotkey\Hcontrol.exe"
Detected: 60, recognized as trusted: 59

Modules
C:\Program Files\ATK Hotkey\Hcontrol.exe  Handle: 4194304  Description: HControl  Copyright (c) 2003 ??  Used by process: 1628
Modules detected: 595, recognized as trusted: 594

Kernel Space Modules Viewer
Module  Base address  Size in memory
C:\Windows\System32\Drivers\dump_diskdump.sys  8EDDA000  00A000 (40960)
C:\Windows\System32\Drivers\dump_nvstor32.sys  8E1C7000  01D000 (118784)
Modules detected: 154, recognized as trusted: 152

Services
Service  Status  File  Group/Dependencies
BWSOT  Not started  C:\Users\Klod\AppData\Local\Temp\BWSOT.exe
JEZVMSB  Not started  C:\Users\Klod\AppData\Local\Temp\JEZVMSB.exe
Nero BackItUp Scheduler 4.0  Not started  C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe  RPCSS
NHEONHGN  Not started  C:\Users\Klod\AppData\Local\Temp\NHEONHGN.exe
NZBQMZCKDLWFQ  Not started  C:\Users\Klod\AppData\Local\Temp\NZBQMZCKDLWFQ.exe
OZJQLQ  Not started  C:\Users\Klod\AppData\Local\Temp\OZJQLQ.exe
PAPCFJNJM  Not started  C:\Users\Klod\AppData\Local\Temp\PAPCFJNJM.exe
POGASZGLKDFWL  Not started  C:\Users\Klod\AppData\Local\Temp\POGASZGLKDFWL.exe
Detected: 142, recognized as trusted: 134

Drivers
Driver (description)  Status  File  Group/Dependencies
blbdrive  Not started  C:\Windows\system32\drivers\blbdrive.sys
catchme  Not started  C:\Users\Klod\AppData\Local\Temp\catchme.sys  Base
IpInIp (IP in IP Tunnel Driver)  Not started  C:\Windows\system32\DRIVERS\ipinip.sys  Tcpip
Lbd  Not started  C:\Windows\system32\DRIVERS\Lbd.sys  FSFilter Activity Monitor, FltMgr
NDISKIO  Not started  C:\Users\Klod\AppData\Local\Temp\00001681.nmc\nse\bin\ndiskio.sys
NwlnkFlt (IPX Traffic Filter Driver)  Not started  C:\Windows\system32\DRIVERS\nwlnkflt.sys  NwlnkFwd
NwlnkFwd (IPX Traffic Forwarder Driver)  Not started  C:\Windows\system32\DRIVERS\nwlnkfwd.sys
Detected: 240, recognized as trusted: 233

Autoruns
File name  Status  Startup method
C:\Program Files\Avira\AntiVir Desktop\avfwres.dll  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avira Firewall, EventMessageFile
C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\F-Secure Gatekeeper, EventMessageFile
C:\Program Files\F-Secure\Common\AMEHEVN.DLL  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\FSecure-FSecure-F-Secure Anti-Virus, EventMessageFile
C:\Program Files\F-Secure\Common\AMEHEVN.DLL  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\FSecure-FSecure-F-Secure Management Agent, EventMessageFile
C:\Program Files\F-Secure\Common\AMEHEVN.DLL  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\FSecure-FSecure-F-Secure System Control, EventMessageFile
C:\WindowsSystem32\IoLogMsg.dll  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
C:\Windows\SoftwareDistribution\Download\Install\WGAER_M.exe  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WGA Scanner, EventMessageFile
C:\Windows\System32\MAGENT~1.SCR  Active  Registry key HKEY_USERS, S-1-5-21-4153703025-3799483044-3938653554-1000\Control Panel\Desktop, scrnsave.exe
C:\Windows\System32\MAGENT~1.SCR  Active  File system.ini C:\Windows\system.ini, boot, SCRNSAVE.EXE
C:\Windows\System32\appmgmts.dll  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll
C:\Windows\System32\igmpv2.dll  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\Windows\System32\ipbootp.dll  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\Windows\System32\iprip2.dll  Active  Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\Windows\system32\psxss.exe  --  Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
DivX.dll  Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.DIVX
MSh263.drv  Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.I420
progman.exe  Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
rdpclip  Active  Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
vgafix.fon  Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon  Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon  Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items detected: 443, recognized as trusted: 422

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
Elements detected - 10, recognized as trusted - 10

Windows Explorer extension modules
Description  CLSID
IE User Assist  {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}
Color Control Panel Applet  {b2c761c6-29bc-4f19-9251-e6195265baf1}
Add New Hardware  {7A979262-40CE-46ff-AEEE-7884AC3B6136}
Get Programs Online  {3e7efb4c-faf1-453d-89eb-56026875ef90}
Taskbar and Start Menu  {0DF44EAA-FF21-4412-828E-260A8728E7F1}
ActiveDirectory Folder  {1b24a030-9b20-49bc-97ac-1be4426f9e59}
ActiveDirectory Folder  {34449847-FD14-4fc8-A75A-7432F5181EFB}
Sam Account Folder  {C8494E42-ACDD-4739-B0FB-217361E4894F}
Sam Account Folder  {E29F9716-5C08-4FCD-955A-119FDB5A522D}
Control Panel command object for Start menu  {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
Default Programs command object for Start menu  {E44E5D18-0652-4508-A4E2-8A090067BCB0}
Folder Options  {6dfd7c5c-2451-11d3-a299-00c04f8ef6af}
Explorer Query Band  {2C2577C2-63A7-40e3-9B7F-586602617ECB}
View Available Networks  {38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}
Contacts folder  {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}
Windows Firewall  {4026492f-2f69-46b8-b9bf-5654fc07e423}
Problem Reports and Solutions  {fcfeecae-ee1b-4849-ae50-685dcf7717ec}
iSCSI Initiator  {a304259d-52b8-4526-8b1a-a1d6cecc8243}
.cab or .zip files  {911051fa-c21c-4246-b470-070cd8df6dc4}
Windows Search Shell Service  {da67b8ad-e81b-4c70-9b91b417b5e33527}
Microsoft.ScannersAndCameras  {00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}
"C:\Windows\System32\rundll32.exe" "C:\Program Files\\Windows Photo Gallery\PhotoViewer.dll",ImageView_COMServer  Windows Photo Gallery Viewer Autoplay Handler  {9D687A4C-1404-41ef-A089-883B6FBECDE6}
Windows Sidebar Properties  {37efd44d-ef8d-41b1-940d-96973a50e9e0}
Windows Features  {67718415-c450-4f3c-bf8a-b487642dc39b}
Windows Defender  {d8559eb9-20c0-410e-beda-7ed416aecc2a}
Mobility Center Control Panel  {5ea4f148-308c-46d7-98a9-49041b1dd468}
"C:\Program Files\\Windows Media Player\wmprph.exe"  Windows Media Player Rich Preview Handler  {031EE060-67BC-460d-8847-E4A7C5E45A27}
User Accounts  {7A9D77BD-5403-11d2-8785-2E0420524153}
Shell Extension for Malware scanning  {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
Elements detected: 286, recognized as trusted: 257

Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 8, recognized as trusted - 8

Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 1, recognized as trusted - 1

SPI/LSP settings
Namespace providers (NSP) Provider Status EXE file Description GUID
Detected - 6, recognized as trusted - 6
Transport protocol providers (TSP, LSP) Provider EXE file Description
Detected - 24, recognized as trusted - 24
Results of automatic SPI settings check LSP settings checked. No errors detected


TCP/UDP ports
Port  Status  Remote Host  Remote Port  Application
TCP ports
135  LISTENING  0.0.0.0  0  [868] c:\windows\system32\svchost.exe
139  LISTENING  0.0.0.0  0  [4] System
445  LISTENING  0.0.0.0  0  [4] System
3389  LISTENING  0.0.0.0  0  [1460] c:\windows\system32\svchost.exe
5357  LISTENING  0.0.0.0  0  [4] System
49152  LISTENING  0.0.0.0  0  [536] c:\windows\system32\wininit.exe
49153  LISTENING  0.0.0.0  0  [1012] c:\windows\system32\svchost.exe
49154  LISTENING  0.0.0.0  0  [600] c:\windows\system32\lsass.exe
49155  LISTENING  0.0.0.0  0  [1088] c:\windows\system32\svchost.exe
49159  LISTENING  0.0.0.0  0  [580] c:\windows\system32\services.exe
49656  CLOSE_WAIT  62.41.85.18  80  [2104] c:\program files\common files\java\java update\jusched.exe
49670  CLOSE_WAIT  62.41.85.18  80  [5392] c:\program files\common files\java\java update\jucheck.exe
50461  CLOSE_WAIT  213.155.157.42  80  [5768] c:\program files\common files\adobe\updater5\adobeupdater.exe
50466  CLOSE_WAIT  62.41.85.32  80  [5768] c:\program files\common files\adobe\updater5\adobeupdater.exe
51165  ESTABLISHED  127.0.0.1  51166  [3804] c:\program files\internet explorer\iexplore.exe
51166  ESTABLISHED  127.0.0.1  51165  [3804] c:\program files\internet explorer\iexplore.exe
UDP ports
123  LISTENING  --  --  [1268] c:\windows\system32\svchost.exe
137  LISTENING  --  --  [4] System
138  LISTENING  --  --  [4] System
500  LISTENING  --  --  [1088] c:\windows\system32\svchost.exe
1900  LISTENING  --  --  [1268] c:\windows\system32\svchost.exe
1900  LISTENING  --  --  [1268] c:\windows\system32\svchost.exe
4500  LISTENING  --  --  [1088] c:\windows\system32\svchost.exe
5355  LISTENING  --  --  [1460] c:\windows\system32\svchost.exe
62296  LISTENING  --  --  [2172] c:\program files\internet explorer\iexplore.exe
62975  LISTENING  --  --  [1268] c:\windows\system32\svchost.exe
62976  LISTENING  --  --  [1268] c:\windows\system32\svchost.exe
64722  LISTENING  --  --  [3804] c:\program files\internet explorer\iexplore.exe

Downloaded Program Files (DPF)
Description / CLSID  Source URL
Microsoft XML Parser for Java  file:///C:/Windows/Java/classes/xmldso.cab
{7530BFB8-7293-4D34-9923-61A11451AFC5}  http://download.eset.com/special/eos/OnlineScanner.cab
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}  http://fpdownload.macromedia.com/get/fl ... rashim.cab
Elements detected: 3, recognized as trusted: 0

Control Panel Applets (CPL)
File name Description Manufacturer
Elements detected - 22, recognized as trusted - 22

Active Setup
File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file
127.0.0.1 localhost
::1 localhost


Protocols and handlers
File name  Type  Description  Manufacturer  CLSID
mscoree.dll  Protocol  Microsoft .NET Runtime Execution Engine  © Microsoft Corporation. All rights reserved.  {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll  Protocol  Microsoft .NET Runtime Execution Engine  © Microsoft Corporation. All rights reserved.  {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll  Protocol  Microsoft .NET Runtime Execution Engine  © Microsoft Corporation. All rights reserved.  {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected: 19, recognized as trusted: 16

Suspicious objects
File  Description  Type
C:\Windows\System32\drivers\pxrts.sys  Suspicion for Rootkit  Kernel-mode hook


--------------------------------------------------------------------------------

Main script of analysis
Windows version: Windows Vista (TM) Home Premium, Build=6002, SP="Service Pack 2"
System Restore: enabled
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00B80010<>76031C28
IAT modification detected: GetModuleFileNameA - 00B80080<>7607B6BD
IAT modification detected: GetModuleFileNameW - 00B800F0<>7607B27E
IAT modification detected: CreateProcessW - 00B80160<>76031BF3
IAT modification detected: LoadLibraryW - 00B80240<>76059362
IAT modification detected: LoadLibraryA - 00B80320<>760594DC
IAT modification detected: GetProcAddress - 00B80390<>7607903B
IAT modification detected: FreeLibrary - 00B80400<>76073DB4
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=137B00)
Kernel ntkrnlpa.exe found in memory at address 81E1B000
SDT = 81F52B00
KiST = 81EC784C (391)
Function NtAssignProcessToJobObject (2A) intercepted (81FD8AEF->8DB23A00), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Function NtCreateThread (4E) intercepted (820AC67C->8DB23A50), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Function NtOpenProcess (C2) intercepted (8203BC08->8DB23E10), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Function NtOpenThread (C9) intercepted (8203715A->8DB23CA0), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Function NtProtectVirtualMemory (D2) intercepted (82034F3D->8DB23AF0), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Function NtSetContextThread (121) intercepted (820AD34F->8DB239B0), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Function NtTerminateProcess (14E) intercepted (8200BDA3->8DB23FB0), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Function NtTerminateThread (14F) intercepted (8203718F->8DB23B90), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Function NtWriteVirtualMemory (166) intercepted (8202858D->8DB23BE0), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Functions checked: 391, intercepted: 9, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete


I don't know whether they are readable or whether they can be of any use to you, I tried... the file was in HTML so I did copy and paste
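
The AVZ "Main script of analysis" above reports hooks in two shapes: SDT entries whose new addresses it attributes to pxrts.sys, and kernel32 IAT entries in the scanned process that now point at 00B8xxxx addresses, which the report does not attribute to any module. The script below is an added example (it is not part of the original post or of the Kaspersky tool) showing how to make that attribution yourself from a module list: it parses both line formats and checks whether each hook target falls inside a loaded module's [base, base+size) range. The two dump_*.sys entries and the hook lines are copied from the report above; the base and size for pxrts.sys are assumed values chosen for illustration (the report names the driver but not its load address), and reading the IAT line as "current value <> expected export address" is likewise my assumption.

```python
import re

# Module list as (path, base, size). The dump_*.sys entries come from the
# "Kernel Space Modules Viewer" section of the report; the pxrts.sys base and size
# are ASSUMED (the report names the driver but never prints where it is loaded).
MODULES = [
    (r"C:\Windows\System32\Drivers\dump_diskdump.sys", 0x8EDDA000, 0x00A000),
    (r"C:\Windows\System32\Drivers\dump_nvstor32.sys", 0x8E1C7000, 0x01D000),
    (r"C:\Windows\System32\drivers\pxrts.sys", 0x8DB20000, 0x010000),  # assumed
]

# Hook lines copied verbatim from the AVZ report in this thread.
SAMPLE_LINES = r"""
Function NtOpenProcess (C2) intercepted (8203BC08->8DB23E10), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
Function NtWriteVirtualMemory (166) intercepted (8202858D->8DB23BE0), hook C:\Windows\System32\drivers\pxrts.sys, driver recognized as trusted
IAT modification detected: CreateProcessA - 00B80010<>76031C28
IAT modification detected: LoadLibraryA - 00B80320<>760594DC
"""

# "Function <name> (<index>) intercepted (<original>-><current>)"
SDT_RE = re.compile(r"Function (\w+) \((\w+)\) intercepted \(([0-9A-Fa-f]+)->([0-9A-Fa-f]+)\)")
# Assumption: the left address is what the IAT holds now, the right one is the
# expected export (the 76xxxxxx values sit in kernel32's usual Vista load range).
IAT_RE = re.compile(r"IAT modification detected: (\w+) - ([0-9A-Fa-f]+)<>([0-9A-Fa-f]+)")


def parse_hooks(text):
    """Turn AVZ SDT and IAT hook lines into dicts with integer addresses."""
    hooks = []
    for line in text.splitlines():
        m = SDT_RE.search(line)
        if m:
            hooks.append({"kind": "SDT", "func": m.group(1), "index": int(m.group(2), 16),
                          "orig": int(m.group(3), 16), "target": int(m.group(4), 16)})
            continue
        m = IAT_RE.search(line)
        if m:
            hooks.append({"kind": "IAT", "func": m.group(1), "index": None,
                          "target": int(m.group(2), 16), "orig": int(m.group(3), 16)})
    return hooks


def owner_of(addr, modules=MODULES):
    """Path of the module whose [base, base+size) range contains addr, else None."""
    for path, base, size in modules:
        if base <= addr < base + size:
            return path
    return None


def attribute_hooks(text, modules=MODULES):
    """Attach the owning module (or None) and a one-line verdict to every parsed hook."""
    result = []
    for hook in parse_hooks(text):
        hook["owner"] = owner_of(hook["target"], modules)
        hook["verdict"] = ("target inside a loaded module" if hook["owner"]
                           else "target outside every loaded module: allocated or injected code, inspect it")
        result.append(hook)
    return result


if __name__ == "__main__":
    for h in attribute_hooks(SAMPLE_LINES):
        print(f'{h["kind"]:3} {h["func"]:22} {h["orig"]:08X} -> {h["target"]:08X}  '
              f'{h["owner"] or "-"}  ({h["verdict"]})')
```

With real data, feed in the complete module list from the same report (or a kernel debugger's module listing) rather than the three entries here, and treat an unattributed target as the thing to investigate next, not as proof of malware: this thread never says what owns the 00B8xxxx trampolines.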

Re: help with log!

Posted by Klod » Fri Jun 04, 2010 1:10 pm

http://www.mediafire.com/file/tdv1mnzyj ... ysinfo.zip
maybe this one is more readable... I hope so

Re: help with log!

Posted by Klod » Fri Jun 04, 2010 1:40 pm

Prevx found 3 viruses:
REGISTRY\Machine\System\ControlSet001\Services\utqwndk3
REGISTRY\Machine\System\CurrentControlSet\Services\utqwndk3
it says infected entry [imagepath]
and the same in the drivers folder
here is the log
http://www.mediafire.com/file/gyzmidkznnw/log prev.log

Re: help with log!

Posted by crazy.cat » Fri Jun 04, 2010 1:55 pm

Try running the HijackThis scan again, tick the boxes for these lines and press Fix checked to remove them.
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - Startup: setup_9.0.0.722_01.06.2010_11-31.lnk = Klod\Desktop\Virus Removal Tool\setup_9.0.0.722_01.06.2010_11-31\startup.exe
Restart the PC and, if the error is still there, try selecting this one and remove it too.
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

Clean up the useless services http://www.MegaLab.it/2578/ripulire-la- ... di-windows
O23 - Service: BWSOT - Unknown owner - C:\Users\Klod\AppData\Local\Temp\BWSOT.exe (file missing)
O23 - Service: JEZVMSB - Unknown owner - C:\Users\Klod\AppData\Local\Temp\JEZVMSB.exe (file missing)
O23 - Service: NHEONHGN - Unknown owner - C:\Users\Klod\AppData\Local\Temp\NHEONHGN.exe (file missing)
O23 - Service: NZBQMZCKDLWFQ - Unknown owner - C:\Users\Klod\AppData\Local\Temp\NZBQMZCKDLWFQ.exe (file missing)
O23 - Service: OZJQLQ - Unknown owner - C:\Users\Klod\AppData\Local\Temp\OZJQLQ.exe (file missing)
O23 - Service: PAPCFJNJM - Unknown owner - C:\Users\Klod\AppData\Local\Temp\PAPCFJNJM.exe (file missing)
O23 - Service: POGASZGLKDFWL - Unknown owner - C:\Users\Klod\AppData\Local\Temp\POGASZGLKDFWL.exe (file missing)
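
crazy.cat's advice above is to tick the seven O23 lines in HijackThis and use Fix checked; they are the same seven entries the AVZ Services section lists as Not started with binaries under C:\Users\Klod\AppData\Local\Temp. The script below is an added example, not part of this thread or of HijackThis, that automates that triage: it parses O23 lines, scores each service on the signals visible in this log (unknown owner, binary in a Temp directory, binary no longer on disk, random-looking all-caps name) and emits the sc commands that remove the orphaned service keys. The two-signal threshold and the consonant-run heuristic are my own choices, not anything the thread states; the sample lines are copied from the HijackThis log above.

```python
import re

# HijackThis O23 line: "O23 - Service: <display (key)> - <owner> - <image path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Sample O23 lines copied from the HijackThis log in this thread (three benign, two bogus).
SAMPLE_O23 = r"""
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: BWSOT - Unknown owner - C:\Users\Klod\AppData\Local\Temp\BWSOT.exe (file missing)
O23 - Service: NZBQMZCKDLWFQ - Unknown owner - C:\Users\Klod\AppData\Local\Temp\NZBQMZCKDLWFQ.exe (file missing)
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
"""


def service_key(display):
    """HijackThis prints 'Display Name (KeyName)'; without parens the display name is the key."""
    m = re.search(r"\((?P<key>[^()]+)\)$", display)
    return m.group("key") if m else display


def name_looks_random(key):
    """My heuristic: 5-16 upper-case letters with no vowel at all or a run of 4+ consonants."""
    if not re.fullmatch(r"[A-Z]{5,16}", key):
        return False
    return re.search(r"[^AEIOU]{4}", key) is not None or re.search(r"[AEIOU]", key) is None


def parse_o23(text):
    """Parse every O23 line in text into a dict; non-O23 lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "key": service_key(m.group("name")),
            "display": m.group("name"),
            "owner": m.group("owner"),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        })
    return entries


def suspicion_reasons(entry):
    """Independent signals; each one alone is weak (ASLDRService has an unknown owner too)."""
    reasons = []
    if entry["owner"].lower() == "unknown owner":
        reasons.append("unknown owner")
    if TEMP_DIR_RE.search(entry["path"]):
        reasons.append("binary lives in a Temp directory")
    if entry["file_missing"]:
        reasons.append("binary no longer on disk")
    if name_looks_random(entry["key"]):
        reasons.append("random-looking service name")
    return reasons


def triage(text, threshold=2):
    """Return the entries with at least `threshold` signals, each with its cleanup commands."""
    flagged = []
    for entry in parse_o23(text):
        reasons = suspicion_reasons(entry)
        if len(reasons) >= threshold:
            key = entry["key"]
            entry["reasons"] = reasons
            # sc delete removes the service key even when the image file is gone;
            # stop it first in case something is still running under that name.
            entry["cleanup"] = [f'sc stop "{key}"', f'sc delete "{key}"']
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_O23):
        print(hit["key"], "->", ", ".join(hit["reasons"]))
        for cmd in hit["cleanup"]:
            print("   ", cmd)
```

Feed it the whole HijackThis log and it flags exactly the seven Temp services and nothing else; the ASLDRService line stays below threshold because an unknown owner on its own proves nothing. The emitted sc commands are the command-line equivalent of what Fix checked does for an O23 entry, run from an elevated prompt.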

Re: help with log!

Posted by Klod » Fri Jun 04, 2010 2:06 pm

but did you get the message with the Prevx viruses and the various logs? because I sent it a little while ago together with other logs, but it tells me I sent it at 10.45 in the morning, no idea!

Re: help with log!

Posted by crazy.cat » Fri Jun 04, 2010 2:22 pm

Klod wrote: but did you get the message with the Prevx viruses and the various logs?

Yes. But let's try to solve one problem at a time.
All the O23 entries I pointed out are bogus services created by a virus that has since been removed.


megalab.it: daily online publication registered with the Court of Cosenza no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising