Punto informatico Network

Strange system behaviour... slowdowns

Has a virus got into your computer? Do you want to browse in complete safety? Are online transactions secure? How do you keep attackers out of your PC? How do you protect your data? Here you will find the answers to these and other questions.

Re: Strange system behaviour... slowdowns

Post by Sabbb » Sun Nov 14, 2010 9:42 pm

hashcat wrote:
NoVirusThanks Anti-Rootkit link:
http://downloads.novirusthanks.org/files/NVTArk_Free_Setup.exe
Sorry, but is this anti-rootkit trustworthy? I tried it, as I always try anything new, and it still has to finish, but it is already giving me:
[image]
Sabbb
Inactive user

Posts: 4483
Joined: Sat Sep 04, 2010 11:19 am

Re: Strange system behaviour... slowdowns

Post by torch » Sun Nov 14, 2010 9:43 pm

Here is the tdsskiller log:

ComboFix 10-11-12.06 - TRH 14/11/2010 12:09:01.12.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3326.2785 [GMT 1:00]
Eseguito da: c:\documents and settings\TRH\Desktop\pippo.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000000-0000-0000-1200-140000DCFD7F}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000000-0000-0000-1200-140000ECFD7F}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000000-0000-0000-1200-140000FCFD7F}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000010-0000-0000-0000-0000D8023C00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000010-0000-0000-0000-0000D8023D00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000040-0000-0000-0000-0000E8013D00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0012EE84-FFFC-FFFF-0200-00004FBCC4F1}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0012EF40-0002-0000-8843-927C00F0FF7F}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {006E0069-0053-0078-5300-5C0000004100}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
ADS - WINDOWS: deleted 0 bytes in 2 streams.

((((((((((((((((((((((((( Files Creati Da 2010-10-14 al 2010-11-14 )))))))))))))))))))))))))))))))))))
.

2010-11-14 10:25 . 2010-11-14 10:45 -------- d-----w- C:\pippo
2010-11-12 20:22 . 2010-11-12 20:22 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-11-12 20:12 . 2010-11-12 20:12 -------- d-----w- c:\programmi\Hitman Pro 3.5
2010-11-12 18:25 . 2010-11-12 18:25 -------- d-----w- c:\programmi\NoVirusThanks
2010-11-12 13:35 . 2010-11-12 13:35 388096 ----a-r- c:\documents and settings\TRH\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-12 12:08 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\10145712.sys
2010-11-12 12:08 . 2009-10-09 21:31 315408 ----a-w- c:\windows\system32\drivers\1014571.sys
2010-11-12 09:40 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\42142092.sys
2010-11-12 09:40 . 2009-10-09 21:31 315408 ----a-w- c:\windows\system32\drivers\4214209.sys
2010-11-12 09:40 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\42142091.sys
2010-11-11 21:41 . 2010-11-11 23:27 -------- d-----w- c:\documents and settings\TRH\Dati applicazioni\Spotify
2010-11-11 21:41 . 2010-11-11 23:24 -------- d-----w- c:\documents and settings\TRH\Impostazioni locali\Dati applicazioni\Spotify
2010-11-11 21:41 . 2010-11-11 21:41 -------- d-----w- c:\programmi\Spotify
2010-11-11 20:59 . 2010-11-11 20:59 76440 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-11-11 20:59 . 2010-11-11 20:59 -------- d-----w- c:\programmi\Prevx
2010-11-11 20:59 . 2010-11-11 21:10 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PrevxCSI
2010-11-11 20:42 . 2010-11-13 09:07 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-11 20:41 . 2010-11-12 20:22 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Hitman Pro
2010-11-10 18:44 . 2010-11-10 18:44 -------- d-----w- c:\documents and settings\TRH\Dati applicazioni\Avira
2010-11-10 15:01 . 2010-11-10 15:01 -------- d-----w- c:\windows\system32\winrm
2010-11-10 15:01 . 2010-11-10 15:01 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-11-10 14:59 . 2008-07-11 00:29 92184 ----a-w- c:\windows\system32\SQSRVRES.DLL
2010-11-10 11:08 . 2010-11-10 11:08 -------- d-----w- c:\documents and settings\TRH\Dati applicazioni\MumboJumbo
2010-11-10 11:08 . 2010-11-10 11:08 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\MumboJumbo
2010-11-10 11:08 . 2010-11-10 11:08 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Trymedia
2010-11-10 10:29 . 2010-11-10 10:29 -------- d-----w- c:\programmi\Games
2010-11-10 09:53 . 2010-11-10 09:53 -------- d-----w- c:\programmi\Blast From The Past
2010-11-10 09:53 . 1997-01-18 10:40 299520 ----a-w- c:\windows\uninst.exe
2010-11-10 07:46 . 2009-09-27 08:39 369152 ----a-w- c:\windows\system32\avisynth.dll
2010-11-10 07:46 . 2010-11-10 07:46 -------- d-----w- c:\programmi\AviSynth 2.5
2010-11-10 07:46 . 2004-01-24 23:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2010-11-10 07:46 . 2004-01-24 23:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2010-11-09 23:22 . 2010-11-09 23:22 -------- d-----w- c:\documents and settings\TRH\Dati applicazioni\VideoCharge Studio
2010-11-09 23:21 . 2008-09-30 11:03 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2010-11-09 23:21 . 2010-11-09 23:21 -------- d-----w- c:\programmi\VideoCharge Software
2010-11-09 21:30 . 2010-11-10 07:49 -------- d-----w- C:\video_output
2010-11-09 19:15 . 2010-11-09 19:15 -------- d-----w- c:\documents and settings\TRH\Impostazioni locali\Dati applicazioni\Xilisoft
2010-11-09 19:15 . 2010-11-09 19:15 -------- d-----w- c:\documents and settings\TRH\Dati applicazioni\Xilisoft
2010-11-09 19:14 . 2010-11-09 19:14 -------- d-----w- c:\programmi\Xilisoft
2010-11-09 19:14 . 2010-11-09 19:14 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Xilisoft
2010-11-07 08:52 . 2010-11-07 08:52 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Nikon
2010-11-05 23:53 . 2010-11-05 23:53 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Nik Software
2010-11-05 23:50 . 2010-11-05 23:50 -------- d-----w- c:\programmi\Nik Software
2010-11-05 20:54 . 2010-11-05 20:54 -------- d-----w- c:\documents and settings\TRH\Dati applicazioni\Athentech
2010-11-05 20:51 . 2010-11-05 20:51 -------- d-----w- c:\programmi\Athentech
2010-11-04 17:30 . 2010-11-04 18:05 -------- d-----w- c:\programmi\Nikon
2010-11-04 16:22 . 2010-11-11 10:04 -------- d-----w- c:\programmi\Hard Disk Sentinel
2010-11-03 23:27 . 2010-11-11 10:04 -------- d-----w- c:\programmi\HDD Regenerator
2010-11-02 15:31 . 2010-11-02 15:31 -------- d-----w- c:\programmi\tamasoftware
2010-11-02 11:05 . 2010-11-02 11:05 -------- d-----w- c:\programmi\File comuni\SafeNet Sentinel
2010-11-02 11:05 . 2010-11-02 11:05 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SafeNet Sentinel
2010-11-02 11:04 . 2010-11-02 11:04 -------- d-----w- c:\programmi\File comuni\Optical Research Associates
2010-11-02 10:59 . 2010-11-02 10:59 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\LightTools
2010-11-01 13:05 . 2010-11-01 13:05 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Logitech
2010-11-01 13:04 . 2010-11-01 13:04 -------- d-----w- c:\documents and settings\TRH\Impostazioni locali\Dati applicazioni\Logishrd
2010-11-01 13:04 . 2010-11-01 13:04 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-11-01 13:04 . 2010-03-18 09:01 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-11-01 13:03 . 2010-11-01 13:05 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Logishrd
2010-11-01 12:47 . 2010-11-01 12:47 -------- d-----w- c:\documents and settings\TRH\Dati applicazioni\Logishrd
2010-10-30 15:27 . 2010-10-30 15:27 -------- d-----w- c:\programmi\File comuni\Skype
2010-10-30 14:55 . 2009-10-19 15:30 23848 ----a-w- c:\windows\system32\libcmmn.dll
2010-10-30 14:55 . 2009-10-19 15:30 42280 ----a-w- c:\windows\system32\WebCamKSProxyPlugin.ax
2010-10-30 14:55 . 2009-10-19 15:30 681256 ----a-w- c:\windows\system32\WebCamPropertyWindow.dll
2010-10-30 14:55 . 2008-12-12 16:34 73728 ----a-w- c:\windows\system32\BurnerApLib.dll
2010-10-30 14:55 . 2008-10-09 09:02 102400 ----a-w- c:\windows\system32\st50220.dll
2010-10-30 14:55 . 2003-02-28 16:26 947472 ----a-w- c:\windows\system32\msjava.dll
2010-10-27 09:25 . 2010-10-27 09:25 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\explauncher
2010-10-27 09:25 . 2010-10-27 09:25 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\launcher
2010-10-27 09:24 . 2010-07-13 09:57 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2010-10-27 09:24 . 2010-10-27 09:24 -------- d-----w- c:\programmi\Paragon Software
2010-10-27 08:59 . 2010-08-26 07:32 98696 ----a-w- c:\windows\system32\setupprwdrv03.exe
2010-10-27 08:59 . 2010-08-25 17:39 13064 ----a-w- c:\windows\system32\prwntdrv.sys
2010-10-27 08:59 . 2010-10-27 08:59 -------- d-----w- c:\programmi\EASEUS
2010-10-25 23:17 . 2010-10-25 23:28 -------- d-----w- C:\5b59075a0b5cf0c871191fe7
2010-10-25 22:45 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-25 22:45 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-25 22:45 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-04 17:29 . 2009-01-14 20:46 57344 ----a-r- c:\documents and settings\TRH\Dati applicazioni\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2010-10-16 21:52 . 2010-08-10 08:41 3072 ----a-w- c:\windows\system32\Viveza2FC32.dll
2010-10-04 12:13 . 2010-10-04 12:13 64512 ----a-w- c:\windows\system32\nlssrv32.exe
2010-09-29 08:01 . 2010-06-01 17:00 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-29 08:01 . 2010-06-01 17:00 91560 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-09-29 08:01 . 2010-06-01 17:00 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-29 08:01 . 2010-06-04 09:55 239240 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-09-29 08:01 . 2010-06-01 17:00 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-09-25 18:43 . 2010-09-25 18:43 1724416 ----a-w- c:\windows\system32\gdiplus.dll
2010-09-18 10:23 . 2004-08-19 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-19 12:00 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-19 12:00 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-19 12:00 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-10 05:49 . 2006-03-04 03:34 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:49 . 2004-08-19 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:49 . 2004-08-19 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 09:17 . 2010-09-08 09:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 09:17 . 2010-09-08 09:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 13:22 . 2010-06-20 08:53 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-09-01 13:22 . 2009-09-24 09:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-01 11:51 . 2004-08-19 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 07:54 . 2004-08-19 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-19 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:58 . 2004-08-19 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-27 01:43 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 13:39 . 2004-08-19 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-23 16:12 . 2004-08-19 12:00 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-19 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2009-11-19 19:08 . 2009-11-19 19:08 3749224 ----a-w- c:\programmi\File comuni\adlmint_libFNP.dll
2009-11-19 19:08 . 2009-11-19 19:08 2941288 ----a-w- c:\programmi\File comuni\adlmint.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="e:\masterizzazione\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"i8kfangui"="c:\programmi\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
"Gadwin PrintScreen Pro"="c:\programmi\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" [2009-02-28 516096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="c:\programmi\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Dell QuickSet"="c:\programmi\Dell\QuickSet\Quickset.exe" [2006-08-03 1032192]
"LVCOMS"="c:\programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"IntelZeroConfig"="c:\programmi\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\programmi\File comuni\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"avgnt"="e:\sicurezza\Avira\AntiVir Desktop\avgnt.exe" [2010-09-01 281768]
"COMODO Internet Security"="e:\sicurezza\Comodo\COMODO\COMODO Internet Security\cfp.exe" [2010-09-29 2500552]
"EvtMgr6"="c:\programmi\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-13 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\TRH\Menu Avvio\Programmi\Esecuzione automatica\
Widget vodafone.lnk - c:\programmi\Widget vodafone.it\Widget vodafone.it.exe [2010-4-18 95232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\programmi\File comuni\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ pdboot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\prwntdrv]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^TRH^Menu Avvio^Programmi^Esecuzione automatica^Ritaglio schermata e avvio di OneNote 2007.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^TRH^Menu Avvio^Programmi^Esecuzione automatica^Widget vodafone.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 09:44 31072 ----a-w- e:\sistema\Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 00:10 421160 ----a-w- e:\audio\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- e:\players\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 09:57 1451520 ----a-w- c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-12-06 17:37 69216 ------w- e:\players\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-10-11 14:49 14940040 ----a-r- e:\internet\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Sistema\\Office\\Office12\\OUTLOOK.EXE"=
"e:\\Sistema\\Office\\Office12\\GROOVE.EXE"=
"e:\\Sistema\\Office\\Office12\\ONENOTE.EXE"=
"e:\\Internet\\uTorrent\\uTorrent.exe"=
"e:\\Internet\\Mirc\\mirc.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Internet\\eMule\\emule.exe"=
"e:\\Internet\\Firefox\\firefox.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"e:\\Internet\\SoulseekNS\\slsk.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Programmi\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"e:\\Architettura\\Rhinoceros_4\\System\\Rhino4.exe"=
"d:\\3dsMax2010\\3dsmax.exe"=
"d:\\3dsMax2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"d:\\3dsMax2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\ArchVision\\ArchVision Content Manager\\rpcACMapp.exe"=
"e:\\Architettura\\3dMax2010Design\\3dsmax.exe"=
"e:\\Architettura\\3dMax2010Design\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"e:\\Architettura\\3dMax2010Design\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"e:\\Internet\\Skype\\Plugin Manager\\skypePM.exe"=
"e:\\Architettura\\3dMax2011\\3dsmax.exe"=
"e:\\Architettura\\3dMax2011\\mentalimages\\satellite\\raysat_3dsmax2011_32server.exe"=
"e:\\Architettura\\3dMax2011\\mentalimages\\satellite\\raysat_3dsmax2011_32.exe"=
"e:\\Architettura\\3dMax2011Design\\3dsmax.exe"=
"e:\\Architettura\\3dMax2011Design\\mentalimages\\satellite\\raysat_3dsmax2011_32.exe"=
"e:\\Architettura\\3dMax2011Design\\mentalimages\\satellite\\raysat_3dsmax2011_32server.exe"=
"e:\\Architettura\\Backburner\\monitor.exe"=
"e:\\Architettura\\Backburner\\manager.exe"=
"e:\\Architettura\\Backburner\\server.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"e:\\Audio\\iTunes\\iTunes.exe"=
"e:\\Internet\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Crazybump\\cb.exe"=
"c:\\Programmi\\Spotify\\spotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
"3140:TCP"= 3140:TCP:IP-Clamp Licensing Service
"5985:TCP"= 5985:TCP:*:Disabled:Gestione remota Windows

R0 10145712;10145712 Boot Guard Driver;c:\windows\system32\drivers\10145712.sys [12/11/2010 13:08 37392]
R0 42142092;42142092 Boot Guard Driver;c:\windows\system32\drivers\42142092.sys [12/11/2010 10:40 37392]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [27/10/2010 10:24 40560]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16/12/2008 14:04 685816]
S0 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys --> c:\windows\system32\drivers\CFRMD.sys [?]
S1 10145711;10145711;c:\windows\system32\DRIVERS\10145711.sys --> c:\windows\system32\DRIVERS\10145711.sys [?]
S1 42142091;42142091;c:\windows\system32\drivers\42142091.sys [12/11/2010 10:40 128016]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [04/06/2010 10:55 239240]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [01/06/2010 18:00 25240]
S1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;\??\c:\docume~1\TRH\IMPOST~1\Temp\VSPE.sys --> c:\docume~1\TRH\IMPOST~1\Temp\VSPE.sys [?]
S1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [16/06/2009 23:57 14464]
S1 setup_9.0.0.722_12.11.2010_10-13drv;setup_9.0.0.722_12.11.2010_10-13drv;c:\windows\system32\drivers\1014571.sys [12/11/2010 13:08 315408]
S2 3d-io License Server v2.0;3d-io License Server v2.0;c:\programmi\3d-io plugins\licensing_v2\ActiveLockServerV2.exe [28/01/2009 17:49 45056]
S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 - Servizio Gestione licenze;e:\scanner\abbyy\NetworkLicenseServer.exe -service --> e:\scanner\abbyy\NetworkLicenseServer.exe -service [?]
S2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [04/02/2010 18:06 1431440]
S2 ArchVision Content Manager Service;ArchVision Content Manager Service;c:\programmi\ArchVision\ArchVision Content Manager\rpcACMapp.exe --service --path "c:\programmi\ArchVision\ArchVision Content Manager" --> c:\programmi\ArchVision\ArchVision Content Manager\rpcACMapp.exe --service --path c:\programmi\ArchVision\ArchVision Content Manager [?]
S2 CAMTHWDM;CAMTHWDM;c:\windows\system32\drivers\CAMTHWDM.sys [06/10/2007 09:38 941784]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S2 cpwnt;cpwnt;c:\windows\system32\drivers\cpwnt.sys [16/01/2009 22:52 21824]
S2 gupdate;Google Update Service (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [05/10/2009 14:34 133104]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S2 IPClampService;IP-Clamp Licensing by cebas VISUAL TECHNOLOGY Inc.;c:\programmi\cebas\ip-clamp\ipclamp.exe [20/11/2007 10:52 45700]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [01/11/2010 14:04 10448]
S2 LTService;LTService 7.0.0.1;c:\programmi\File comuni\Optical Research Associates\LightTools\ltService.exe [08/02/2010 13:55 761856]
S2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max Design 2010 32-bit 32-bit;e:\architettura\3dMax2010Design\mentalray\satellite\raysat_3dsmax2010_32server.exe [12/03/2009 17:36 86016]
S2 mi-raysat_3dsmax2011_32;mental ray 3.8 Satellite for Autodesk 3ds Max 2011 32-bit 32-bit;e:\architettura\3dMax2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [10/03/2010 01:10 86016]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [04/10/2010 13:13 64512]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\programmi\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [11/12/2008 07:08 3575808]
S2 WDDMService;WD SmartWare Drive Manager;c:\programmi\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [05/11/2009 08:44 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\programmi\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 08:58 20480]
S3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [29/07/2009 18:14 94720]
S3 HPx9G+;HPx9G+ Device USB Driver;c:\windows\system32\drivers\hpx9g2k.sys [06/01/2009 10:24 12658]
S3 hxctlflt;hxctlflt;c:\windows\system32\drivers\hxctlflt.sys [04/05/2010 13:47 99968]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/01/2010 05:36 20952]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11.tmp --> c:\windows\system32\11.tmp [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [20/08/2010 18:09 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [20/08/2010 18:09 8320]
S3 prwntdrv;prwntdrv;c:\windows\system32\prwntdrv.sys [27/10/2010 09:59 13064]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [17/05/2010 16:30 27064]
S3 SwitchBoard;SwitchBoard;c:\programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 12:37 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/03/2010 18:50 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [19/08/2004 13:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
S4 MSSQLServerADHelper100;Servizio SQL Server Active Directory Helper;c:\programmi\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 01:28 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 03:09 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\programmi\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30/03/2009 03:23 366936]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - LBEEPKE
*NewlyCreated* - MDMXSDK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contenuto della cartella 'Scheduled Tasks'

2010-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-10-05 13:34]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-10-05 13:34]

2010-11-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1383384898-839522115-1003Core.job
- c:\documents and settings\TRH\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-09-06 16:54]

2010-11-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1383384898-839522115-1003UA.job
- c:\documents and settings\TRH\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-09-06 16:54]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: Append Link Target to Existing PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with - c:\programmi\Xilisoft\Download YouTube Video\upod_link.HTM
TCP: {B3E33D71-5AA5-40FE-9E7D-22BEC5D6A25C} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\TRH\Dati applicazioni\Mozilla\Firefox\Profiles\wyk38ngl.default\
FF - prefs.js: browser.search.selectedEngine - De Mauro - Sinonimi e contrari
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=
FF - component: c:\documents and settings\TRH\Dati applicazioni\Mozilla\Firefox\Profiles\wyk38ngl.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\documents and settings\TRH\Dati applicazioni\Mozilla\Firefox\Profiles\wyk38ngl.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - component: c:\programmi\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\components\FirefoxExtension.dll
FF - plugin: c:\documents and settings\TRH\Dati applicazioni\Mozilla\Firefox\Profiles\wyk38ngl.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\TRH\Dati applicazioni\Mozilla\Firefox\Profiles\wyk38ngl.default\extensions\VisuAllViewer@digitalarts.dk\plugins\npvisuall2.dll
FF - plugin: c:\documents and settings\TRH\Dati applicazioni\Mozilla\Firefox\Profiles\wyk38ngl.default\extensions\VMwareVMRC@vmware.com\plugins\np-vmware-vmrc-2.5.0-122581.dll
FF - plugin: c:\documents and settings\TRH\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Earth Resource Mapping\Image Web Server\Firefox Plug-in\NP_NCS6.dll
FF - plugin: c:\programmi\Earth Resource Mapping\Image Web Server\Firefox Plug-in\NP_NCSPB6.dll
FF - plugin: c:\programmi\Earth Resource Mapping\Image Web Server\Firefox Plug-in\NP_NCSTB6.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programmi\TVUPlayer\npTVUAx.dll
FF - plugin: c:\programmi\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\programmi\Virtual Earth 3D\npVE3D.dll
FF - plugin: e:\audio\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\players\Quicktime\Plugins\npqtplugin.dll
FF - plugin: e:\players\Quicktime\Plugins\npqtplugin2.dll
FF - plugin: e:\players\Quicktime\Plugins\npqtplugin3.dll
FF - plugin: e:\players\Quicktime\Plugins\npqtplugin4.dll
FF - plugin: e:\players\Quicktime\Plugins\npqtplugin5.dll
FF - plugin: e:\players\Quicktime\Plugins\npqtplugin6.dll
FF - plugin: e:\players\Quicktime\Plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
e:\internet\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
e:\internet\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 12:19
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\11.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\e:\players\PowerDVD\000.fcl"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(352)
c:\programmi\file comuni\logishrd\bluetooth\LBTWlgn.dll

- - - - - - - > 'explorer.exe'(988)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
e:\architettura\3dMax2011\AcSignCore16.dll
c:\windows\system32\msi.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\programmi\WIBU-SYSTEMS\System\WibuShellExt.dll
e:\fotografia\Autopano Giga 2\AutopanoShell_win32.dll
c:\programmi\File comuni\Autodesk Shared\AcShellEx\AcShellExtension.dll
e:\fotografia\Autopano Pro\AutopanoShell_win32.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.ITA
.
Scan finished at: 2010-11-14 12:26:26
ComboFix-quarantined-files.txt 2010-11-14 11:26

Pre-Run: 3,571,109,888 bytes free
Post-Run: 3,540,336,640 bytes free

Current=2 Default=2 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - B44022A1725F0EA98DD33FA1C4F17164
torch (Senior Member)

Post by torch » Sun Nov 14, 2010 9:55 pm

TDSS Remover found 19 hidden objects (among them sptd.sys in system32\drivers\, which the other tool had also flagged as suspicious).

How do I produce a log from TDSS Remover?
torch (Senior Member)

Post by Sabbb » Sun Nov 14, 2010 10:13 pm

Sabbb wrote:
hashcat wrote:
NoVirusThanks Anti-Rootkit link:
http://downloads.novirusthanks.org/files/NVTArk_Free_Setup.exe
Sorry, but is this anti-rootkit trustworthy? I tried it, as I always try anything new, and it hasn't finished yet but it is already giving me:
[image]
I'd add that Avira and Hitman detect it as malicious

[image]
[boh] and MBR Check says my MBR is fine, as does mbr.exe. Sorry, I should have opened a topic of my own, but it all came up suddenly while reading this post. I would just like an opinion. Carry on...
Sabbb (Inactive user)

Post by torch » Sun Nov 14, 2010 10:15 pm

Here is the TDSS Remover log:

##########################################################################
#
# TDSS Remover detected objects log
# Copyright (c) 2009-2010 eSage Lab
#
# http://www.esagelab.com/
# support@esagelab.com
#
# Program Version: 1.8.0.0
# OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
#
# Computer Name: TRH-DELL
#
# Log File Date/Time: 14.11.2010/22:13:21
#
# Data Directory: dump_14.11-22.13.21
#
# NOTE:
# To convert registry binary dumps (*reg.bin) to human readable format (*.reg),
# copy dumps to a clean PC and run bin_to_reg.bat
#
##########################################################################

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Dumped Name: 0000_reg.bin
MD5: 44CA1E0727BE819D918D5F3BA91B9CBB
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Dumped Name: 0001_reg.bin
MD5: 689FBB7AA6E180FA75EB29C8FB5C37A6
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Dumped Name: 0002_reg.bin
MD5: C36AD810D4FC11F54F5D31B5F8F2022F
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Dumped Name: 0003_reg.bin
MD5: 09148A9E36964F23A09BB19503CA9BAD
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Dumped Name: 0004_reg.bin
MD5: 618A017A343F5A1DB2F955D88522C60F
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Dumped Name: 0005_reg.bin
MD5: 0DA1201A988C991BCE64ECBEBB952CDD
Size: 12288 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641fadf2a
Dumped Name: 0006_reg.bin
MD5: B02FA1B5B2C992296FA3798F92B29445
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Dumped Name: 0007_reg.bin
MD5: 58343AAD9ADD9D9563271E04D320AEBB
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Dumped Name: 0008_reg.bin
MD5: 5FB43E6F62BE5FAB33CBCFBE0C51E237
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Dumped Name: 0009_reg.bin
MD5: 5A3EA17411850DA002064BF67B46B14C
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Dumped Name: 000a_reg.bin
MD5: 8BD308FE6D6208BABE5A60812D4CB077
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Dumped Name: 000b_reg.bin
MD5: 2093A247A1E81493BA56640D203F53BD
Size: 8192 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Dumped Name: 000c_reg.bin
MD5: 9D4B1E8703EBC61B1DD36426EDD077C6
Size: 12288 bytes

Alert Type: No Access
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg
Dumped Name: 000d_reg.bin
MD5: 99C34D024C88DE8B2744FC076F5BBA74
Size: 12288 bytes

Alert Type: No Access
Object Type: File
Original Name: C:\WINDOWS\system32\drivers\kbdhid.sys
Dumped Name: 4C61C226BDDA2EF1672B2C5F4E56625E_kbdhid.sys
MD5: 4C61C226BDDA2EF1672B2C5F4E56625E
Size: 14720 bytes

Alert Type: No Access
Object Type: File
Original Name: C:\WINDOWS\system32\drivers\sptd.sys
Dumped Name: D390675B8CE45E5FB359338E5E649329_sptd.sys
MD5: D390675B8CE45E5FB359338E5E649329
Size: 685816 bytes

Alert Type: Rootkit.Win32.TDSS.cf
Object Type: File
Original Name: C:\WINDOWS\system32\drivers\aksfridge.sys
Dumped Name: CB5A5079744A0535416D3A5E462C5EFE_aksfridge.sys
MD5: CB5A5079744A0535416D3A5E462C5EFE
Infected with: Rootkit.Win32.TDSS.cf
Size: 350720 bytes

Alert Type: Rootkit.Win32.TDSS.cf
Object Type: File
Original Name: C:\WINDOWS\system32\drivers\hardlock.sys
Dumped Name: 9DE9A7A19195C57EF38B4EE25422F2D7_hardlock.sys
MD5: 9DE9A7A19195C57EF38B4EE25422F2D7
Infected with: Rootkit.Win32.TDSS.cf
Size: 586240 bytes


While generating it I got an error: Error while dumping object ''HKEY_LOCAL_MACINE\SYSTEM\ControlSet001\Services\cercsr6'
torch (Senior Member)
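
A triage pass over a TDSS Remover log of the shape posted above, written as an added example for this thread; it is not code from the post or from eSage Lab's tool. It assumes only the record layout visible in the log (blank-line-separated blocks of `Field: value` pairs, with file dumps named `<MD5>_<basename>`). The vendor hints for sptd.sys and for the HASP dongle drivers hardlock.sys and aksfridge.sys are background knowledge about those driver names and are marked as an assumption in the code: a hit means "check the vendor signature", not "clean". The point of the report is to separate what the tool actually established (a key hidden by some driver, an object it could not read, a named signature match) before anything is deleted, to group the hidden keys by the service that owns them, and to collect the MD5s for a hash lookup.

```python
"""Triage a TDSS Remover 'detected objects' log before acting on it.

Added example for this thread, not code from the post or from eSage Lab.
Assumes only the record layout seen in the log: blank-line-separated blocks of
'Field: value' pairs, and file dumps named '<MD5>_<basename>'.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+): (.*)$")
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)

# Assumption: well-known third-party driver names that rootkit heuristics often
# flag. A hit here means "verify the vendor signature", never "clean".
KNOWN_VENDOR_DRIVERS = {
    "sptd.sys": "Duplex Secure SCSI Pass Through Direct (disc emulation software)",
    "hardlock.sys": "Aladdin/SafeNet HASP dongle driver",
    "aksfridge.sys": "Aladdin/SafeNet HASP dongle driver",
}

# Constructed sample: four records copied in the shape of the posted log.
SAMPLE_LOG = r"""
##########################################################################
# TDSS Remover detected objects log
##########################################################################

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Dumped Name: 0005_reg.bin
MD5: 0DA1201A988C991BCE64ECBEBB952CDD
Size: 12288 bytes

Alert Type: Hidden Object
Object Type: Registry Key
Original Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641fadf2a
Dumped Name: 0006_reg.bin
MD5: B02FA1B5B2C992296FA3798F92B29445
Size: 8192 bytes

Alert Type: No Access
Object Type: File
Original Name: C:\WINDOWS\system32\drivers\sptd.sys
Dumped Name: D390675B8CE45E5FB359338E5E649329_sptd.sys
MD5: D390675B8CE45E5FB359338E5E649329
Size: 685816 bytes

Alert Type: Rootkit.Win32.TDSS.cf
Object Type: File
Original Name: C:\WINDOWS\system32\drivers\hardlock.sys
Dumped Name: 9DE9A7A19195C57EF38B4EE25422F2D7_hardlock.sys
MD5: 9DE9A7A19195C57EF38B4EE25422F2D7
Infected with: Rootkit.Win32.TDSS.cf
Size: 586240 bytes
"""


def parse_records(text):
    """Split the log into records, one dict of 'Field' -> 'value' per block."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):  # blank line or header: closes a record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def hidden_keys_by_service(records):
    """Count hidden registry keys per Services\\<name> subtree: one driver hiding
    its own configuration looks very different from keys scattered everywhere."""
    counts = defaultdict(int)
    for r in records:
        if r.get("Alert Type") == "Hidden Object" and r.get("Object Type") == "Registry Key":
            m = SERVICE_RE.search(r.get("Original Name", ""))
            counts[m.group(1).lower() if m else "<other>"] += 1
    return dict(counts)


def triage(records):
    """Bucket records by what the tool actually established, and collect hashes."""
    report = {"detections": [], "hidden": [], "no_access": [],
              "hash_mismatch": [], "lookup_md5": set()}
    for r in records:
        alert = r.get("Alert Type", "")
        name = r.get("Original Name", "")
        md5 = r.get("MD5", "").upper()
        entry = {"name": name, "md5": md5, "alert": alert,
                 "vendor_hint": KNOWN_VENDOR_DRIVERS.get(name.rsplit("\\", 1)[-1].lower())}
        if r.get("Object Type") == "File":
            # The dump file name carries the MD5; a mismatch means the dump on
            # disk is not the object the record describes, so do not submit it.
            if not r.get("Dumped Name", "").upper().startswith(md5 + "_"):
                report["hash_mismatch"].append(entry)
            elif md5:
                report["lookup_md5"].add(md5)
        if alert == "Hidden Object":
            report["hidden"].append(entry)
        elif alert == "No Access":
            report["no_access"].append(entry)
        else:  # a named signature hit, e.g. Rootkit.Win32.TDSS.cf
            report["detections"].append(entry)
    return report


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("hidden keys per service:", hidden_keys_by_service(recs))
    rep = triage(recs)
    for e in rep["detections"]:
        print("DETECTION", e["alert"], e["name"], "->", e["vendor_hint"] or "unknown vendor")
    print("MD5s to look up:", sorted(rep["lookup_md5"]))
```

Run against the full posted log, the grouping shows that every hidden key but one sits under `Services\sptd\Cfg`, which points at a single driver protecting its own configuration rather than at a rootkit scattering keys; the two signature hits are then the only records that need a verdict, and their MD5s can be checked before anything is deleted.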

Post by torch » Sun Nov 14, 2010 10:56 pm

And this is the NoVirusThanks Anti-Rootkit log:

http://paste2.org/p/1090269


In red, under drivers, the file PCI_NTPNP0954 driver object 0xFCFC2040 is highlighted

under SSDT there are at least thirty or so flagged, almost all relating to cmdguard.sys, one relating to TUKERNEL.EXE, and others "empty"

I also have red flags in the Shadow SDT, IDT and Kernel Callbacks sections
torch (Senior Member)

Post by torch » Mon Nov 15, 2010 9:37 am

Hello everyone,
overnight I ran Kaspersky, which found (and removed) 7 nasties.

Here is the log.

Automatic scan: process completed 4 minutes ago (events: , objects: 1540961, time: 09:33:05)
14/11/2010 23:57:16 Task started
15/11/2010 02:09:20 Detected: Trojan.Win32.Buzus.fbfz E:\Architettura\HDR Light Studio Standard V1.5\HDRLightStudioStandard.exe/Armadillo
15/11/2010 02:19:04 Detected: Worm.Win32.AutoRun.bijn E:\Architettura\SketchBookPro2010\SketchBookPro.exe/Armadillo
15/11/2010 02:32:46 Detected: P2P-Worm.Win32.Kapucen.b E:\Internet\eMule\Incoming\STUDIO- Autocad - Librerie Dwg - Particolari Costruttivi Tetto E Struttura In Legno.rar/setup.exe
15/11/2010 08:28:19 Deleted: Worm.Win32.AutoRun.bijn E:\Architettura\SketchBookPro2010\SketchBookPro.exe
15/11/2010 08:28:21 Deleted: Trojan.Win32.Buzus.fbfz E:\Architettura\HDR Light Studio Standard V1.5\HDRLightStudioStandard.exe
15/11/2010 08:28:27 Deleted: P2P-Worm.Win32.Kapucen.b E:\Internet\eMule\Incoming\STUDIO- Autocad - Librerie Dwg - Particolari Costruttivi Tetto E Struttura In Legno.rar
15/11/2010 08:43:23 Detected: Trojan.Win32.Buzus.fbfz E:\System Volume Information\_restore{574F9E0E-F470-4B98-B92D-66C74254173F}\RP5\A0003612.exe/Armadillo
15/11/2010 08:43:25 Detected: Worm.Win32.AutoRun.bijn E:\System Volume Information\_restore{574F9E0E-F470-4B98-B92D-66C74254173F}\RP5\A0003611.exe/Armadillo
15/11/2010 08:43:41 Deleted: Trojan.Win32.Buzus.fbfz E:\System Volume Information\_restore{574F9E0E-F470-4B98-B92D-66C74254173F}\RP5\A0003612.exe
15/11/2010 08:43:51 Deleted: Worm.Win32.AutoRun.bijn E:\System Volume Information\_restore{574F9E0E-F470-4B98-B92D-66C74254173F}\RP5\A0003611.exe
15/11/2010 08:50:59 Detected: Trojan-Banker.Win32.Banker.bbuo F:\Downloads\rapidshare\Avlan.Design.AVD.Photo.Frame.v1.1.WinAll.Cracked-CRD\Avlan.Design.AVD.Photo.Frame.v1.1.WinAll.Cracked-CRD\crack\photo_frame.exe
15/11/2010 08:51:26 Deleted: Trojan-Banker.Win32.Banker.bbuo F:\Downloads\rapidshare\Avlan.Design.AVD.Photo.Frame.v1.1.WinAll.Cracked-CRD\Avlan.Design.AVD.Photo.Frame.v1.1.WinAll.Cracked-CRD\crack\photo_frame.exe
15/11/2010 09:05:32 Detected: Trojan-Banker.Win32.Banker.bbuo F:\System Volume Information\_restore{574F9E0E-F470-4B98-B92D-66C74254173F}\RP5\A0003613.exe
15/11/2010 09:05:50 Deleted: Trojan-Banker.Win32.Banker.bbuo F:\System Volume Information\_restore{574F9E0E-F470-4B98-B92D-66C74254173F}\RP5\A0003613.exe
15/11/2010 09:30:22 Task completed


Awaiting your guidance, thanks
torch (Senior Member)
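
A reconciliation of a Kaspersky report of the shape posted above, as an added example that is not code from the post or from Kaspersky. It pairs each Detected event with the Deleted event for the same object, separates the System Restore copies (the `System Volume Information\_restore{...}\RP5\A000xxxx.exe` entries are restore-point snapshots of files already found elsewhere, not a second infection vector) and lists anything detected but never removed. It assumes only the line layout visible in the report; the sample is constructed from the posted lines, with the tool's keywords translated and the last deletion left out so that the unresolved case shows up.

```python
"""Reconcile a Kaspersky scan report: was every detection removed, and which
detections are System Restore copies of a file found elsewhere?

Added example for this thread, not code from the post or from Kaspersky. It
assumes only the line shape seen in the report:
'<dd/mm/yyyy> <hh:mm:ss> <Detected|Deleted>: <verdict> <path>[/<inner object>]'.
The untranslated Italian keywords (Rilevato / Eliminato) are accepted as well.
"""
import re
from datetime import datetime

EVENT_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Detected|Deleted|Rilevato|Eliminato): (\S+) (.+)$"
)
# XP System Restore keeps copies of replaced files under this path; a hit here
# is the same sample again, not a second infection vector.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE
)
ACTION = {"Detected": "detected", "Rilevato": "detected",
          "Deleted": "deleted", "Eliminato": "deleted"}

# Constructed sample: lines from the posted report with the tool's keywords
# translated and the last deletion left out, so one detection stays unresolved.
SAMPLE_REPORT = r"""
14/11/2010 23:57:16 Task started
15/11/2010 02:09:20 Detected: Trojan.Win32.Buzus.fbfz E:\Architettura\HDR Light Studio Standard V1.5\HDRLightStudioStandard.exe/Armadillo
15/11/2010 02:19:04 Detected: Worm.Win32.AutoRun.bijn E:\Architettura\SketchBookPro2010\SketchBookPro.exe/Armadillo
15/11/2010 02:32:46 Detected: P2P-Worm.Win32.Kapucen.b E:\Internet\eMule\Incoming\STUDIO- Autocad - Librerie Dwg - Particolari Costruttivi Tetto E Struttura In Legno.rar/setup.exe
15/11/2010 08:28:19 Deleted: Worm.Win32.AutoRun.bijn E:\Architettura\SketchBookPro2010\SketchBookPro.exe
15/11/2010 08:28:21 Deleted: Trojan.Win32.Buzus.fbfz E:\Architettura\HDR Light Studio Standard V1.5\HDRLightStudioStandard.exe
15/11/2010 08:28:27 Deleted: P2P-Worm.Win32.Kapucen.b E:\Internet\eMule\Incoming\STUDIO- Autocad - Librerie Dwg - Particolari Costruttivi Tetto E Struttura In Legno.rar
15/11/2010 08:43:23 Detected: Trojan.Win32.Buzus.fbfz E:\System Volume Information\_restore{574F9E0E-F470-4B98-B92D-66C74254173F}\RP5\A0003612.exe/Armadillo
15/11/2010 08:43:41 Deleted: Trojan.Win32.Buzus.fbfz E:\System Volume Information\_restore{574F9E0E-F470-4B98-B92D-66C74254173F}\RP5\A0003612.exe
15/11/2010 08:50:59 Detected: Trojan-Banker.Win32.Banker.bbuo F:\Downloads\rapidshare\Avlan.Design.AVD.Photo.Frame.v1.1.WinAll.Cracked-CRD\crack\photo_frame.exe
15/11/2010 09:30:22 Task completed
"""


def parse_events(text):
    """Turn report lines into events; lines without an object (start/end) are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, action, verdict, obj = m.groups()
        # 'archive.rar/setup.exe' or 'file.exe/Armadillo': the hit is inside a
        # container or packer layer, but removal acts on the container path.
        container, _, inner = obj.partition("/")
        events.append({
            "time": datetime.strptime(ts, "%d/%m/%Y %H:%M:%S"),
            "action": ACTION[action],
            "verdict": verdict,
            "path": container,
            "inner": inner or None,
            "restore_point": bool(RESTORE_POINT_RE.search(container)),
        })
    return events


def reconcile(events):
    """One status entry per (verdict, container path): detection time, removal time or None."""
    status = {}
    for e in events:
        key = (e["verdict"], e["path"].lower())
        if e["action"] == "detected":
            status.setdefault(key, dict(e, removed_at=None))
        elif key in status:
            status[key]["removed_at"] = e["time"]
    return list(status.values())


def unresolved(results):
    """Detections with no matching deletion: still on disk, or removal failed."""
    return [r["path"] for r in results if r["removed_at"] is None]


def restore_point_copies(results):
    return [r["path"] for r in results if r["restore_point"]]


def dwell_seconds(results):
    """Seconds between detection and removal, for the objects that were removed."""
    return {r["path"]: int((r["removed_at"] - r["time"]).total_seconds())
            for r in results if r["removed_at"] is not None}


if __name__ == "__main__":
    results = reconcile(parse_events(SAMPLE_REPORT))
    print("objects:", len(results))
    print("restore-point copies:", restore_point_copies(results))
    print("never removed:", unresolved(results))
```

On the full posted report every detection has a matching deletion and three of the seven objects are restore-point copies, so the distinct samples are four: two packed application executables (the `/Armadillo` suffix marks a hit inside the packer layer), one archive from the eMule download folder and one executable from a crack directory.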

Post by torch » Mon Nov 15, 2010 1:53 pm

This is the GMER log.
This time (the fourth) it managed to finish the scan, but when saving the log, which I am posting, the system crashed with a BSOD.

The log it gave me is this:

http://rapidshare.com/files/430990601/aaa.log


I put it on rapidshare because not even paste2 can upload it.

Thanks
torch (Senior Member)

Post by hashcat » Mon Nov 15, 2010 2:42 pm

torch wrote:This is the GMER log.
This time (the fourth) it managed to finish the scan, but when saving the log, which I am posting, the system crashed with a BSOD.

The log it gave me is this:

http://rapidshare.com/files/430990601/aaa.log


I put it on rapidshare because not even paste2 can upload it.

Thanks

I'm analysing the log, though it is 4222 lines so it will take me a while; first of all, check these on VirusTotal for me:

System32\Drivers\aj44by1j.SYS
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
atapi.sys
System32\Drivers\NDProxy.SYS


Then post the logs.
Done.
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
hashcat (Official Member (Gold))

Post by hashcat » Mon Nov 15, 2010 2:50 pm

hashcat wrote:
torch wrote:The log it gave me is this:

http://rapidshare.com/files/430990601/aaa.log


I put it on rapidshare because not even paste2 can upload it.

Since downloading from rapidshare is a pain these days, here are 14 alternative links (I put the file in a self-extracting archive):
http://www.mirrorcreator.com/files/QV8XFW5V/aaa.exe_links
hashcat (Official Member (Gold))

Post by torch » Mon Nov 15, 2010 2:51 pm

Many thanks for the mirrors too.
I'm now having the files you pointed out analysed.

System32\Drivers\aj44by1j.SYS
this one does not appear to be present on the system
torch (Senior Member)
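
For the VirusTotal check hashcat asked for and the missing driver torch reports, a hashing pass over the listed paths, as an added example that is neither hashcat's nor torch's code. It computes MD5 and SHA-256 (either can be pasted into VirusTotal's hash search) and reports entries that are not on disk instead of silently skipping them, which is what happened with System32\Drivers\aj44by1j.SYS. It assumes, as a convention of the list, that entries without a drive letter are relative to the Windows directory and that a bare driver name such as atapi.sys lives in System32\Drivers; the `drive_map` argument is a hypothetical helper so the same code can hash an infected disk mounted on another machine, where C: is not the live system drive.

```python
"""Hash a list of suspect files for a VirusTotal hash lookup and report the
entries that are not on disk at all.

Added example for this thread, not code from hashcat's or torch's posts.
Assumptions: entries with no drive letter (e.g. 'System32\\Drivers\\NDProxy.SYS')
are relative to the Windows directory, a bare driver name lives in
System32\\Drivers, and 'drive_map' is a hypothetical helper for hashing an
infected disk mounted on another machine under a different path.
"""
import hashlib
import os
import re

# The paths requested in the thread, copied as posted.
SUSPECT_LIST = [
    r"System32\Drivers\aj44by1j.SYS",
    r"C:\WINDOWS\system32\hasplms.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"atapi.sys",
    r"System32\Drivers\NDProxy.SYS",
]

DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def resolve(entry, system_root, drive_map=None):
    """Map a log-style Windows path onto a filesystem path on this machine."""
    parts = [p for p in re.split(r"[\\/]+", entry) if p]
    if DRIVE_RE.match(parts[0]):
        # 'C:\...': either the live drive, or wherever that volume is mounted now.
        base = (drive_map or {}).get(parts[0].upper(), parts[0] + os.sep)
        parts = parts[1:]
    elif len(parts) == 1:
        # Assumption: a bare driver name is loaded from System32\Drivers.
        base = os.path.join(system_root, "System32", "Drivers")
    else:
        base = system_root
    return os.path.join(base, *parts)


def hash_file(path, chunk_size=1 << 20):
    """MD5 and SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def hash_suspects(entries, system_root, drive_map=None):
    """Return one record per entry: hashes and size, or status 'missing'."""
    results = []
    for entry in entries:
        path = resolve(entry, system_root, drive_map)
        if not os.path.isfile(path):
            results.append({"entry": entry, "path": path, "status": "missing",
                            "md5": None, "sha256": None, "size": None})
            continue
        md5, sha256 = hash_file(path)
        results.append({"entry": entry, "path": path, "status": "hashed",
                        "md5": md5, "sha256": sha256, "size": os.path.getsize(path)})
    return results


if __name__ == "__main__":
    system_root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    for r in hash_suspects(SUSPECT_LIST, system_root):
        if r["status"] == "missing":
            print(f"MISSING  {r['entry']}  (looked at {r['path']})")
        else:
            print(f"{r['md5']}  {r['sha256']}  {r['size']:>9}  {r['entry']}")
```

A "missing" result is itself a finding worth reporting back, not an error to ignore: a name that appears in one tool's output but has no file behind it when you look needs explaining before the hash lookup means anything.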

Post by hashcat » Mon Nov 15, 2010 2:51 pm

torch wrote:Hello everyone,
overnight I ran Kaspersky, which found (and removed) 7 nasties.

Here is the log.

[Kaspersky report quoted in full; see torch's post above]

Awaiting your guidance, thanks

Run another full scan with Malwarebytes (update it first). Then post the log.
hashcat (Official Member (Gold))

Post by torch » Mon Nov 15, 2010 2:58 pm

All the files you pointed out came back clean, 0/43 on VirusTotal.

I updated Malwarebytes yesterday. Do you think I should run the risk of connecting the infected PC to the internet to download the updates, or could yesterday's database be enough?

P.S.: and all the junk NoVirusThanks Anti-Rootkit found yesterday? Should I leave it alone for now?
torch (Senior Member)

Post by torch » Mon Nov 15, 2010 3:09 pm

Two more things:

- if it is any use, today I bought an external SATA enclosure so I can attach the infected HDD to another PC as an external USB drive
- right now Malwarebytes won't start. It gives me the error: vbAccelerator SGrid II Control: Run-time error '0'
if I close the error window another one opens, this time not from the system but from Malwarebytes: Run-time error '440': automation error

Shall I try rebooting?
torch (Senior Member)

Post by torch » Mon Nov 15, 2010 3:17 pm

Nothing. Even after rebooting, Malwarebytes won't start any more; it keeps giving the errors above.
torch (Senior Member)

Post by hashcat » Mon Nov 15, 2010 3:18 pm

Sorry, but I can't use the computer any more right now [I'm writing from my phone]; well, if you keep the Comodo firewall on while you connect to the internet there shouldn't be any risk.
Hmm, I had a quick look at the log [NoVirusThanks] and many entries were merely suspicious. Anyway I'll look at it more carefully this evening.

N.B.: since "banker" trojans were present, I strongly advise you to change all your internet-related passwords and the Windows password itself. Also check your transactions
hashcat (Official Member (Gold))

Post by torch » Mon Nov 15, 2010 3:21 pm

Thanks for the tips.
torch (Senior Member)

Post by torch » Mon Nov 15, 2010 3:23 pm

Uninstalled Malwarebytes, reinstalled it... and it still gives the same error.
torch (Senior Member)

Post by hashcat » Mon Nov 15, 2010 3:24 pm

As for Malwarebytes, try starting it in Safe Mode.
hashcat (Official Member (Gold))

Post by torch » Mon Nov 15, 2010 3:27 pm

I'm going into it right now. Fingers crossed.
torch (Senior Member)

megalab.it: daily online publication registered with the Court of Cosenza no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved.