Punto informatico Network
Login Esegui login | Non sei registrato? Iscriviti ora (è gratuito!)
Username: Password:
  • Annuncio Pubblicitario

Problema pc infestato

Un virus si è intromesso nel tuo computer? Vuoi navigare in tutta sicurezza? Sono sicure le transazione online? Come impedire a malintenzionati di intromettersi nel tuo pc? Come proteggere i tuoi dati? Qui trovi le risposte a queste ed altre domande

Problema pc infestato

Messaggioda Spaccy » ven gen 28, 2011 10:27 am

Salve a tutti! Come mio solito sfrutto la vostra grande esperienza per risolvere un problema ad un portatile che mio nipote ha infesta di virus credo... si blocca spesso e sopratutto alcune volte è andato in errore il services.exe e si è riavviato, è molto lento e ho visto parecchi file sospetti in giro nel pc.
Ho eseguito in ordine:
Combofix

ComboFix 09-07-23.02 - Emi 28/01/2011 9.53.17.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1014.527 [GMT 1:00]
Eseguito da: c:\documents and settings\Emi\Desktop\ComboFix.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
- MODALITÀ CON FUNZIONALITÀ RIDOTTE -
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1390067357-287218729-1644491937-1003
c:\recycler\S-1-5-21-1390067357-287218729-1644491937-1003\desktop.ini
c:\recycler\S-1-5-21-1390067357-287218729-1644491937-1003\INFO2
c:\recycler\S-1-5-21-2638280606-0105679128-389402846-4637
c:\recycler\S-1-5-21-2638280606-0105679128-389402846-4637\Desktop.ini
c:\recycler\S-1-5-21-5678904175-3677594498-938935232-7781
c:\recycler\S-1-5-21-5678904175-3677594498-938935232-7781\Desktop.ini
c:\recycler\S-1-5-21-5896478041-2041622491-161689209-7570
c:\recycler\S-1-5-21-5896478041-2041622491-161689209-7570\Desktop.ini
c:\recycler\S-1-5-21-6409695080-1659653269-861064033-6587
c:\recycler\S-1-5-21-6409695080-1659653269-861064033-6587\Desktop.ini
c:\recycler\S-1-5-21-7291785352-5523834420-898729970-4675
c:\recycler\S-1-5-21-7291785352-5523834420-898729970-4675\Desktop.ini
c:\recycler\S-1-5-21-7442447357-5278525835-667071259-3147
c:\recycler\S-1-5-21-7442447357-5278525835-667071259-3147\Desktop.ini
c:\recycler\S-1-5-21-7442447357-5278525835-667071259-3147\yv8g67.exe
c:\recycler\S-1-5-21-8771023885-3849802572-623309233-1153
c:\recycler\S-1-5-21-8771023885-3849802572-623309233-1153\Desktop.ini
c:\recycler\S-1-5-21-931196064-335735689-1684122734-1005
c:\recycler\S-1-5-21-931196064-335735689-1684122734-1005\desktop.ini
c:\recycler\S-1-5-21-931196064-335735689-1684122734-1005\Di13.ini
c:\recycler\S-1-5-21-931196064-335735689-1684122734-1005\INFO2
c:\recycler\S-1-5-21-9447738301-3881823704-572909997-8925
c:\recycler\S-1-5-21-9447738301-3881823704-572909997-8925\Desktop.ini
c:\windows\msetup
c:\windows\msetup\MSetup.exe
c:\windows\nvsvc32.exe
c:\windows\prefetch\explorer.exe
c:\windows\system32\secupdat.dat
c:\windows\system32\spool\drivers\systempro.exe
c:\windows\system32\userini.exe

.
((((((((((((((((((((((((( Files Creati Da 2010-12-28 al 2011-01-28 )))))))))))))))))))))))))))))))))))
.

2011-01-28 07:43 . 2011-01-28 07:44 82944 ----a-w- c:\windows\system32\drivers\bfjcbgxc.sys
2011-01-28 07:26 . 2011-01-28 08:59 2147 ----a-w- c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs_navps.dat
2011-01-28 07:26 . 2011-01-28 08:59 3493 ----a-w- c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs.dat
2011-01-28 07:26 . 2011-01-28 07:44 242085 ----a-w- c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs_nav.dat
2011-01-28 07:26 . 2011-01-28 07:26 519680 ----a-w- c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs.exe
2011-01-28 07:24 . 2011-01-28 07:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-28 08:45 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer.exe
2011-01-28 07:47 . 2010-01-28 07:35 -------- d-----w- c:\programmi\CCleaner
2010-12-08 20:26 . 2009-02-11 09:31 -------- d-----w- c:\programmi\Connection Manager
2010-11-30 21:57 . 2010-11-30 21:57 0 ----a-w- c:\windows\system32\drivers\orrjrgij.sys
2010-11-30 20:51 . 2010-11-30 20:52 461824 ----a-w- c:\windows\system32\touzoup.exe
2010-11-30 20:51 . 2010-11-30 20:47 461824 ----a-w- c:\windows\system32\quogybyzaqu.exe
2010-11-28 21:47 . 2010-11-28 21:47 82944 ----a-w- c:\windows\system32\drivers\npybivcu.sys
2010-11-27 14:03 . 2010-11-20 13:31 315392 ----a-w- c:\windows\system32\befel.exe
2010-11-27 14:03 . 2010-11-20 13:29 315392 ----a-w- c:\windows\system32\hookud.exe
2010-11-27 13:49 . 2010-11-27 13:49 0 ----a-w- c:\windows\system32\drivers\nonagpdd.sys
2010-11-27 13:46 . 2010-11-27 13:46 138272 ----a-w- c:\windows\system32\drivers\nai31d4.sys
2010-11-26 20:51 . 2010-11-18 13:20 410624 ----a-w- c:\windows\system32\curunoogab.exe
2010-11-26 20:50 . 2010-11-26 20:50 138272 ----a-w- c:\windows\system32\drivers\qsff98e.sys
2010-11-26 19:40 . 2010-11-26 19:40 0 ----a-w- c:\windows\system32\drivers\tnrouhoi.sys
2010-11-18 13:19 . 2010-11-27 19:57 201216 ----a-w- c:\windows\system32\firoosek.exe
2010-11-18 13:19 . 2010-11-18 13:36 201216 ----a-w- c:\windows\system32\mefalyg.exe
2010-11-18 13:19 . 2010-11-18 13:19 201216 ----a-w- c:\windows\system32\poubyj.exe
2010-11-11 00:09 . 2010-11-11 00:09 40128 ----a-w- c:\windows\system32\drivers\akcjtcwg.sys
2010-11-11 00:07 . 2010-11-11 00:07 45568 ---h--w- c:\documents and settings\Emi\secupdat.dat
2010-11-11 00:07 . 2010-11-11 00:07 19456 ---ha-w- c:\documents and settings\Emi\vqrq.exe
2010-11-10 22:29 . 2010-11-10 22:29 180224 --sh--r- c:\documents and settings\Emi\Dati applicazioni\juzjf.exe
2010-11-10 22:29 . 2010-11-10 22:29 180224 --sh--r- c:\documents and settings\Emi\Dati applicazioni\juzjf.exe
2010-10-31 14:16 . 2009-02-02 19:39 80060 ----a-w- c:\windows\system32\perfc010.dat
2010-10-31 14:16 . 2009-02-02 19:39 479750 ----a-w- c:\windows\system32\perfh010.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"bvjgs"="c:\documents and settings\emi\impostazioni locali\dati applicazioni\bvjgs.exe" [2011-01-28 519680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0\bin\jusched.exe" [2009-02-02 36972]
"EDS"="c:\programmi\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\programmi\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\programmi\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\programmi\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]
"tyvessac"="c:\windows\system32\poubyj.exe" [2010-11-18 201216]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-08-26 16851456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\
0hdtez6.exe [2011-1-28 43520]
0vrmm6y.exe [2011-1-28 42496]
sid876v3.exe [2011-1-28 43008]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\akcjtcwg.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0ccni6u.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0ccni6u.exe
backup=c:\windows\pss\0ccni6u.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0dzuu6g.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0dzuu6g.exe
backup=c:\windows\pss\0dzuu6g.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0eezqql.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0eezqql.exe
backup=c:\windows\pss\0eezqql.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0fbww6i.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0fbww6i.exe
backup=c:\windows\pss\0fbww6i.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0ggbssn.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0ggbssn.exe
backup=c:\windows\pss\0ggbssn.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0jfaa6m.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0jfaa6m.exe
backup=c:\windows\pss\0jfaa6m.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0kkfwwr.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0kkfwwr.exe
backup=c:\windows\pss\0kkfwwr.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0oojaav.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0oojaav.exe
backup=c:\windows\pss\0oojaav.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0qqlccx.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0qqlccx.exe
backup=c:\windows\pss\0qqlccx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0ssneez.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0ssneez.exe
backup=c:\windows\pss\0ssneez.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0tpkk6w.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0tpkk6w.exe
backup=c:\windows\pss\0tpkk6w.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^0xtoo6a.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\0xtoo6a.exe
backup=c:\windows\pss\0xtoo6a.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^1awwrii.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\1awwrii.exe
backup=c:\windows\pss\1awwrii.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^1okkfww.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\1okkfww.exe
backup=c:\windows\pss\1okkfww.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^1okkv2h.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\1okkv2h.exe
backup=c:\windows\pss\1okkv2h.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^1qmmhyy.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\1qmmhyy.exe
backup=c:\windows\pss\1qmmhyy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^1wssnee.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\1wssnee.exe
backup=c:\windows\pss\1wssnee.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^2faa6mm.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\2faa6mm.exe
backup=c:\windows\pss\2faa6mm.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^2faa6mx.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\2faa6mx.exe
backup=c:\windows\pss\2faa6mx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^2lgg6ss.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\2lgg6ss.exe
backup=c:\windows\pss\2lgg6ss.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^3mmhyyt.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\3mmhyyt.exe
backup=c:\windows\pss\3mmhyyt.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^5zvqbh6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\5zvqbh6.exe
backup=c:\windows\pss\5zvqbh6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^69e1abb.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\69e1abb.exe
backup=c:\windows\pss\69e1abb.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^6aa6mm6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\6aa6mm6.exe
backup=c:\windows\pss\6aa6mm6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^6aa6mxn.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\6aa6mxn.exe
backup=c:\windows\pss\6aa6mxn.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^6cnoouf.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\6cnoouf.exe
backup=c:\windows\pss\6cnoouf.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^6hi70jf.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\6hi70jf.exe
backup=c:\windows\pss\6hi70jf.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^6ii6uu6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\6ii6uu6.exe
backup=c:\windows\pss\6ii6uu6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^6oo6aa6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\6oo6aa6.exe
backup=c:\windows\pss\6oo6aa6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^6ww6ii6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\6ww6ii6.exe
backup=c:\windows\pss\6ww6ii6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^703y0zv.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\703y0zv.exe
backup=c:\windows\pss\703y0zv.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^70bxss6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\70bxss6.exe
backup=c:\windows\pss\70bxss6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^70hdyy6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\70hdyy6.exe
backup=c:\windows\pss\70hdyy6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^70jfaa6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\70jfaa6.exe
backup=c:\windows\pss\70jfaa6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^70mmss1.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\70mmss1.exe
backup=c:\windows\pss\70mmss1.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^70plgg6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\70plgg6.exe
backup=c:\windows\pss\70plgg6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^70rnii6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\70rnii6.exe
backup=c:\windows\pss\70rnii6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^70tpkk6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\70tpkk6.exe
backup=c:\windows\pss\70tpkk6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^780wwrx.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\780wwrx.exe
backup=c:\windows\pss\780wwrx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^9q1cns9.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\9q1cns9.exe
backup=c:\windows\pss\9q1cns9.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^9z1fwwr.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\9z1fwwr.exe
backup=c:\windows\pss\9z1fwwr.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^a0wbx3oo.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\a0wbx3oo.exe
backup=c:\windows\pss\a0wbx3oo.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^a1wssnee.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\a1wssnee.exe
backup=c:\windows\pss\a1wssnee.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^a3ccxoojaav.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\a3ccxoojaav.exe
backup=c:\windows\pss\a3ccxoojaav.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^aavmmhyy.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\aavmmhyy.exe
backup=c:\windows\pss\aavmmhyy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^afbg6xdjzk.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\afbg6xdjzk.exe
backup=c:\windows\pss\afbg6xdjzk.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^bbxnnjzzvll.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\bbxnnjzzvll.exe
backup=c:\windows\pss\bbxnnjzzvll.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^bc70dzuu6g.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\bc70dzuu6g.exe
backup=c:\windows\pss\bc70dzuu6g.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^brcsi6uu.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\brcsi6uu.exe
backup=c:\windows\pss\brcsi6uu.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^bssneezqqlc.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\bssneezqqlc.exe
backup=c:\windows\pss\bssneezqqlc.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^bw1soojaav.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\bw1soojaav.exe
backup=c:\windows\pss\bw1soojaav.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^bww6ii6uu.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\bww6ii6uu.exe
backup=c:\windows\pss\bww6ii6uu.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^bxnnjzzv.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\bxnnjzzv.exe
backup=c:\windows\pss\bxnnjzzv.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^cxytup0v.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\cxytup0v.exe
backup=c:\windows\pss\cxytup0v.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^dzpplbbxnn.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\dzpplbbxnn.exe
backup=c:\windows\pss\dzpplbbxnn.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^dzuu6gg6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\dzuu6gg6.exe
backup=c:\windows\pss\dzuu6gg6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^e70fbmrni.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\e70fbmrni.exe
backup=c:\windows\pss\e70fbmrni.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^e70fbww6i.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\e70fbww6i.exe
backup=c:\windows\pss\e70fbww6i.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^eezqqlcc.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\eezqqlcc.exe
backup=c:\windows\pss\eezqqlcc.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^ezqqlccx.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\ezqqlccx.exe
backup=c:\windows\pss\ezqqlccx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^fa1wssneez.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\fa1wssneez.exe
backup=c:\windows\pss\fa1wssneez.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^faa6mm6yy.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\faa6mm6yy.exe
backup=c:\windows\pss\faa6mm6yy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^faa6mm6yy6k.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\faa6mm6yy6k.exe
backup=c:\windows\pss\faa6mm6yy6k.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^faa6ms70t.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\faa6ms70t.exe
backup=c:\windows\pss\faa6ms70t.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^fbrrnddz.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\fbrrnddz.exe
backup=c:\windows\pss\fbrrnddz.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^fbww6ii6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\fbww6ii6.exe
backup=c:\windows\pss\fbww6ii6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^g1cyytkk.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\g1cyytkk.exe
backup=c:\windows\pss\g1cyytkk.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^g3xy0uupgbb.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\g3xy0uupgbb.exe
backup=c:\windows\pss\g3xy0uupgbb.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^g9c1yuupgg.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\g9c1yuupgg.exe
backup=c:\windows\pss\g9c1yuupgg.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^gg6ss6ee6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\gg6ss6ee6.exe
backup=c:\windows\pss\gg6ss6ee6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^ggbssnee.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\ggbssnee.exe
backup=c:\windows\pss\ggbssnee.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^ggbxxde70f.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\ggbxxde70f.exe
backup=c:\windows\pss\ggbxxde70f.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^h2too0q6g10.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\h2too0q6g10.exe
backup=c:\windows\pss\h2too0q6g10.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^hcc6ou70vrm.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\hcc6ou70vrm.exe
backup=c:\windows\pss\hcc6ou70vrm.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^hdttef4wmx.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\hdttef4wmx.exe
backup=c:\windows\pss\hdttef4wmx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^hdyy6kk6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\hdyy6kk6.exe
backup=c:\windows\pss\hdyy6kk6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^hxxtjjfv.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\hxxtjjfv.exe
backup=c:\windows\pss\hxxtjjfv.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^hyytkkfw.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\hyytkkfw.exe
backup=c:\windows\pss\hyytkkfw.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^i6za70bx.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\i6za70bx.exe
backup=c:\windows\pss\i6za70bx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^iduupggb.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\iduupggb.exe
backup=c:\windows\pss\iduupggb.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^ieezqqlccx.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\ieezqqlccx.exe
backup=c:\windows\pss\ieezqqlccx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^iiduupgg.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\iiduupgg.exe
backup=c:\windows\pss\iiduupgg.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^ioo1aagbxnt.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\ioo1aagbxnt.exe
backup=c:\windows\pss\ioo1aagbxnt.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^j0plgg6ss.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\j0plgg6ss.exe
backup=c:\windows\pss\j0plgg6ss.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^jaavmmhy.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\jaavmmhy.exe
backup=c:\windows\pss\jaavmmhy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^je1awwriy0.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\je1awwriy0.exe
backup=c:\windows\pss\je1awwriy0.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^jee6qq6cc.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\jee6qq6cc.exe
backup=c:\windows\pss\jee6qq6cc.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^jee6qq6cc6o.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\jee6qq6cc6o.exe
backup=c:\windows\pss\jee6qq6cc6o.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^jfaa6mm6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\jfaa6mm6.exe
backup=c:\windows\pss\jfaa6mm6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^jzzvllhx.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\jzzvllhx.exe
backup=c:\windows\pss\jzzvllhx.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^k1gccxooja.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\k1gccxooja.exe
backup=c:\windows\pss\k1gccxooja.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^k3qg6cc6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\k3qg6cc6.exe
backup=c:\windows\pss\k3qg6cc6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^kk6ww6ii6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\kk6ww6ii6.exe
backup=c:\windows\pss\kk6ww6ii6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^kkfwwriidu.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\kkfwwriidu.exe
backup=c:\windows\pss\kkfwwriidu.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^l26injo9k1.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\l26injo9k1.exe
backup=c:\windows\pss\l26injo9k1.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^lccxoojaal2.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\lccxoojaal2.exe
backup=c:\windows\pss\lccxoojaal2.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^lccxoojaavm.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\lccxoojaavm.exe
backup=c:\windows\pss\lccxoojaavm.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^lg1cyytkkf.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\lg1cyytkkf.exe
backup=c:\windows\pss\lg1cyytkkf.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^lgg6ss6ee6q.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\lgg6ss6ee6q.exe
backup=c:\windows\pss\lgg6ss6ee6q.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^lgg6sy70z.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\lgg6sy70z.exe
backup=c:\windows\pss\lgg6sy70z.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^lhxxtjjf.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\lhxxtjjf.exe
backup=c:\windows\pss\lhxxtjjf.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^llmcd3o3vvr.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\llmcd3o3vvr.exe
backup=c:\windows\pss\llmcd3o3vvr.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^m002zavmmh.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\m002zavmmh.exe
backup=c:\windows\pss\m002zavmmh.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^m6yy6kk6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\m6yy6kk6.exe
backup=c:\windows\pss\m6yy6kk6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^mcsi6uu6gg6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\mcsi6uu6gg6.exe
backup=c:\windows\pss\mcsi6uu6gg6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^mhyytkvv.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\mhyytkvv.exe
backup=c:\windows\pss\mhyytkvv.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^mmhyyj2v.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\mmhyyj2v.exe
backup=c:\windows\pss\mmhyyj2v.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^neuzqqlc.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\neuzqqlc.exe
backup=c:\windows\pss\neuzqqlc.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^njjfvvrh.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\njjfvvrh.exe
backup=c:\windows\pss\njjfvvrh.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^njzzvllh.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\njzzvllh.exe
backup=c:\windows\pss\njzzvllh.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^o1kggbssne.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\o1kggbssne.exe
backup=c:\windows\pss\o1kggbssne.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^o9k1gccxoo.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\o9k1gccxoo.exe
backup=c:\windows\pss\o9k1gccxoo.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^ouaq9mxotpk.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\ouaq9mxotpk.exe
backup=c:\windows\pss\ouaq9mxotpk.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^pllhcc6oo7.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\pllhcc6oo7.exe
backup=c:\windows\pss\pllhcc6oo7.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^pllhxxtj.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\pllhxxtj.exe
backup=c:\windows\pss\pllhxxtj.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^q3ssneezqql.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\q3ssneezqql.exe
backup=c:\windows\pss\q3ssneezqql.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^q70rnii6u.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\q70rnii6u.exe
backup=c:\windows\pss\q70rnii6u.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^qlccxoojaa.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\qlccxoojaa.exe
backup=c:\windows\pss\qlccxoojaa.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^qq6cc6oo6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\qq6cc6oo6.exe
backup=c:\windows\pss\qq6cc6oo6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^rhhdttpf.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\rhhdttpf.exe
backup=c:\windows\pss\rhhdttpf.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^rmm6yy6kk.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\rmm6yy6kk.exe
backup=c:\windows\pss\rmm6yy6kk.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^rnddzppl.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\rnddzppl.exe
backup=c:\windows\pss\rnddzppl.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^s1okkfww.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\s1okkfww.exe
backup=c:\windows\pss\s1okkfww.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^sduk70lh.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\sduk70lh.exe
backup=c:\windows\pss\sduk70lh.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^ss6ee6qq6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\ss6ee6qq6.exe
backup=c:\windows\pss\ss6ee6qq6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^tjjfvvrh.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\tjjfvvrh.exe
backup=c:\windows\pss\tjjfvvrh.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^tjp1qg6is1.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\tjp1qg6is1.exe
backup=c:\windows\pss\tjp1qg6is1.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^tkkfwwri.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\tkkfwwri.exe
backup=c:\windows\pss\tkkfwwri.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^tkkfwwriidu.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\tkkfwwriidu.exe
backup=c:\windows\pss\tkkfwwriidu.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^too6aa6mm6y.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\too6aa6mm6y.exe
backup=c:\windows\pss\too6aa6mm6y.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^vrhhdttp.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\vrhhdttp.exe
backup=c:\windows\pss\vrhhdttp.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^vrmm6yy6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\vrmm6yy6.exe
backup=c:\windows\pss\vrmm6yy6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^w1soojaa.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\w1soojaa.exe
backup=c:\windows\pss\w1soojaa.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^w6ii6uu6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\w6ii6uu6.exe
backup=c:\windows\pss\w6ii6uu6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^w9s1okkfww.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\w9s1okkfww.exe
backup=c:\windows\pss\w9s1okkfww.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^wwmcioj0.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\wwmcioj0.exe
backup=c:\windows\pss\wwmcioj0.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^wwriiduu.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\wwriiduu.exe
backup=c:\windows\pss\wwriiduu.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^wwriiduupg.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\wwriiduupg.exe
backup=c:\windows\pss\wwriiduupg.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^x0dzuu6gg.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\x0dzuu6gg.exe
backup=c:\windows\pss\x0dzuu6gg.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^xnnjzzvl.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\xnnjzzvl.exe
backup=c:\windows\pss\xnnjzzvl.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^xoojaavmmhy.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\xoojaavmmhy.exe
backup=c:\windows\pss\xoojaavmmhy.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^xtjjfvvrhh.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\xtjjfvvrhh.exe
backup=c:\windows\pss\xtjjfvvrhh.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^xy70zvqq6c.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\xy70zvqq6c.exe
backup=c:\windows\pss\xy70zvqq6c.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^y1uqqlccxo.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\y1uqqlccxo.exe
backup=c:\windows\pss\y1uqqlccxo.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^y3aavbxss6e.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\y3aavbxss6e.exe
backup=c:\windows\pss\y3aavbxss6e.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^za70bxss6e.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\za70bxss6e.exe
backup=c:\windows\pss\za70bxss6e.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^zppggbxn.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\zppggbxn.exe
backup=c:\windows\pss\zppggbxn.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^zpplbbxn.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\zpplbbxn.exe
backup=c:\windows\pss\zpplbbxn.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^zqqlccxooja.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\zqqlccxooja.exe
backup=c:\windows\pss\zqqlccxooja.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^zu1qmmhyyt.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\zu1qmmhyyt.exe
backup=c:\windows\pss\zu1qmmhyyt.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^zuu6gg6ss6e.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\zuu6gg6ss6e.exe
backup=c:\windows\pss\zuu6gg6ss6e.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^zvllhxxt.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\zvllhxxt.exe
backup=c:\windows\pss\zvllhxxt.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^zvqq6cc6.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\zvqq6cc6.exe
backup=c:\windows\pss\zvqq6cc6.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Emi^Menu Avvio^Programmi^Esecuzione automatica^zzva30m3yy3.exe]
path=c:\documents and settings\Emi\Menu Avvio\Programmi\Esecuzione automatica\zzva30m3yy3.exe
backup=c:\windows\pss\zzva30m3yy3.exeStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\curunoogab.exe"=
"c:\\WINDOWS\\system32\\hookud.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\Distributed.exe"=

R0 akcjtcwg;akcjtcwg;c:\windows\system32\drivers\akcjtcwg.sys [11/11/2010 1.09.47 40128]
R1 nai31d4;nai31d4;c:\windows\system32\drivers\nai31d4.sys [27/11/2010 14.46.59 138272]
R2 DistributedAgentServices;DistributedAgentServices;c:\windows\system32\spool\drivers\Distributed.exe [07/12/2010 20.42.43 117732]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [02/02/2009 13.02.58 4300]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [12/03/2010 20.53.45 54752]
R2 nso68rema3uuu;RUMBA AS/400 Shared Folders;c:\windows\system32\mefalyg.exe [18/11/2010 14.36.35 201216]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [14/01/2008 19.01.02 30208]
R3 hspabus;SAMSUNG HSPA USB Composite Device driver (WDM);c:\windows\system32\drivers\hspabus.sys [02/02/2009 13.07.56 91776]
R3 hspamdfl;SAMSUNG HSPA Modem Filter;c:\windows\system32\drivers\hspamdfl.sys [02/02/2009 13.07.56 14976]
R3 hspamdm;SAMSUNG HSPA Modem Drivers;c:\windows\system32\drivers\hspamdm.sys [02/02/2009 13.07.56 119808]
R3 hspaserd;SAMSUNG HSPA Modem Diagnostic Serial Port (WDM);c:\windows\system32\drivers\hspaserd.sys [02/02/2009 13.07.56 98560]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [02/02/2009 13.07.09 238464]
S1 qsff98e;qsff98e;c:\windows\system32\drivers\qsff98e.sys [26/11/2010 21.50.22 138272]
S2 bfjcbgxc;bfjcbgxc;c:\windows\system32\drivers\bfjcbgxc.sys [28/01/2011 8.43.55 82944]
S2 vt97q9pfoou;Creative ALchemy AL1 Licensing Service;c:\windows\system32\touzoup.exe [30/11/2010 21.52.57 461824]
S2 x1ii41iydau;BeTwin Terminal Services;c:\windows\system32\befel.exe [20/11/2010 14.31.39 315392]
S2 yoazoomvoivvh2s;bcveServ;c:\windows\system32\firoosek.exe [27/11/2010 20.57.43 201216]
S3 fsssvc;Servizio Windows Live Family Safety;c:\programmi\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22.48.42 704864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f3476f4-098d-11de-9aa3-001377f1b908}]
\Shell\1\Command - D:\Recycled.exe
\Shell\2\Command - D:\Recycled.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contenuto della cartella 'Scheduled Tasks'

2011-01-28 c:\windows\Tasks\User_Feed_Synchronization-{0A761CC7-6A10-4D3E-8A02-6E63CD970BFF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-NVIDIA driver monitor - c:\windows\nvsvc32.exe
HKCU-Run-userini - c:\windows\system32\userini.exe
HKLM-Run-NVIDIA driver monitor - c:\windows\nvsvc32.exe
HKLM-Run-userini - c:\windows\system32\userini.exe
HKLM-Explorer_Run-userini - c:\windows\system32\userini.exe
HKCU-Explorer_Run-userini - c:\windows\system32\userini.exe
SafeBoot-bfjcbgxc


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.facebook.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/ ... 1193264765
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 09:59
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


c:\windows\explorer.exe:userini.exe 69632 bytes executable

Scansione completata con successo
Files nascosti: 1

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(5248)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\spool\drivers\systempro.exe
c:\programmi\Samsung\Samsung Update Plus\SLUBackgroundService.exe
c:\programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\explorer.exe:userini.exe
c:\windows\explorer.exe:userini.exe
c:\windows\explorer.exe:userini.exe
c:\windows\explorer.exe:userini.exe
c:\programmi\Samsung\MagicKBD\MagicKBD.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2011-01-28 10.01.39 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2011-01-28 09:01

Pre-Run: 64.544.649.216 byte disponibili
Post-Run: 64.607.133.696 byte disponibili

675 --- E O F --- 2010-11-15 23:44


Poi Hijaticks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10.20.37, on 28/01/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\Distributed.exe
C:\WINDOWS\system32\spool\drivers\systempro.exe
C:\WINDOWS\system32\mefalyg.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Programmi\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\poubyj.exe
C:\WINDOWS\system32\ctfmon.exe
C:\documents and settings\emi\impostazioni locali\dati applicazioni\bvjgs.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Emi\Desktop\MegaLab_copia_hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EDS] C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Programmi\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Programmi\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [tyvessac] C:\WINDOWS\system32\poubyj.exe
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [bvjgs] "c:\documents and settings\emi\impostazioni locali\dati applicazioni\bvjgs.exe" bvjgs
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 0hdtez6.exe
O4 - Startup: 0vrmm6y.exe
O4 - Startup: sid876v3.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - http://static.ak.facebook.com/fbplugin/ ... 1193264765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8351545484
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DistributedAgentServices - BrainWork - C:\WINDOWS\system32\spool\drivers\Distributed.exe
O23 - Service: RUMBA AS/400 Shared Folders (nso68rema3uuu) - Unknown owner - C:\WINDOWS\system32\mefalyg.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Programmi\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Creative ALchemy AL1 Licensing Service (vt97q9pfoou) - Unknown owner - C:\WINDOWS\system32\touzoup.exe
O23 - Service: BeTwin Terminal Services (x1ii41iydau) - Unknown owner - C:\WINDOWS\system32\befel.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
O23 - Service: bcveServ (yoazoomvoivvh2s) - Unknown owner - C:\WINDOWS\system32\firoosek.exe

--
End of file - 6934 bytes


e per ultimo MBR (che sinceramente mi sembra l'unico in ordine)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK



Grazie in anticipo
Avatar utente
Spaccy
Aficionado
Aficionado
 
Messaggi: 121
Iscritto il: ven feb 01, 2008 5:15 pm
Località: Roma

Re: Problema pc infestato

Messaggioda CRYPAX » ven gen 28, 2011 10:45 am

nel log di Hijackthis queste voci sembrano infette(aspetta qualcuno più esperto [:)] )

C:\documents and settings\emi\impostazioni locali\dati applicazioni\bvjgs.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\WINDOWS\explorer.exe:userini.exe

O3 - Toolbar: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - (no file)
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [bvjgs] "c:\documents and settings\emi\impostazioni locali\dati applicazioni\bvjgs.exe" bvjgs
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe

queste non saprei
O4 - Startup: 0hdtez6.exe
O4 - Startup: 0vrmm6y.exe
O4 - Startup: sid876v3.exe


Fai una bella scansione con Malwarebytes e poi posta il log [^]
Ogni uomo vive governato dalle proprie opinioni cui dà il nome fallace di realtà.
Avatar utente
CRYPAX
Bronze Member
Bronze Member
 
Messaggi: 994
Iscritto il: sab lug 24, 2010 5:01 pm
Località: K-PAX

Re: Problema pc infestato

Messaggioda Spaccy » ven gen 28, 2011 11:24 am

Ok allora attendo altre risposte ^_^
Avatar utente
Spaccy
Aficionado
Aficionado
 
Messaggi: 121
Iscritto il: ven feb 01, 2008 5:15 pm
Località: Roma


Re: Problema pc infestato

Messaggioda crazy.cat » ven gen 28, 2011 1:23 pm

Guardando il log di combofix ti direi che ci sono più cose infette che file puliti, c'è anche un rootkit.
Non vedo un antivirus installato.
Formattare e installare un buon antivirus e magari un comodo firewall per evitare di ribeccare un mucchio di schifezze?
Quando i molti governano, pensano solo a contentar sé stessi, si ha allora la tirannia più balorda e più odiosa: la tirannia mascherata da libertà.
Avatar utente
crazy.cat
MLI Hero
MLI Hero
 
Messaggi: 30959
Iscritto il: lun gen 12, 2004 1:38 pm
Località: Mestre

Re: Problema pc infestato

Messaggioda Spaccy » lun gen 31, 2011 9:32 am

Crazy sinceramente è una delle mie opzioni preferite [:D] [:D] però se ti dicessi che non posso farlo e preferirei tenare di pulirlo pensi di potermi aiutare?! se pensi sia veramente impossibile allora procederò con la formattazione!
Avatar utente
Spaccy
Aficionado
Aficionado
 
Messaggi: 121
Iscritto il: ven feb 01, 2008 5:15 pm
Località: Roma

Re: Problema pc infestato

Messaggioda crazy.cat » lun gen 31, 2011 9:56 am

Spaccy ha scritto: se pensi sia veramente impossibile allora procederò con la formattazione!

Nulla è impossibile, ma quando vedi decine di virus nei log cominci a pensare che non ne valga tanto la pena e fai sicuramente prima a formattare.

Comincia a fare una scansione da avira rescue cd
http://www.MegaLab.it/3591/avira-antivir-rescue-system
Poi installa avast antivirus,comodo firewall e malwarebytes, rifai una pulizia completa con avast e malwarebytes.

Poi riposta un log di hijackthis e combofix e vediamo cosa è rimasto.
Quando i molti governano, pensano solo a contentar sé stessi, si ha allora la tirannia più balorda e più odiosa: la tirannia mascherata da libertà.
Avatar utente
crazy.cat
MLI Hero
MLI Hero
 
Messaggi: 30959
Iscritto il: lun gen 12, 2004 1:38 pm
Località: Mestre

Re: Problema pc infestato

Messaggioda sampei.nihira » lun gen 31, 2011 11:43 am

Intervengo per una curiosità. [:)]

Un pc è infetto quando ovviamente ha subìto delle modifiche al suo OS iniziale causa malwares.
Un pc infetto se connesso alla rete può diventare infestante nei confronti di altri pc connessi.
Prendiamo ad esempio per ciò un pc infetto con,ad esempio,un malwares che invia spam remoto a tutti gli indirizzi della rubrica del sw di posta elettronica.

Quindi possiamo dire che un pc infetto subisce un'infezione,ruolo passivo.
Ma un pc infetto può anche infestare altri pc avendo in tale azione un ruolo attivo.

Si dice comunemente che un vecchio castello sia infestato dai fantasmi.
E un ammalato sia infetto da una malattia contagiosa.
釣りキチ三平
Avatar utente
sampei.nihira
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 3527
Iscritto il: dom ott 03, 2010 8:18 am

Re: Problema pc infestato

Messaggioda hashcat » lun gen 31, 2011 2:01 pm

Sei pesantemente infetto:

Esegui nuovamente un analisi con hijackthis e fixa i seguenti elementi:

Codice: Seleziona tutto
C:\WINDOWS\system32\spool\drivers\systempro.exe
C:\WINDOWS\system32\poubyj.exe
C:\documents and settings\emi\impostazioni locali\dati applicazioni\bvjgs.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\WINDOWS\explorer.exe:userini.exe
C:\WINDOWS\explorer.exe:userini.exe
O4 - HKLM\..\Run: [tyvessac] C:\WINDOWS\system32\poubyj.exe
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [bvjgs] "c:\documents and settings\emi\impostazioni locali\dati applicazioni\bvjgs.exe" bvjgs
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - Startup: sid876v3.exe
O4 - Startup: 0vrmm6y.exe
O4 - Startup: 0hdtez6.exe
O23 - Service: bcveServ (yoazoomvoivvh2s) - Unknown owner - C:\WINDOWS\system32\firoosek.exe


Poi carica questi file su virustotal.com per controllare se sono infetti o no:
Codice: Seleziona tutto
C:\WINDOWS\system32\befel.exe
C:\WINDOWS\system32\mefalyg.exe
C:\WINDOWS\system32\spool\drivers\Distributed.exe


Elimina questi file:

Codice: Seleziona tutto
C:\WINDOWS\system32\0fbww6i.exe
C:\WINDOWS\system32\0ggbssn.exe
C:\WINDOWS\system32\0jfaa6m.exe
C:\WINDOWS\system32\0kkfwwr.exe
C:\WINDOWS\system32\0oojaav.exe
C:\WINDOWS\system32\0qqlccx.exe
C:\WINDOWS\system32\0ssneez.exe
C:\WINDOWS\system32\0tpkk6w.exe
C:\WINDOWS\system32\0xtoo6a.exe
C:\WINDOWS\system32\1awwrii.exe
C:\WINDOWS\system32\1okkfww.exe
C:\WINDOWS\system32\1okkv2h.exe
C:\WINDOWS\system32\1qmmhyy.exe
C:\WINDOWS\system32\1wssnee.exe
C:\WINDOWS\system32\2faa6mm.exe
C:\WINDOWS\system32\2faa6mx.exe
C:\WINDOWS\system32\2lgg6ss.exe
C:\WINDOWS\system32\3mmhyyt.exe
C:\WINDOWS\system32\5zvqbh6.exe
C:\WINDOWS\system32\69e1abb.exe
C:\WINDOWS\system32\6aa6mm6.exe
C:\WINDOWS\system32\6aa6mxn.exe
C:\WINDOWS\system32\6cnoouf.exe
C:\WINDOWS\system32\6hi70jf.exe
C:\WINDOWS\system32\6ii6uu6.exe
C:\WINDOWS\system32\6oo6aa6.exe
C:\WINDOWS\system32\6ww6ii6.exe
C:\WINDOWS\system32\703y0zv.exe
C:\WINDOWS\system32\70bxss6.exe
C:\WINDOWS\system32\70hdyy6.exe
C:\WINDOWS\system32\70jfaa6.exe
C:\WINDOWS\system32\70mmss1.exe
C:\WINDOWS\system32\70plgg6.exe
C:\WINDOWS\system32\70rnii6.exe
C:\WINDOWS\system32\70tpkk6.exe
C:\WINDOWS\system32\780wwrx.exe
C:\WINDOWS\system32\9q1cns9.exe
C:\WINDOWS\system32\9z1fwwr.exe
C:\WINDOWS\system32\a0wbx3oo.exe
C:\WINDOWS\system32\a1wssnee.exe
C:\WINDOWS\system32\a3ccxoojaav.exe
C:\WINDOWS\system32\aavmmhyy.exe
C:\WINDOWS\system32\afbg6xdjzk.exe
C:\WINDOWS\system32\bbxnnjzzvll.exe
C:\WINDOWS\system32\bc70dzuu6g.exe
C:\WINDOWS\system32\brcsi6uu.exe
C:\WINDOWS\system32\bssneezqqlc.exe
C:\WINDOWS\system32\bw1soojaav.exe
C:\WINDOWS\system32\bww6ii6uu.exe
C:\WINDOWS\system32\bxnnjzzv.exe
C:\WINDOWS\system32\cxytup0v.exe
C:\WINDOWS\system32\dzpplbbxnn.exe
C:\WINDOWS\system32\dzuu6gg6.exe
C:\WINDOWS\system32\e70fbmrni.exe
C:\WINDOWS\system32\e70fbww6i.exe
C:\WINDOWS\system32\eezqqlcc.exe
C:\WINDOWS\system32\ezqqlccx.exe
C:\WINDOWS\system32\fa1wssneez.exe
C:\WINDOWS\system32\faa6mm6yy.exe
C:\WINDOWS\system32\faa6mm6yy6k.exe
C:\WINDOWS\system32\faa6ms70t.exe
C:\WINDOWS\system32\fbrrnddz.exe
C:\WINDOWS\system32\fbww6ii6.exe
C:\WINDOWS\system32\g1cyytkk.exe
C:\WINDOWS\system32\g3xy0uupgbb.exe
C:\WINDOWS\system32\g9c1yuupgg.exe
C:\WINDOWS\system32\gg6ss6ee6.exe
C:\WINDOWS\system32\ggbssnee.exe
C:\WINDOWS\system32\ggbxxde70f.exe
C:\WINDOWS\system32\h2too0q6g10.exe
C:\WINDOWS\system32\hcc6ou70vrm.exe
C:\WINDOWS\system32\hdttef4wmx.exe
C:\WINDOWS\system32\hdyy6kk6.exe
C:\WINDOWS\system32\hxxtjjfv.exe
C:\WINDOWS\system32\hyytkkfw.exe
C:\WINDOWS\system32\i6za70bx.exe
C:\WINDOWS\system32\iduupggb.exe
C:\WINDOWS\system32\ieezqqlccx.exe
C:\WINDOWS\system32\iiduupgg.exe
C:\WINDOWS\system32\ioo1aagbxnt.exe
C:\WINDOWS\system32\j0plgg6ss.exe
C:\WINDOWS\system32\jaavmmhy.exe
C:\WINDOWS\system32\je1awwriy0.exe
C:\WINDOWS\system32\jee6qq6cc.exe
C:\WINDOWS\system32\jee6qq6cc6o.exe
C:\WINDOWS\system32\jfaa6mm6.exe
C:\WINDOWS\system32\jzzvllhx.exe
C:\WINDOWS\system32\k1gccxooja.exe
C:\WINDOWS\system32\k3qg6cc6.exe
C:\WINDOWS\system32\kk6ww6ii6.exe
C:\WINDOWS\system32\kkfwwriidu.exe
C:\WINDOWS\system32\l26injo9k1.exe
C:\WINDOWS\system32\lccxoojaal2.exe
C:\WINDOWS\system32\lccxoojaavm.exe
C:\WINDOWS\system32\lg1cyytkkf.exe
C:\WINDOWS\system32\lgg6ss6ee6q.exe
C:\WINDOWS\system32\lgg6sy70z.exe
C:\WINDOWS\system32\lhxxtjjf.exe
C:\WINDOWS\system32\llmcd3o3vvr.exe
C:\WINDOWS\system32\m002zavmmh.exe
C:\WINDOWS\system32\m6yy6kk6.exe
C:\WINDOWS\system32\mcsi6uu6gg6.exe
C:\WINDOWS\system32\mhyytkvv.exe
C:\WINDOWS\system32\mmhyyj2v.exe
C:\WINDOWS\system32\neuzqqlc.exe
C:\WINDOWS\system32\njjfvvrh.exe
C:\WINDOWS\system32\njzzvllh.exe
C:\WINDOWS\system32\o1kggbssne.exe
C:\WINDOWS\system32\o9k1gccxoo.exe
C:\WINDOWS\system32\ouaq9mxotpk.exe
C:\WINDOWS\system32\pllhcc6oo7.exe
C:\WINDOWS\system32\pllhxxtj.exe
C:\WINDOWS\system32\q3ssneezqql.exe
C:\WINDOWS\system32\q70rnii6u.exe
C:\WINDOWS\system32\qlccxoojaa.exe
C:\WINDOWS\system32\qq6cc6oo6.exe
C:\WINDOWS\system32\rhhdttpf.exe
C:\WINDOWS\system32\rmm6yy6kk.exe
C:\WINDOWS\system32\rnddzppl.exe
C:\WINDOWS\system32\s1okkfww.exe
C:\WINDOWS\system32\sduk70lh.exe
C:\WINDOWS\system32\ss6ee6qq6.exe
C:\WINDOWS\system32\tjjfvvrh.exe
C:\WINDOWS\system32\tjp1qg6is1.exe
C:\WINDOWS\system32\tkkfwwri.exe
C:\WINDOWS\system32\tkkfwwriidu.exe
C:\WINDOWS\system32\too6aa6mm6y.exe
C:\WINDOWS\system32\vrhhdttp.exe
C:\WINDOWS\system32\vrmm6yy6.exe
C:\WINDOWS\system32\w1soojaa.exe
C:\WINDOWS\system32\w6ii6uu6.exe
C:\WINDOWS\system32\w9s1okkfww.exe
C:\WINDOWS\system32\wwmcioj0.exe
C:\WINDOWS\system32\wwriiduu.exe
C:\WINDOWS\system32\wwriiduupg.exe
C:\WINDOWS\system32\x0dzuu6gg.exe
C:\WINDOWS\system32\xnnjzzvl.exe
C:\WINDOWS\system32\xoojaavmmhy.exe
C:\WINDOWS\system32\xtjjfvvrhh.exe
C:\WINDOWS\system32\xy70zvqq6c.exe
C:\WINDOWS\system32\y1uqqlccxo.exe
C:\WINDOWS\system32\y3aavbxss6e.exe
C:\WINDOWS\system32\za70bxss6e.exe
C:\WINDOWS\system32\zppggbxn.exe
C:\WINDOWS\system32\zpplbbxn.exe
C:\WINDOWS\system32\zqqlccxooja.exe
C:\WINDOWS\system32\zu1qmmhyyt.exe
C:\WINDOWS\system32\zuu6gg6ss6e.exe
C:\WINDOWS\system32\zvllhxxt.exe
C:\WINDOWS\system32\zvqq6cc6.exe
C:\WINDOWS\system32\zzva30m3yy3.exe


A questo punto scarica e installa malwarebytes, aggiornalo ed esegui una scansione completa del computer, elimina tutto quello che trova e posta il log.

Scarica ed esegui SUPERAntispyware portable, aggiorna il database ed esegui una scansione completa del computer, elimina tutto quello che trova e posta il log.

Scarica Vipre Rescue estrailo, dovrebbe avviarsi da solo, non ha bisogno di aggiornamenti e provvederà a mettere tutto in quarantena automaticamente.

A questo punto scarica e installa Hitman pro, e segui questo video:

Immagine

al termine della scansione attiva la licenza di prova gratuita per 30 giorni e rimuovi le minacce.

Scarica e avvia The Avenger copia il seguente script al suo interno e clicca su execute.

Codice: Seleziona tutto
Files to delete:
C:\WINDOWS\system32\0fbww6i.exe
C:\WINDOWS\system32\0ggbssn.exe
C:\WINDOWS\system32\0jfaa6m.exe
C:\WINDOWS\system32\0kkfwwr.exe
C:\WINDOWS\system32\0oojaav.exe
C:\WINDOWS\system32\0qqlccx.exe
C:\WINDOWS\system32\0ssneez.exe
C:\WINDOWS\system32\0tpkk6w.exe
C:\WINDOWS\system32\0xtoo6a.exe
C:\WINDOWS\system32\1awwrii.exe
C:\WINDOWS\system32\1okkfww.exe
C:\WINDOWS\system32\1okkv2h.exe
C:\WINDOWS\system32\1qmmhyy.exe
C:\WINDOWS\system32\1wssnee.exe
C:\WINDOWS\system32\2faa6mm.exe
C:\WINDOWS\system32\2faa6mx.exe
C:\WINDOWS\system32\2lgg6ss.exe
C:\WINDOWS\system32\3mmhyyt.exe
C:\WINDOWS\system32\5zvqbh6.exe
C:\WINDOWS\system32\69e1abb.exe
C:\WINDOWS\system32\6aa6mm6.exe
C:\WINDOWS\system32\6aa6mxn.exe
C:\WINDOWS\system32\6cnoouf.exe
C:\WINDOWS\system32\6hi70jf.exe
C:\WINDOWS\system32\6ii6uu6.exe
C:\WINDOWS\system32\6oo6aa6.exe
C:\WINDOWS\system32\6ww6ii6.exe
C:\WINDOWS\system32\703y0zv.exe
C:\WINDOWS\system32\70bxss6.exe
C:\WINDOWS\system32\70hdyy6.exe
C:\WINDOWS\system32\70jfaa6.exe
C:\WINDOWS\system32\70mmss1.exe
C:\WINDOWS\system32\70plgg6.exe
C:\WINDOWS\system32\70rnii6.exe
C:\WINDOWS\system32\70tpkk6.exe
C:\WINDOWS\system32\780wwrx.exe
C:\WINDOWS\system32\9q1cns9.exe
C:\WINDOWS\system32\9z1fwwr.exe
C:\WINDOWS\system32\a0wbx3oo.exe
C:\WINDOWS\system32\a1wssnee.exe
C:\WINDOWS\system32\a3ccxoojaav.exe
C:\WINDOWS\system32\aavmmhyy.exe
C:\WINDOWS\system32\afbg6xdjzk.exe
C:\WINDOWS\system32\bbxnnjzzvll.exe
C:\WINDOWS\system32\bc70dzuu6g.exe
C:\WINDOWS\system32\brcsi6uu.exe
C:\WINDOWS\system32\bssneezqqlc.exe
C:\WINDOWS\system32\bw1soojaav.exe
C:\WINDOWS\system32\bww6ii6uu.exe
C:\WINDOWS\system32\bxnnjzzv.exe
C:\WINDOWS\system32\cxytup0v.exe
C:\WINDOWS\system32\dzpplbbxnn.exe
C:\WINDOWS\system32\dzuu6gg6.exe
C:\WINDOWS\system32\e70fbmrni.exe
C:\WINDOWS\system32\e70fbww6i.exe
C:\WINDOWS\system32\eezqqlcc.exe
C:\WINDOWS\system32\ezqqlccx.exe
C:\WINDOWS\system32\fa1wssneez.exe
C:\WINDOWS\system32\faa6mm6yy.exe
C:\WINDOWS\system32\faa6mm6yy6k.exe
C:\WINDOWS\system32\faa6ms70t.exe
C:\WINDOWS\system32\fbrrnddz.exe
C:\WINDOWS\system32\fbww6ii6.exe
C:\WINDOWS\system32\g1cyytkk.exe
C:\WINDOWS\system32\g3xy0uupgbb.exe
C:\WINDOWS\system32\g9c1yuupgg.exe
C:\WINDOWS\system32\gg6ss6ee6.exe
C:\WINDOWS\system32\ggbssnee.exe
C:\WINDOWS\system32\ggbxxde70f.exe
C:\WINDOWS\system32\h2too0q6g10.exe
C:\WINDOWS\system32\hcc6ou70vrm.exe
C:\WINDOWS\system32\hdttef4wmx.exe
C:\WINDOWS\system32\hdyy6kk6.exe
C:\WINDOWS\system32\hxxtjjfv.exe
C:\WINDOWS\system32\hyytkkfw.exe
C:\WINDOWS\system32\i6za70bx.exe
C:\WINDOWS\system32\iduupggb.exe
C:\WINDOWS\system32\ieezqqlccx.exe
C:\WINDOWS\system32\iiduupgg.exe
C:\WINDOWS\system32\ioo1aagbxnt.exe
C:\WINDOWS\system32\j0plgg6ss.exe
C:\WINDOWS\system32\jaavmmhy.exe
C:\WINDOWS\system32\je1awwriy0.exe
C:\WINDOWS\system32\jee6qq6cc.exe
C:\WINDOWS\system32\jee6qq6cc6o.exe
C:\WINDOWS\system32\jfaa6mm6.exe
C:\WINDOWS\system32\jzzvllhx.exe
C:\WINDOWS\system32\k1gccxooja.exe
C:\WINDOWS\system32\k3qg6cc6.exe
C:\WINDOWS\system32\kk6ww6ii6.exe
C:\WINDOWS\system32\kkfwwriidu.exe
C:\WINDOWS\system32\l26injo9k1.exe
C:\WINDOWS\system32\lccxoojaal2.exe
C:\WINDOWS\system32\lccxoojaavm.exe
C:\WINDOWS\system32\lg1cyytkkf.exe
C:\WINDOWS\system32\lgg6ss6ee6q.exe
C:\WINDOWS\system32\lgg6sy70z.exe
C:\WINDOWS\system32\lhxxtjjf.exe
C:\WINDOWS\system32\llmcd3o3vvr.exe
C:\WINDOWS\system32\m002zavmmh.exe
C:\WINDOWS\system32\m6yy6kk6.exe
C:\WINDOWS\system32\mcsi6uu6gg6.exe
C:\WINDOWS\system32\mhyytkvv.exe
C:\WINDOWS\system32\mmhyyj2v.exe
C:\WINDOWS\system32\neuzqqlc.exe
C:\WINDOWS\system32\njjfvvrh.exe
C:\WINDOWS\system32\njzzvllh.exe
C:\WINDOWS\system32\o1kggbssne.exe
C:\WINDOWS\system32\o9k1gccxoo.exe
C:\WINDOWS\system32\ouaq9mxotpk.exe
C:\WINDOWS\system32\pllhcc6oo7.exe
C:\WINDOWS\system32\pllhxxtj.exe
C:\WINDOWS\system32\q3ssneezqql.exe
C:\WINDOWS\system32\q70rnii6u.exe
C:\WINDOWS\system32\qlccxoojaa.exe
C:\WINDOWS\system32\qq6cc6oo6.exe
C:\WINDOWS\system32\rhhdttpf.exe
C:\WINDOWS\system32\rmm6yy6kk.exe
C:\WINDOWS\system32\rnddzppl.exe
C:\WINDOWS\system32\s1okkfww.exe
C:\WINDOWS\system32\sduk70lh.exe
C:\WINDOWS\system32\ss6ee6qq6.exe
C:\WINDOWS\system32\tjjfvvrh.exe
C:\WINDOWS\system32\tjp1qg6is1.exe
C:\WINDOWS\system32\tkkfwwri.exe
C:\WINDOWS\system32\tkkfwwriidu.exe
C:\WINDOWS\system32\too6aa6mm6y.exe
C:\WINDOWS\system32\vrhhdttp.exe
C:\WINDOWS\system32\vrmm6yy6.exe
C:\WINDOWS\system32\w1soojaa.exe
C:\WINDOWS\system32\w6ii6uu6.exe
C:\WINDOWS\system32\w9s1okkfww.exe
C:\WINDOWS\system32\wwmcioj0.exe
C:\WINDOWS\system32\wwriiduu.exe
C:\WINDOWS\system32\wwriiduupg.exe
C:\WINDOWS\system32\x0dzuu6gg.exe
C:\WINDOWS\system32\xnnjzzvl.exe
C:\WINDOWS\system32\xoojaavmmhy.exe
C:\WINDOWS\system32\xtjjfvvrhh.exe
C:\WINDOWS\system32\xy70zvqq6c.exe
C:\WINDOWS\system32\y1uqqlccxo.exe
C:\WINDOWS\system32\y3aavbxss6e.exe
C:\WINDOWS\system32\za70bxss6e.exe
C:\WINDOWS\system32\zppggbxn.exe
C:\WINDOWS\system32\zpplbbxn.exe
C:\WINDOWS\system32\zqqlccxooja.exe
C:\WINDOWS\system32\zu1qmmhyyt.exe
C:\WINDOWS\system32\zuu6gg6ss6e.exe
C:\WINDOWS\system32\zvllhxxt.exe
C:\WINDOWS\system32\zvqq6cc6.exe
C:\WINDOWS\system32\zzva30m3yy3.exe
C:\WINDOWS\system32\poubyj.exe
C:\WINDOWS\system32\spool\drivers\systempro.exe
C:\documents and settings\emi\im


A questo punto riavvii il computer.

Spero di averti aiutato [weponed]

N.B.: Lo script di the Avenger provvederà a rimuovere alcuni file infetti solo al riavvio del computer
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: Problema pc infestato

Messaggioda hashcat » lun gen 31, 2011 6:44 pm

hashcat ha scritto:Scarica e avvia The Avenger copia il seguente script al suo interno e clicca su execute.


Scusa ma avevo sbagliato una riga dello script (script revisionato):

Codice: Seleziona tutto
Files to delete:
C:\WINDOWS\system32\0fbww6i.exe
C:\WINDOWS\system32\0ggbssn.exe
C:\WINDOWS\system32\0jfaa6m.exe
C:\WINDOWS\system32\0kkfwwr.exe
C:\WINDOWS\system32\0oojaav.exe
C:\WINDOWS\system32\0qqlccx.exe
C:\WINDOWS\system32\0ssneez.exe
C:\WINDOWS\system32\0tpkk6w.exe
C:\WINDOWS\system32\0xtoo6a.exe
C:\WINDOWS\system32\1awwrii.exe
C:\WINDOWS\system32\1okkfww.exe
C:\WINDOWS\system32\1okkv2h.exe
C:\WINDOWS\system32\1qmmhyy.exe
C:\WINDOWS\system32\1wssnee.exe
C:\WINDOWS\system32\2faa6mm.exe
C:\WINDOWS\system32\2faa6mx.exe
C:\WINDOWS\system32\2lgg6ss.exe
C:\WINDOWS\system32\3mmhyyt.exe
C:\WINDOWS\system32\5zvqbh6.exe
C:\WINDOWS\system32\69e1abb.exe
C:\WINDOWS\system32\6aa6mm6.exe
C:\WINDOWS\system32\6aa6mxn.exe
C:\WINDOWS\system32\6cnoouf.exe
C:\WINDOWS\system32\6hi70jf.exe
C:\WINDOWS\system32\6ii6uu6.exe
C:\WINDOWS\system32\6oo6aa6.exe
C:\WINDOWS\system32\6ww6ii6.exe
C:\WINDOWS\system32\703y0zv.exe
C:\WINDOWS\system32\70bxss6.exe
C:\WINDOWS\system32\70hdyy6.exe
C:\WINDOWS\system32\70jfaa6.exe
C:\WINDOWS\system32\70mmss1.exe
C:\WINDOWS\system32\70plgg6.exe
C:\WINDOWS\system32\70rnii6.exe
C:\WINDOWS\system32\70tpkk6.exe
C:\WINDOWS\system32\780wwrx.exe
C:\WINDOWS\system32\9q1cns9.exe
C:\WINDOWS\system32\9z1fwwr.exe
C:\WINDOWS\system32\a0wbx3oo.exe
C:\WINDOWS\system32\a1wssnee.exe
C:\WINDOWS\system32\a3ccxoojaav.exe
C:\WINDOWS\system32\aavmmhyy.exe
C:\WINDOWS\system32\afbg6xdjzk.exe
C:\WINDOWS\system32\bbxnnjzzvll.exe
C:\WINDOWS\system32\bc70dzuu6g.exe
C:\WINDOWS\system32\brcsi6uu.exe
C:\WINDOWS\system32\bssneezqqlc.exe
C:\WINDOWS\system32\bw1soojaav.exe
C:\WINDOWS\system32\bww6ii6uu.exe
C:\WINDOWS\system32\bxnnjzzv.exe
C:\WINDOWS\system32\cxytup0v.exe
C:\WINDOWS\system32\dzpplbbxnn.exe
C:\WINDOWS\system32\dzuu6gg6.exe
C:\WINDOWS\system32\e70fbmrni.exe
C:\WINDOWS\system32\e70fbww6i.exe
C:\WINDOWS\system32\eezqqlcc.exe
C:\WINDOWS\system32\ezqqlccx.exe
C:\WINDOWS\system32\fa1wssneez.exe
C:\WINDOWS\system32\faa6mm6yy.exe
C:\WINDOWS\system32\faa6mm6yy6k.exe
C:\WINDOWS\system32\faa6ms70t.exe
C:\WINDOWS\system32\fbrrnddz.exe
C:\WINDOWS\system32\fbww6ii6.exe
C:\WINDOWS\system32\g1cyytkk.exe
C:\WINDOWS\system32\g3xy0uupgbb.exe
C:\WINDOWS\system32\g9c1yuupgg.exe
C:\WINDOWS\system32\gg6ss6ee6.exe
C:\WINDOWS\system32\ggbssnee.exe
C:\WINDOWS\system32\ggbxxde70f.exe
C:\WINDOWS\system32\h2too0q6g10.exe
C:\WINDOWS\system32\hcc6ou70vrm.exe
C:\WINDOWS\system32\hdttef4wmx.exe
C:\WINDOWS\system32\hdyy6kk6.exe
C:\WINDOWS\system32\hxxtjjfv.exe
C:\WINDOWS\system32\hyytkkfw.exe
C:\WINDOWS\system32\i6za70bx.exe
C:\WINDOWS\system32\iduupggb.exe
C:\WINDOWS\system32\ieezqqlccx.exe
C:\WINDOWS\system32\iiduupgg.exe
C:\WINDOWS\system32\ioo1aagbxnt.exe
C:\WINDOWS\system32\j0plgg6ss.exe
C:\WINDOWS\system32\jaavmmhy.exe
C:\WINDOWS\system32\je1awwriy0.exe
C:\WINDOWS\system32\jee6qq6cc.exe
C:\WINDOWS\system32\jee6qq6cc6o.exe
C:\WINDOWS\system32\jfaa6mm6.exe
C:\WINDOWS\system32\jzzvllhx.exe
C:\WINDOWS\system32\k1gccxooja.exe
C:\WINDOWS\system32\k3qg6cc6.exe
C:\WINDOWS\system32\kk6ww6ii6.exe
C:\WINDOWS\system32\kkfwwriidu.exe
C:\WINDOWS\system32\l26injo9k1.exe
C:\WINDOWS\system32\lccxoojaal2.exe
C:\WINDOWS\system32\lccxoojaavm.exe
C:\WINDOWS\system32\lg1cyytkkf.exe
C:\WINDOWS\system32\lgg6ss6ee6q.exe
C:\WINDOWS\system32\lgg6sy70z.exe
C:\WINDOWS\system32\lhxxtjjf.exe
C:\WINDOWS\system32\llmcd3o3vvr.exe
C:\WINDOWS\system32\m002zavmmh.exe
C:\WINDOWS\system32\m6yy6kk6.exe
C:\WINDOWS\system32\mcsi6uu6gg6.exe
C:\WINDOWS\system32\mhyytkvv.exe
C:\WINDOWS\system32\mmhyyj2v.exe
C:\WINDOWS\system32\neuzqqlc.exe
C:\WINDOWS\system32\njjfvvrh.exe
C:\WINDOWS\system32\njzzvllh.exe
C:\WINDOWS\system32\o1kggbssne.exe
C:\WINDOWS\system32\o9k1gccxoo.exe
C:\WINDOWS\system32\ouaq9mxotpk.exe
C:\WINDOWS\system32\pllhcc6oo7.exe
C:\WINDOWS\system32\pllhxxtj.exe
C:\WINDOWS\system32\q3ssneezqql.exe
C:\WINDOWS\system32\q70rnii6u.exe
C:\WINDOWS\system32\qlccxoojaa.exe
C:\WINDOWS\system32\qq6cc6oo6.exe
C:\WINDOWS\system32\rhhdttpf.exe
C:\WINDOWS\system32\rmm6yy6kk.exe
C:\WINDOWS\system32\rnddzppl.exe
C:\WINDOWS\system32\s1okkfww.exe
C:\WINDOWS\system32\sduk70lh.exe
C:\WINDOWS\system32\ss6ee6qq6.exe
C:\WINDOWS\system32\tjjfvvrh.exe
C:\WINDOWS\system32\tjp1qg6is1.exe
C:\WINDOWS\system32\tkkfwwri.exe
C:\WINDOWS\system32\tkkfwwriidu.exe
C:\WINDOWS\system32\too6aa6mm6y.exe
C:\WINDOWS\system32\vrhhdttp.exe
C:\WINDOWS\system32\vrmm6yy6.exe
C:\WINDOWS\system32\w1soojaa.exe
C:\WINDOWS\system32\w6ii6uu6.exe
C:\WINDOWS\system32\w9s1okkfww.exe
C:\WINDOWS\system32\wwmcioj0.exe
C:\WINDOWS\system32\wwriiduu.exe
C:\WINDOWS\system32\wwriiduupg.exe
C:\WINDOWS\system32\x0dzuu6gg.exe
C:\WINDOWS\system32\xnnjzzvl.exe
C:\WINDOWS\system32\xoojaavmmhy.exe
C:\WINDOWS\system32\xtjjfvvrhh.exe
C:\WINDOWS\system32\xy70zvqq6c.exe
C:\WINDOWS\system32\y1uqqlccxo.exe
C:\WINDOWS\system32\y3aavbxss6e.exe
C:\WINDOWS\system32\za70bxss6e.exe
C:\WINDOWS\system32\zppggbxn.exe
C:\WINDOWS\system32\zpplbbxn.exe
C:\WINDOWS\system32\zqqlccxooja.exe
C:\WINDOWS\system32\zu1qmmhyyt.exe
C:\WINDOWS\system32\zuu6gg6ss6e.exe
C:\WINDOWS\system32\zvllhxxt.exe
C:\WINDOWS\system32\zvqq6cc6.exe
C:\WINDOWS\system32\zzva30m3yy3.exe
C:\WINDOWS\system32\poubyj.exe
C:\WINDOWS\system32\spool\drivers\systempro.exe
C:\documents and settings\emi\impostazioni locali\dati applicazioni\bvjgs.exe
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\sid876v3.exe
C:\WINDOWS\system32\0vrmm6y.exe
C:\WINDOWS\system32\0hdtez6.exe
C:\WINDOWS\system32\firoosek.exe


Buon lavoro [8D]

N.B.: Il passo con "The Avenger" anche se nominato per ultimo va effettuato subito dopo quello con hijackthis, quindi subito dopo averlo fatto riavvia il computer e prosegui seguendo il procedimento che ti ho indicato
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: Problema pc infestato

Messaggioda hashcat » mar feb 01, 2011 2:25 pm

Controllando più approfonditamente il log di Combofix ho notato che vanno eliminati anche questi file:

Codice: Seleziona tutto
c:\WINDOWS\system32\hookud.exe
c:\WINDOWS\system32\curunoogab.exe
c:\WINDOWS\system32\dpvsetup.exe
c:\windows\system32\touzoup.exe
c:\windows\system32\drivers\akcjtcwg.sys
c:\windows\system32\drivers\nai31d4.sys
c:\windows\system32\mefalyg.exe
c:\windows\system32\drivers\qsff98e.sys
c:\windows\system32\drivers\bfjcbgxc.sys
D:\Recycled.exe


Inoltre se ho visto bene il tuo computer e anche i dischi esterni (non solo quali possiedi) sembrano essere infetti da un autorun.inf

Per ricapitolare aggiorno lo script di The Avenger:

Codice: Seleziona tutto
Files to delete:
C:\WINDOWS\system32\0fbww6i.exe
C:\WINDOWS\system32\0ggbssn.exe
C:\WINDOWS\system32\0jfaa6m.exe
C:\WINDOWS\system32\0kkfwwr.exe
C:\WINDOWS\system32\0oojaav.exe
C:\WINDOWS\system32\0qqlccx.exe
C:\WINDOWS\system32\0ssneez.exe
C:\WINDOWS\system32\0tpkk6w.exe
C:\WINDOWS\system32\0xtoo6a.exe
C:\WINDOWS\system32\1awwrii.exe
C:\WINDOWS\system32\1okkfww.exe
C:\WINDOWS\system32\1okkv2h.exe
C:\WINDOWS\system32\1qmmhyy.exe
C:\WINDOWS\system32\1wssnee.exe
C:\WINDOWS\system32\2faa6mm.exe
C:\WINDOWS\system32\2faa6mx.exe
C:\WINDOWS\system32\2lgg6ss.exe
C:\WINDOWS\system32\3mmhyyt.exe
C:\WINDOWS\system32\5zvqbh6.exe
C:\WINDOWS\system32\69e1abb.exe
C:\WINDOWS\system32\6aa6mm6.exe
C:\WINDOWS\system32\6aa6mxn.exe
C:\WINDOWS\system32\6cnoouf.exe
C:\WINDOWS\system32\6hi70jf.exe
C:\WINDOWS\system32\6ii6uu6.exe
C:\WINDOWS\system32\6oo6aa6.exe
C:\WINDOWS\system32\6ww6ii6.exe
C:\WINDOWS\system32\703y0zv.exe
C:\WINDOWS\system32\70bxss6.exe
C:\WINDOWS\system32\70hdyy6.exe
C:\WINDOWS\system32\70jfaa6.exe
C:\WINDOWS\system32\70mmss1.exe
C:\WINDOWS\system32\70plgg6.exe
C:\WINDOWS\system32\70rnii6.exe
C:\WINDOWS\system32\70tpkk6.exe
C:\WINDOWS\system32\780wwrx.exe
C:\WINDOWS\system32\9q1cns9.exe
C:\WINDOWS\system32\9z1fwwr.exe
C:\WINDOWS\system32\a0wbx3oo.exe
C:\WINDOWS\system32\a1wssnee.exe
C:\WINDOWS\system32\a3ccxoojaav.exe
C:\WINDOWS\system32\aavmmhyy.exe
C:\WINDOWS\system32\afbg6xdjzk.exe
C:\WINDOWS\system32\bbxnnjzzvll.exe
C:\WINDOWS\system32\bc70dzuu6g.exe
C:\WINDOWS\system32\brcsi6uu.exe
C:\WINDOWS\system32\bssneezqqlc.exe
C:\WINDOWS\system32\bw1soojaav.exe
C:\WINDOWS\system32\bww6ii6uu.exe
C:\WINDOWS\system32\bxnnjzzv.exe
C:\WINDOWS\system32\cxytup0v.exe
C:\WINDOWS\system32\dzpplbbxnn.exe
C:\WINDOWS\system32\dzuu6gg6.exe
C:\WINDOWS\system32\e70fbmrni.exe
C:\WINDOWS\system32\e70fbww6i.exe
C:\WINDOWS\system32\eezqqlcc.exe
C:\WINDOWS\system32\ezqqlccx.exe
C:\WINDOWS\system32\fa1wssneez.exe
C:\WINDOWS\system32\faa6mm6yy.exe
C:\WINDOWS\system32\faa6mm6yy6k.exe
C:\WINDOWS\system32\faa6ms70t.exe
C:\WINDOWS\system32\fbrrnddz.exe
C:\WINDOWS\system32\fbww6ii6.exe
C:\WINDOWS\system32\g1cyytkk.exe
C:\WINDOWS\system32\g3xy0uupgbb.exe
C:\WINDOWS\system32\g9c1yuupgg.exe
C:\WINDOWS\system32\gg6ss6ee6.exe
C:\WINDOWS\system32\ggbssnee.exe
C:\WINDOWS\system32\ggbxxde70f.exe
C:\WINDOWS\system32\h2too0q6g10.exe
C:\WINDOWS\system32\hcc6ou70vrm.exe
C:\WINDOWS\system32\hdttef4wmx.exe
C:\WINDOWS\system32\hdyy6kk6.exe
C:\WINDOWS\system32\hxxtjjfv.exe
C:\WINDOWS\system32\hyytkkfw.exe
C:\WINDOWS\system32\i6za70bx.exe
C:\WINDOWS\system32\iduupggb.exe
C:\WINDOWS\system32\ieezqqlccx.exe
C:\WINDOWS\system32\iiduupgg.exe
C:\WINDOWS\system32\ioo1aagbxnt.exe
C:\WINDOWS\system32\j0plgg6ss.exe
C:\WINDOWS\system32\jaavmmhy.exe
C:\WINDOWS\system32\je1awwriy0.exe
C:\WINDOWS\system32\jee6qq6cc.exe
C:\WINDOWS\system32\jee6qq6cc6o.exe
C:\WINDOWS\system32\jfaa6mm6.exe
C:\WINDOWS\system32\jzzvllhx.exe
C:\WINDOWS\system32\k1gccxooja.exe
C:\WINDOWS\system32\k3qg6cc6.exe
C:\WINDOWS\system32\kk6ww6ii6.exe
C:\WINDOWS\system32\kkfwwriidu.exe
C:\WINDOWS\system32\l26injo9k1.exe
C:\WINDOWS\system32\lccxoojaal2.exe
C:\WINDOWS\system32\lccxoojaavm.exe
C:\WINDOWS\system32\lg1cyytkkf.exe
C:\WINDOWS\system32\lgg6ss6ee6q.exe
C:\WINDOWS\system32\lgg6sy70z.exe
C:\WINDOWS\system32\lhxxtjjf.exe
C:\WINDOWS\system32\llmcd3o3vvr.exe
C:\WINDOWS\system32\m002zavmmh.exe
C:\WINDOWS\system32\m6yy6kk6.exe
C:\WINDOWS\system32\mcsi6uu6gg6.exe
C:\WINDOWS\system32\mhyytkvv.exe
C:\WINDOWS\system32\mmhyyj2v.exe
C:\WINDOWS\system32\neuzqqlc.exe
C:\WINDOWS\system32\njjfvvrh.exe
C:\WINDOWS\system32\njzzvllh.exe
C:\WINDOWS\system32\o1kggbssne.exe
C:\WINDOWS\system32\o9k1gccxoo.exe
C:\WINDOWS\system32\ouaq9mxotpk.exe
C:\WINDOWS\system32\pllhcc6oo7.exe
C:\WINDOWS\system32\pllhxxtj.exe
C:\WINDOWS\system32\q3ssneezqql.exe
C:\WINDOWS\system32\q70rnii6u.exe
C:\WINDOWS\system32\qlccxoojaa.exe
C:\WINDOWS\system32\qq6cc6oo6.exe
C:\WINDOWS\system32\rhhdttpf.exe
C:\WINDOWS\system32\rmm6yy6kk.exe
C:\WINDOWS\system32\rnddzppl.exe
C:\WINDOWS\system32\s1okkfww.exe
C:\WINDOWS\system32\sduk70lh.exe
C:\WINDOWS\system32\ss6ee6qq6.exe
C:\WINDOWS\system32\tjjfvvrh.exe
C:\WINDOWS\system32\tjp1qg6is1.exe
C:\WINDOWS\system32\tkkfwwri.exe
C:\WINDOWS\system32\tkkfwwriidu.exe
C:\WINDOWS\system32\too6aa6mm6y.exe
C:\WINDOWS\system32\vrhhdttp.exe
C:\WINDOWS\system32\vrmm6yy6.exe
C:\WINDOWS\system32\w1soojaa.exe
C:\WINDOWS\system32\w6ii6uu6.exe
C:\WINDOWS\system32\w9s1okkfww.exe
C:\WINDOWS\system32\wwmcioj0.exe
C:\WINDOWS\system32\wwriiduu.exe
C:\WINDOWS\system32\wwriiduupg.exe
C:\WINDOWS\system32\x0dzuu6gg.exe
C:\WINDOWS\system32\xnnjzzvl.exe
C:\WINDOWS\system32\xoojaavmmhy.exe
C:\WINDOWS\system32\xtjjfvvrhh.exe
C:\WINDOWS\system32\xy70zvqq6c.exe
C:\WINDOWS\system32\y1uqqlccxo.exe
C:\WINDOWS\system32\y3aavbxss6e.exe
C:\WINDOWS\system32\za70bxss6e.exe
C:\WINDOWS\system32\zppggbxn.exe
C:\WINDOWS\system32\zpplbbxn.exe
C:\WINDOWS\system32\zqqlccxooja.exe
C:\WINDOWS\system32\zu1qmmhyyt.exe
C:\WINDOWS\system32\zuu6gg6ss6e.exe
C:\WINDOWS\system32\zvllhxxt.exe
C:\WINDOWS\system32\zvqq6cc6.exe
C:\WINDOWS\system32\zzva30m3yy3.exe
C:\WINDOWS\system32\poubyj.exe
C:\WINDOWS\system32\spool\drivers\systempro.exe
C:\documents and settings\emi\impostazioni locali\dati applicazioni\bvjgs.exe
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\sid876v3.exe
C:\WINDOWS\system32\0vrmm6y.exe
C:\WINDOWS\system32\0hdtez6.exe
C:\WINDOWS\system32\firoosek.exe
c:\WINDOWS\system32\hookud.exe
c:\WINDOWS\system32\curunoogab.exe
c:\WINDOWS\system32\dpvsetup.exe
c:\windows\system32\touzoup.exe
c:\windows\system32\drivers\akcjtcwg.sys
c:\windows\system32\drivers\nai31d4.sys
c:\windows\system32\mefalyg.exe
c:\windows\system32\drivers\qsff98e.sys
c:\windows\system32\drivers\bfjcbgxc.sys
D:\Recycled.exe


Dopo la Pulizia con The Avenger puoi continuare con il resto del procedimento

[;)] [^]
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: Problema pc infestato

Messaggioda Spaccy » mar feb 01, 2011 6:17 pm

Allora, scusate il ritardo...ho diciamo seguito tutte le guide ma mi sono perso qualche log qua e la dopo le scansioni con i vari programmi...che hanno evidenziato un oceano di spy e adware e troj...un casino insomma.... ora devo dire che va meglio e per sicurezza o ripetuto i classici test....
CONBOFIX

ComboFix 11-01-31.02 - Emi 01/02/2011 17.16.44.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1014.488 [GMT 1:00]
Eseguito da: c:\documents and settings\Emi\Desktop\ComboFix.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs_nav.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs_navps.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\hwiayk.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\hwiayk_nav.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\hwiayk_navps.dat
c:\windows\ndl.dl

.
((((((((((((((((((((((((( Files Creati Da 2011-01-01 al 2011-02-01 )))))))))))))))))))))))))))))))))))
.

2011-02-01 16:11 . 2011-02-01 16:11 398336 ----a-w- c:\windows\system32\CF22270.exe
2011-02-01 15:54 . 2011-02-01 15:54 -------- d-----w- c:\programmi\CCleaner
2011-01-31 16:43 . 2011-01-31 16:49 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-31 16:43 . 2011-01-31 16:43 -------- d-----w- c:\programmi\Hitman Pro 3.5
2011-01-31 16:41 . 2011-01-31 16:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Hitman Pro
2011-01-31 16:16 . 2011-01-31 16:16 -------- d-----w- c:\documents and settings\Emi\Dati applicazioni\SUPERAntiSpyware.com
2011-01-31 16:16 . 2011-01-31 16:16 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2011-01-31 16:14 . 2011-01-31 16:14 -------- d-----w- c:\documents and settings\Administrator
2011-01-31 15:35 . 2011-01-31 15:35 -------- d-----w- c:\documents and settings\Emi\Dati applicazioni\Malwarebytes
2011-01-31 15:34 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-31 15:34 . 2011-01-31 15:34 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2011-01-31 15:34 . 2011-01-31 15:34 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-01-31 15:34 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-31 08:35 . 2011-01-31 08:35 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-31 08:34 . 2011-01-31 08:34 -------- d---a-w- c:\windows\MSETUP
2011-01-28 09:24 . 2011-01-31 08:34 -------- d-----w- C:\RECYCLER(2)
2011-01-28 07:43 . 2011-01-28 07:44 82944 ----a-w- c:\windows\system32\drivers\bfjcbgxc.sys
2011-01-28 07:24 . 2011-01-28 07:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-31 08:40 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer.exe
2011-01-28 08:45 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(2).exe
2011-01-26 08:30 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(3).exe
2010-12-08 20:14 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(4).exe
2010-12-08 19:49 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(5).exe
2010-12-07 21:12 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(6).exe
2010-12-07 20:05 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(7).exe
2010-11-30 21:57 . 2010-11-30 21:57 0 ----a-w- c:\windows\system32\drivers\orrjrgij.sys
2010-11-27 13:49 . 2010-11-27 13:49 0 ----a-w- c:\windows\system32\drivers\nonagpdd.sys
2010-11-26 19:40 . 2010-11-26 19:40 0 ----a-w- c:\windows\system32\drivers\tnrouhoi.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0\bin\jusched.exe" [2009-02-02 36972]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\programmi\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\programmi\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\programmi\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\programmi\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [02/02/2009 13.02.58 4300]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [14/01/2008 19.01.02 30208]
R3 hspabus;SAMSUNG HSPA USB Composite Device driver (WDM);c:\windows\system32\drivers\hspabus.sys [02/02/2009 13.07.56 91776]
R3 hspamdfl;SAMSUNG HSPA Modem Filter;c:\windows\system32\drivers\hspamdfl.sys [02/02/2009 13.07.56 14976]
R3 hspamdm;SAMSUNG HSPA Modem Drivers;c:\windows\system32\drivers\hspamdm.sys [02/02/2009 13.07.56 119808]
R3 hspaserd;SAMSUNG HSPA Modem Diagnostic Serial Port (WDM);c:\windows\system32\drivers\hspaserd.sys [02/02/2009 13.07.56 98560]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [02/02/2009 13.07.09 238464]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - HITMANPRO35
*Deregistered* - hitmanpro35
.
Contenuto della cartella 'Scheduled Tasks'

2011-02-01 c:\windows\Tasks\User_Feed_Synchronization-{0A761CC7-6A10-4D3E-8A02-6E63CD970BFF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.facebook.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

SafeBoot-akcjtcwg.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-01 17:20
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\igfxdev.dll
.
Ora fine scansione: 2011-02-01 17:22:25
ComboFix-quarantined-files.txt 2011-02-01 16:22
ComboFix2.txt 2011-01-28 09:07

Pre-Run: 63.473.831.936 byte disponibili
Post-Run: 64.043.737.088 byte disponibili

- - End Of File - - 9ECAA1A04CAC9163D85610D9EF15EAB9


<hijaticks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17.25.37, on 01/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Emi\Desktop\MegaLab_copia_hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EDS] C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Programmi\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Programmi\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - http://static.ak.facebook.com/fbplugin/ ... 1193264765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8351545484
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Programmi\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 5284 bytes



Il pc sembras migliorato moltissimo ma e' ancora apparso una schermata blu (troppo veloce per poterla leggere) ma ho recuperato l'errore che appare nella "visual. eventi di sistema"

Codice errore 000000ca, parametro1 00000004, parametro2 84c396d0, parametro3 00000000, parametro4 00000000.

Per ulteriori informazioni, consultare la Guida in linea e supporto tecnico all'indirizzo http://go.microsoft.com/fwlink/events.asp.



altri consigli?

(grazie di cuore veramente per tutto l'aiuto)
Avatar utente
Spaccy
Aficionado
Aficionado
 
Messaggi: 121
Iscritto il: ven feb 01, 2008 5:15 pm
Località: Roma

Re: Problema pc infestato

Messaggioda hashcat » mar feb 01, 2011 8:00 pm

Spaccy ha scritto:Allora, scusate il ritardo...ho diciamo seguito tutte le guide ma mi sono perso qualche log qua e la dopo le scansioni con i vari programmi...che hanno evidenziato un oceano di spy e adware e troj...un casino insomma.... ora devo dire che va meglio e per sicurezza o ripetuto i classici test....
CONBOFIX

ComboFix 11-01-31.02 - Emi 01/02/2011 17.16.44.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1014.488 [GMT 1:00]
Eseguito da: c:\documents and settings\Emi\Desktop\ComboFix.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs_nav.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\bvjgs_navps.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\hwiayk.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\hwiayk_nav.dat
c:\documents and settings\Emi\Impostazioni locali\Dati applicazioni\hwiayk_navps.dat
c:\windows\ndl.dl

.
((((((((((((((((((((((((( Files Creati Da 2011-01-01 al 2011-02-01 )))))))))))))))))))))))))))))))))))
.

2011-02-01 16:11 . 2011-02-01 16:11 398336 ----a-w- c:\windows\system32\CF22270.exe
2011-02-01 15:54 . 2011-02-01 15:54 -------- d-----w- c:\programmi\CCleaner
2011-01-31 16:43 . 2011-01-31 16:49 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-31 16:43 . 2011-01-31 16:43 -------- d-----w- c:\programmi\Hitman Pro 3.5
2011-01-31 16:41 . 2011-01-31 16:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Hitman Pro
2011-01-31 16:16 . 2011-01-31 16:16 -------- d-----w- c:\documents and settings\Emi\Dati applicazioni\SUPERAntiSpyware.com
2011-01-31 16:16 . 2011-01-31 16:16 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2011-01-31 16:14 . 2011-01-31 16:14 -------- d-----w- c:\documents and settings\Administrator
2011-01-31 15:35 . 2011-01-31 15:35 -------- d-----w- c:\documents and settings\Emi\Dati applicazioni\Malwarebytes
2011-01-31 15:34 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-31 15:34 . 2011-01-31 15:34 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2011-01-31 15:34 . 2011-01-31 15:34 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-01-31 15:34 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-31 08:35 . 2011-01-31 08:35 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-31 08:34 . 2011-01-31 08:34 -------- d---a-w- c:\windows\MSETUP
2011-01-28 09:24 . 2011-01-31 08:34 -------- d-----w- C:\RECYCLER(2)
2011-01-28 07:43 . 2011-01-28 07:44 82944 ----a-w- c:\windows\system32\drivers\bfjcbgxc.sys
2011-01-28 07:24 . 2011-01-28 07:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-31 08:40 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer.exe
2011-01-28 08:45 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(2).exe
2011-01-26 08:30 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(3).exe
2010-12-08 20:14 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(4).exe
2010-12-08 19:49 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(5).exe
2010-12-07 21:12 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(6).exe
2010-12-07 20:05 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(7).exe
2010-11-30 21:57 . 2010-11-30 21:57 0 ----a-w- c:\windows\system32\drivers\orrjrgij.sys
2010-11-27 13:49 . 2010-11-27 13:49 0 ----a-w- c:\windows\system32\drivers\nonagpdd.sys
2010-11-26 19:40 . 2010-11-26 19:40 0 ----a-w- c:\windows\system32\drivers\tnrouhoi.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0\bin\jusched.exe" [2009-02-02 36972]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\programmi\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\programmi\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\programmi\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\programmi\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [02/02/2009 13.02.58 4300]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [14/01/2008 19.01.02 30208]
R3 hspabus;SAMSUNG HSPA USB Composite Device driver (WDM);c:\windows\system32\drivers\hspabus.sys [02/02/2009 13.07.56 91776]
R3 hspamdfl;SAMSUNG HSPA Modem Filter;c:\windows\system32\drivers\hspamdfl.sys [02/02/2009 13.07.56 14976]
R3 hspamdm;SAMSUNG HSPA Modem Drivers;c:\windows\system32\drivers\hspamdm.sys [02/02/2009 13.07.56 119808]
R3 hspaserd;SAMSUNG HSPA Modem Diagnostic Serial Port (WDM);c:\windows\system32\drivers\hspaserd.sys [02/02/2009 13.07.56 98560]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [02/02/2009 13.07.09 238464]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - HITMANPRO35
*Deregistered* - hitmanpro35
.
Contenuto della cartella 'Scheduled Tasks'

2011-02-01 c:\windows\Tasks\User_Feed_Synchronization-{0A761CC7-6A10-4D3E-8A02-6E63CD970BFF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.facebook.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

SafeBoot-akcjtcwg.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-01 17:20
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\igfxdev.dll
.
Ora fine scansione: 2011-02-01 17:22:25
ComboFix-quarantined-files.txt 2011-02-01 16:22
ComboFix2.txt 2011-01-28 09:07

Pre-Run: 63.473.831.936 byte disponibili
Post-Run: 64.043.737.088 byte disponibili

- - End Of File - - 9ECAA1A04CAC9163D85610D9EF15EAB9


<hijaticks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17.25.37, on 01/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Emi\Desktop\MegaLab_copia_hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EDS] C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Programmi\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Programmi\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - http://static.ak.facebook.com/fbplugin/ ... 1193264765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8351545484
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Programmi\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 5284 bytes



Il pc sembras migliorato moltissimo ma e' ancora apparso una schermata blu (troppo veloce per poterla leggere) ma ho recuperato l'errore che appare nella "visual. eventi di sistema"

Codice errore 000000ca, parametro1 00000004, parametro2 84c396d0, parametro3 00000000, parametro4 00000000.

Per ulteriori informazioni, consultare la Guida in linea e supporto tecnico all'indirizzo http://go.microsoft.com/fwlink/events.asp.



altri consigli?

(grazie di cuore veramente per tutto l'aiuto)


Bene, qualcosa è ancora rimasto, ma molto se ne è andtato, stasera non credo che riuscirò ad aiutarti, per quanto riguarda il blue screen scarica lo strumento BlueScreen View installalo e cerca informazioni aggiuntive sull'ultimo blue screen e posta uno screenshot oppure un log testuale, se il log dovesse essere molto lungo caricalo su paste2.org.

Nel frattempo installa sul computer un antivirus e un firewall, poiché ora non possiede software di sicurezza installati.
E ripeti tutto il procedimento di pulizia che ti avevo indicato per vedere se trova nuovamente qualcosa.


Buona serata [^]

N.B.: Devi scaricare nuovamente vipre rescue perché viene aggiornato ogni 4 ore circa
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: Problema pc infestato

Messaggioda crazy.cat » mar feb 01, 2011 8:04 pm

Non vedo ancora avast o altro antivirus installato....
Poi non meravigliamoci se trovi centinaia di schifezze nel pc.
Scaricati Hijackthis aggiornato ne hai una versione vecchia.

Quanti explorer ci sono nel tuo pc?
2011-01-31 08:40 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer.exe
2011-01-28 08:45 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(2).exe
2011-01-26 08:30 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(3).exe
2010-12-08 20:14 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(4).exe
2010-12-08 19:49 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(5).exe
2010-12-07 21:12 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(6).exe
2010-12-07 20:05 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer(7).exe


Controlla la presenza di questi file e falli analizzare sul sito http://www.virustotal.com (se ci sono ancora)
2010-11-30 21:57 . 2010-11-30 21:57 0 ----a-w- c:\windows\system32\drivers\orrjrgij.sys
2010-11-27 13:49 . 2010-11-27 13:49 0 ----a-w- c:\windows\system32\drivers\nonagpdd.sys
2010-11-26 19:40 . 2010-11-26 19:40 0 ----a-w- c:\windows\system32\drivers\tnrouhoi.sys


ma ho recuperato l'errore che appare nella "visual. eventi di sistema"

Dati poco significativi, prova con questo programma http://www.MegaLab.it/4734/2/scopri-chi ... di-windows e cerca un qualche riferimento ad un file o un programma che possa avere creato l'errore.

Se poi non si è più ripetuto non mi preoccuperei più di tanto.
Quando i molti governano, pensano solo a contentar sé stessi, si ha allora la tirannia più balorda e più odiosa: la tirannia mascherata da libertà.
Avatar utente
crazy.cat
MLI Hero
MLI Hero
 
Messaggi: 30959
Iscritto il: lun gen 12, 2004 1:38 pm
Località: Mestre

Re: Problema pc infestato

Messaggioda hashcat » mar feb 01, 2011 9:56 pm

Si è ricreato questo maledetto:

Codice: Seleziona tutto
c:\windows\system32\drivers\bfjcbgxc.sys


Devi eliminarlo (script the avenger):

Codice: Seleziona tutto
Files to replace with dummy:
c:\windows\system32\drivers\bfjcbgxc.sys


Col comando che ho indicato nello script il file non viene eliminato ma viene sostituito con un file spazzatura innocuo.
Dopo aver terminato la pulizia lo cancelleremo.

[weponed] [weponed]
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: Problema pc infestato

Messaggioda hashcat » mer feb 02, 2011 2:35 pm

Controllando meglio l'ultimo log di combofix vedo che quasi tutte le minacce sono sparite, per quanto riguarda i file sospetti segnalati da crazy.cat se sono infetti per eliminarli usa questo script di the Avenger:

Codice: Seleziona tutto
Files to delete:
c:\windows\system32\drivers\orrjrgij.sys
c:\windows\system32\drivers\nonagpdd.sys
c:\windows\system32\drivers\tnrouhoi.sys

Files to replace with dummy:
c:\windows\system32\drivers\bfjcbgxc.sys

Una semplice domanda, come è possibile che tuo nipote sia riuscito ad infettare fino a questo punto il computer?

Per evitare che questo si ripeta in futuro devi dotare il tuo computer di software di sicurezza adeguati:

  • Un antivirus gratuito, come ad esempio Avira
  • Un antivirus leggero da affiancare alla protezione di Avira, PandaCloud
  • Un buon firewall come Outpost nella versione gratuita o Comodo

[brindisi]
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: Problema pc infestato

Messaggioda hashcat » mer feb 02, 2011 3:22 pm

Inoltre potresti aggiungere un filtro per i siti pericolosi come Wot e ClearCloud.

Tutte queste misure di sicurezza usate insieme al buonsenso e alla prudenza di chi usa il computer incrementano notevolmente la sicurezza del tuo computer.


[^] [^]
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: Problema pc infestato

Messaggioda Spaccy » mer feb 02, 2011 6:41 pm

allora, rieccomi...sto seguendo tutti i vostri consigli alla lettera (spero di non essermi perso nulla)
Ho installato intanto AVAST 5 come antivirus e COMODO come firewall (molto bello non lo conoscevo grazie)
ho copiato quei script su avenger e sembra ok!

vi ri propongo nuovi script di:
combofix

ComboFix 11-01-31.02 - Emi 02/02/2011 17.59.19.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1014.628 [GMT 1:00]
Eseguito da: c:\documents and settings\Emi\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((( Files Creati Da 2011-01-02 al 2011-02-02 )))))))))))))))))))))))))))))))))))
.

2011-02-02 16:42 . 2011-02-02 16:42 -------- d-----w- C:\VritualRoot
2011-02-02 16:39 . 2011-02-02 16:39 -------- d-----w- c:\programmi\COMODO
2011-02-02 15:51 . 2011-02-02 16:43 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Comodo
2011-02-02 14:32 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-02 14:32 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-02 14:32 . 2010-09-07 15:53 340048 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-02 14:32 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-02 14:32 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-02 14:32 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-02 14:32 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-02 14:32 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-02 14:32 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2011-02-02 14:32 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-02 13:52 . 2011-02-02 13:52 -------- d-----w- c:\programmi\NirSoft
2011-02-01 16:11 . 2011-02-01 16:11 398336 ----a-w- c:\windows\system32\CF22270.exe
2011-02-01 15:54 . 2011-02-01 15:54 -------- d-----w- c:\programmi\CCleaner
2011-01-31 16:43 . 2011-01-31 16:49 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-31 16:43 . 2011-01-31 16:43 -------- d-----w- c:\programmi\Hitman Pro 3.5
2011-01-31 16:41 . 2011-01-31 16:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Hitman Pro
2011-01-31 16:16 . 2011-01-31 16:16 -------- d-----w- c:\documents and settings\Emi\Dati applicazioni\SUPERAntiSpyware.com
2011-01-31 16:16 . 2011-01-31 16:16 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2011-01-31 16:14 . 2011-01-31 16:14 -------- d-----w- c:\documents and settings\Administrator
2011-01-31 15:35 . 2011-01-31 15:35 -------- d-----w- c:\documents and settings\Emi\Dati applicazioni\Malwarebytes
2011-01-31 15:34 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-31 15:34 . 2011-01-31 15:34 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2011-01-31 15:34 . 2011-01-31 15:34 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-01-31 15:34 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-31 08:35 . 2011-01-31 08:35 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-31 08:34 . 2011-01-31 08:34 -------- d---a-w- c:\windows\MSETUP
2011-01-28 07:24 . 2011-01-28 07:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-06 16:37 . 2011-01-06 16:37 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-06 16:37 . 2011-01-06 16:37 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-06 16:37 . 2011-01-06 16:37 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-06 16:37 . 2011-01-06 16:37 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-31 08:40 . 2009-02-02 19:38 1036288 ----a-w- c:\windows\explorer.exe
2010-12-29 00:42 . 2010-12-29 00:42 285480 ----a-w- c:\windows\system32\guard32.dll
2010-11-18 18:12 . 2009-02-02 11:56 86016 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:51 . 2009-02-02 19:38 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:21 . 2009-02-02 19:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:21 . 2009-02-02 19:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:21 . 2009-02-02 19:38 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
.

((((((((((((((((((((((((((((( SnapShot@2011-02-01_16.20.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 01:19 . 2007-11-07 01:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
- 2009-02-02 19:39 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
+ 2009-02-02 19:39 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
- 2009-07-07 19:28 . 2010-02-22 14:27 18808 c:\windows\system32\spmsg.dll
+ 2009-07-07 19:28 . 2009-05-26 11:41 18808 c:\windows\system32\spmsg.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 66560 c:\windows\system32\mshtmled.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 66560 c:\windows\system32\mshtmled.dll
- 2009-03-08 02:31 . 2010-09-10 05:49 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-03-08 02:31 . 2010-11-06 00:21 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 25600 c:\windows\system32\jsproxy.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 25600 c:\windows\system32\jsproxy.dll
+ 2009-02-02 12:49 . 2011-02-01 17:56 97456 c:\windows\system32\FNTCACHE.DAT
- 2009-02-02 12:49 . 2010-10-15 18:57 97456 c:\windows\system32\FNTCACHE.DAT
+ 2009-02-02 19:38 . 2010-11-02 15:17 40960 c:\windows\system32\drivers\ndproxy.sys
+ 2009-06-09 20:23 . 2010-11-06 00:21 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-09 20:23 . 2010-09-10 05:49 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-02-02 11:56 . 2010-10-11 14:59 45568 c:\windows\system32\dllcache\wab.exe
+ 2009-02-02 19:38 . 2010-11-02 15:17 40960 c:\windows\system32\dllcache\ndproxy.sys
+ 2009-02-02 19:38 . 2010-11-06 00:21 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-07-28 21:50 . 2010-11-06 00:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-07-28 21:50 . 2010-09-10 05:49 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2009-02-02 11:56 . 2008-04-14 12:00 86016 c:\windows\system32\dllcache\isign32.dll
+ 2009-02-02 11:56 . 2010-11-18 18:12 86016 c:\windows\system32\dllcache\isign32.dll
+ 2010-06-03 19:44 . 2011-02-01 17:28 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-06-03 19:44 . 2010-09-28 19:48 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 12800 c:\windows\ie8updates\KB2416400-IE8\xpshims.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 66560 c:\windows\ie8updates\KB2416400-IE8\mshtmled.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 55296 c:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 43520 c:\windows\ie8updates\KB2416400-IE8\licmgr10.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 25600 c:\windows\ie8updates\KB2416400-IE8\jsproxy.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 02:54 . 2008-07-29 02:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 206848 c:\windows\system32\occache.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 206848 c:\windows\system32\occache.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 611840 c:\windows\system32\mstime.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 611840 c:\windows\system32\mstime.dll
- 2009-03-08 02:32 . 2010-09-10 05:49 602112 c:\windows\system32\msfeeds.dll
+ 2009-03-08 02:32 . 2010-11-06 00:21 602112 c:\windows\system32\msfeeds.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 184320 c:\windows\system32\iepeers.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 184320 c:\windows\system32\iepeers.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 387584 c:\windows\system32\iedkcs32.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 387584 c:\windows\system32\iedkcs32.dll
+ 2009-02-02 19:38 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe
- 2009-02-02 19:39 . 2010-09-10 05:49 916480 c:\windows\system32\dllcache\wininet.dll
+ 2009-02-02 19:39 . 2010-11-06 00:21 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-02-02 19:38 . 2008-04-14 12:00 249856 c:\windows\system32\dllcache\odbc32.dll
+ 2009-02-02 19:38 . 2010-11-09 14:51 249856 c:\windows\system32\dllcache\odbc32.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 206848 c:\windows\system32\dllcache\occache.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 206848 c:\windows\system32\dllcache\occache.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-02-02 11:56 . 2010-11-09 14:51 102400 c:\windows\system32\dllcache\msjro.dll
- 2009-02-02 11:56 . 2008-04-14 12:00 102400 c:\windows\system32\dllcache\msjro.dll
- 2009-07-28 21:49 . 2010-09-10 05:49 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-07-28 21:49 . 2010-11-06 00:21 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-02-02 11:56 . 2010-11-09 14:51 200704 c:\windows\system32\dllcache\msadox.dll
- 2009-02-02 11:56 . 2008-04-14 12:00 200704 c:\windows\system32\dllcache\msadox.dll
- 2009-02-02 11:56 . 2008-04-14 12:00 180224 c:\windows\system32\dllcache\msadomd.dll
+ 2009-02-02 11:56 . 2010-11-09 14:51 180224 c:\windows\system32\dllcache\msadomd.dll
- 2009-02-02 11:56 . 2008-04-14 12:00 536576 c:\windows\system32\dllcache\msado15.dll
+ 2009-02-02 11:56 . 2010-11-09 14:51 536576 c:\windows\system32\dllcache\msado15.dll
+ 2009-02-02 11:56 . 2010-11-09 14:51 143360 c:\windows\system32\dllcache\msadco.dll
- 2009-02-02 11:56 . 2008-04-14 12:00 143360 c:\windows\system32\dllcache\msadco.dll
+ 2009-06-09 20:23 . 2010-11-06 00:21 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-06-09 20:23 . 2010-09-10 05:49 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 184320 c:\windows\system32\dllcache\iepeers.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 184320 c:\windows\system32\dllcache\iepeers.dll
- 2010-06-10 19:33 . 2010-09-10 05:49 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2010-06-10 19:33 . 2010-11-06 00:21 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-02-02 19:38 . 2010-09-10 05:49 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-02-02 19:38 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-02-02 19:38 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
+ 2009-02-02 19:38 . 2010-10-28 13:13 290048 c:\windows\system32\atmfd.dll
+ 2011-02-02 15:36 . 2011-02-02 15:36 228352 c:\windows\Installer\247499.msi
+ 2011-02-01 17:28 . 2010-09-10 05:49 916480 c:\windows\ie8updates\KB2416400-IE8\wininet.dll
+ 2011-02-01 17:28 . 2010-07-05 13:20 402296 c:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll
+ 2011-02-01 17:28 . 2010-02-22 14:27 233848 c:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe
+ 2011-02-01 17:28 . 2010-09-10 05:49 206848 c:\windows\ie8updates\KB2416400-IE8\occache.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 611840 c:\windows\ie8updates\KB2416400-IE8\mstime.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 602112 c:\windows\ie8updates\KB2416400-IE8\msfeeds.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 247808 c:\windows\ie8updates\KB2416400-IE8\ieproxy.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 184320 c:\windows\ie8updates\KB2416400-IE8\iepeers.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 743424 c:\windows\ie8updates\KB2416400-IE8\iedvtool.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 387584 c:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll
+ 2011-02-01 17:28 . 2010-08-26 12:22 173056 c:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe
+ 2008-07-29 07:05 . 2008-07-29 07:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2009-02-02 19:39 . 2010-10-26 14:05 1853312 c:\windows\system32\win32k.sys
- 2009-02-02 19:39 . 2010-09-10 05:49 1210880 c:\windows\system32\urlmon.dll
+ 2009-02-02 19:39 . 2010-11-06 00:21 1210880 c:\windows\system32\urlmon.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 5959168 c:\windows\system32\mshtml.dll
+ 2009-03-08 02:32 . 2010-11-06 00:21 1991680 c:\windows\system32\iertutil.dll
+ 2009-02-02 19:39 . 2010-10-26 14:05 1853312 c:\windows\system32\dllcache\win32k.sys
- 2009-02-02 19:39 . 2010-09-10 05:49 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2009-02-02 19:39 . 2010-11-06 00:21 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2009-02-02 19:38 . 2010-11-06 00:21 5959168 c:\windows\system32\dllcache\mshtml.dll
+ 2009-06-09 20:23 . 2010-11-06 00:21 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2011-02-02 16:40 . 2011-02-02 16:40 3293696 c:\windows\Installer\97f9f.msi
+ 2011-02-01 17:28 . 2010-09-10 05:49 1210880 c:\windows\ie8updates\KB2416400-IE8\urlmon.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 5957120 c:\windows\ie8updates\KB2416400-IE8\mshtml.dll
+ 2011-02-01 17:28 . 2010-09-10 05:49 1986560 c:\windows\ie8updates\KB2416400-IE8\iertutil.dll
+ 2009-04-28 13:14 . 2011-01-04 16:20 37403080 c:\windows\system32\MRT.exe
+ 2009-03-08 02:39 . 2010-11-06 00:21 11080704 c:\windows\system32\ieframe.dll
+ 2009-06-09 20:23 . 2010-11-06 00:21 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2011-02-01 17:26 . 2011-02-01 17:26 20304384 c:\windows\Installer\c5ddf.msp
+ 2011-02-02 15:51 . 2011-02-02 15:51 28120576 c:\windows\Installer\97a54.msi
+ 2011-02-01 17:28 . 2010-09-10 05:49 11080192 c:\windows\ie8updates\KB2416400-IE8\ieframe.dll
.
-- Snapshot per reimpostare la data corrente --
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-09-07 16:14 152160 ----a-w- c:\programmi\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0\bin\jusched.exe" [2009-02-02 36972]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\programmi\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\programmi\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\programmi\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\programmi\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]
"avast5"="c:\programmi\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"COMODO Internet Security"="c:\programmi\COMODO\COMODO Internet Security\cfp.exe" [2011-01-17 2548552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [02/02/2011 15.32.32 340048]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [02/02/2011 15.32.33 165584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [06/01/2011 17.37.02 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [06/01/2011 17.37.04 27576]
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Emi\IMPOST~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [02/02/2011 15.32.33 17744]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [02/02/2009 13.02.58 4300]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [14/01/2008 19.01.02 30208]
R3 hspabus;SAMSUNG HSPA USB Composite Device driver (WDM);c:\windows\system32\drivers\hspabus.sys [02/02/2009 13.07.56 91776]
R3 hspamdfl;SAMSUNG HSPA Modem Filter;c:\windows\system32\drivers\hspamdfl.sys [02/02/2009 13.07.56 14976]
R3 hspamdm;SAMSUNG HSPA Modem Drivers;c:\windows\system32\drivers\hspamdm.sys [02/02/2009 13.07.56 119808]
R3 hspaserd;SAMSUNG HSPA Modem Diagnostic Serial Port (WDM);c:\windows\system32\drivers\hspaserd.sys [02/02/2009 13.07.56 98560]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [02/02/2009 13.07.09 238464]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - CMDAGENT
*NewlyCreated* - CMDGUARD
*NewlyCreated* - CMDHLP
*NewlyCreated* - INSPECT
.
Contenuto della cartella 'Scheduled Tasks'

2011-02-02 c:\windows\Tasks\User_Feed_Synchronization-{0A761CC7-6A10-4D3E-8A02-6E63CD970BFF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.facebook.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-02 18:23
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(1508)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2011-02-02 18:33:19
ComboFix-quarantined-files.txt 2011-02-02 17:33
ComboFix2.txt 2011-01-28 09:07

Pre-Run: 62.982.193.152 byte disponibili
Post-Run: 63.202.217.984 byte disponibili

- - End Of File - - F73097D237282077B435899A562A43B3


e hijackthis (versione presa dal vostro sito quindi credo sia la piu recente)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17.55.16, on 02/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe
C:\Programmi\Alwil Software\Avast5\avastUI.exe
C:\Programmi\COMODO\COMODO Internet Security\cfp.exe
C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Emi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EDS] C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Programmi\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Programmi\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [avast5] "C:\Programmi\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Programmi\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - http://static.ak.facebook.com/fbplugin/ ... 1193264765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8351545484
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Programmi\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Programmi\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 6504 bytes


poi ho usato il programmino per vedere il blue screen (he ultimamente non si è presentato) e non ci capisco molto ma l'unica cosa che mi mostra è questa

==================================================
Dump File : Mini020111-01.dmp
Crash Time : 01/02/2011 18.07.32
Bug Check String : PNP_DETECTED_FATAL_ERROR
Bug Check Code : 0x000000ca
Parameter 1 : 0x00000004
Parameter 2 : 0x84c396d0
Parameter 3 : 0x00000000
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+606ba
File Description : Sistema e kernel NT
Product Name : Sistema operativo Microsoft® Windows®
Company : Microsoft Corporation
File Version : 5.1.2600.5973 (xpsp_sp3_gdr.100427-1636)
Processor : 32-bit
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini020111-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 2600
Dump File Size : 90.112
==================================================


==================================================
Filename : ntoskrnl.exe
Address In Stack : ntoskrnl.exe+2ec78
From Address : 0x804d7000
To Address : 0x80700000
Size : 0x00229000
Time Stamp : 0x4bd6eda6
Time String : 27/04/2010 14.59.02
Product Name : Sistema operativo Microsoft® Windows®
File Description : Sistema e kernel NT
File Version : 5.1.2600.5973 (xpsp_sp3_gdr.100427-1636)
Company : Microsoft Corporation
Full Path : C:\WINDOWS\system32\ntoskrnl.exe
==================================================



Riguardo la domanda del perché il pc fosse ridotto così veramente non saprei darvi una risposta...a me i pc li portano per pulirli e speso chiedo a voi perché siete gli esperti numeri uno su questo campo...grazie a voi salvo sempre dei pc dall'oblio eheheh [crylol] [crylol]
Avatar utente
Spaccy
Aficionado
Aficionado
 
Messaggi: 121
Iscritto il: ven feb 01, 2008 5:15 pm
Località: Roma

Re: Problema pc infestato

Messaggioda hashcat » mer feb 02, 2011 9:13 pm

Spaccy ha scritto:allora, rieccomi...sto seguendo tutti i vostri consigli alla lettera (spero di non essermi perso nulla)
Ho installato intanto AVAST 5 come antivirus e COMODO come firewall (molto bello non lo conoscevo grazie)
ho copiato quei script su avenger e sembra ok!


Ho guardato il log di hijackthis e quello di combofix velocemente, ma non mi è sembrato di vedere alcuna traccia di infezione [^] . Per quanto riguarda la schermata blu se è successo una sola volta non ti preoccupare, comunque domani ti dirò meglio quindi non abbandonare ancora la discussione. Potresti ricapitolarmi velocemente la tua configurazione di sicurezza?

(Antivirus: Avast, Firewall: Comodo, Filtro web: wot ?? ClearCloud??, panda cloud??)

[grazie]
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Re: Problema pc infestato

Messaggioda Spaccy » gio feb 03, 2011 9:01 am

Si allora AVAST ; COMODO sicuri... per il filtro ancora non ho scelto perché lascerò che sia mio fratello a farlo visto che è il pc del figlio xDDD lol
Grazie per la pazienza tengo d'occhio la discussione ;)
Avatar utente
Spaccy
Aficionado
Aficionado
 
Messaggi: 121
Iscritto il: ven feb 01, 2008 5:15 pm
Località: Roma

Re: Problema pc infestato

Messaggioda hashcat » gio feb 03, 2011 3:28 pm

Spaccy ha scritto:Si allora AVAST ; COMODO sicuri... per il filtro ancora non ho scelto perché lascerò che sia mio fratello a farlo visto che è il pc del figlio xDDD lol
Grazie per la pazienza tengo d'occhio la discussione ;)


[^]
Ok, l'importante e che ora è tutto a posto, tiene presente che wot è preventivo, classifica i risultati di ricerca prima di aprire un sito, ClearCloud blocca solo ma sono entrambi molto efficienti e soprattutto non rallentano minimamente il computer.


Un consiglio che mi sento di darti e di suggerire a tuo fratello e a suo figlio di cambiare le password degli account importanti, account di posta, account Facebook, paypal eccetera, poiché in seguito alle infezioni alcuni virus potrebbero aver acquisito le password di alcuni di questi account.

Se persiste qualche problema noi siamo qui [sh]
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
Avatar utente
hashcat
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 2285
Iscritto il: lun ott 25, 2010 1:26 pm

Prossimo

Torna a Sicurezza

Chi c’è in linea

Visitano il forum: Nessuno e 5 ospiti

cron
Powered by phpBB © 2002, 2005, 2007, 2008 phpBB Group
Traduzione Italiana phpBB.it

megalab.it: testata telematica quotidiana registrata al Tribunale di Cosenza n. 22/09 del 13.08.2009, editore Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa Tutti i diritti sono riservati. Per la pubblicità: Master Advertising