Vdibej..virus..??..



p060477
01-08-10, 11:36
hi

..I just noticed, with CCleaner, that this appeared in the startup programs:

HKCU:Run Vdibej rundll32.exe "C:\WINDOWS\putlmi.dll",Startup

and also:

HKLM:Run awkqzcmhekpkaql C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\pavqlaormpxlux.dll"

I never downloaded them..

also, Antivir apparently finds trojans in c\doc settings\admin\impostazioni locali\temp..they are either svchost.exe files..or files with odd names like 6.exe or 1.exe..

I tried going into the Windows registry and deleting the keys in hk current user software microsoft windows current version run..but they get recreated..
..even if I use RegSeeker to delete them..they get recreated..

here is the HijackThis log..would you help me..??!!

thanks in advance!!

luca

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11.29.20, on 01/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ADMINI~2\IMPOST~1\Temp\svchost.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programmi\isposure\IsposureAgent.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\Programmi\isposure\IsposureAgent.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Windows Live\Toolbar\wltuser.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Programmi\CCleaner\CCleaner.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\PROCESS EXPLORER\procexp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: cashtitan browser enhancer - {3B8080AF-C70B-C997-CBDA-04D275B43B91} - C:\WINDOWS\system32\pavqlaormpxlux.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programmi\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [DW6] "C:\Programmi\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Programmi\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Programmi\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\Run: [Vdibej] rundll32.exe "C:\WINDOWS\putlmi.dll",Startup
O8 - Extra context menu item: &Download by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1235630691343
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://www.telepace.it/scripts/sopcore.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O21 - SSODL: PSFactoryBuffer - {38c8f34e-2cc7-4b04-9b75-1a35043970f8} - C:\Programmi\File comuni\PSFactoryBuffer\PSFactoryBuffer.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: IsposureAgent (isposure_svc) - Epitiro Ltd. - C:\Programmi\isposure\IsposureAgent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Programmi\Nitro PDF\Professional\NitroPDFDriverService.exe
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Programmi\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe

--
End of file - 7915 bytes
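As an added example (not code from the original post, nor from HijackThis, CCleaner or ComboFix), this Python script encodes the reasons a responder flags the entries in the log above: rundll32/regsvr32 proxy-loading a randomly named DLL, a BHO that shares that DLL, and an svchost.exe running from the user's Temp folder. The sample lines are copied from the posted log; the point values and threshold are assumptions of mine, not a vendor's verdicts.

```python
"""Triage heuristics for the autorun, BHO and process lines quoted in this thread. Added
example, not code from the original post or any tool named in it; scores are my own."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional
# Sample input constructed from the posted log (the HKLM entry is recast from CCleaner to O4 form).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKCU\..\Run: [uTorrent] "C:\Programmi\uTorrent\uTorrent.exe"',
    r'O4 - HKCU\..\Run: [Vdibej] rundll32.exe "C:\WINDOWS\putlmi.dll",Startup',
    r'O4 - HKLM\..\Run: [awkqzcmhekpkaql] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\pavqlaormpxlux.dll"',
    r'O2 - BHO: cashtitan browser enhancer - {3B8080AF-C70B-C997-CBDA-04D275B43B91} - C:\WINDOWS\system32\pavqlaormpxlux.dll',
    r'O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll',
    r'C:\DOCUME~1\ADMINI~2\IMPOST~1\Temp\svchost.exe',
    r'C:\WINDOWS\system32\svchost.exe',
]
LOLBINS = {"rundll32.exe", "regsvr32.exe"}  # signed Windows binaries that proxy-load a DLL
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
O2_RE = re.compile(r'^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$')
LAUNCHER_RE = re.compile(r'^"([^"]+)"|^(\S+)')
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)

@dataclass
class Finding:
    subject: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    dll: Optional[str] = None

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

def looks_random(name: str) -> bool:
    """Weak lexical signal: 6+ letters, no digits or internal capitals, at most one vowel in
    three. Legitimate names trip it too (wltcore), so on its own it is worth a single point."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalpha() or any(c.isupper() for c in stem[1:]):
        return False
    return 3 * sum(c in "aeiou" for c in stem.lower()) <= len(stem)

def triage_autorun(line: str) -> Optional[Finding]:
    """Score one HijackThis O4 (Run key) line."""
    if not (m := O4_RE.match(line)):
        return None
    hive, value_name, command = m.groups()
    f = Finding(f"{hive} Run [{value_name}]")
    launcher = LAUNCHER_RE.match(command.strip())
    exe = PureWindowsPath(launcher.group(1) or launcher.group(2)).name.lower() if launcher else ""
    if exe in LOLBINS:
        f.add(2, f"DLL proxied through {exe}")
    if exe == "regsvr32.exe" and "/s" in command.replace('"', " ").split():
        f.add(1, "silent registration (/s)")
    if dll := DLL_RE.search(command):
        path = PureWindowsPath(dll.group(1) or dll.group(2))
        f.dll = str(path).lower()
        if str(path.parent).lower() == r"c:\windows":
            f.add(2, "DLL dropped directly into the Windows directory")
        if looks_random(path.name):
            f.add(1, f"random-looking DLL name {path.name}")
    if looks_random(value_name):
        f.add(1, f"random-looking value name {value_name}")
    return f

def triage_bho(line: str, flagged_dlls: set) -> Optional[Finding]:
    """Score one O2 (BHO) line; sharing a DLL with a flagged autorun is the strongest signal."""
    if not (m := O2_RE.match(line)):
        return None
    name, path = m.groups()
    path = PureWindowsPath(path.strip())
    f = Finding(f"BHO {name}", dll=str(path).lower())
    if f.dll in flagged_dlls:
        f.add(3, "same DLL as a flagged autorun entry")
    if looks_random(path.name):
        f.add(1, f"random-looking DLL name {path.name}")
    return f

def triage_process(path_str: str) -> Finding:
    """Score one 'Running processes' path: core system name outside System32, or run from Temp."""
    path = PureWindowsPath(path_str)
    f = Finding(path_str)
    if path.name.lower() in SYSTEM_NAMES and str(path.parent).lower() not in SYSTEM_DIRS:
        f.add(3, f"{path.name} running outside the Windows directories")
    if any(part.lower() == "temp" for part in path.parts):
        f.add(2, "executing from a Temp folder")
    return f

def triage(lines: List[str], threshold: int = 3) -> List[Finding]:
    """Autoruns first (so BHOs can be correlated against them), then BHOs and processes."""
    findings = [f for f in map(triage_autorun, lines) if f]
    flagged = {f.dll for f in findings if f.dll and f.score >= threshold}
    for line in lines:
        f = triage_bho(line, flagged) if line.startswith("O2 ") else (
            triage_process(line) if re.match(r"^[A-Za-z]:\\", line) else None)
        if f:
            findings.append(f)
    return [f for f in findings if f.score >= threshold]
```

Running `triage(SAMPLE_LINES)` returns exactly the four entries the thread is about (the two Run values, the cashtitan BHO and the Temp svchost.exe) and nothing for Avira, uTorrent, the Java BHO or the System32 svchost.exe.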

Armandillo
01-08-10, 11:54

I'm not able to read it, but you could upload it here (http://www.hijackthis.de/index.php?langselect=italian) for a scan

p060477
01-08-10, 14:45
hi!

..I ran ComboFix..here's the log..:

ComboFix 10-07-31.04 - Administrator 01/08/2010 14.50.32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1437 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0012EE0C-E2C8-7C98-30EE-120028EE1200}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0012EE1C-EE8C-0012-58EF-120000000000}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Dati applicazioni\chrtmp
c:\windows\system32\pavqlaormpxlux.dll
c:\windows\Tasks\Acrobat Update.job

.
((((((((((((((((((((((((( Files Creati Da 2010-07-01 al 2010-08-01 )))))))))))))))))))))))))))))))))))
.

2010-08-01 09:28 . 2010-08-01 09:28 388096 ----a-r- c:\documents and settings\Administrator\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-31 15:21 . 2010-07-31 15:21 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Restore
2010-07-31 15:21 . 2010-08-01 08:48 584704 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\WMR.exe
2010-07-31 15:21 . 2010-07-31 15:21 -------- d-----w- c:\programmi\Xenocode
2010-07-31 15:21 . 2010-07-31 15:21 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Xenocode
2010-07-31 14:53 . 2010-07-31 15:35 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\vlc
2010-07-21 14:49 . 2010-07-21 14:50 -------- d-----w- C:\svabi
2010-07-21 14:47 . 2010-07-21 14:48 -------- d-----w- C:\RTE-NE40
2010-07-17 20:21 . 2010-07-17 20:21 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\ProgSense
2010-07-13 18:14 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 17:13 . 2010-07-11 06:29 -------- d-----w- c:\programmi\Notepad++
2010-07-10 17:13 . 2010-07-10 17:14 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Notepad++
2010-07-10 15:07 . 2010-07-10 15:07 -------- d-----w- c:\programmi\XnView
2010-07-10 13:37 . 2010-07-10 13:37 -------- d-----w- c:\programmi\gs
2010-07-10 13:30 . 2010-07-10 15:07 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\XnView
2010-07-10 07:39 . 2010-07-10 07:39 503808 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5cc7ad2f-n\msvcp71.dll
2010-07-10 07:39 . 2010-07-10 07:39 499712 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5cc7ad2f-n\jmc.dll
2010-07-10 07:39 . 2010-07-10 07:39 348160 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5cc7ad2f-n\msvcr71.dll
2010-07-10 07:39 . 2010-07-10 07:39 61440 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-592dff5e-n\decora-sse.dll
2010-07-10 07:39 . 2010-07-10 07:39 12800 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-592dff5e-n\decora-d3d.dll
2010-07-10 07:37 . 2010-07-10 07:37 56765 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-10 07:37 . 2010-07-10 07:37 57715 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\Player\Uninstaller.exe
2010-07-10 07:36 . 2010-07-10 07:36 54153 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\DFXPlugin\Uninstaller.exe
2010-07-06 17:59 . 2010-07-06 17:59 -------- d-----w- C:\Diskeeper
2010-07-06 15:39 . 2010-07-06 15:39 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Diskeeper Corporation
2010-07-04 14:39 . 2010-07-04 14:39 49152 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-07-04 14:39 . 2010-07-04 14:39 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-07-04 14:39 . 2010-07-04 14:39 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-07-04 14:39 . 2010-07-04 14:39 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-07-04 14:39 . 2010-07-04 14:39 45056 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-07-04 14:39 . 2010-07-04 14:39 40960 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-07-04 14:39 . 2010-07-04 14:39 308808 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-07-04 14:39 . 2010-07-04 14:39 14848 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-07-04 14:38 . 2010-07-04 14:38 -------- d-----w- c:\programmi\File comuni\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 12:46 . 2008-01-17 16:38 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\uTorrent
2010-08-01 12:35 . 2009-12-25 09:10 -------- d-----w- c:\programmi\isposure
2010-07-31 22:01 . 2009-12-25 09:10 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Epitiro
2010-07-31 16:56 . 2008-01-16 17:55 -------- d-----w- c:\programmi\SpeedFan
2010-07-31 16:56 . 2008-01-20 16:52 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Media Player Classic
2010-07-31 09:41 . 2010-01-28 20:17 -------- d-----w- c:\windows\system32\config\systemprofile\Dati applicazioni\Nitro PDF
2010-07-30 15:14 . 2008-10-16 21:07 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Spyware Terminator
2010-07-30 15:09 . 2008-10-16 21:07 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spyware Terminator
2010-07-29 15:45 . 2008-06-08 16:22 -------- d-----w- c:\programmi\Orbitdownloader
2010-07-26 14:49 . 2008-01-16 19:02 -------- d-----w- c:\programmi\CCleaner
2010-07-25 16:03 . 2008-10-14 11:58 1 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-24 13:40 . 2008-01-17 16:46 -------- d-----w- c:\programmi\uTorrent
2010-07-21 18:56 . 2009-09-16 20:20 201081 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aeoffice.dll
2010-07-21 18:56 . 2009-09-16 20:20 385396 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aegen.dll
2010-07-20 19:36 . 2009-09-16 20:20 1364346 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aescript.dll
2010-07-20 19:36 . 2009-09-16 20:20 614772 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll
2010-07-20 19:36 . 2009-09-16 20:20 471414 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aepack.dll
2010-07-20 19:36 . 2009-09-16 20:20 2793846 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll
2010-07-20 19:35 . 2009-09-16 20:20 242039 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll
2010-07-20 19:35 . 2009-09-16 20:20 192887 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2010-07-18 16:11 . 2008-01-24 06:39 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\dvdcss
2010-07-17 20:37 . 2009-06-06 22:04 -------- d-----w- c:\programmi\Replay Media Catcher 3.02
2010-07-17 20:35 . 2008-10-17 10:09 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-07-17 20:35 . 2008-10-17 10:09 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-07-17 20:35 . 2008-10-17 10:09 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2010-07-17 20:35 . 2009-10-26 21:53 -------- d-----w- c:\programmi\Replay Media Catcher 3.01
2010-07-17 20:35 . 2009-10-26 22:54 -------- d-----w- c:\programmi\Replay Media Catcher 2.4
2010-07-17 20:27 . 2008-01-16 22:47 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Orbit
2010-07-17 20:21 . 2009-10-27 17:46 -------- d-----w- c:\programmi\Replay Media Catcher 3.03
2010-07-17 16:00 . 2010-03-15 14:58 -------- d-----w- c:\programmi\WMR14.1
2010-07-16 17:27 . 2009-11-24 19:09 -------- d-----w- c:\programmi\Recuva
2010-07-16 06:35 . 2008-04-07 13:14 -------- d-----w- c:\programmi\SIW
2010-07-16 06:31 . 2010-04-26 20:42 -------- d-----w- c:\programmi\Speccy
2010-07-10 07:39 . 2008-01-28 22:22 -------- d-----w- c:\programmi\File comuni\Java
2010-07-10 07:38 . 2010-04-15 19:35 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-10 07:37 . 2010-04-16 16:27 57344 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-10 07:37 . 2010-03-23 17:42 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\DivX
2010-07-10 07:37 . 2008-01-21 21:18 -------- d-----w- c:\programmi\DivX
2010-07-10 07:36 . 2010-04-16 16:26 144696 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-07-10 07:36 . 2010-03-23 17:44 1062184 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\Setup\Resource.dll
2010-07-08 15:59 . 2008-03-02 21:27 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2010-07-07 18:30 . 2010-03-23 17:44 895256 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\Setup\DivXSetup.exe
2010-07-06 14:16 . 2008-01-16 23:23 -------- d-----w- c:\programmi\Unlocker
2010-07-04 14:39 . 2010-02-19 22:57 341600 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-07-04 14:39 . 2008-01-18 22:25 -------- d-----w- c:\programmi\File comuni\Real
2010-07-04 14:38 . 2009-03-12 13:50 -------- d-----w- c:\programmi\Real
2010-07-04 14:38 . 2009-02-25 07:24 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-07-04 14:38 . 2009-02-25 07:24 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-29 16:14 . 2008-01-16 11:00 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2010-06-29 14:00 . 2010-06-29 14:00 -------- d-----w- c:\programmi\Quicksys
2010-06-29 13:46 . 2010-06-29 13:46 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Auslogics
2010-06-29 13:30 . 2010-06-29 13:30 -------- d-----w- c:\programmi\Auslogics
2010-06-29 13:28 . 2010-06-29 13:28 -------- d-----w- c:\programmi\File comuni\PSFactoryBuffer
2010-06-29 05:34 . 2010-02-03 17:08 -------- d-----w- c:\programmi\Paint.NET
2010-06-27 08:02 . 2008-01-17 23:34 -------- d-----w- c:\programmi\SpywareBlaster
2010-06-24 05:45 . 2008-01-17 18:37 -------- d-----w- c:\programmi\Windows Media Connect 2
2010-06-24 05:38 . 2004-08-19 12:00 79862 ----a-w- c:\windows\system32\perfc010.dat
2010-06-24 05:38 . 2004-08-19 12:00 479512 ----a-w- c:\windows\system32\perfh010.dat
2010-06-24 05:37 . 2010-04-15 21:12 -------- d-----w- c:\programmi\VS Revo Group
2010-06-23 14:09 . 2010-05-27 15:56 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\MyGuitar
2010-06-18 13:39 . 2010-04-15 19:32 79488 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-18 13:39 . 2010-04-15 19:32 152576 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\jre1.6.0_20\lzma.dll
2010-06-15 13:13 . 2008-05-01 11:10 -------- d-----w- c:\programmi\Kantaris
2010-06-15 05:34 . 2010-06-15 05:34 -------- d-----w- c:\programmi\PDFCreator
2010-06-14 14:31 . 2008-01-16 09:30 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 20:33 . 2010-06-11 20:33 -------- d-----w- c:\programmi\Secunia
2010-06-11 20:26 . 2008-11-24 22:34 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2010-06-11 20:26 . 2010-06-11 20:26 53632 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-05 15:31 . 2009-03-15 00:04 -------- d-----w- c:\programmi\File comuni\DivX Shared
2010-06-05 15:31 . 2010-06-05 15:31 56997 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\WebPlayer\Uninstaller.exe
2010-06-05 15:31 . 2010-06-05 15:31 53600 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\Update\Uninstaller.exe
2010-06-05 15:31 . 2010-06-05 15:31 54128 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\Converter\Uninstaller.exe
2010-06-05 15:31 . 2010-06-05 15:31 54644 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\TranscodeEngine\Uninstaller.exe
2010-06-05 15:31 . 2010-06-05 15:31 54101 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-05 09:04 . 2008-01-16 21:46 90688 ----a-w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-06-05 07:02 . 2008-10-14 11:54 -------- d-----w- c:\programmi\OpenOffice.org 3
2010-06-04 12:48 . 2008-09-10 15:30 -------- d-----w- c:\programmi\Microsoft Silverlight
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-27 16:18 . 2010-05-27 16:18 57409 ----a-w- c:\documents and settings\All Users\Dati applicazioni\DivX\ControlPanel\Uninstaller.exe
2010-05-13 13:54 . 2009-09-16 20:20 127347 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aescn.dll
2010-05-06 10:32 . 2004-08-19 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2004-10-01 14:00 . 2008-01-16 10:59 40960 ----a-w- c:\programmi\Uninstall_CDS.exe
2008-01-21 20:53 . 2008-01-21 20:53 5 --sha-w- c:\windows\system32\ccacb6_d.dll
2009-10-28 06:44 . 2009-10-28 06:44 23 --sha-w- c:\windows\system32\edacded0.dat
2009-03-17 18:07 . 2009-03-17 18:07 23 --sha-w- c:\windows\system32\edacded0_x.dat
2006-05-03 10:06 . 2010-02-12 17:41 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-02-12 17:41 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-02-12 17:41 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW6"="c:\programmi\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-11-10 818288]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2010-07-24 327984]
"SpywareTerminatorUpdate"="c:\programmi\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-12-09 3037696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="c:\programmi\Spyware Terminator\SpywareTerminatorShield.exe" [2010-03-30 2176512]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\programmi\DVD Region+CSS Free\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PSFactoryBuffer"= {38c8f34e-2cc7-4b04-9b75-1a35043970f8} - c:\programmi\File comuni\PSFactoryBuffer\PSFactoryBuffer.dll [2010-06-29 131072]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programmi\\Orbitdownloader\\orbitdm.exe"=
"c:\\Programmi\\Orbitdownloader\\orbitnet.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Programmi\\isposure\\IsposureAgent.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38188:TCP"= 38188:TCP:*:Disabled:utorrent
"38188:UDP"= 38188:UDP:*:Disabled:utorrent
"45871:TCP"= 45871:TCP:emule
"53794:UDP"= 53794:UDP:emule

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [16/10/2008 23.07.59 142592]
R2 isposure_svc;IsposureAgent;c:\programmi\isposure\IsposureAgent.exe [18/06/2009 17.52.46 761856]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\programmi\Nitro PDF\Professional\NitroPDFDriverService.exe [16/12/2009 11.09.04 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [16/12/2009 11.11.06 65856]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 20.19.44 50704]
R2 RVIEGVST;VSC VST Engine;c:\programmi\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [10/07/2009 13.16.24 188276]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [28/05/2010 13.04.52 14896]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contenuto della cartella 'Scheduled Tasks'

2010-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-08-01 c:\windows\Tasks\emule.job
- c:\programmi\eMule\emule.exe [2008-01-17 13:00]

2010-08-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-436374069-616249376-725345543-500.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]

2010-08-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-436374069-616249376-725345543-500.job
- c:\programmi\Real\RealUpgrade\realupgrade.exe [2010-06-03 01:02]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.yahoo.it/
IE: &Download by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/202
IE: E&sporta in Microsoft Excel
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\primo profilo 3.0\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.it
FF - prefs.js: keyword.enabled - false
FF - component: c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\primo profilo 3.0\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programmi\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\programmi\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\programmi\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\programmi\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 14:55
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-436374069-616249376-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,6b,5d ,c9,0a,98,3d,49,80,22,fa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,1a,22 ,77,0f,2e,ca,4d,9e,e9,28,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,6b,5d ,c9,0a,98,3d,49,80,22,fa,\

[HKEY_LOCAL_MACHINE\software\ATI Technologies Inc.\Driver ATI]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\Applications\AcroRd32.exe\shell]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{292AE934-4F49-40bb-9E7E-6F6398ED9C31}]
@DACL=(02 0000)
"FriendlyName"="Nero Fast CD-Burning Plug-in"
"Description"="Scrivere CD"
"Capabilities"=dword:40000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Updates\Windows XP OOB\SP10\KB835221WXP\Filelist]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OOBE\CKPT]
@DACL=(02 0000)
"0"=dword:00000001
"TOS"=dword:00000002
"1"=dword:0000000a

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OOBE\Status]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\Plugins\SP\NeroBurnPlugin]
@DACL=(02 0000)
"ProgID"="MDNeroBurnPlugin.MDNeroBurnPlugin"

[HKEY_LOCAL_MACHINE\software\REALTEK Semiconductor Corporation\REALTEK Gigabit and Fast Ethernet NIC Driver]
@DACL=(02 0000)
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
.
Ora fine scansione: 2010-08-01 14:58:06
ComboFix-quarantined-files.txt 2010-08-01 12:58
ComboFix2.txt 2010-06-17 13:48

Pre-Run: 69.197.770.752 byte disponibili
Post-Run: 69.183.381.504 byte disponibili

- - End Of File - - 55A305B16CA9BEEC9164F3D1F55BE572

and the new HijackThis..:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15.04.26, on 01/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programmi\isposure\IsposureAgent.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\Programmi\isposure\IsposureAgent.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Spyware Terminator\SpyWareTerminator.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\plugin-container.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programmi\Orbitdownloader\orbitcth.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programmi\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [DW6] "C:\Programmi\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Programmi\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Programmi\Spyware Terminator\SpywareTerminatorUpdate.exe"
O8 - Extra context menu item: &Download by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programmi\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1235630691343
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://www.telepace.it/scripts/sopcore.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O21 - SSODL: PSFactoryBuffer - {38c8f34e-2cc7-4b04-9b75-1a35043970f8} - C:\Programmi\File comuni\PSFactoryBuffer\PSFactoryBuffer.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: IsposureAgent (isposure_svc) - Epitiro Ltd. - C:\Programmi\isposure\IsposureAgent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Programmi\Nitro PDF\Professional\NitroPDFDriverService.exe
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Programmi\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe

--
End of file - 7242 bytes

LadyHawke
01-08-10, 21:31
Hi p060477,

Now you need to download Malwarebytes (http://www.malwaresupport.com/mbam/program/mbam-setup.exe) and update it; also download ATF-Cleaner (http://www.atribune.org/ccount/click.php?id=1)

- From Safe Mode, clean everything with ATF-Cleaner
- Run the full scan with Malwarebytes (remember to show the results and press the button at the bottom left to remove what was found)
- Attach the Malwarebytes log


Please insert the logs as attachments, or use the spoiler TAGs

:bai

p060477
02-08-10, 09:16
hi LadyHawke!
..forgive my utter clumsiness..could you guide me through using the "spoiler tag"..
..I wouldn't manage to use it..could you give an example, maybe using some guide images..?!..
thanks a lot..also for your patience!
luca

LadyHawke
02-08-10, 09:33
Here it is:

http://www.collectiontricks.it/imagesbox/collection/varie/spoiler.png

The TAGs that mark the start and end of the code are the ones in red, where "spoiler title" is the name (mandatory) that you have to give the spoiler (e.g. [spoiler=HJT] or [spoiler=combofix])


:bai

p060477
02-08-10, 10:13
hi and thanks!
crystal clear!
..one question..do I have to run the Malwarebytes scan in safe mode too..?
thanks again!

luca

LadyHawke
02-08-10, 10:29
No, it isn't necessary; what matters is that it's the full scan and not the quick one

:bai

p060477
02-08-10, 16:26
hi ladyhawke!

1) cleaning done with ATF Cleaner in safe mode!

2) full scan done with Malwarebytes..here's the log..:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versione database: 4380

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

02/08/2010 16.20.23
mbam-log-2010-08-02 (16-20-23).txt

Tipo di scansione: Scansione completa (C:\|D:\|E:\|)
Elementi esaminati: 245516
Tempo trascorso: 1 ore, 1 minuti, 49 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 1
Valori di registro infetti: 1
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 1

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\CLSID\{38c8f34e-2cc7-4b04-9b75-1a35043970f8} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\psfactorybuffer (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
C:\Programmi\File comuni\PSFactoryBuffer\PSFactoryBuffer.dll (Trojan.FakeAlert.H) -> Delete on reboot.



..what do you think of the whole thing now, the HijackThis log plus ComboFix plus this one from Malwarebytes..??!!

luca

LadyHawke
02-08-10, 21:17
I'd say we'll be sorted once you've uninstalled PSFactoryBuffer, which is not good stuff, and deleted its folder in C:\Programmi\File comuni\PSFactoryBuffer (also check whether it's present in C:\programmi\PSFactoryBuffer)


:bai

p060477
02-08-10, 22:16
hi LadyHawke!
thanks again!!

1)..but where could this PSFactoryBuffer have come from..??

2) anyway, it's no longer on the PC now..I also used the search function and it's gone..!!

3) the strange thing is that those two programs in startup that I noticed with CCleaner, Vdibej and the other one with the unpronounceable name..disappeared right away - before - I used either ComboFix or Malwarebytes..
..basically I only launched HijackThis without fixing anything..then in Task Manager I killed a process, I think regsvr32run.exe..or similar..that had appeared..and those programs disappeared from startup..
..in short, without doing anything - it seemed - the PC had cleaned itself..
..but then, running ComboFix and also Malwarebytes, it was a very different story..I think the malware was still there, nice and silent and hidden..
..I almost had the feeling they were watching what I was doing and, seeing that I was hunting for the malware, had tried to hide and make me believe everything was ok..

..at least these are the guesses of a very clumsy person who is useless with computers..!!

thanks a lot for everything!!

luca
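A small triage script for HijackThis logs of the kind posted in this thread, added here as an example (it is not code from the thread, from HijackThis or from Malwarebytes): it flags O4 Run entries that load a DLL through rundll32/regsvr32, the pattern of the Vdibej entry the poster saw in CCleaner, and O21/O22 shell-hook DLLs outside the Windows directory, which is how the PSFactoryBuffer SSODL entry that Malwarebytes reported as Trojan.FakeAlert.H stands out among the stock system32 ones. The sample log lines are constructed from the thread's logs; the Vdibej DLL path is a placeholder.

```python
"""Triage a HijackThis log for the persistence patterns this thread turned on.

Added example, not code from the thread, HijackThis or Malwarebytes. Rules:
  1. O4 Run entries that load a DLL via rundll32.exe/regsvr32.exe (the
     Vdibej-style entries the poster saw); a random-looking name is a second hint
  2. O21 SSODL / O22 SharedTaskScheduler DLLs outside the Windows directory
     (stock ones live in system32; PSFactoryBuffer.dll sat under Programmi)
"""
import re

WINDIR = r"c:\windows"  # assumption: default XP install location
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SHELL_RE = re.compile(r"^O2[12] - (?P<kind>\w+): .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
LOADER_RE = re.compile(r"\b(rundll32|regsvr32)\.exe\b", re.IGNORECASE)

# Constructed sample modelled on the thread's logs; the Vdibej DLL path is a
# placeholder, not a value taken from the thread.
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKCU\..\Run: [Vdibej] rundll32.exe "C:\WINDOWS\placeholder.dll",Startup',
    r"O21 - SSODL: PSFactoryBuffer - {38c8f34e-2cc7-4b04-9b75-1a35043970f8} - C:\Programmi\File comuni\PSFactoryBuffer\PSFactoryBuffer.dll",
    r"O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll",
])

def looks_random(name):
    """Crude vowel-ratio heuristic for machine-generated value names."""
    letters = name.lower()
    if not letters.isalpha() or len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) <= 0.34

def triage(log_text):
    """Return (line, reason) pairs for the log lines that match a rule."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            if LOADER_RE.search(m["cmd"]):  # rule 1: DLL loaded from a Run key
                why = "Run entry loads a DLL via rundll32/regsvr32"
                if looks_random(m["name"]):
                    why += "; value name looks random"
                findings.append((line, why))
            continue
        m = SHELL_RE.match(line)  # rule 2: shell hook DLL outside %SystemRoot%
        if m and not m["path"].lower().startswith(WINDIR):
            findings.append((line, f"{m['kind']} DLL outside the Windows directory"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[!] {reason}: {entry}")
```

Feed it a saved HijackThis log with `triage(open(path).read())`; a hit is a lead to check against the rest of the log, not a verdict by itself.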