www.MegaLab.it

da **marchetto89** » sab feb 18, 2012 10:21 am

Salve,
da una settimana circa ho notato dei rallentamenti notevoli al pc dovuti al file avp.exe.
cosa posso fare?
Grazie in anticipo

da **The Doctor** » sab feb 18, 2012 10:42 am

Posta un log di hijackthis

da **marchetto89** » sab feb 18, 2012 11:15 am

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10.09.10, on 18/02/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Programmi\File comuni\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\IObit\Advanced SystemCare 5\ASCTray.exe
C:\PROGRAMMI\MESSENGER\MSMSGS.EXE
C:\Documents and Settings\Mark\Impostazioni locali\Dati applicazioni\Akamai\netsession_win.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE
C:\Documents and Settings\Mark\Impostazioni locali\Dati applicazioni\Akamai\netsession_win.exe
C:\Programmi\USRobotics\Wireless PCI Manager\USR54G.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\All Users\Documenti\AppData\PoApp\PService.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtblfs.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark\Impostazioni locali\Temporary Internet Files\Content.IE5\NWK5CJO3\HijackThis[1].exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local;127.0.0.1:9421
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 74.208.10.249 gs.apple.com
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmi\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Programmi\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - (no file)
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Programmi\Microsoft\BingBar\BingExt.dll" (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe"
O4 - HKLM\..\Run: [PosService] C:\Documents and Settings\All Users\Documenti\AppData\PoApp\PLauncher.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus D92 Series (Copia 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_S91.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Advanced SystemCare 5] "C:\Programmi\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAMMI\MESSENGER\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Mark\Impostazioni locali\Dati applicazioni\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_SBC.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: USRobotics Wireless PCI Adapter.lnk = C:\Programmi\USRobotics\Wireless PCI Manager\USR54G.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\Mark\Dati applicazioni\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O9 - Extra button: Statistiche sulla protezione del traffico Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.print.photocity.it/InvioFoto ... oader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6657151546
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/ph ... NPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{936DD211-FA99-4B79-A849-16C6A91AD49B}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{936DD211-FA99-4B79-A849-16C6A91AD49B}: NameServer = 176.31.229.24,176.31.229.25
O17 - HKLM\System\CS2\Services\Tcpip\..\{936DD211-FA99-4B79-A849-16C6A91AD49B}: NameServer = 176.31.229.24,176.31.229.25
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~3\mzvkbd3.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Servizio Kaspersky Anti-Virus (AVP) - Kaspersky Lab ZAO - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Network WanMiniport First Position - Unknown owner - C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pos Service (PowerOffer Service) - PowerOfferService - C:\Documents and Settings\Mark\Impostazioni locali\Dati applicazioni\PosService\Pos.exe
O23 - Service: ServiceLayer - Nokia - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Serv Updater (ServUpdater) - ServiceUpd - C:\Documents and Settings\Mark\Impostazioni locali\Dati applicazioni\ServUpdater\ServiceUpd.exe

--
End of file - 11811 bytes

da **marchetto89** » gio mar 01, 2012 8:30 pm

Qualcuno sa se c'è qualcosa che non va? Perché continua a peggiorare

da **eugenio19911** » gio mar 01, 2012 10:05 pm

hai parecchie toolbar.
questa da fixare:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - (no file) (questa è un altra toolbar ma non molto raccomandabile)
facoltativo:
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Programmi\Microsoft\BingBar\BingExt.dll" (file missing)
puoi caricare su virustotal questi 2 oggetti:
C:\Documents and Settings\Mark\Impostazioni locali\Dati applicazioni\Akamai\netsession_win.exe
C:\Documents and Settings\Mark\Impostazioni locali\Dati applicazioni\ServUpdater\ServiceUpd.exe

da **cippico** » ven mar 02, 2012 1:43 pm

se non sbaglio avp.exe e´ l´ eseguibile di kaspersky antivirus...

controlla che sia aggiornato
controlla che non sia configurato in modo di autoaggiornarsi
controlla che le firme siano aggiornate

forse qualcosa non sta funzionando bene...

ciaooo

da **tecnico24** » ven mar 02, 2012 11:41 pm

Il pc è infetto da ServUpdate e PowerOffice.

Non basta fixare la voce in Hijackthis, in quanto il servizio si rigenera.

Aggiorna Internet Explorer alla versione 9.
Aggiorna Java all'ultima versione

Scarica combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

● Scarica combofix dal link postato e salvalo sul desktop
● Disattiva l'antivirus , il firewall e la connessione
● Doppio click su Combofix.exe per avviarlo (Rifiutare la console di ripristino)
Aspettare che combofix faccio il suo lavoro ed al termine (dopo il riavvio) invia il report delle operazioni.

Avp.exe fa parte di Kaspersky.
Posta la tua configurazione hardware
L'ultima versione è molto pesante.

da **marchetto89** » lun mar 05, 2012 12:29 pm

Per eugenio19911 fatto tutto quello che mi hai consigliato
Per cippico kaspersky è aggiornato ma purtroppo avp.exe continua a occupare dal 50 al 90% della CPU
per tecnico24 ho aggiornato java, ie non posso perché ho XP e ho usato combofix.exe ma non è cambiato nulla...

da **eugenio19911** » lun mar 05, 2012 12:34 pm

fai queste altre 2 cose:
http://www.surfright.nl/en/downloads/
se non trovasse nulla il precedente scarica malwarebyrte's:
http://www.filehippo.com/download_malwa ... c877f6df1/
aggiornalo ed esegui una scansione completa

da **tecnico24** » lun mar 05, 2012 2:40 pm

Serve il log di combofix , da lì effettuiamo lo script per eliminare l'infezione.

da **marchetto89** » mar mar 06, 2012 11:48 am

Ecco il Log di Combofix

ComboFix 12-03-03.02 - Mark 04/03/2012 12.41.46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1983.1360 [GMT 1:00]
Eseguito da: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dati applicazioni\TEMP
c:\documents and settings\Mark\Dati applicazioni\OfferBox
c:\documents and settings\Mark\Dati applicazioni\OfferBox\config.dat
c:\documents and settings\Mark\Dati applicazioni\OfferBox\config.xml
c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\wfpfp.dat
c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\wfpfp_nav.dat
c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\wfpfp_navps.dat
c:\programmi\Internet Explorer\SETAB7.tmp
c:\programmi\Internet Explorer\SETAB8.tmp
c:\programmi\OfferBox
c:\programmi\OfferBox\OfferBoxBHO.dll
c:\programmi\Windows Searchqu Toolbar
c:\windows\_000009_.tmp.dll
c:\windows\_000016_.tmp.dll
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\_000014_.tmp.dll
c:\windows\system32\_000015_.tmp.dll
c:\windows\system32\_000016_.tmp.dll
c:\windows\system32\_000017_.tmp.dll
c:\windows\system32\_000018_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\_000020_.tmp.dll
c:\windows\system32\_000021_.tmp.dll
c:\windows\system32\_000022_.tmp.dll
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\SET1185.tmp
c:\windows\system32\SET118A.tmp
c:\windows\system32\SET1192.tmp
c:\windows\system32\SET1193.tmp
c:\windows\system32\SET1194.tmp
c:\windows\system32\SET1199.tmp
c:\windows\system32\SET1BC.tmp
c:\windows\system32\SET1C5.tmp
c:\windows\system32\SET1CC.tmp
c:\windows\system32\SET1D2.tmp
c:\windows\system32\SET229.tmp
c:\windows\system32\SET2A6.tmp
c:\windows\system32\SET2A7.tmp
c:\windows\system32\SET2C8.tmp
c:\windows\system32\SET359.tmp
c:\windows\system32\SET3CD.tmp
c:\windows\system32\SET3CE.tmp
c:\windows\system32\SET3CF.tmp
c:\windows\system32\SET5F0.tmp
c:\windows\system32\SET5FD.tmp
c:\windows\system32\SET69D.tmp
c:\windows\system32\SET69E.tmp
c:\windows\system32\SET6A4.tmp
c:\windows\system32\SET6AD.tmp
c:\windows\system32\SET710.tmp
c:\windows\system32\SET718.tmp
c:\windows\system32\SET748.tmp
c:\windows\system32\SET77B.tmp
c:\windows\system32\SET77F.tmp
c:\windows\system32\SET8EB.tmp
c:\windows\system32\SET95.tmp
c:\windows\system32\SET96.tmp
c:\windows\system32\SET97.tmp
c:\windows\system32\SETAA6.tmp
c:\windows\system32\SETAA7.tmp
c:\windows\system32\SETAA8.tmp
c:\windows\system32\SETAAC.tmp
c:\windows\system32\SETAAD.tmp
c:\windows\system32\SETAAE.tmp
c:\windows\system32\SETAB2.tmp
c:\windows\system32\SETAB3.tmp
c:\windows\system32\SETAB4.tmp
c:\windows\system32\SETB51.tmp
c:\windows\system32\SETB97.tmp
c:\windows\system32\SETB9C.tmp
c:\windows\system32\SETB9D.tmp
c:\windows\system32\SETB9F.tmp
c:\windows\system32\SETBC2.tmp
c:\windows\system32\SETCD7.tmp
c:\windows\system32\SETCE0.tmp
c:\windows\system32\SETCE1.tmp
c:\windows\system32\SETCEB.tmp
c:\windows\system32\SETCFD.tmp
c:\windows\system32\SETD05.tmp
c:\windows\system32\SETD06.tmp
c:\windows\system32\SETEFA.tmp
c:\windows\system32\SETF07.tmp
c:\windows\system32\SETF13.tmp
c:\windows\system32\SETF48.tmp
c:\windows\system32\SETF49.tmp
c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.exe
D:\install.exe
.
.
((((((((((((((((((((((((( Files Creati Da 2012-02-04 al 2012-03-04 )))))))))))))))))))))))))))))))))))
.
.
2012-03-04 09:18 . 2010-05-07 10:37 109240 ----a-w- c:\programmi\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru\components\abhelperxpcom.dll
2012-03-03 09:34 . 2012-03-04 09:00 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2012-03-03 09:34 . 2012-03-03 11:44 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2012-02-19 09:41 . 2012-02-19 09:42 -------- d-----w- c:\programmi\Nemo PDF To Word
2012-02-15 20:01 . 2012-02-15 20:01 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-02-15 20:01 . 2005-12-23 16:36 469216 ----a-w- c:\windows\system32\drivers\USRPCI.sys
2012-02-15 20:00 . 2012-02-15 20:00 1409 ----a-w- c:\windows\system32\tmp7630B.FOT
2012-02-15 20:00 . 2012-02-15 20:00 1409 ----a-w- c:\windows\system32\tmp3140B.FOT
2012-02-15 20:00 . 2012-02-15 20:00 1409 ----a-w- c:\windows\system32\tmp1740B.FOT
2012-02-06 11:13 . 2012-02-06 11:13 -------- d-----w- C:\s5ls
2012-02-06 11:12 . 2012-02-06 11:12 -------- d-----w- c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\libimobiledevice
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-20 09:39 . 2011-05-23 09:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-30 16:03 . 2011-11-27 11:53 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-04-14 16:53 . 2011-06-05 11:11 142296 ----a-w- c:\programmi\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 5"="c:\programmi\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-29 620376]
"Akamai NetSession Interface"="c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\Akamai\netsession_win.exe" [2012-02-02 3329824]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-05-07 344736]
"PosService"="c:\documents and settings\All Users\Documenti\AppData\PoApp\PLauncher.exe" [2011-12-03 218624]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\Mark\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
USRobotics Wireless PCI Adapter.lnk - c:\programmi\USRobotics\Wireless PCI Manager\USR54G.exe [2006-4-14 667648]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Air Mouse.lnk]
backup=c:\windows\pss\Air Mouse.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Menu Avvio^Programmi^Esecuzione automatica^Ritaglio schermata e avvio di OneNote 2007.lnk]
backup=c:\windows\pss\Ritaglio schermata e avvio di OneNote 2007.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2012-02-02 01:44 3329824 ----a-w- c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AliceRE_McciTrayApp]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 10:48 58656 ----a-w- c:\programmi\File comuni\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-01 22:25 59240 ----a-w- c:\programmi\File comuni\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GM4IE]
2006-07-23 08:32 61440 ----a-w- c:\programmi\SocialPlus\gm4ie.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-06 18:16 136176 ----atw- c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 00:36 421736 ----a-w- c:\programmi\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2006-04-21 13:41 438359 ------w- c:\progra~1\ALICET~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 17:14 1695232 ------w- c:\programmi\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PosService]
2011-12-03 10:04 218624 ----a-w- c:\documents and settings\All Users\Documenti\AppData\PoApp\PLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 16:36 421888 ----a-w- c:\programmi\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-02-18 09:47 79192 ----a-w- c:\programmi\File comuni\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-26 11:35 39408 ----a-w- c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BBUpdate"=2 (0x2)
"BBSvc"=2 (0x2)
"AdvancedSystemCareService5"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Dati applicazioni\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Italian\\setup.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\eMule\\LinkCreator.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R?2 ServUpdater;Serv Updater;c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\ServUpdater\ServiceUpd.exe [27/11/2011 16.15.59 156160]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 17.29.38 36880]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [13/04/2008 18.14.22 14336]
R2 Network WanMiniport First Position;Network WanMiniport First Position;c:\programmi\Telecom Italia\WanMiniport1st\srvany.exe [22/08/2009 12.27.16 8192]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 13.42.46 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 18.39.44 19472]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [21/04/2004 16.51.00 16384]
S1 kl2;Kl2;c:\windows\system32\drivers\kl2.sys [06/05/2010 23.19.06 132184]
S2 PowerOffer Service;Pos Service;c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\PosService\Pos.exe [27/11/2011 16.15.46 164864]
S3 CA500AI;GSmart Mini Still Image Capture;c:\windows\system32\drivers\BULK2NM.sys [19/03/2009 14.57.25 11117]
S3 CA500AV;GSmart Mini WDM Video Capture;c:\windows\system32\drivers\ca500av.SYS [19/03/2009 14.56.27 492619]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys -->

c:\windows\system32\drivers\nmwcdnsu.sys [?]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys -->

c:\windows\system32\drivers\nmwcdnsuc.sys [?]

S3 USRPCI;USRobotics Wireless PCI Adapter Service;c:\windows\system32\drivers\USRPCI.sys [15/02/2012 21.01.02 469216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [13/04/2008 18.14.22 14336]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\programmi\IObit\Advanced SystemCare 5\ASCService.exe [27/11/2011 12.07.38 497496]
S4 BBSvc;Bing Bar Update Service;c:\programmi\Microsoft\BingBar\BBSvc.EXE [21/10/2011 15.23.42 196176]
S4 BBUpdate;BBUpdate;c:\programmi\Microsoft\BingBar\SeaPort.EXE [13/10/2011 17.21.52 249648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
WINRM REG_MULTI_SZ WINRM
.
Contenuto della cartella 'Scheduled Tasks'
.
2011-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:57]
.
2012-02-29 c:\windows\Tasks\ASC5_AutoUpdate.job
- c:\programmi\IObit\Advanced SystemCare 5\AutoUpdate.exe [2011-11-27 17:19]
.
2012-03-04 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-26 10:01]
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2025429265-1417001333-1004Core.job
- c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-07-04 18:16]
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2025429265-1417001333-1004UA.job
- c:\documents and settings\Mark\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-07-04 18:16]
.
2012-03-04 c:\windows\Tasks\User_Feed_Synchronization-{AE1684AE-7354-40AF-9642-0C6FDD22AFD1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.igoogle.it/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local;127.0.0.1:9421
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Mark\Dati applicazioni\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: Interfaces\{936DD211-FA99-4B79-A849-16C6A91AD49B}: NameServer = 176.31.229.24,176.31.229.25
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Mark\Dati applicazioni\Mozilla\Firefox\Profiles\6gggeeg7.default\
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&app ... 10&sr=0&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
Toolbar-10 - (no file)
AddRemove-Artistic Effects by Lokas Software - c:\windows\AWuninstall.exe Software\Lokas Ltd\Artistic Effects
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-04 13:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\programmi\file comuni\akamai/netsession_win_7de0ed9.dll"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_USERS\S-1-5-21-1214440339-2025429265-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B5920541-4255-F6FC-5EA7-34FDB5C823CF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iacenagniaiejfebmi"=hex:6b,61,61,68,61,63,68,65,6a,6d,6d,6b,70,66,6a,67,67,65,
67,70,66,70,00,00
"hamdpbnnlpcfcpfb"=hex:6b,61,70,67,69,63,70,6d,6b,62,63,64,69,6d,62,63,62,66,
69,6e,63,6f,00,7e
"gadeefjbgaijjh"=hex:61,63,64,67,69,64,65,62,6f,67,65,61,6a,67,69,6c,6a,70,68,
6d,61,6e,67,62,6e,6a,69,67,6d,6f,69,61,66,65,67,66,67,63,6d,67,68,61,6e,6e,\
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\programmi\File comuni\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(3156)
c:\windows\system32\WININET.dll
c:\programmi\iTunes\iTunesMiniPlayer.dll
c:\programmi\iTunes\iTunesMiniPlayer.Resources\it.lproj\iTunesMiniPlayerLocalized.dll
c:\programmi\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programmi\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\acs.exe
c:\programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2012-03-04 13:07:00 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2012-03-04 12:06
.
Pre-Run: 39.263.191.040 byte disponibili
Post-Run: 39.541.997.568 byte disponibili
.
- - End Of File - - E7354A2A1BC44CAE24921DE87CF23C3B

da **tecnico24** » mar mar 06, 2012 4:18 pm

Ciao ,
scarica il file CFScript.txt che ti ho allegato su wikisend qui in basso e posizionalo sul desktop.
Adesso trascina il file sull'icona di combofix a forma di leone.

Al riavvio posta il risultato delle operazioni , cioè il nuovo log.

http://wikisend.com/download/584020/CFScript.txt

da **marchetto89** » gio mar 08, 2012 12:04 pm

Ciao tecnico24,
siccome il log era troppo lungo l'ho messo qui
http://wikisend.com/download/404698/log.txt
Grazie dell'aiuto

da **tecnico24** » ven mar 09, 2012 6:53 pm

Il computer è pulito.
Elimina queste voci in Hijackthis per velocizzare l'avvio:

Codice: Seleziona tutto: O4 - HKCU\..\Run: [EPSON Stylus D92 Series (Copia 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_S91.tmp" /EF "HKCU" O4 - HKCU\..\Run: [Advanced SystemCare 5] "C:\Programmi\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAMMI\MESSENGER\MSMSGS.EXE" /background O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Mark\Impostazioni locali\Dati applicazioni\Akamai\netsession_win.exe" O4 - HKCU\..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_SBC.tmp" /EF "HKCU"

da **marchetto89** » sab mar 10, 2012 10:26 am

Grazie, Grazie a tutti voi che mi avete aiutato...
Adesso il pc va sicuramente meglio e soprattutto è pulito. ;)

www.MegaLab.it

Problema con avp.exe

Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Re: Problema con avp.exe

Chi c’è in linea