
PC inaccessible

Post by faker » 29/06/10 08:22

Something very strange happened to my PC at the office: a genius of a colleague started fiddling with some games for his Pocket PC (HTC 3300). At first I noticed a folder on the desktop (Simcity) that I couldn't delete even though it appeared empty. Then I started having problems with the Internet connection (no signal while the PC next to mine was running at full speed) and I noticed that the antivirus (Avira free) wouldn't start, in the sense that the active icon at the bottom right is gone, and if I try to open it from Programs I get the message that it "is not a valid Win32 application"!!! I tried to run ComboFix but it doesn't start either. I ran a scan with RegCleaner but nothing. The PC won't start in safe mode (neither by rebooting with F8 nor by going through msconfig and setting the boot to the minimal set of applications). I changed the safe boot setting in the BIOS and now the PC comes up with the screen to choose between safe mode and normal mode but, whatever option I pick, it comes back to the same screen. I'd like to at least get into Windows (W XP) to recover the data and back up the drivers and then format everything, but I can't. Can a virus really be this stubborn????? Never had anything like this happen.........

faker
Senior User
Posts: 454
Joined: 03/03/04 22:19


Re: PC inaccessible

Post by shel » 29/06/10 08:46

hi

you have a nasty infection, the Bagle worm

download and run rkill

remove combofix with OTC by OldTimer

run it
Click CleanUp.
When asked to restart, click YES


download combofix again from here using Internet Explorer
you must rename the file to abc.exe before saving it to the desktop
(to rename the file: when you download it, it asks where to save it and the "file name" box appears; change the name shown there to abc.exe and save it to the desktop, nowhere else)
(do not install the recovery console)
Let the program work without interfering
Attach the report C:\ComboFix.txt in your reply.
shel
Senior User
Posts: 1292
Joined: 29/08/08 21:56

Re: PC inaccessible

Post by shel » 29/06/10 08:59

for your problem try reading here
shel
Senior User
Posts: 1292
Joined: 29/08/08 21:56

Re: PC inaccessible

Post by faker » 29/06/10 11:11

shel wrote: for your problem try reading here

Thank you so much. At 2 pm I'll go to the office and get to work, then I'll let you know. Who would have expected it!!!!!! But how could I have caught it????????

faker
Senior User
Posts: 454
Joined: 03/03/04 22:19

Re: PC inaccessible

Post by shel » 29/06/10 11:15

But how could I have caught it????????


Generally these infections come through peer-to-peer (emule, torrent....) but other sources can't be ruled out either.....
shel
Senior User
Posts: 1292
Joined: 29/08/08 21:56

Re: PC inaccessible

Post by faker » 01/07/10 11:36

shel wrote:
But how could I have caught it????????


Generally these infections come through peer-to-peer (emule, torrent....) but other sources can't be ruled out either.....


Unfortunately, despite your excellent advice, I couldn't do much for the office PC: it always got stuck at the "Safe Mode" screen and a message came up saying it was impossible to proceed in that mode. At that point I preferred to format it. But when I saw the term "Worm Bagle" in your post, I remembered there was something like that on a pen drive I use often (in a Smart Movie folder for Pocket PC). I scanned the pen drive with Avira and then applied the procedure you described on my PCs where I had plugged in the pen drive. If it's not too much trouble, have a look at the ComboFix reports:
Desktop PC (which, I think, has no problem at all: it works perfectly):
ComboFix 10-06-30.03 - Paolo 01/07/2010 9:41.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7100.0.1252.39.1040.18.1024.448 [GMT 2:00]
Eseguito da: c:\users\Paolo\Desktop\abc.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SHELLLNK.TLB

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hkmsvc


((((((((((((((((((((((((( Files Creati Da 2010-06-01 al 2010-07-01 )))))))))))))))))))))))))))))))))))
.

2010-07-01 07:50 . 2010-07-01 07:54 -------- d-----w- c:\users\Paolo\AppData\Local\temp
2010-07-01 07:50 . 2010-07-01 07:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-08 17:35 . 2010-06-08 17:35 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 07:54 . 2010-05-13 18:27 -------- d-----w- c:\users\Paolo\AppData\Roaming\Dropbox
2010-07-01 07:31 . 2009-05-09 11:38 689234 ----a-w- c:\windows\system32\perfh010.dat
2010-07-01 07:31 . 2009-05-09 11:38 124422 ----a-w- c:\windows\system32\perfc010.dat
2010-06-23 17:16 . 2009-11-14 12:28 -------- d-----w- c:\users\Paolo\AppData\Roaming\vlc
2010-06-16 15:16 . 2009-11-17 10:13 -------- d-----w- c:\program files\FCM
2010-05-28 08:17 . 2010-05-28 08:17 -------- d-----w- c:\program files\EPSON
2010-05-21 12:14 . 2009-11-13 20:00 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-13 18:27 . 2010-05-13 18:27 89831 ----a-w- c:\users\Paolo\AppData\Roaming\Dropbox\bin\Uninstall.exe
2010-05-10 18:37 . 2010-05-10 18:37 50354 ----a-w- c:\users\Paolo\AppData\Roaming\Facebook\uninstall.exe
2010-05-10 18:37 . 2010-05-10 18:37 -------- d-----w- c:\users\Paolo\AppData\Roaming\Facebook
2009-03-27 04:24 . 2009-04-22 05:58 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-04-22 05:19 . 2009-04-22 03:40 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7100.0_none_624b25e9a4cb0444\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Paolo\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Paolo\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Paolo\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate]
@="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}"
[HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}]
2009-04-22 05:21 441856 ----a-w- c:\windows\System32\ntshrui.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-22 1174016]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-04-22 349184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\users\Paolo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Paolo\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Avvio veloce di Adobe Reader.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

R3 1394ohci;1394 OHCI Compliant Host Controller;c:\windows\system32\DRIVERS\1394ohci.sys [2009-04-22 162816]
R3 AcpiPmi;ACPI Power Meter Driver;c:\windows\system32\DRIVERS\acpipmi.sys [2009-04-22 9728]
R3 adp94xx;adp94xx;c:\windows\system32\DRIVERS\adp94xx.sys [2009-04-22 422992]
R3 adpahci;adpahci;c:\windows\system32\DRIVERS\adpahci.sys [2009-04-22 297552]
R3 amdsata;amdsata;c:\windows\system32\DRIVERS\amdsata.sys [2009-04-22 77904]
R3 amdsbs;amdsbs;c:\windows\system32\DRIVERS\amdsbs.sys [2009-04-22 159312]
R3 AppID;Driver AppID;c:\windows\system32\drivers\appid.sys [2009-04-22 50176]
R3 AppIDSvc;Identità applicazione;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 Appinfo;Informazioni applicazioni;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 arcsas;arcsas;c:\windows\system32\DRIVERS\arcsas.sys [2009-04-22 86608]
R3 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\DRIVERS\bxvbdx.sys [2009-04-22 430080]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2009-04-22 229888]
R3 BDESVC;Servizio di crittografia unità BitLocker;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\DRIVERS\BrFiltLo.sys [2009-04-22 13568]
R3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\DRIVERS\BrFiltUp.sys [2009-04-22 5248]
R3 Brserid;Brother MFC Serial Port Interface Driver (WDM);c:\windows\System32\Drivers\Brserid.sys [2009-04-22 272128]
R3 BrSerWdm;Brother WDM Serial driver;c:\windows\System32\Drivers\BrSerWdm.sys [2009-04-22 62336]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\System32\Drivers\BrUsbMdm.sys [2009-04-22 12160]
R3 circlass;Consumer IR Devices;c:\windows\system32\DRIVERS\circlass.sys [2009-04-22 37888]
R3 defragsvc;Utilità di deframmentazione dischi;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 DXGKrnl;LDDM Graphics Subsystem;c:\windows\System32\drivers\dxgkrnl.sys [2009-04-22 720384]
R3 ebdrv;Broadcom NetXtreme II 10 GigE VBD;c:\windows\system32\DRIVERS\evbdx.sys [2009-04-22 3100160]
R3 elxstor;elxstor;c:\windows\system32\DRIVERS\elxstor.sys [2009-04-22 453712]
R3 Filetrace;Filetrace;c:\windows\system32\drivers\filetrace.sys [2009-04-22 28160]
R3 FontCache;Servizio cache tipi di carattere Windows;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 FsDepends;File System Dependency Minifilter;c:\windows\system32\drivers\FsDepends.sys [2009-04-22 45648]
R3 hcw85cir;Hauppauge Consumer Infrared Receiver;c:\windows\system32\drivers\hcw85cir.sys [2009-04-22 26624]
R3 HpSAMD;HpSAMD;c:\windows\system32\DRIVERS\HpSAMD.sys [2009-04-22 67152]
R3 iaStorV;iaStorV;c:\windows\system32\DRIVERS\iaStorV.sys [2009-04-22 332368]
R3 IPBusEnum;Enumeratore bus IP PnP-X;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 IPMIDRV;IPMIDRV;c:\windows\system32\DRIVERS\IPMIDrv.sys [2009-04-22 65536]
R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\DRIVERS\msiscsi.sys [2009-04-22 186960]
R3 KeyIso;Isolamento chiavi CNG;c:\windows\system32\lsass.exe [2009-04-22 22528]
R3 KtmRm;KtmRm per Distributed Transaction Coordinator;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 lltdsvc;Mapper individuazione topologia livelli di collegamento;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 LSI_FC;LSI_FC;c:\windows\system32\DRIVERS\lsi_fc.sys [2009-04-22 95824]
R3 LSI_SAS;LSI_SAS;c:\windows\system32\DRIVERS\lsi_sas.sys [2009-04-22 89168]
R3 LSI_SAS2;LSI_SAS2;c:\windows\system32\DRIVERS\lsi_sas2.sys [2009-04-22 54864]
R3 LSI_SCSI;LSI_SCSI;c:\windows\system32\DRIVERS\lsi_scsi.sys [2009-04-22 96848]
R3 megasas;megasas;c:\windows\system32\DRIVERS\megasas.sys [2009-04-22 30800]
R3 mpio;mpio;c:\windows\system32\DRIVERS\mpio.sys [2009-04-22 130640]
R3 msahci;msahci;c:\windows\system32\DRIVERS\msahci.sys [2009-04-22 27728]
R3 msdsm;msdsm;c:\windows\system32\DRIVERS\msdsm.sys [2009-04-22 115792]
R3 mshidkmdf;Pass-through HID to KMDF Filter Driver;c:\windows\System32\drivers\mshidkmdf.sys [2009-04-22 4096]
R3 MSiSCSI;Servizio iniziatore iSCSI Microsoft;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 MsRPC;MsRPC; [x]
R3 MTConfig;Microsoft Input Configuration Driver;c:\windows\system32\DRIVERS\MTConfig.sys [2009-04-22 12288]
R3 NativeWifiP;NativeWiFi Filter;c:\windows\system32\DRIVERS\nwifi.sys [2009-04-22 267264]
R3 NdisCap;NDIS Capture LightWeight Filter;c:\windows\system32\DRIVERS\ndiscap.sys [2009-04-22 27136]
R3 nfrd960;nfrd960;c:\windows\system32\DRIVERS\nfrd960.sys [2009-04-22 44624]
R3 nvstor;nvstor;c:\windows\system32\DRIVERS\nvstor.sys [2009-04-22 142416]
R3 PcaSvc;Servizio Risoluzione problemi compatibilità programmi;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 PeerDistSvc;BranchCache;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 pla;Avvisi e registri di prestazioni;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 PNRPAutoReg;Servizio di pubblicazione nome computer PNRP;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 ql2300;ql2300;c:\windows\system32\DRIVERS\ql2300.sys [2009-04-22 1383504]
R3 ql40xx;ql40xx;c:\windows\system32\DRIVERS\ql40xx.sys [2009-04-22 105552]
R3 s3cap;s3cap;c:\windows\system32\DRIVERS\vms3cap.sys [2009-04-22 5632]
R3 scfilter;Driver di filtro della classe Plug and Play smart card;c:\windows\system32\DRIVERS\scfilter.sys [2009-04-22 26624]
R3 SCPolicySvc;Criterio rimozione smart card;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 SDRSVC;Windows Backup;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 SensrSvc;Luminosità adattiva;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 sffp_mmc;SFF Storage Protocol Driver for MMC;c:\windows\system32\DRIVERS\sffp_mmc.sys [2009-04-22 12288]
R3 SiSRaid4;SiSRaid4;c:\windows\system32\DRIVERS\sisraid4.sys [2009-04-22 77904]
R3 Smb;Protocollo TCP/IP e TCP/IPv6 orientato ai messaggi (sessione SMB);c:\windows\system32\DRIVERS\smb.sys [2009-04-22 71168]
R3 sppuinotify;Servizio di notifica SPP;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 stexstor;stexstor;c:\windows\system32\DRIVERS\stexstor.sys [2009-04-22 21072]
R3 storvsc;storvsc;c:\windows\system32\DRIVERS\storvsc.sys [2009-04-22 28240]
R3 TabletInputService;Servizio di input Tablet PC;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 TBS;Servizi di base TPM;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 THREADORDER;Server di ordinamento thread;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 TrustedInstaller;Programma di installazione dei moduli di Windows;c:\windows\servicing\TrustedInstaller.exe [2009-04-22 204800]
R3 UI0Detect;Rilevamento servizi interattivi;c:\windows\system32\UI0Detect.exe [2009-04-22 35840]
R3 uliagpkx;Uli AGP Bus Filter;c:\windows\system32\DRIVERS\uliagpkx.sys [2009-04-22 57424]
R3 usbcir;eHome Infrared Receiver (USBCIR);c:\windows\system32\DRIVERS\usbcir.sys [2009-04-22 86016]
R3 VaultSvc;Gestione credenziali;c:\windows\system32\lsass.exe [2009-04-22 22528]
R3 vhdmp;vhdmp;c:\windows\system32\DRIVERS\vhdmp.sys [2009-04-22 158288]
R3 ViaC7;VIA C7 Processor Driver;c:\windows\system32\DRIVERS\viac7.sys [2009-04-22 52736]
R3 vmbus;vmbus;c:\windows\system32\DRIVERS\vmbus.sys [2009-04-22 175824]
R3 VMBusHID;VMBusHID;c:\windows\system32\DRIVERS\VMBusHID.sys [2009-04-22 17920]
R3 vwifibus;Driver bus WiFi virtuale;c:\windows\System32\drivers\vwifibus.sys [2009-04-22 19968]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [2009-04-22 21632]
R3 wbengine;Servizio modulo di backup a livello di blocco;c:\windows\system32\wbengine.exe [2009-04-22 1203200]
R3 WbioSrvc;Servizio di biometria Windows;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 wcncsvc;Windows Connect Now - Registro configurazioni;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 WcsPlugInService;Sistema colori Windows;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 Wd;Wd;c:\windows\system32\DRIVERS\wd.sys [2009-04-22 19024]
R3 Wecsvc;Raccolta eventi Windows;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 wercplsupport;Segnalazioni di problemi e soluzioni nel Pannello di controllo;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 WerSvc;Servizio Segnalazione errori Windows;c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 WIMMount;WIMMount;c:\windows\system32\drivers\wimmount.sys [2009-04-22 19024]
R3 WinRM;Gestione remota Windows (WS-Management);c:\windows\System32\svchost.exe [2009-04-22 20992]
R3 Wlansvc;Configurazione automatica WLAN;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 WPCSvc;Parental Controls;c:\windows\system32\svchost.exe [2009-04-22 20992]
R3 WwanSvc;Configurazione automatica WWAN;c:\windows\system32\svchost.exe [2009-04-22 20992]
R4 Mcx2Svc;Servizio Media Center Extender;c:\windows\system32\svchost.exe [2009-04-22 20992]
S0 amdxata;amdxata;c:\windows\system32\DRIVERS\amdxata.sys [2009-04-22 23120]
S0 CLFS;Registro comune (CLFS);c:\windows\System32\CLFS.sys [2009-04-22 249424]
S0 CNG;CNG;c:\windows\System32\Drivers\cng.sys [2009-04-22 369056]
S0 FileInfo;File Information FS MiniFilter;c:\windows\system32\drivers\fileinfo.sys [2009-04-22 58448]
S0 fvevol;Driver filtro Crittografia unità BitLocker;c:\windows\System32\DRIVERS\fvevol.sys [2009-04-22 194488]
S0 hwpolicy;Hardware Policy Driver;c:\windows\System32\drivers\hwpolicy.sys [2009-04-22 13904]
S0 KSecPkg;KSecPkg;c:\windows\System32\Drivers\ksecpkg.sys [2009-04-22 133200]
S0 msisadrv;msisadrv;c:\windows\system32\DRIVERS\msisadrv.sys [2009-04-22 13904]
S0 pcw;Performance Counters for Windows Driver;c:\windows\System32\drivers\pcw.sys [2009-04-22 42576]
S0 rdyboost;ReadyBoost;c:\windows\System32\drivers\rdyboost.sys [2009-04-22 173648]
S0 spldr;Security Processor Loader Driver; [x]
S0 storflt;Driver di filtro accelerazione bus macchina virtuale disco;c:\windows\system32\DRIVERS\vmstorfl.sys [2009-04-22 40912]
S0 vdrvroot;Driver enumeratore unità virtuale Microsoft;c:\windows\system32\DRIVERS\vdrvroot.sys [2009-04-22 32848]
S0 volmgr;Driver archiviazione volumi;c:\windows\system32\DRIVERS\volmgr.sys [2009-04-22 52304]
S0 volmgrx;Gestore volumi dinamici;c:\windows\System32\drivers\volmgrx.sys [2009-04-22 297040]
S0 vsmraid;vsmraid;c:\windows\system32\DRIVERS\vsmraid.sys [2009-04-22 141904]
S1 blbdrive;blbdrive;c:\windows\system32\DRIVERS\blbdrive.sys [2009-04-22 35328]
S1 CSC;Driver di File non in linea;c:\windows\system32\drivers\csc.sys [2009-04-22 387584]
S1 DfsC;DFS Namespace Client Driver;c:\windows\system32\Drivers\dfsc.sys [2009-04-22 78336]
S1 discache;System Attribute Cache;c:\windows\system32\drivers\discache.sys [2009-04-22 32768]
S1 nsiproxy;NSI proxy service driver.;c:\windows\system32\drivers\nsiproxy.sys [2009-04-22 16896]
S1 RDPENCDD;RDP Encoder Mirror Driver;c:\windows\system32\drivers\rdpencdd.sys [2009-04-22 6656]
S1 RDPREFMP;Reflector Display Driver used to gain access to graphics data;c:\windows\system32\drivers\rdprefmp.sys [2009-04-22 7168]
S1 tdx;Driver di supporto TDI legacy NetIO;c:\windows\system32\DRIVERS\tdx.sys [2009-04-22 74240]
S1 Wanarpv6;Driver ARP IPv6 di accesso remoto;c:\windows\system32\DRIVERS\wanarp.sys [2009-04-22 63488]
S1 WfpLwf;WFP Lightweight Filter;c:\windows\system32\DRIVERS\wfplwf.sys [2009-04-22 9728]
S2 AudioEndpointBuilder;Generatore endpoint audio di Windows;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 BFE;BFE (Base Filtering Engine);c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 CscService;File non linea;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 DPS;Servizio Criteri di diagnostica;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 gpsvc;Client di Criteri di gruppo;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 IKEEXT;Moduli di impostazione chiavi IPSec IKE e Auth-IP;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 iphlpsvc;Helper IP;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;c:\windows\system32\DRIVERS\lltdio.sys [2009-04-22 48128]
S2 luafv;Virtualizzazione file controllo dell'account utente;c:\windows\system32\drivers\luafv.sys [2009-04-22 86528]
S2 MMCSS;Utilità di pianificazione classi multimediali;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 MpsSvc;Windows Firewall;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 NlaSvc;Riconoscimento presenza in rete;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 nsi;Servizio Interfaccia archivio di rete;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 PEAUTH;PEAUTH;c:\windows\system32\drivers\peauth.sys [2009-04-22 586752]
S2 Power;Alimentazione;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 ProfSvc;Servizio profili utente;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 RpcEptMapper;Agente mapping endpoint RPC;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 sppsvc;Protezione software;c:\windows\system32\sppsvc.exe [2009-04-22 3179520]
S2 SysMain;Ottimizzazione avvio;c:\windows\system32\svchost.exe [2009-04-22 20992]
S2 tcpipreg;TCP/IP Registry Compatibility;c:\windows\system32\drivers\tcpipreg.sys [2009-04-22 34816]
S2 UxSms;Gestione sessione di Gestione finestre desktop;c:\windows\System32\svchost.exe [2009-04-22 20992]
S2 WinDefend;Windows Defender;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 bowser;Driver di supporto del browser;c:\windows\system32\DRIVERS\bowser.sys [2009-04-22 69632]
S3 CertPropSvc;Propagazione certificati;c:\windows\system32\svchost.exe [2009-04-22 20992]
S3 CompositeBus;Driver enumeratore bus composito;c:\windows\system32\DRIVERS\CompositeBus.sys [2009-04-22 31232]
S3 fdPHost;Host provider di individuazione funzioni;c:\windows\system32\svchost.exe [2009-04-22 20992]
S3 FDResPub;Pubblicazione risorse per individuazione;c:\windows\system32\svchost.exe [2009-04-22 20992]
S3 HomeGroupListener;Listener Gruppo Home;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 HomeGroupProvider;Provider Gruppo Home;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 monitor;Servizio driver funzioni di classe monitor Microsoft;c:\windows\system32\DRIVERS\monitor.sys [2009-04-22 23552]
S3 mpsdrv;Driver di autorizzazione di Windows Firewall;c:\windows\system32\drivers\mpsdrv.sys [2009-04-22 60416]
S3 mrxsmb10;Mini-redirector SMB 1.x;c:\windows\system32\DRIVERS\mrxsmb10.sys [2009-04-22 220672]
S3 mrxsmb20;Mini-redirector SMB 2.0;c:\windows\system32\DRIVERS\mrxsmb20.sys [2009-04-22 94720]
S3 netprofm;Servizio Elenco reti;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 RasAgileVpn;WAN Miniport (IKEv2);c:\windows\system32\DRIVERS\AgileVpn.sys [2009-04-22 49152]
S3 rdpbus;Remote Desktop Device Redirector Bus Driver;c:\windows\system32\DRIVERS\rdpbus.sys [2009-04-22 18432]
S3 SessionEnv;Remote Desktop Configuration;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 srv2;Driver server SMB 2.xxx;c:\windows\system32\DRIVERS\srv2.sys [2009-09-10 306688]
S3 srvnet;srvnet;c:\windows\system32\DRIVERS\srvnet.sys [2009-04-22 113664]
S3 tssecsrv;Remote Desktop Services Security Filter Driver;c:\windows\system32\DRIVERS\tssecsrv.sys [2009-04-22 30208]
S3 tunnel;Driver scheda Microsoft Tunnel Miniport;c:\windows\system32\DRIVERS\tunnel.sys [2009-04-22 108032]
S3 umbus;Driver enumeratore UMBus;c:\windows\system32\DRIVERS\umbus.sys [2009-04-22 39936]
S3 UmRdpService;Redirector porta UserMode di Servizi Desktop remoto;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 WdiServiceHost;Host servizio di diagnostica;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 WdiSystemHost;Host sistema di diagnostica;c:\windows\System32\svchost.exe [2009-04-22 20992]
S3 WPDBusEnum;Servizio enumeratore dispositivi mobili;c:\windows\system32\svchost.exe [2009-04-22 20992]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
RPCSS REG_MULTI_SZ RpcEptMapper RpcSs
defragsvc REG_MULTI_SZ defragsvc
WerSvcGroup REG_MULTI_SZ wersvc
LocalServiceNoNetwork REG_MULTI_SZ DPS PLA BFE mpssvc WwanSvc
swprv REG_MULTI_SZ swprv
LocalServicePeerNet REG_MULTI_SZ PNRPSvc p2pimsvc p2psvc PnrpAutoReg
NetworkServiceAndNoImpersonation REG_MULTI_SZ KtmRm
regsvc REG_MULTI_SZ RemoteRegistry
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS AppIDSvc FontCache fdrespub QWAVE wcncsvc Mcx2Svc SensrSvc
DcomLaunch REG_MULTI_SZ Power PlugPlay DcomLaunch
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent
sdrsvc REG_MULTI_SZ sdrsvc
WbioSvcGroup REG_MULTI_SZ WbioSrvc
wcssvc REG_MULTI_SZ WcsPlugInService
secsvcs REG_MULTI_SZ WinDefend
AxInstSVGroup REG_MULTI_SZ AxInstSV
PeerDist REG_MULTI_SZ PeerDistSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Nla
NWCWorkstation
SRService
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
EapHost
wercplsupport
ProfSvc
winmgmt
SessionEnv
schedule
browser
BDESVC
Themes
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
homegrouplistener


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
WdiServiceHost
sppuinotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetworkService
lanmanworkstation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
BthHFSrv
homegroupprovider

.
Contenuto della cartella 'Scheduled Tasks'
.
.
------- Scansione supplementare -------
.
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Paolo\AppData\Roaming\Mozilla\Firefox\Profiles\ewavz4yr.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\Paolo\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-sacsvr
SafeBoot-vmms



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 09:53
Windows 6.1.7100 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261
Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 09:54
Windows 6.1.7100 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 09:54
Windows 6.1.7100 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 09:54
Windows 6.1.7100 NTFS

detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3864)
c:\users\Paolo\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\sdclt.exe
.
**************************************************************************
.
Completion time: 2010-07-01 10:00:12 - the machine was rebooted
ComboFix-quarantined-files.txt 2010-07-01 08:00

Pre-Run: 59.646.820.352 bytes free
Post-Run: 63.069.884.416 bytes free

- - End Of File - - 907C0BDF748BA29BE502862F74AAA8CC

Notebook PC (which, I think, has serious problems: formatted not long ago, it ran perfectly; today I noticed that Avira shows its umbrella closed even though it reports as active, it is exasperatingly slow on every command, and the ComboFix scan took about 1 hour and it never rebooted):
ComboFix 10-06-30.03 - Salvatore Vullo 01/07/10 10.52.10.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1022.698 [GMT 2:00]
Running from: c:\documents and settings\Salvatore Vullo\Desktop\abc.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))))))
.

2010-07-01 08:09 . 2010-07-01 08:09 -------- d-s---w- c:\documents and settings\Salvatore Vullo\UserData
2010-06-23 18:25 . 2010-06-23 18:26 -------- d-----w- c:\programmi\Windows Media Connect 2
2010-06-23 18:23 . 2010-06-23 18:24 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-06-19 12:51 . 2010-06-19 12:51 503808 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a3e6d18-n\msvcp71.dll
2010-06-19 12:51 . 2010-06-19 12:51 499712 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a3e6d18-n\jmc.dll
2010-06-19 12:51 . 2010-06-19 12:51 348160 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a3e6d18-n\msvcr71.dll
2010-06-19 12:51 . 2010-06-19 12:51 61440 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-645d47f9-n\decora-sse.dll
2010-06-19 12:51 . 2010-06-19 12:51 12800 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-645d47f9-n\decora-d3d.dll
2010-06-19 12:51 . 2010-06-19 12:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-19 09:48 . 2010-06-19 09:48 -------- d-----w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Nero
2010-06-15 10:18 . 2010-06-23 18:23 -------- d-----w- c:\windows\system32\LogFiles
2010-06-15 10:09 . 2010-06-23 18:42 -------- d-----w- c:\programmi\Microsoft ActiveSync
2010-06-15 10:08 . 2010-06-15 10:08 -------- d-----w- c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 08:04 . 2010-02-15 19:57 103448 ----a-w- c:\documents and settings\Salvatore Vullo\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-06-23 17:31 . 2004-08-19 12:00 84354 ----a-w- c:\windows\system32\perfc010.dat
2010-06-23 17:31 . 2004-08-19 12:00 489648 ----a-w- c:\windows\system32\perfh010.dat
2010-06-23 17:05 . 2010-02-16 13:57 -------- d-----w- c:\programmi\Microsoft.NET
2010-06-22 09:53 . 2010-02-15 22:04 -------- d-----w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\vlc
2010-06-19 10:13 . 2010-02-15 16:06 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-05-02 08:06 . 2004-08-19 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-19 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-18 20:58 . 2010-04-18 20:58 29926 ----a-r- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Microsoft\Installer\{6DE721A5-5E89-4D74-994C-652BB3C0672E}\ARPPRODUCTICON.exe
2010-04-18 20:18 . 2010-04-18 20:18 503808 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-49eb6eb2-n\msvcp71.dll
2010-04-18 20:18 . 2010-04-18 20:18 499712 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-49eb6eb2-n\jmc.dll
2010-04-18 20:18 . 2010-04-18 20:18 348160 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-49eb6eb2-n\msvcr71.dll
2010-04-18 20:18 . 2010-04-18 20:18 61440 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51f953db-n\decora-sse.dll
2010-04-18 20:18 . 2010-04-18 20:18 12800 ----a-w- c:\documents and settings\Salvatore Vullo\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51f953db-n\decora-d3d.dll
2010-04-16 16:06 . 2004-08-19 12:00 669696 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:06 . 2004-08-19 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-12 15:29 . 2010-04-18 20:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nokia Internet Modem"="c:\programmi\Nokia\Nokia Internet Modem\WellPhone2.exe" [2009-11-09 1962648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-19 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 339968]
"Cpqset"="c:\programmi\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"HP Software Update"="c:\programmi\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\programmi\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"hpWirelessAssistant"="c:\programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2009-11-10 417792]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programs\\RM.exe"=
"c:\\Programs\\Studio.exe"=
"c:\\Programs\\umi.exe"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\wcescomm.exe"= c:\programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [15/02/10 6.09.26 200192]
S3 nokiacpo;Nokia Internet Stick Wireless Modem Service Install;c:\windows\system32\drivers\nokiacpo.sys [05/08/09 6.03.02 18688]
S3 nokiappo;Nokia Internet Stick Wireless Modem Power Policy Service;c:\windows\system32\drivers\nokiappo.sys [05/08/09 6.03.02 27008]
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Salvatore Vullo\Dati applicazioni\Mozilla\Firefox\Profiles\1o81s1ip.default\
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 11:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programmi\HPQ\Default Settings\cpqset.exe????????????4?5?5?4??????? ???B?????????????hLC????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-725345543-839522115-1004\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1390067357-725345543-839522115-1004\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1390067357-725345543-839522115-1004\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1390067357-725345543-839522115-1004\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1390067357-725345543-839522115-1004\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000002
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-01 12:15:12
ComboFix-quarantined-files.txt 2010-07-01 10:14

Pre-Run: 80.004.808.704 bytes free
Post-Run: 81.965.969.408 bytes free

- - End Of File - - AB3085044E5F9EB31AF7CEE387B55FD6

Let's hope for the best. Thanks in advance.

:roll: :roll: :roll: :roll: :roll: :roll: :roll: :roll: :roll: :roll: :roll: :roll:
faker
Senior User
 
Posts: 454
Joined: 03/03/04 22:19

Re: PC inaccessibile

Post by Luke57 » 01/07/10 12:16

Hi, as a further check,
download and install Malwarebytes on the PCs.
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
Update it: click the "Update" tab => "Check for updates"
Run a "Full scan" (select that option)
When the scan has finished, click OK => Show Results.
Make sure everything is selected and click Remove Selected.
If it asks you to reboot, reboot to complete the cleanup.
Post the reports produced by Malwarebytes.
Luke57
Moderator
 
Posts: 6410
Joined: 11/08/05 19:10

Re: PC inaccessibile

Post by faker » 01/07/10 21:36

Luke57 wrote: Hi, as a further check,
download and install Malwarebytes on the PCs.
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
Update it: click the "Update" tab => "Check for updates"
Run a "Full scan" (select that option)
When the scan has finished, click OK => Show Results.
Make sure everything is selected and click Remove Selected.
If it asks you to reboot, reboot to complete the cleanup.
Post the reports produced by Malwarebytes.


OK, done, here are the logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4265

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

01/07/10 10.25.24
mbam-log-2010-07-01 (10-25-24).txt

Scan type: Full scan (C:\|)
Objects scanned: 169611
Time elapsed: 1 hour(s), 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Adware.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Salvatore Vullo\Desktop\HTC\Spb Backup\setup.exe (Adware.Agent) -> No action taken.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4265

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

01/07/10 10.26.55
mbam-log-2010-07-01 (10-26-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 169611
Time elapsed: 1 hour(s), 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Salvatore Vullo\Desktop\HTC\Spb Backup\setup.exe (Adware.Agent) -> Quarantined and deleted successfully.

Maybe it all went well: Antivir is back with its umbrella open and the PC has returned to its previous performance. The scan took an hour and a half and I also rebooted. Thank you immensely for the help: in a few days I leave for the holidays and I really did not feel like reformatting the PC with all the things I still have pending........

:) :) :) :) :) :) :) :)
faker
Senior User
 
Posts: 454
Joined: 03/03/04 22:19

