Valutazione 4.87/ 5 (100.00%) 5838 voti

Condividi:        

Aiuto per rimuovere uninstall.exe

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: kadosh, Luke57

Aiuto per rimuovere uninstall.exe

Postdi fefinho » 29/07/09 21:34

Salve,
apro questa discussione perchè da alcuni giorni Avira antivirus mi segnala la presenza di un virus nella cartella esecuzione automatica denominato uninstall.exe che dopo aver cancellato il file si riforma.
Ho letto vari topic con problemi simili ma non sono riuscito a risolvere e non so più cosa inventarmi.
Vi posto il file HijackThis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.13.58, on 29/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\VIA\RAID\raid_tool.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Salvini\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/oggi/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Programmi\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programmi\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programmi\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: uninstall.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmi\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{56C1E3AB-40A1-4EDD-A635-2D918DD64198}: NameServer = 85.37.17.55 85.38.28.93
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6755 bytes
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Sponsor
 

Re: Aiuto per rimuovere uninstall.exe

Postdi Luke57 » 30/07/09 13:20

Ciao, questo tool ti dovrebbe eliminare il problema:
Scarica Combofix sul desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
disattiva il tuo antivirus e disconnettiti da internet
avvia combofix.exe
(non installare la recovery console quando il programma lo propone)
Lascia lavorare il programma senza interferire, se spariscono le icone del desktop è normale
Al termine, allega il rapporto C:\ComboFix.txt nella tua risposta.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 30/07/09 18:28

Ho fatto un errore. Per sbaglio ho installato la recovery console.
Ti allego il rapporto e ti sarei grato se mi spieghi come togliere la recovery console.

Codice: Seleziona tutto
ComboFix 09-07-29.04 - Salvini 30/07/2009 19.12.53.3.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.1023.684 [GMT 2:00]
Eseguito da: c:\documents and settings\Salvini\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

(((((((((((((((((((((((((   Files Creati Da 2009-06-28 al 2009-07-30  )))))))))))))))))))))))))))))))))))
.

2009-07-16 17:27 . 2009-07-16 17:27   --------   d-----r-   c:\documents and settings\LocalService\Preferiti
2009-07-16 16:56 . 2009-07-16 16:56   --------   d-----w-   c:\documents and settings\LocalService\Menu Avvio
2009-07-16 16:56 . 2009-03-30 08:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2009-07-16 16:56 . 2009-03-24 14:08   55640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-07-16 16:56 . 2009-02-13 10:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2009-07-16 16:56 . 2009-02-13 10:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2009-07-16 16:55 . 2009-07-16 16:55   --------   d-----w-   c:\programmi\Avira
2009-07-16 16:55 . 2009-07-16 16:55   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Avira
2009-07-10 19:14 . 2009-07-10 19:13   102664   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2009-07-10 19:13 . 2009-07-10 19:14   --------   d-----w-   c:\documents and settings\Salvini\.housecall6.6
2009-07-10 12:31 . 2009-07-10 18:39   --------   d---a-w-   c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-07-10 12:31 . 2009-07-10 18:42   --------   d-----w-   c:\programmi\PC Tools AntiVirus

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 17:16 . 2009-01-29 13:52   9750560   --sha-w-   c:\windows\system32\drivers\fidbox.dat
2009-07-30 10:47 . 2009-01-29 13:52   116492   --sha-w-   c:\windows\system32\drivers\fidbox.idx
2009-07-29 20:40 . 2007-03-12 13:25   --------   d-----w-   c:\programmi\Mozilla Thunderbird
2009-07-24 15:39 . 2009-07-24 15:39   1705472   ----a-w-   c:\windows\Internet Logs\xDB5.tmp
2009-07-16 18:19 . 2009-02-13 10:15   --------   d-----w-   c:\programmi\Malwarebytes' Anti-Malware
2009-07-16 18:17 . 2006-09-14 14:57   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-07-16 17:18 . 2009-04-02 12:40   3775176   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 11:36 . 2009-02-13 10:15   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 11:36 . 2009-02-13 10:15   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-07-10 12:44 . 2009-07-10 12:45   3201024   ----a-w-   c:\windows\Internet Logs\xDB4.tmp
2009-07-08 18:27 . 2009-06-20 10:21   314712   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-08 18:27 . 2009-06-20 10:21   25440   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-08 18:27 . 2009-06-20 10:21   169312   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-07-08 18:27 . 2009-06-20 10:21   348496   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-07-08 18:27 . 2009-06-20 10:21   298336   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-07-08 18:27 . 2009-06-09 17:41   84832   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-07-08 18:27 . 2009-06-20 10:21   1630560   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-08 18:25 . 2009-06-04 21:49   246128   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-07-08 18:25 . 2009-06-04 21:49   40288   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-07-08 18:25 . 2009-06-20 10:21   85352   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-07-08 18:25 . 2009-06-20 10:21   664424   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-07-08 18:25 . 2009-06-20 10:21   563064   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-07-08 18:22 . 2009-06-20 10:21   566632   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-07-08 18:22 . 2009-06-20 10:21   2353480   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-08 18:22 . 2009-06-20 10:21   629072   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-07-08 18:21 . 2009-06-20 10:21   520024   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-07-08 18:20 . 2009-06-20 10:21   1029456   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-26 16:49 . 2004-08-19 13:39   669184   ----a-w-   c:\windows\system32\wininet.dll
2009-06-26 16:49 . 2004-08-19 13:39   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-06-26 09:58 . 2009-06-26 09:56   1878984   ----a-w-   c:\documents and settings\Salvini\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-26 09:50 . 2006-03-27 15:17   45080   -c--a-w-   c:\documents and settings\Salvini\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-06-22 12:41 . 2008-10-28 20:46   --------   d-----w-   c:\documents and settings\Salvini\Dati applicazioni\dvdcss
2009-06-16 14:36 . 2004-08-19 13:39   119808   ----a-w-   c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-31 15:00   81920   ----a-w-   c:\windows\system32\fontsub.dll
2009-06-09 17:41 . 2009-06-09 17:41   15688   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-09 17:41 . 2009-01-29 23:03   15688   ----a-w-   c:\windows\system32\lsdelete.exe
2009-06-06 17:16 . 2009-06-06 17:16   --------   d-----w-   c:\programmi\Philips
2009-06-06 17:16 . 2006-03-27 15:24   --------   d--h--w-   c:\programmi\InstallShield Installation Information
2009-06-06 17:16 . 2009-06-06 17:16   --------   d-----w-   c:\documents and settings\Salvini\Dati applicazioni\InstallShield
2009-06-03 19:09 . 2004-08-19 13:39   1296384   ----a-w-   c:\windows\system32\quartz.dll
2009-05-22 23:23 . 2009-05-22 23:23   1587712   ----a-w-   c:\windows\Internet Logs\xDB3.tmp
2009-05-07 15:32 . 2004-08-19 13:39   347648   ----a-w-   c:\windows\system32\localspl.dll
2009-05-04 10:07 . 2009-05-04 10:07   2207858   ----a-w-   c:\windows\Internet Logs\tvDebug.zip
2009-07-24 11:53 . 2008-09-01 14:54   134648   ----a-w-   c:\programmi\mozilla firefox\components\brwsrcmp.dll
.

(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-10-24 13:53 . 2006-03-30 14:45   313472   c:\programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2007-03-11 15:31 . 2005-01-26 17:02   49152   c:\programmi\Brother\Brmfl05a\bak\BrStDvPt.exe
2007-07-04 12:31 . 2005-01-26 16:02   49152   c:\programmi\Brother\Brmfl05a\BrStDvPt.exe

2007-03-11 15:31 . 2005-05-17 16:42   933888   c:\programmi\Brother\ControlCenter2\bak\brctrcen.exe
2007-07-04 12:31 . 2005-05-17 15:42   933888   c:\programmi\Brother\ControlCenter2\brctrcen.exe

2004-12-09 10:14 . 2004-12-09 10:14   1068032   c:\programmi\File comuni\PCSuite\DataLayer\bak\DATALA~1.EXE

2003-10-14 09:22 . 2003-10-14 09:22   155648   c:\programmi\File comuni\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
2003-10-14 08:22 . 2003-10-14 08:22   155648   c:\programmi\File comuni\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

2007-02-23 13:37 . 2007-03-14 14:18   411648   c:\programmi\Grisoft\AVG Free\bak\avgcc.exe

2007-03-07 20:26 . 2006-12-15 02:23   75520   c:\programmi\Java\jre1.5.0_11\bin\bak\jusched.exe

2006-03-27 16:02 . 2004-03-18 08:33   892928   c:\programmi\Logitech\iTouch\bak\iTouch.exe

2006-06-06 09:07 . 2006-06-06 09:07   40960   c:\programmi\Macrogaming\SweetIM\bak\SweetIM.exe

2004-11-24 10:29 . 2004-11-24 10:29   880640   c:\programmi\Nokia\Nokia PC Suite 6\bak\PcSync2.exe
2006-06-27 15:21 . 2006-06-27 15:21   1449984   c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe

2005-03-11 00:28 . 2005-03-11 00:28   40960   c:\programmi\ScanSoft\PaperPort\bak\IndexSearch.exe
2005-03-10 23:28 . 2005-03-10 23:28   40960   c:\programmi\ScanSoft\PaperPort\IndexSearch.exe

2005-03-11 00:01 . 2005-03-11 00:01   57393   c:\programmi\ScanSoft\PaperPort\bak\pptd40nt.exe
2005-03-10 23:01 . 2005-03-10 23:01   57393   c:\programmi\ScanSoft\PaperPort\pptd40nt.exe

2004-08-19 13:39 . 2004-08-19 13:39   15360   c:\windows\system32\bak\ctfmon.exe
2004-08-19 13:39 . 2008-04-14 02:14   15360   c:\windows\system32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]
"SSBkgdUpdate"="c:\programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"IndexSearch"="c:\programmi\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-10 40960]
"SetDefPrt"="c:\programmi\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\programmi\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"Motive SmartBridge"="c:\progra~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Ad-Watch"="c:\programmi\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-08 520024]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-01-08 65536]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-03-09 1519616]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
uninstall.exe [2009-7-30 421888]
VIA RAID TOOL.lnk - c:\programmi\VIA\RAID\raid_tool.exe [2006-3-27 561152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programmi\\MSN Messenger\\livecall.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/01/2009 0.49.22 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [27/03/2006 17.40.08 75904]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\drivers\NVTUNEP.SYS [27/03/2006 18.05.29 20480]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\NVTVSND.SYS [27/03/2006 18.05.29 20224]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programmi\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 23.34.37 1029456]
.
Contenuto della cartella 'Scheduled Tasks'

2009-07-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programmi\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 18:22]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.virgilio.it/oggi/index.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Salvini\Dati applicazioni\Mozilla\Firefox\Profiles\b58vhy3a.default\
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdbplug.dll
FF - plugin: c:\windows\system32\DNAML\npdbplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 19:16
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(1380)
c:\progra~1\ALICET~1\SMARTB~1\SBHook.dll
c:\programmi\Logitech\MouseWare\System\LgWndHk.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\programmi\File comuni\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2009-07-30 19.19.10
ComboFix-quarantined-files.txt  2009-07-30 17:19

Pre-Run: 28.474.597.376 byte disponibili
Post-Run: 28.471.877.632 byte disponibili

187   --- E O F ---   2009-07-29 19:56
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 30/07/09 19:42

Ho risolto il piccolo inconveniente con la recovery console.
Ecco il rapporto di combofix
Codice: Seleziona tutto
ComboFix 09-07-29.04 - Salvini 30/07/2009 20.06.55.4.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.1023.667 [GMT 2:00]
Eseguito da: c:\documents and settings\Salvini\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

(((((((((((((((((((((((((   Files Creati Da 2009-06-28 al 2009-07-30  )))))))))))))))))))))))))))))))))))
.

2009-07-16 17:27 . 2009-07-16 17:27   --------   d-----r-   c:\documents and settings\LocalService\Preferiti
2009-07-16 16:56 . 2009-07-16 16:56   --------   d-----w-   c:\documents and settings\LocalService\Menu Avvio
2009-07-16 16:56 . 2009-03-30 08:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2009-07-16 16:56 . 2009-03-24 14:08   55640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-07-16 16:56 . 2009-02-13 10:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2009-07-16 16:56 . 2009-02-13 10:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2009-07-16 16:55 . 2009-07-16 16:55   --------   d-----w-   c:\programmi\Avira
2009-07-16 16:55 . 2009-07-16 16:55   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Avira
2009-07-10 19:14 . 2009-07-10 19:13   102664   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2009-07-10 19:13 . 2009-07-10 19:14   --------   d-----w-   c:\documents and settings\Salvini\.housecall6.6
2009-07-10 12:31 . 2009-07-10 18:39   --------   d---a-w-   c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-07-10 12:31 . 2009-07-10 18:42   --------   d-----w-   c:\programmi\PC Tools AntiVirus

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 18:10 . 2009-01-29 13:52   9838624   --sha-w-   c:\windows\system32\drivers\fidbox.dat
2009-07-30 18:02 . 2009-01-29 13:52   117716   --sha-w-   c:\windows\system32\drivers\fidbox.idx
2009-07-30 17:58 . 2007-03-12 13:25   --------   d-----w-   c:\programmi\Mozilla Thunderbird
2009-07-30 17:28 . 2006-09-14 14:57   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-07-24 15:39 . 2009-07-24 15:39   1705472   ----a-w-   c:\windows\Internet Logs\xDB5.tmp
2009-07-16 18:19 . 2009-02-13 10:15   --------   d-----w-   c:\programmi\Malwarebytes' Anti-Malware
2009-07-16 17:18 . 2009-04-02 12:40   3775176   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 11:36 . 2009-02-13 10:15   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 11:36 . 2009-02-13 10:15   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-07-10 12:44 . 2009-07-10 12:45   3201024   ----a-w-   c:\windows\Internet Logs\xDB4.tmp
2009-07-08 18:27 . 2009-06-20 10:21   314712   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-08 18:27 . 2009-06-20 10:21   25440   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-08 18:27 . 2009-06-20 10:21   169312   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-07-08 18:27 . 2009-06-20 10:21   348496   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-07-08 18:27 . 2009-06-20 10:21   298336   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-07-08 18:27 . 2009-06-09 17:41   84832   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-07-08 18:27 . 2009-06-20 10:21   1630560   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-08 18:25 . 2009-06-04 21:49   246128   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-07-08 18:25 . 2009-06-04 21:49   40288   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-07-08 18:25 . 2009-06-20 10:21   85352   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-07-08 18:25 . 2009-06-20 10:21   664424   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-07-08 18:25 . 2009-06-20 10:21   563064   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-07-08 18:22 . 2009-06-20 10:21   566632   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-07-08 18:22 . 2009-06-20 10:21   2353480   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-08 18:22 . 2009-06-20 10:21   629072   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-07-08 18:21 . 2009-06-20 10:21   520024   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-07-08 18:20 . 2009-06-20 10:21   1029456   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-26 16:49 . 2004-08-19 13:39   669184   ----a-w-   c:\windows\system32\wininet.dll
2009-06-26 16:49 . 2004-08-19 13:39   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-06-26 09:58 . 2009-06-26 09:56   1878984   ----a-w-   c:\documents and settings\Salvini\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-26 09:50 . 2006-03-27 15:17   45080   -c--a-w-   c:\documents and settings\Salvini\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-06-22 12:41 . 2008-10-28 20:46   --------   d-----w-   c:\documents and settings\Salvini\Dati applicazioni\dvdcss
2009-06-16 14:36 . 2004-08-19 13:39   119808   ----a-w-   c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-31 15:00   81920   ----a-w-   c:\windows\system32\fontsub.dll
2009-06-09 17:41 . 2009-06-09 17:41   15688   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-09 17:41 . 2009-01-29 23:03   15688   ----a-w-   c:\windows\system32\lsdelete.exe
2009-06-06 17:16 . 2009-06-06 17:16   --------   d-----w-   c:\programmi\Philips
2009-06-06 17:16 . 2006-03-27 15:24   --------   d--h--w-   c:\programmi\InstallShield Installation Information
2009-06-06 17:16 . 2009-06-06 17:16   --------   d-----w-   c:\documents and settings\Salvini\Dati applicazioni\InstallShield
2009-06-03 19:09 . 2004-08-19 13:39   1296384   ----a-w-   c:\windows\system32\quartz.dll
2009-05-22 23:23 . 2009-05-22 23:23   1587712   ----a-w-   c:\windows\Internet Logs\xDB3.tmp
2009-05-07 15:32 . 2004-08-19 13:39   347648   ----a-w-   c:\windows\system32\localspl.dll
2009-05-04 10:07 . 2009-05-04 10:07   2207858   ----a-w-   c:\windows\Internet Logs\tvDebug.zip
2009-07-24 11:53 . 2008-09-01 14:54   134648   ----a-w-   c:\programmi\mozilla firefox\components\brwsrcmp.dll
.

(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-10-24 13:53 . 2006-03-30 14:45   313472   c:\programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2007-03-11 15:31 . 2005-01-26 17:02   49152   c:\programmi\Brother\Brmfl05a\bak\BrStDvPt.exe
2007-07-04 12:31 . 2005-01-26 16:02   49152   c:\programmi\Brother\Brmfl05a\BrStDvPt.exe

2007-03-11 15:31 . 2005-05-17 16:42   933888   c:\programmi\Brother\ControlCenter2\bak\brctrcen.exe
2007-07-04 12:31 . 2005-05-17 15:42   933888   c:\programmi\Brother\ControlCenter2\brctrcen.exe

2004-12-09 10:14 . 2004-12-09 10:14   1068032   c:\programmi\File comuni\PCSuite\DataLayer\bak\DATALA~1.EXE

2003-10-14 09:22 . 2003-10-14 09:22   155648   c:\programmi\File comuni\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
2003-10-14 08:22 . 2003-10-14 08:22   155648   c:\programmi\File comuni\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

2007-02-23 13:37 . 2007-03-14 14:18   411648   c:\programmi\Grisoft\AVG Free\bak\avgcc.exe

2007-03-07 20:26 . 2006-12-15 02:23   75520   c:\programmi\Java\jre1.5.0_11\bin\bak\jusched.exe

2006-03-27 16:02 . 2004-03-18 08:33   892928   c:\programmi\Logitech\iTouch\bak\iTouch.exe

2006-06-06 09:07 . 2006-06-06 09:07   40960   c:\programmi\Macrogaming\SweetIM\bak\SweetIM.exe

2004-11-24 10:29 . 2004-11-24 10:29   880640   c:\programmi\Nokia\Nokia PC Suite 6\bak\PcSync2.exe
2006-06-27 15:21 . 2006-06-27 15:21   1449984   c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe

2005-03-11 00:28 . 2005-03-11 00:28   40960   c:\programmi\ScanSoft\PaperPort\bak\IndexSearch.exe
2005-03-10 23:28 . 2005-03-10 23:28   40960   c:\programmi\ScanSoft\PaperPort\IndexSearch.exe

2005-03-11 00:01 . 2005-03-11 00:01   57393   c:\programmi\ScanSoft\PaperPort\bak\pptd40nt.exe
2005-03-10 23:01 . 2005-03-10 23:01   57393   c:\programmi\ScanSoft\PaperPort\pptd40nt.exe

2004-08-19 13:39 . 2004-08-19 13:39   15360   c:\windows\system32\bak\ctfmon.exe
2004-08-19 13:39 . 2008-04-14 02:14   15360   c:\windows\system32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]
"SSBkgdUpdate"="c:\programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"IndexSearch"="c:\programmi\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-10 40960]
"SetDefPrt"="c:\programmi\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\programmi\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"Motive SmartBridge"="c:\progra~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Ad-Watch"="c:\programmi\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-08 520024]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-01-08 65536]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-03-09 1519616]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
uninstall.exe [2009-7-30 421888]
VIA RAID TOOL.lnk - c:\programmi\VIA\RAID\raid_tool.exe [2006-3-27 561152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programmi\\MSN Messenger\\livecall.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/01/2009 0.49.22 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [27/03/2006 17.40.08 75904]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\drivers\NVTUNEP.SYS [27/03/2006 18.05.29 20480]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\NVTVSND.SYS [27/03/2006 18.05.29 20224]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programmi\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 23.34.37 1029456]
.
Contenuto della cartella 'Scheduled Tasks'

2009-07-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programmi\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 18:22]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.virgilio.it/oggi/index.html
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Salvini\Dati applicazioni\Mozilla\Firefox\Profiles\b58vhy3a.default\
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdbplug.dll
FF - plugin: c:\windows\system32\DNAML\npdbplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 20:10
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(4048)
c:\progra~1\ALICET~1\SMARTB~1\SBHook.dll
c:\programmi\Logitech\MouseWare\System\LgWndHk.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\programmi\File comuni\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2009-07-30 20.13.17
ComboFix-quarantined-files.txt  2009-07-30 18:13

Pre-Run: 28.480.421.888 byte disponibili
Post-Run: 28.439.994.368 byte disponibili

189   --- E O F ---   2009-07-29 19:56
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Re: Aiuto per rimuovere uninstall.exe

Postdi Luke57 » 31/07/09 14:16

Ciao, apri un file di testo, al suo interno copiaci il seguente testo.

Codice: Seleziona tutto
AWF::
c:\programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
c:\programmi\Brother\Brmfl05a\bak\BrStDvPt.exe
c:\programmi\Brother\ControlCenter2\bak\brctrcen.exe
c:\programmi\File comuni\PCSuite\DataLayer\bak\DATALA~1.EXE
c:\programmi\File comuni\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
c:\programmi\Grisoft\AVG Free\bak\avgcc.exe
c:\programmi\Logitech\iTouch\bak\iTouch.exe
c:\programmi\Nokia\Nokia PC Suite 6\bak\PcSync2.exe
c:\programmi\ScanSoft\PaperPort\bak\IndexSearch.exe
c:\programmi\ScanSoft\PaperPort\bak\pptd40nt.exe
c:\windows\system32\bak\ctfmon.exe

File::
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
uninstall.exe



salvalo sul desktop con il nome obbligatorio di CFScript.txt

trascina con il puntatore del mouse sull'icona di combofix ; il programma avvierà una nuova scansione. Al termine di essa, riavvia e posta il nuovo report.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 31/07/09 18:50

Ciao,
Ho fatto quanto mi hai detto e ti posto il report. Ti segnalo una volta riavviato il computer Avira mi ha segnalato nuovamente il virus. Forse ho sbagliato qualcosa nella procedura?
Codice: Seleziona tutto
ComboFix 09-07-29.04 - Salvini 31/07/2009 19.29.42.7.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.1023.696 [GMT 2:00]
Eseguito da: c:\documents and settings\Salvini\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Salvini\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
"c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\"
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\2712c8.msi

.
(((((((((((((((((((((((((   Files Creati Da 2009-06-28 al 2009-07-31  )))))))))))))))))))))))))))))))))))
.

2009-07-16 17:27 . 2009-07-16 17:27   --------   d-----r-   c:\documents and settings\LocalService\Preferiti
2009-07-16 16:56 . 2009-07-16 16:56   --------   d-----w-   c:\documents and settings\LocalService\Menu Avvio
2009-07-16 16:56 . 2009-03-30 08:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2009-07-16 16:56 . 2009-03-24 14:08   55640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-07-16 16:56 . 2009-02-13 10:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2009-07-16 16:56 . 2009-02-13 10:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2009-07-16 16:55 . 2009-07-16 16:55   --------   d-----w-   c:\programmi\Avira
2009-07-16 16:55 . 2009-07-16 16:55   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Avira
2009-07-10 19:14 . 2009-07-10 19:13   102664   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2009-07-10 19:13 . 2009-07-10 19:14   --------   d-----w-   c:\documents and settings\Salvini\.housecall6.6
2009-07-10 12:31 . 2009-07-10 18:39   --------   d---a-w-   c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-07-10 12:31 . 2009-07-10 18:42   --------   d-----w-   c:\programmi\PC Tools AntiVirus

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 17:32 . 2009-01-29 13:52   10164256   --sha-w-   c:\windows\system32\drivers\fidbox.dat
2009-07-31 17:21 . 2007-03-11 15:27   --------   d-----w-   c:\programmi\ScanSoft
2009-07-31 17:21 . 2007-03-11 15:27   --------   d-----w-   c:\programmi\File comuni\ScanSoft Shared
2009-07-31 17:21 . 2007-03-15 14:08   --------   d-----w-   c:\documents and settings\Salvini\Dati applicazioni\ScanSoft
2009-07-31 17:20 . 2006-06-30 11:41   --------   d-----w-   c:\programmi\Nokia
2009-07-31 17:16 . 2009-01-29 13:52   121340   --sha-w-   c:\windows\system32\drivers\fidbox.idx
2009-07-31 17:15 . 2009-01-29 22:47   --------   d-----w-   c:\programmi\Lavasoft
2009-07-31 17:15 . 2007-12-26 14:58   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Downloaded Installations
2009-07-31 17:13 . 2007-03-12 13:25   --------   d-----w-   c:\programmi\Mozilla Thunderbird
2009-07-31 17:09 . 2006-09-14 14:57   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-07-31 16:55 . 2006-03-27 15:24   --------   d--h--w-   c:\programmi\InstallShield Installation Information
2009-07-31 16:54 . 2006-03-27 15:24   --------   d-----w-   c:\programmi\File comuni\InstallShield
2009-07-31 16:54 . 2006-03-27 15:25   --------   d-----w-   c:\programmi\Common Files
2009-07-31 16:53 . 2006-03-27 15:25   --------   d-----w-   c:\programmi\Alice ti aiuta
2009-07-24 15:39 . 2009-07-24 15:39   1705472   ----a-w-   c:\windows\Internet Logs\xDB5.tmp
2009-07-16 18:19 . 2009-02-13 10:15   --------   d-----w-   c:\programmi\Malwarebytes' Anti-Malware
2009-07-16 17:18 . 2009-04-02 12:40   3775176   ----a-w-   c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 11:36 . 2009-02-13 10:15   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 11:36 . 2009-02-13 10:15   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-07-10 12:44 . 2009-07-10 12:45   3201024   ----a-w-   c:\windows\Internet Logs\xDB4.tmp
2009-06-26 16:49 . 2004-08-19 13:39   669184   ----a-w-   c:\windows\system32\wininet.dll
2009-06-26 16:49 . 2004-08-19 13:39   81920   ----a-w-   c:\windows\system32\ieencode.dll
2009-06-26 09:58 . 2009-06-26 09:56   1878984   ----a-w-   c:\documents and settings\Salvini\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-26 09:50 . 2006-03-27 15:17   45080   -c--a-w-   c:\documents and settings\Salvini\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-06-22 12:41 . 2008-10-28 20:46   --------   d-----w-   c:\documents and settings\Salvini\Dati applicazioni\dvdcss
2009-06-16 14:36 . 2004-08-19 13:39   119808   ----a-w-   c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-31 15:00   81920   ----a-w-   c:\windows\system32\fontsub.dll
2009-06-06 17:16 . 2009-06-06 17:16   --------   d-----w-   c:\programmi\Philips
2009-06-06 17:16 . 2009-06-06 17:16   --------   d-----w-   c:\documents and settings\Salvini\Dati applicazioni\InstallShield
2009-06-03 19:09 . 2004-08-19 13:39   1296384   ----a-w-   c:\windows\system32\quartz.dll
2009-05-22 23:23 . 2009-05-22 23:23   1587712   ----a-w-   c:\windows\Internet Logs\xDB3.tmp
2009-05-07 15:32 . 2004-08-19 13:39   347648   ----a-w-   c:\windows\system32\localspl.dll
2009-05-04 10:07 . 2009-05-04 10:07   2207858   ----a-w-   c:\windows\Internet Logs\tvDebug.zip
2009-07-24 11:53 . 2008-09-01 14:54   134648   ----a-w-   c:\programmi\mozilla firefox\components\brwsrcmp.dll
.

(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-01-08 65536]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-03-09 1519616]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
uninstall.exe [2009-7-31 421888]
VIA RAID TOOL.lnk - c:\programmi\VIA\RAID\raid_tool.exe [2006-3-27 561152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programmi\\MSN Messenger\\livecall.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [27/03/2006 17.40.08 75904]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\drivers\NVTUNEP.SYS [27/03/2006 18.05.29 20480]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\NVTVSND.SYS [27/03/2006 18.05.29 20224]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
.
Contenuto della cartella 'Scheduled Tasks'
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.virgilio.it/oggi/index.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Salvini\Dati applicazioni\Mozilla\Firefox\Profiles\b58vhy3a.default\
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdbplug.dll
FF - plugin: c:\windows\system32\DNAML\npdbplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 19:32
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2009-07-31 19.35.30
ComboFix-quarantined-files.txt  2009-07-31 17:35
ComboFix2.txt  2009-07-30 18:13

Pre-Run: 29.737.066.496 byte disponibili
Post-Run: 29.696.786.432 byte disponibili

144   --- E O F ---   2009-07-29 19:56
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Re: Aiuto per rimuovere uninstall.exe

Postdi Luke57 » 01/08/09 10:48

Ciao, apri hijackthis, premi "do a system scan only", cerca e spunta la voce seguente, se presente:
O4 - Global Startup: uninstall.exe

premi fix checked.

Poi cerca ed elimina questo file, se presente:
c:\windows\system32\uninstall.exe
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 03/08/09 12:46

Ciao, ho fatto la scansione con hijachthis ed eliminato la voce :
O4 - Global Startup: uninstall.exe

Però non ho trovato nessun file c:\windows\system32\uninstall.exe e quindi il problema sussiste.
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Re: Aiuto per rimuovere uninstall.exe

Postdi Luke57 » 03/08/09 18:45

Scarica systemscan da qui sul desktop
http://www.suspectfile.com/systemscan
aprilo e scegli l'opzione "recent files (imposta a 60 gg.), clicca su "Scan Now" al termine della scansione (velocissima) verranno rilasciati (sempre sul desktop all'interno della cartella suspectfile) due file. Allega il file con estensione .zip nella tua prossima risposta.

Ricordati d'effettuare la scansione senza connessione attiva e con l'antivirus disabilitato salvo poi riattivarlo a scansione terminata.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 04/08/09 18:15

Ciao, ho fatto la scansione con il nuovo programma. Ora però non so in che modo allegare il file .zip in questo forum.
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 04/08/09 19:15

Ciao, trovi il file .zip a questo indirizzo:
http://wikisend.com/download/456682/04_ ... report.zip

Spero vada bene lo stesso questo procedimento di inserimento del file sul forum.
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Re: Aiuto per rimuovere uninstall.exe

Postdi Luke57 » 05/08/09 07:36

Ciao, nel report non appare, segui questo percorso:
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
uninstall.exe

prova a eliminarlo da lì. Se la cosa non funzionasse, riesegui systemscan, stavolta scegliendo tutte le opzioni (la scansione sarà più lunga) e poi inserisci il report.zip come hai già fatto la volta precedente.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 08/08/09 13:32

Ciao, non posso eliminare manualmente il file perchè mi indica un messaggio di errore "file già in uso da un altro utente o programma".
Questo è il report della nuova scansione con systemscan:
http://wikisend.com/download/469610/08_ ... report.zip
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Re: Aiuto per rimuovere uninstall.exe

Postdi Luke57 » 08/08/09 14:07

Ciao, scarica avenger
http://swandog46.geekstogo.com/avenger2/download.php
disattiva l'antivirus, il Tea Timer di Spybot S&D

Decomprimi l'archivio, esegui il file.
Verifica che la voce "Scan for rootkits" sia abilitata e che invece sia disabilitata la voce "Automatically disable any rootkits found"
all'interno del box bianco "input script here:" copia e incolla le scritte riportate sotto:

Files to move:
C:\Programmi\Java\jre1.5.0_11\bin\bak\jusched.exe | C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe
C:\Programmi\Macrogaming\SweetIM\bak\SweetIM.exe | C:\Programmi\Macrogaming\SweetIM\SweetIM.exe

Files to delete:
C:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\uninstall.exe

Folders to delete:
C:\DOCUME~1\Salvini\IMPOST~1\Temp


Clicca sul pulsante "Execute"
rispondi Sì alle domande.
Dopo il riavvio portati in C:\ copia/incolla il contenuto del file avenger.txt

Apri hijackthis, premi "do a system scan only", cerca e spunta la voce segeuente (se presente):
O4 - Global Startup: uninstall.exe

premi fix checked

Poi vai qui:
http://www2.gmer.net/mbr/mbr.exe

scarica Stealth MBR rootkit detector e salvalo direttamente in C:\
Riavviail Pc in modalità provvisoria (premi ripetutamente il tasto F8 all'accensione del computer, prima che si carichi windows; nella schermata grigia che appare scegli modalità provvisoria spostandoti con le freccette e confermando con invio)

Dalla modalità provvisoria, premi Start>Esegui, nella finestra che appare copia e e incolla:
C:\mbr.exe -f
premi OK
salva il log prodotto che troverai in c:\ come file di testo e incollalo in un post

Riavvia il PC in modalità normale
Da Start - Esegui - digita
C:\mbr.exe
premi OK
salva il log prodotto che troverai in c:\ come file di testo e incollalo in un post per controllo,
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 11/08/09 13:30

Ciao, ho eseguito avenger e ti posto il file avenger.txt
Codice: Seleziona tutto
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\Programmi\Java\jre1.5.0_11\bin\bak\jusched.exe|C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe" completed successfully.
File move operation "C:\Programmi\Macrogaming\SweetIM\bak\SweetIM.exe|C:\Programmi\Macrogaming\SweetIM\SweetIM.exe" completed successfully.
File "C:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\uninstall.exe" deleted successfully.
Folder "C:\DOCUME~1\Salvini\IMPOST~1\Temp" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 11/08/09 13:50

e questo è quello di MBR
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x098A412B !
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29

Re: Aiuto per rimuovere uninstall.exe

Postdi Luke57 » 11/08/09 14:36

Pare sempre presente l'infezione in mbr, vai qui:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Compatibile: Windows XP - Vista
Caratteristiche: non necessita di installazione
Doppio click su CureIt - cliccate su Avvia - alla domanda Avvia ora il controllo? cliccate su OK
In questa modalità Express Scan vengono controllati solo i seguenti oggetti:
* Random access memory
* Settori di Boot di tutti i dischi
* Ogetti di Startup
* Disco di Boot e cartella principale
* Cartella principale del disco di installaizone di Windows
* Cartella di Sistema di Windows
* Cartella documenti Utente ("Documenti")
* Cartella temporanea di Sistema
* Usa la cartella temporanea
Al termine di questa fase cliccate su Completa scansione e avviate cliccando sul triangolino verde
Gli eventuali malware rilevati è preferibile metterli in quarantena cliccando sul tasto Sposta
Dopo aver terminato la scansione allegare il log per il controllo che trovate in %USERPROFILE%\DoctorWeb\CureIt.log ovvero C:\Documents and Settings\nomeutente\DoctorWeb
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Aiuto per rimuovere uninstall.exe

Postdi fefinho » 14/08/09 17:49

Ciao, non vorrei esultare troppo presto ma sembra che il problema sia risolto!!!
Questo è il report di DoctorWeb
http://wikisend.com/download/544616/CureIt.log

Ti ringrazio per il grande aiuto che mi hai dato!
fefinho
Utente Junior
 
Post: 11
Iscritto il: 10/07/09 20:29


Torna a Sicurezza e Privacy


Topic correlati a "Aiuto per rimuovere uninstall.exe":

Aiuto urgente!!!
Autore: templare77
Forum: Software Windows
Risposte: 0

Chi c’è in linea

Visitano il forum: Nessuno e 5 ospiti