explorer.exe and winlogon.exe

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: kadosh, Luke57

explorer.exe and winlogon.exe

Post by lupin86 » 26/10/10 12:23

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13.19.46, on 26/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Programmi\Avira\AntiVir Desktop\avshadow.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Option\Option WWAN Driver 5.0.29.0 Installer\GtDetectSc.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\SupportAppXL\onda_mon.exe
C:\Programmi\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\PersistenceThread.exe
C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programmi\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\msnmsgr .exe
C:\Programmi\Acer\Acer VCM\AcerVCM.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programmi\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\File comuni\Logishrd\LQCVFX\COCIManager.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\plugin-container.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w57114690
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/webhp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w57114690
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w57114690
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Cerca Italia Toolbar - {45dd02aa-87d3-441a-9e77-068f8fa93fc8} - C:\Programmi\Cerca_Italia\tbCer1.dll
R3 - URLSearchHook: (no name) - {fc600575-3013-4e8e-941c-4b00dafce730} - (no file)
R3 - URLSearchHook: Softonic-IT Toolbar - {e3393495-8103-46a0-8181-270273eddd60} - C:\Programmi\Softonic-IT\tbSof0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Cerca Italia Toolbar - {45dd02aa-87d3-441a-9e77-068f8fa93fc8} - C:\Programmi\Cerca_Italia\tbCer1.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Programmi\SGPSA\SearchAssistant.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programmi\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Softonic-IT Toolbar - {e3393495-8103-46a0-8181-270273eddd60} - C:\Programmi\Softonic-IT\tbSof0.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Programmi\SGPSA\BHO.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Programmi\Fast Browser Search\IE\FBStoolbar.dll
O3 - Toolbar: Cerca Italia Toolbar - {45dd02aa-87d3-441a-9e77-068f8fa93fc8} - C:\Programmi\Cerca_Italia\tbCer1.dll
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Programmi\Fast Browser Search\IE\FBStoolbar.dll
O3 - Toolbar: Softonic-IT Toolbar - {e3393495-8103-46a0-8181-270273eddd60} - C:\Programmi\Softonic-IT\tbSof0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PersistenceThread] C:\WINDOWS\system32\PersistenceThread.exe
O4 - HKLM\..\Run: [MobileConnect] C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryBooster] "C:\Programmi\Uniblue\RegistryBooster\launcher.exe" delay 20000
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr .exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer VCM.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica i video con Free Download Manager - file://C:\Programmi\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Scarica selezionati con Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: 4APoker - {47DDC1F4-8611-4f89-806E-3CBD8B7F924F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: 4APoker - {47DDC1F4-8611-4f89-806E-3CBD8B7F924F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted IP range: http://87.28.72.25
O15 - Trusted IP range: http://82.63.175.253
O15 - Trusted IP range: http://82.104.5.56
O15 - Trusted IP range: http://95.226.123.147
O15 - Trusted IP range: http://95.227.242.48
O15 - Trusted IP range: http://79.14.77.40
O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} (Remote200 Control) - http://87.28.72.25:81/RemoteWeb.cab
O16 - DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} (CViewerControl Object) - http://87.28.72.25:81/VideoViewer.cab
O20 - AppInit_DLLs: mapiprf.dll wlanutil.dll
O20 - Winlogon Notify: igdlogin - igdlogin.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GtDetectSc - OptionNV - C:\Programmi\Option\Option WWAN Driver 5.0.29.0 Installer\GtDetectSc.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Programmi\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: ONDA Autorun CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppXL\onda_mon.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Programmi\Acer\Acer VCM\RS_Service.exe
O23 - Service: ServiceLayer - Nokia - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 13208 bytes

Hi guys,

I'm having some problems: the desktop freezes, and at startup explorer.exe doesn't start because it's infected. Can you tell me what I need to remove from the scan? I'm desperate :(
lupin86
Newbie

Posts: 4
Joined: 26/10/10 12:02
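As an added example (it is not part of the original thread and is not a HijackThis or ComboFix feature), the Python script below parses HijackThis lines like those in the log above and attaches review flags to the kinds of entries a helper looks at first: dangling registrations pointing at files that no longer exist, Winsock LSP DLLs HijackThis cannot attribute, Trusted Zone additions, ActiveX downloads from bare IP addresses, a non-empty AppInit_DLLs value and services with no recognised publisher. The sample lines are copied from this thread's log, with a Java BHO and an Avira service added as clean negatives; the flag names and heuristics are my own, and a flag is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log in this thread,
# plus a benign Java BHO and a signed Avira service as negative cases.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {fc600575-3013-4e8e-941c-4b00dafce730} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr .exe" /background
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted IP range: http://87.28.72.25
O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} (Remote200 Control) - http://87.28.72.25:81/RemoteWeb.cab
O20 - AppInit_DLLs: mapiprf.dll wlanutil.dll
O20 - Winlogon Notify: igdlogin - igdlogin.dll (file missing)
O23 - Service: ONDA Autorun CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppXL\onda_mon.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
"""

# Every HijackThis finding starts with a section code (R0..R3, O1..O24),
# a " - " separator and the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# URL whose host is a bare IPv4 address rather than a hostname.
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per distinct finding, in log order.

    HijackThis prints an identical O10 line for every LSP layer that
    references the same DLL, so exact duplicate lines are collapsed.
    """
    entries, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m or line in seen:
            continue
        seen.add(line)
        entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Attach review flags (heuristics, not verdicts) and return the flagged entries."""
    for e in entries:
        b = e.body
        # Registration left behind by a component that is no longer on disk.
        if "(file missing)" in b or "(no file)" in b:
            e.flags.append("dangling-registration")
        # Winsock LSP DLL that HijackThis cannot attribute to a known product.
        if e.section == "O10" and b.startswith("Unknown file in Winsock LSP"):
            e.flags.append("unknown-lsp")
        # Trusted Zone entries relax IE's security settings for that host;
        # the user should recognise every one of them.
        if e.section == "O15":
            e.flags.append("trusted-zone-entry")
        # ActiveX control fetched from a bare IP instead of a named host.
        if e.section == "O16" and RAW_IP_URL.search(b):
            e.flags.append("activex-from-raw-ip")
        # AppInit_DLLs loads the listed DLLs into every process that maps user32.dll.
        if e.section == "O20" and b.startswith("AppInit_DLLs:") and b.split(":", 1)[1].strip():
            e.flags.append("appinit-dlls-set")
        # Service binary with no recognised publisher.
        if e.section == "O23" and "Unknown owner" in b:
            e.flags.append("service-unknown-owner")
    return [e for e in entries if e.flags]


def flags_by_section(text):
    """Map section code -> sorted list of flags raised in that section."""
    out = {}
    for e in triage(parse_hjt(text)):
        out.setdefault(e.section, set()).update(e.flags)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section:<4}{', '.join(e.flags):<28}{e.body}")
```

Run against the full log, the script narrows a 150-line dump to the handful of O10, O15, O16, O20 and O23 entries plus the orphaned BHO and URLSearchHook registrations, which is the same subset a forum helper would ask about before suggesting any removal. Entries a product installed deliberately (a toolbar the user chose, a vendor's Trusted Zone entry) will still be flagged, so every flag is a question for the machine's owner, not an instruction.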


Re: explorer.exe and winlogon.exe

Post by FDAC » 26/10/10 12:55

Download ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
When you save it you have the option to rename the file: rename the exe to pippo.exe

● put pippo.exe on the Desktop
● disconnect from the Internet
● physically disconnect the modem from the computer
● log into the system in Safe Mode with an account that has Administrator privileges
● launch ComboFix and follow the instructions it gives to run the scan
● without doing anything else, let the tool complete the scan and the log-creation phase
● when the operation is finished, the system will restart automatically (if it doesn't, restart it yourself)

Notes - during the scan:
● some files will be created on the desktop and then deleted
● all the icons on the Desktop will disappear for a moment
● a message about the antivirus in use may be displayed: continue, ignoring the message
● the firewall, if active, may warn that some drivers will be removed (go ahead and allow it)

A log named combofix.txt will be created on Local Disk C:, which you will need to post here.

Once the scan is finished:
● restart the system in normal mode
● physically reconnect the modem to the computer
● connect to the Internet and post the text file

N.B. If you cannot get ComboFix to run in any way, follow these simple steps:

Start > Run, and in the white box copy and paste this command, quotes included:
"%userprofile%\desktop\pippo.exe" /killall
Press OK; the scan should start.
MSN/Email: supercesco94@hotmail.it
Skype: francesco240194
Website: http://windowspertutti.altervista.org
FDAC
Senior User

Posts: 235
Joined: 30/07/10 08:39
Location: Trento

Re: explorer.exe and winlogon.exe

Post by lupin86 » 26/10/10 15:50

I did what you told me, and here's the log!

ComboFix 10-10-25.04 - mauro 26/10/2010  16.03.42.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.39.1040.18.1014.499 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\pippo.exe.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dati applicazioni\Seekapp
c:\documents and settings\All Users\Dati applicazioni\Seekapp\seekapp132.exe
c:\documents and settings\mauro\Dati applicazioni\.#
c:\documents and settings\mauro\Dati applicazioni\Bitrix Security
c:\documents and settings\mauro\Dati applicazioni\Bitrix Security\hsbgz4_shrd
c:\documents and settings\mauro\Dati applicazioni\PriceGong
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\1.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\a.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\b.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\c.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\d.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\e.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\f.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\g.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\h.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\i.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\J.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\k.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\l.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\m.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\mru.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\n.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\o.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\p.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\q.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\r.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\s.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\t.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\u.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\v.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\w.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\x.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\y.xml
c:\documents and settings\mauro\Dati applicazioni\PriceGong\Data\z.xml
c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\dbsra.dat
c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\dbsra_nav.dat
c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\dbsra_navps.dat
c:\documents and settings\NetworkService\Dati applicazioni\Bitrix Security
c:\documents and settings\NetworkService\Dati applicazioni\Bitrix Security\hsbgz4_shrd
c:\documents and settings\NetworkService\Dati applicazioni\Bitrix Security\qnf.txt
c:\documents and settings\NetworkService\Dati applicazioni\Bitrix Security\rstaq
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\1.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\a.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\b.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\c.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\d.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\e.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\f.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\g.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\h.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\i.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\J.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\k.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\l.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\m.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\mru.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\n.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\o.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\p.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\q.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\r.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\s.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\t.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\u.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\v.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\w.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\x.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\y.xml
c:\documents and settings\NetworkService\Dati applicazioni\PriceGong\Data\z.xml
c:\programmi\Fast Browser Search
c:\programmi\Fast Browser Search\IE\1.bat
c:\programmi\Fast Browser Search\IE\about.html
c:\programmi\Fast Browser Search\IE\affid.dat
c:\programmi\Fast Browser Search\IE\basis.xml
c:\programmi\Fast Browser Search\IE\basis_br.xml
c:\programmi\Fast Browser Search\IE\basis_de.xml
c:\programmi\Fast Browser Search\IE\basis_en.xml
c:\programmi\Fast Browser Search\IE\basis_es.xml
c:\programmi\Fast Browser Search\IE\basis_fr.xml
c:\programmi\Fast Browser Search\IE\basis_it.xml
c:\programmi\Fast Browser Search\IE\basis_nr.xml
c:\programmi\Fast Browser Search\IE\basis_pt.xml
c:\programmi\Fast Browser Search\IE\basis_ru.xml
c:\programmi\Fast Browser Search\IE\basis_tr.xml
c:\programmi\Fast Browser Search\IE\BHO.dll
c:\programmi\Fast Browser Search\IE\ClearRecycleBin.exe
c:\programmi\Fast Browser Search\IE\error.html
c:\programmi\Fast Browser Search\IE\FBSPlugin.dll
c:\programmi\Fast Browser Search\IE\fbsProtection.xml
c:\programmi\Fast Browser Search\IE\FbsSearchProvider.xml
c:\programmi\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\programmi\Fast Browser Search\IE\FBStoolbar.dll
c:\programmi\Fast Browser Search\IE\FBStoolbar.exe
c:\programmi\Fast Browser Search\IE\fbstoolbar.jar
c:\programmi\Fast Browser Search\IE\fbstoolbar.manifest
c:\programmi\Fast Browser Search\IE\icons.bmp
c:\programmi\Fast Browser Search\IE\info.txt
c:\programmi\Fast Browser Search\IE\local.xml
c:\programmi\Fast Browser Search\IE\logobg.bmp
c:\programmi\Fast Browser Search\IE\MTWBtoolbar.html
c:\programmi\Fast Browser Search\IE\search.bmp
c:\programmi\Fast Browser Search\IE\search_br.bmp
c:\programmi\Fast Browser Search\IE\search_de.bmp
c:\programmi\Fast Browser Search\IE\search_es.bmp
c:\programmi\Fast Browser Search\IE\search_fr.bmp
c:\programmi\Fast Browser Search\IE\search_it.bmp
c:\programmi\Fast Browser Search\IE\search_pt.bmp
c:\programmi\Fast Browser Search\IE\search_ru.bmp
c:\programmi\Fast Browser Search\IE\SearchAssistant.dll
c:\programmi\Fast Browser Search\IE\SearchGuardPlus.exe
c:\programmi\Fast Browser Search\IE\SearchGuardPlus.ico
c:\programmi\Fast Browser Search\IE\SGPU.ico
c:\programmi\Fast Browser Search\IE\sgpUpdater.exe
c:\programmi\Fast Browser Search\IE\sgpUpdater.xml
c:\programmi\Fast Browser Search\IE\SGPUpdaterS.exe
c:\programmi\Fast Browser Search\IE\tbhelper.dll
c:\programmi\Fast Browser Search\IE\tbs_include_script_003175.js
c:\programmi\Fast Browser Search\IE\tbs_include_script_005064.js
c:\programmi\Fast Browser Search\IE\tbs_include_script_012817.js
c:\programmi\Fast Browser Search\IE\Toolbar Help.htm
c:\programmi\Fast Browser Search\IE\ToolBarBHO.dll
c:\programmi\Fast Browser Search\IE\uninstalSGP.exe
c:\programmi\Fast Browser Search\IE\uninstalSGPU.exe
c:\programmi\Fast Browser Search\IE\update.exe
c:\programmi\Fast Browser Search\IE\version.txt
c:\programmi\Search Guard Plus
c:\programmi\Search Guard Plus\fbsProtection.xml
c:\programmi\Search Guard Plus\fbsSearchProvider.xml
c:\programmi\Search Guard Plus\FbsSearchProviderIE8.exe
c:\programmi\Search Guard Plus\SearchGuardPlus .exe
c:\programmi\Search Guard Plus\SearchGuardPlus.ico
c:\programmi\Search Guard Plus\uninstalSGP.exe
c:\programmi\Search Guard PlusU
c:\programmi\Search Guard PlusU\SGPU.ico
c:\programmi\Search Guard PlusU\sgpUpdater.exe
c:\programmi\Search Guard PlusU\sgpUpdater.xml
c:\programmi\Search Guard PlusU\sgpUpdaters .exe
c:\programmi\Search Guard PlusU\uninstalSGPU.exe
c:\programmi\Seekapp
c:\programmi\SGPSA
c:\programmi\SGPSA\BHO.dll
c:\programmi\SGPSA\SeARchassistant.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000023_.tmp.dll
c:\windows\system32\_000024_.tmp.dll
c:\windows\system32\_000025_.tmp.dll
c:\windows\system32\_000026_.tmp.dll
c:\windows\system32\_000052_.tmp.dll

c:\windows\system32\drivers\udnskagjjup.sys . . . è infetto!! . . . Failed to find a valid replacement.
.
(((((((((((((((((((((((((   Files Creati Da 2010-09-26 al 2010-10-26  )))))))))))))))))))))))))))))))))))
.

2010-10-26 10:45 . 2010-10-26 10:45   --------   d-----w-   c:\windows\system32\MpEngineStore
2010-10-26 10:18 . 2010-10-26 10:40   --------   d-----w-   c:\documents and settings\Administrator
2010-10-26 09:52 . 2010-10-26 09:52   388096   ----a-r-   c:\documents and settings\mauro\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-26 09:52 . 2010-10-26 09:52   --------   d-----w-   c:\programmi\Trend Micro
2010-10-26 07:37 . 2010-10-26 10:44   --------   d-----w-   C:\c4bc3cc01720f909cb60d0df21
2010-10-26 07:20 . 2008-04-14 12:00   1036288   ----a-w-   c:\windows\explorer.exe
2010-10-25 13:25 . 2010-10-25 13:25   12160   ----a-w-   c:\windows\system32\drivers\poqssemt.sys
2010-10-25 06:12 . 2010-10-25 06:12   --------   d--h--w-   c:\windows\PIF
2010-10-25 04:58 . 2010-10-25 04:58   --------   d-----w-   c:\documents and settings\mauro\Dati applicazioni\Avira
2010-10-24 17:28 . 2008-04-14 12:00   510464   ----a-w-   c:\windows\system32\winlogon.exe
2010-10-22 16:21 . 2010-10-22 16:21   --------   d-----r-   c:\documents and settings\LocalService\Preferiti
2010-10-22 15:50 . 2010-10-25 04:58   --------   d-----w-   c:\windows\system32\NtmsData
2010-10-22 15:46 . 2010-09-01 12:22   60936   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-10-22 15:46 . 2010-09-01 12:22   126856   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2010-10-22 15:46 . 2010-06-17 13:28   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2010-10-22 15:46 . 2010-06-17 13:28   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2010-10-22 15:46 . 2010-10-22 15:46   --------   d-----w-   c:\programmi\Avira
2010-10-22 15:46 . 2010-10-22 15:46   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Avira
2010-10-22 12:49 . 2010-10-22 12:49   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\McAfee Security Scan
2010-10-22 12:48 . 2010-10-22 12:48   --------   d-----w-   c:\programmi\McAfee Security Scan
2010-10-22 12:16 . 2010-10-22 12:42   --------   d-----w-   c:\programmi\Wise Registry Cleaner
2010-10-22 06:25 . 2010-10-22 06:25   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\McAfee
2010-10-21 22:31 . 2010-10-21 22:31   --------   d-----w-   c:\documents and settings\mauro\Dati applicazioni\Uniblue
2010-10-20 18:46 . 2010-10-20 18:46   172064   ----a-w-   c:\windows\system32\drivers\str.sys
2010-10-20 18:46 . 2010-10-20 19:09   44416   ----a-w-   c:\windows\system32\drivers\udnskagjjup.sys
2010-10-12 15:27 . 2010-10-12 15:27   --------   d-----w-   c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\Opera
2010-10-12 02:01 . 2010-10-22 12:43   --------   d-----w-   c:\programmi\Opera
2010-10-11 22:52 . 2010-10-11 22:52   --------   d-----w-   c:\documents and settings\roberta\Dati applicazioni\Apple Computer
2010-10-11 22:52 . 2010-10-11 22:52   --------   d-----w-   c:\documents and settings\roberta\Impostazioni locali\Dati applicazioni\Apple Computer
2010-10-08 23:43 . 2004-03-08 22:00   152848   ----a-w-   c:\windows\system32\COMDLG32.OCX
2010-10-08 23:43 . 2010-10-08 23:43   --------   d-----w-   c:\programmi\File comuni\fwc
2010-10-08 23:43 . 2010-10-08 23:44   --------   d-----w-   c:\programmi\Fake Webcam
2010-10-02 23:00 . 2007-10-12 02:00   490008   ----a-w-   c:\windows\system32\LVUI2.dll
2010-10-02 23:00 . 2007-10-12 01:57   195096   ----a-w-   c:\windows\system32\lvci1150.dll
2010-10-02 23:00 . 2007-10-12 01:57   416280   ----a-w-   c:\windows\system32\lvcodec2.dll
2010-10-02 23:00 . 2007-10-12 01:55   1279000   ----a-w-   c:\windows\system32\drivers\LV302V32.SYS
2010-10-02 23:00 . 2007-10-12 02:00   41752   ----a-w-   c:\windows\system32\drivers\LVUSBSta.sys
2010-10-02 23:00 . 2007-10-12 02:00   465432   ----a-w-   c:\windows\system32\LVUI2RC.dll
2010-10-02 23:00 . 2007-10-12 01:18   21138   ----a-w-   c:\windows\system32\Repository.reg
2010-10-02 22:55 . 2010-10-02 23:10   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Logishrd
2010-10-02 22:55 . 2010-10-02 23:06   --------   d-----w-   c:\programmi\File comuni\LogiShrd
2010-10-02 22:54 . 2010-10-02 22:54   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Logitech
2010-10-02 22:54 . 2010-10-02 22:54   --------   d-----w-   c:\programmi\Logitech
2010-10-01 21:14 . 2010-10-01 21:14   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Driver Whiz

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-24 19:29 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6591.tmp
2010-10-24 19:28 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663f.tmp
2010-10-24 19:28 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65fd.tmp
2010-10-24 19:27 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6987.tmp
2010-10-24 19:26 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6584.tmp
2010-10-24 19:25 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6544.tmp
2010-10-24 19:24 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6543.tmp
2010-10-24 19:24 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65a0.tmp
2010-10-24 19:23 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP66c8.tmp
2010-10-24 19:22 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6556.tmp
2010-10-24 19:21 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6583.tmp
2010-10-24 19:21 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP64f5.tmp
2010-10-24 19:20 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6542.tmp
2010-10-24 19:19 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663e.tmp
2010-10-24 19:18 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP664b.tmp
2010-10-24 19:18 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6533.tmp
2010-10-24 19:17 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP64f4.tmp
2010-10-24 19:16 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65c0.tmp
2010-10-24 19:15 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65bf.tmp
2010-10-24 19:15 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6572.tmp
2010-10-24 19:14 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6555.tmp
2010-10-24 19:13 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6571.tmp
2010-10-24 19:12 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP659f.tmp
2010-10-24 19:11 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6570.tmp
2010-10-24 19:11 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6554.tmp
2010-10-24 19:10 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6582.tmp
2010-10-24 19:09 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6699.tmp
2010-10-24 19:08 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP691a.tmp
2010-10-24 19:08 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6553.tmp
2010-10-24 19:07 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP689e.tmp
2010-10-24 19:06 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65be.tmp
2010-10-24 19:05 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663d.tmp
2010-10-24 19:05 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6581.tmp
2010-10-24 19:04 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6968.tmp
2010-10-24 19:03 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6532.tmp
2010-10-24 19:02 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP667b.tmp
2010-10-24 19:01 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP667a.tmp
2010-10-24 19:01 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6590.tmp
2010-10-24 19:00 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663c.tmp
2010-10-24 18:59 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP690a.tmp
2010-10-24 18:58 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6522.tmp
2010-10-24 18:58 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663b.tmp
2010-10-24 18:57 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65ce.tmp
2010-10-24 18:56 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6513.tmp
2010-10-24 18:55 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP689d.tmp
2010-10-24 18:55 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP64c4.tmp
2010-10-24 18:41 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP64f3.tmp
2010-10-24 18:40 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP68fb.tmp
2010-10-24 18:39 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6929.tmp
2010-10-24 18:39 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6580.tmp
2010-10-24 18:38 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6552.tmp
2010-10-24 18:37 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65ed.tmp
2010-10-24 18:36 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6541.tmp
2010-10-24 18:35 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP66d8.tmp
2010-10-24 18:02 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6764.tmp
2010-10-24 18:01 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP665b.tmp
2010-10-24 17:33 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6551.tmp
2010-10-24 17:32 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP67b2.tmp
2010-09-25 14:47 . 2010-09-25 14:47   476672   --sh--w-   c:\windows\system32\mapiprf.dll
2010-09-25 14:47 . 2010-09-25 14:47   60416   --sh--w-   c:\windows\system32\wlanutil.dll
.
[code]<pre>
c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\programmi\AVG\AVG9\avgtray .exe
c:\programmi\CMS\EXE\Open .exe
c:\programmi\CyberLink\PowerDVD8\PDVD8Serv .exe
c:\programmi\CyberLink\PowerDVD8\Language\Language .exe
c:\programmi\DivX\DivX Update\DivXUpdate .exe
c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM .exe
c:\programmi\File comuni\Java\Java Update\jusched .exe
c:\programmi\File comuni\LogiShrd\LComMgr\Communications_Helper .exe
c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\programmi\iTunes\iTunesHelper .exe
c:\programmi\Java\jre6\bin\jusched .exe
c:\programmi\Launch Manager\LManager .exe
c:\programmi\Logitech\QuickCam\Quickcam .exe
c:\programmi\QuickTime\qttask                       .exe
c:\programmi\Realtek\Audio\Drivers\AzMixerSel .exe
c:\programmi\Skype\Phone\Skype .exe
c:\programmi\Synaptics\SynTP\SynTPEnh .exe
c:\programmi\Windows Live\Messenger\msnmsgr .exe
c:\windows\ime\imjp8_1\IMJPMIG .exe
</pre>[/code]

------- Sigcheck -------

[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 510464 . . [------] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 510464 . . [------] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 1036288 . . [------] . . c:\windows\explorer.exe
[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 1036288 . . [------] . . c:\windows\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{45dd02aa-87d3-441a-9e77-068f8fa93fc8}"= "c:\programmi\Cerca_Italia\tbCer1.dll" [2010-10-19 2735200]
"{e3393495-8103-46a0-8181-270273eddd60}"= "c:\programmi\Softonic-IT\tbSof0.dll" [2010-09-13 2735200]

[HKEY_CLASSES_ROOT\clsid\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]

[HKEY_CLASSES_ROOT\clsid\{e3393495-8103-46a0-8181-270273eddd60}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]
2010-10-19 05:35   2735200   ----a-w-   c:\programmi\Cerca_Italia\tbCer1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3393495-8103-46a0-8181-270273eddd60}]
2010-09-13 19:18   2735200   ----a-w-   c:\programmi\Softonic-IT\tbSof0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{45dd02aa-87d3-441a-9e77-068f8fa93fc8}"= "c:\programmi\Cerca_Italia\tbCer1.dll" [2010-10-19 2735200]
"{e3393495-8103-46a0-8181-270273eddd60}"= "c:\programmi\Softonic-IT\tbSof0.dll" [2010-09-13 2735200]

[HKEY_CLASSES_ROOT\clsid\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]

[HKEY_CLASSES_ROOT\clsid\{e3393495-8103-46a0-8181-270273eddd60}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{45DD02AA-87D3-441A-9E77-068F8FA93FC8}"= "c:\programmi\Cerca_Italia\tbCer1.dll" [2010-10-19 2735200]
"{E3393495-8103-46A0-8181-270273EDDD60}"= "c:\programmi\Softonic-IT\tbSof0.dll" [2010-09-13 2735200]

[HKEY_CLASSES_ROOT\clsid\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]

[HKEY_CLASSES_ROOT\clsid\{e3393495-8103-46a0-8181-270273eddd60}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fsm"="" [N/A]
"RegistryBooster"="c:\programmi\Uniblue\RegistryBooster\launcher.exe" [N/A]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-01 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-01 354840]
"PersistenceThread"="c:\windows\system32\PersistenceThread.exe" [2009-05-01 92696]
"MobileConnect"="c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-08-14 2332160]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2010-09-01 281768]
"LogitechCommunicationsManager"="c:\programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\programmi\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acer VCM.lnk - c:\programmi\Acer\Acer VCM\AcerVCM.exe [2009-8-29 565248]
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]
McAfee Security Scan Plus.lnk - c:\programmi\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igdlogin]
2009-04-28 03:44   65536   ----a-w-   c:\windows\system32\igdlogin.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Acer\\Acer VCM\\VC.exe"=
"c:\\Programmi\\CMS\\EXE\\CMS.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\Client Erd\\remote.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Programmi\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Programmi\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr .exe"=

R2 GtDetectSc;GtDetectSc;c:\programmi\Option\Option WWAN Driver 5.0.29.0 Installer\GtDetectSc.exe [04/05/2009 16.49.20 545792]
R2 RS_Service;Raw Socket Service;c:\programmi\Acer\Acer VCM\RS_Service.exe [29/08/2009 5.50.46 237568]
R2 VMCService;Vodafone Mobile Connect Service;c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [14/08/2009 6.01.38 9216]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [08/09/2009 22.24.45 67840]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [08/09/2009 22.24.49 8064]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [29/08/2009 4.47.11 5096544]
S0 gdyqufrocmkojq;gdyqufrocmkojq;c:\windows\system32\drivers\udnskagjjup.sys [20/10/2010 20.46.45 44416]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [15/01/2010 23.29.43 135664]
S2 ONDA Autorun CDROM Monitor;ONDA Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\onda_mon.exe [19/10/2010 9.56.21 86016]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]
S3 GTMMDMUSB;GT M 3G+ USB MDM;c:\windows\system32\drivers\gtmmdmusb.sys [24/08/2010 2.43.11 25472]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [08/09/2009 22.24.51 107776]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [29/08/2009 5.15.16 9728]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\programmi\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 14.49.20 227232]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [12/08/2010 2.55.13 18432]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\DRIVERS\ONDAusbmdm6k.sys --> c:\windows\system32\DRIVERS\ONDAusbmdm6k.sys [?]
S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\DRIVERS\ONDAusbnet.sys --> c:\windows\system32\DRIVERS\ONDAusbnet.sys [?]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\DRIVERS\ONDAusbnmea.sys --> c:\windows\system32\DRIVERS\ONDAusbnmea.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [29/08/2009 4.39.10 164864]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A2BB4630-7F0F-4582-A90F-AB7629202F41}]
c:\documents and settings\NetworkService\Dati applicazioni\Bitrix Security\hsbgz4.dll [N/A]
.
Contenuto della cartella 'Scheduled Tasks'

2010-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]

2010-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-01-15 21:29]

2010-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-01-15 21:29]

2010-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job
- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-10-26 03:28]

2010-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job
- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-10-26 03:28]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/webhp
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&m=ao751h&r=0xph10095506l0353wu45w57114690
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Scarica con Free Download Manager - file://c:\programmi\Free Download Manager\dllink.htm
IE: Scarica i video con Free Download Manager - file://c:\programmi\Free Download Manager\dlfvideo.htm
IE: Scarica selezionati con Free Download Manager - file://c:\programmi\Free Download Manager\dlselected.htm
IE: Scarica tutto con Free Download Manager - file://c:\programmi\Free Download Manager\dlall.htm
IE: {{47DDC1F4-8611-4f89-806E-3CBD8B7F924F}
LSP: bmnet.dll
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://87.28.72.25:81/RemoteWeb.cab
DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://87.28.72.25:81/VideoViewer.cab
FF - ProfilePath - c:\documents and settings\mauro\Dati applicazioni\Mozilla\Firefox\Profiles\autd84wp.default\
FF - prefs.js: browser.search.selectedEngine - Surf Canyon
FF - prefs.js: browser.startup.homepage - www.google.it
FF - component: c:\programmi\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programmi\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

URLSearchHooks-{fc600575-3013-4e8e-941c-4b00dafce730} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-26 16:25
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
Windows 5.1.2600

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xEB5BA000]<< >>UNKNOWN [0xF763D000]<< >>UNKNOWN [0xF762D000]<< >>UNKNOWN [0xF74CE000]<< >>UNKNOWN [0x806E5000]<< >>UNKNOWN [0x86CCCEC5]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D8AAB8]
\Driver\Disk[0x86D6AB90] -> IRP_MJ_CREATE -> 0xF7643BB0
2 [0x804EF1A6] -> UNKNOWN[0xF763DFD7] -> \Device\Harddisk0\DR0[0x86D8AAB8]
3 [0xF763DFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006b[0x86D841E8]
\Driver\ACPI[0x86DA3A20] -> IRP_MJ_CREATE -> 0xF74D4CB8
4 [0x804EF1A6] -> UNKNOWN[0xF74D4620] -> \Device\0000006b[0x86D841E8]
5 [0xF74D4620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86D83D98]
[0x86D83270] -> IRP_MJ_CREATE -> 0x86CCCEC5
6 [0x804EF1A6] -> UNKNOWN[0x86CCCEC8] -> [0x86D83D98]
kernel: MBR read successfully
detected hooks:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS543216L9SA00_________________FB2OC40C#3930383031304246323231304335424541584133#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\Disk -> 0xf7641f28
\Driver\ACPI -> 0xf74d4cb8
\Driver\atapi DriverStartIo -> 0x86CCCAEA
\Driver\atapi -> 0xf748c852
IoDeviceObjectType -> DeleteProcedure -> 0x805836a8
 SecurityProcedure -> 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x805836a8
 SecurityProcedure -> 0x80583d4a
NDIS: Scheda di rete Broadcom 802.11g -> SendCompleteHandler -> 0xf7398bb0
 PacketIndicateHandler -> 0xf7387a0d
 SendHandler -> 0xf739bb40
user & kernel MBR OK
sectors 312581552 (+254): user != kernel

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,59,ce,b8,be,48,5f,48,94,6c,b8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,59,ce,b8,be,48,5f,48,94,6c,b8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\WININET.dll
c:\windows\system32\bmnet.dll
.
Ora fine scansione: 2010-10-26  16:39:49
ComboFix-quarantined-files.txt  2010-10-26 14:39

Pre-Run: 124.221.800.448 byte disponibili
Post-Run: 125.024.727.040 byte disponibili

- - End Of File - - E32A7015EA74CB2110D615A86AC200FC
lupin86
Newbie
 
Posts: 4
Joined: 26/10/10 12:02

Re: explorer.exe and winlogon.exe

Post by Luke57 » 26/10/10 16:23

Hi, copy and paste the following text into Notepad and save the file on the desktop with the name CFScript.txt.

Code:
Driver::
gdyqufrocmkojq

File::
c:\windows\system32\drivers\udnskagjjup.sys



Now drag the CFScript.txt file onto the ComboFix icon. Wait for the scan to finish and post the new ComboFix log.

Also download rkunhooker and save it on the desktop.
http://www.rootkit.com/vault/DiabloNova/RKUnhooker.EXE
Double-click rkunhooker.exe to start it.
Click on the Report tab, then click on Scan.
Tick Drivers and Stealth. Do not tick the rest. Click OK.
Wait for the operations to finish and then click File-Save Report.
Save the report. Click Close.
Attach the report.

N.B. If you get a warning that Rootkit Unhooker contains malware, ignore it. It is a false positive.

Download mbrcheck to the desktop.
http://ad13.geekstogo.com/MBRCheck.exe
Double-click to run it. Wait for it to finish. It will ask you to press ENTER to close.
You will find its log on the desktop. Post it.

Logs to attach: combofix, rkunhooker, mbrcheck
Luke57
Moderator
 
Posts: 6410
Joined: 11/08/05 19:10

Re: explorer.exe and winlogon.exe

Post by lupin86 » 26/10/10 17:52

The link to download rkunhooker is no longer available!
lupin86
Newbie
 
Posts: 4
Joined: 26/10/10 12:02

Re: explorer.exe and winlogon.exe

Post by Luke57 » 26/10/10 19:09

Hi, then run combofix as described, then download Dr.Web Cure it:
http://www.freedrweb.com/download+cureit/gr/?lng=en
Run Dr.Web Cure it and let it fix all the threats it detects (at startup, when the "Enhanced Protection Mode" window appears, press the OK button).
Attach the log; if it is too large, put it here
http://wikisend.com/
and provide the link so it can be viewed.

For any information about Cureit, see here:
http://www.ilsoftware.it/articoli.asp?id=6382


then run mbrcheck.
Luke57
Moderator
 
Posts: 6410
Joined: 11/08/05 19:10

Re: explorer.exe and winlogon.exe

Post by lupin86 » 27/10/10 09:14

Hi, with Drweb it says they have been cured, but the TR is still there.


ComboFix.txt

Code:
ComboFix 10-10-25.04 - mauro 26/10/2010  23.17.36.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.39.1040.18.1014.470 [GMT 2:00]
Eseguito da: c:\documents and settings\mauro\Desktop\pippo.exe.exe
Opzioni usate :: c:\documents and settings\mauro\Desktop\CFScript.txt..txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {0000007F-F204-0013-3094-807C7F000000}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0000007F-F204-0012-3094-807C7F000000}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0012F2B4-5CE9-7C92-0300-000100000000}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\udnskagjjup.sys"
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documenti\Server\admin.txt
c:\documents and settings\All Users\Documenti\Server\server.dat
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\udnskagjjup.sys

c:\windows\system32\drivers\udnskagjjup.sys . . . è infetto!! . . . Failed to find a valid replacement.
.
(((((((((((((((((((((((((((((((((((((((   Driver/Servizi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gdyqufrocmkojq


(((((((((((((((((((((((((   Files Creati Da 2010-09-26 al 2010-10-26  )))))))))))))))))))))))))))))))))))
.

2010-10-26 10:45 . 2010-10-26 10:45   --------   d-----w-   c:\windows\system32\MpEngineStore
2010-10-26 10:18 . 2010-10-26 10:40   --------   d-----w-   c:\documents and settings\Administrator
2010-10-26 09:54 . 2010-10-26 09:56   --------   d-----w-   c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\Adobe
2010-10-26 09:52 . 2010-10-26 09:52   388096   ----a-r-   c:\documents and settings\mauro\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-26 09:52 . 2010-10-26 09:52   --------   d-----w-   c:\programmi\Trend Micro
2010-10-26 07:37 . 2010-10-26 10:44   --------   d-----w-   C:\c4bc3cc01720f909cb60d0df21
2010-10-26 07:20 . 2008-04-14 12:00   1036288   ----a-w-   c:\windows\explorer.exe
2010-10-25 13:25 . 2010-10-25 13:25   12160   ----a-w-   c:\windows\system32\drivers\poqssemt.sys
2010-10-25 06:12 . 2010-10-25 06:12   --------   d--h--w-   c:\windows\PIF
2010-10-25 04:58 . 2010-10-25 04:58   --------   d-----w-   c:\documents and settings\mauro\Dati applicazioni\Avira
2010-10-24 17:28 . 2008-04-14 12:00   510464   ----a-w-   c:\windows\system32\winlogon.exe
2010-10-22 16:21 . 2010-10-22 16:21   --------   d-----r-   c:\documents and settings\LocalService\Preferiti
2010-10-22 15:50 . 2010-10-25 04:58   --------   d-----w-   c:\windows\system32\NtmsData
2010-10-22 15:46 . 2010-09-01 12:22   60936   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-10-22 15:46 . 2010-09-01 12:22   126856   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2010-10-22 15:46 . 2010-06-17 13:28   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
2010-10-22 15:46 . 2010-06-17 13:28   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
2010-10-22 15:46 . 2010-10-22 15:46   --------   d-----w-   c:\programmi\Avira
2010-10-22 15:46 . 2010-10-22 15:46   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Avira
2010-10-22 12:49 . 2010-10-22 12:49   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\McAfee Security Scan
2010-10-22 12:48 . 2010-10-22 12:48   --------   d-----w-   c:\programmi\McAfee Security Scan
2010-10-22 12:16 . 2010-10-22 12:42   --------   d-----w-   c:\programmi\Wise Registry Cleaner
2010-10-22 06:25 . 2010-10-22 06:25   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\McAfee
2010-10-21 22:31 . 2010-10-21 22:31   --------   d-----w-   c:\documents and settings\mauro\Dati applicazioni\Uniblue
2010-10-12 15:27 . 2010-10-12 15:27   --------   d-----w-   c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\Opera
2010-10-12 02:01 . 2010-10-22 12:43   --------   d-----w-   c:\programmi\Opera
2010-10-08 23:43 . 2004-03-08 22:00   152848   ----a-w-   c:\windows\system32\COMDLG32.OCX
2010-10-08 23:43 . 2010-10-08 23:43   --------   d-----w-   c:\programmi\File comuni\fwc
2010-10-08 23:43 . 2010-10-08 23:44   --------   d-----w-   c:\programmi\Fake Webcam
2010-10-02 23:00 . 2007-10-12 02:00   490008   ----a-w-   c:\windows\system32\LVUI2.dll
2010-10-02 23:00 . 2007-10-12 01:57   195096   ----a-w-   c:\windows\system32\lvci1150.dll
2010-10-02 23:00 . 2007-10-12 01:57   416280   ----a-w-   c:\windows\system32\lvcodec2.dll
2010-10-02 23:00 . 2007-10-12 01:55   1279000   ----a-w-   c:\windows\system32\drivers\LV302V32.SYS
2010-10-02 23:00 . 2007-10-12 02:00   41752   ----a-w-   c:\windows\system32\drivers\LVUSBSta.sys
2010-10-02 23:00 . 2007-10-12 02:00   465432   ----a-w-   c:\windows\system32\LVUI2RC.dll
2010-10-02 23:00 . 2007-10-12 01:18   21138   ----a-w-   c:\windows\system32\Repository.reg
2010-10-02 22:55 . 2010-10-02 23:10   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Logishrd
2010-10-02 22:55 . 2010-10-02 23:06   --------   d-----w-   c:\programmi\File comuni\LogiShrd
2010-10-02 22:54 . 2010-10-02 22:54   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Logitech
2010-10-02 22:54 . 2010-10-02 22:54   --------   d-----w-   c:\programmi\Logitech
2010-10-01 21:14 . 2010-10-01 21:14   --------   d-----w-   c:\documents and settings\All Users\Dati applicazioni\Driver Whiz

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-24 19:29 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6591.tmp
2010-10-24 19:28 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663f.tmp
2010-10-24 19:28 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65fd.tmp
2010-10-24 19:27 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6987.tmp
2010-10-24 19:26 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6584.tmp
2010-10-24 19:25 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6544.tmp
2010-10-24 19:24 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6543.tmp
2010-10-24 19:24 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65a0.tmp
2010-10-24 19:23 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP66c8.tmp
2010-10-24 19:22 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6556.tmp
2010-10-24 19:21 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6583.tmp
2010-10-24 19:21 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP64f5.tmp
2010-10-24 19:20 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6542.tmp
2010-10-24 19:19 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663e.tmp
2010-10-24 19:18 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP664b.tmp
2010-10-24 19:18 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6533.tmp
2010-10-24 19:17 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP64f4.tmp
2010-10-24 19:16 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65c0.tmp
2010-10-24 19:15 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65bf.tmp
2010-10-24 19:15 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6572.tmp
2010-10-24 19:14 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6555.tmp
2010-10-24 19:13 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6571.tmp
2010-10-24 19:12 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP659f.tmp
2010-10-24 19:11 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6570.tmp
2010-10-24 19:11 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6554.tmp
2010-10-24 19:10 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6582.tmp
2010-10-24 19:09 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6699.tmp
2010-10-24 19:08 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP691a.tmp
2010-10-24 19:08 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6553.tmp
2010-10-24 19:07 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP689e.tmp
2010-10-24 19:06 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65be.tmp
2010-10-24 19:05 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663d.tmp
2010-10-24 19:05 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6581.tmp
2010-10-24 19:04 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6968.tmp
2010-10-24 19:03 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6532.tmp
2010-10-24 19:02 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP667b.tmp
2010-10-24 19:01 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP667a.tmp
2010-10-24 19:01 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6590.tmp
2010-10-24 19:00 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663c.tmp
2010-10-24 18:59 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP690a.tmp
2010-10-24 18:58 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6522.tmp
2010-10-24 18:58 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP663b.tmp
2010-10-24 18:57 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65ce.tmp
2010-10-24 18:56 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6513.tmp
2010-10-24 18:55 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP689d.tmp
2010-10-24 18:55 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP64c4.tmp
2010-10-24 18:41 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP64f3.tmp
2010-10-24 18:40 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP68fb.tmp
2010-10-24 18:39 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6929.tmp
2010-10-24 18:39 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6580.tmp
2010-10-24 18:38 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6552.tmp
2010-10-24 18:37 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP65ed.tmp
2010-10-24 18:36 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6541.tmp
2010-10-24 18:35 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP66d8.tmp
2010-10-24 18:02 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6764.tmp
2010-10-24 18:01 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP665b.tmp
2010-10-24 17:33 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP6551.tmp
2010-10-24 17:32 . 2009-09-08 20:23   106496   ----a-w-   c:\windows\DUMP67b2.tmp
2010-09-25 14:47 . 2010-09-25 14:47   476672   --sh--w-   c:\windows\system32\mapiprf.dll
2010-09-25 14:47 . 2010-09-25 14:47   60416   --sh--w-   c:\windows\system32\wlanutil.dll
.
[code]<pre>
c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\programmi\AVG\AVG9\avgtray .exe
c:\programmi\CMS\EXE\Open .exe
c:\programmi\CyberLink\PowerDVD8\PDVD8Serv .exe
c:\programmi\CyberLink\PowerDVD8\Language\Language .exe
c:\programmi\DivX\DivX Update\DivXUpdate .exe
c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM .exe
c:\programmi\File comuni\Java\Java Update\jusched .exe
c:\programmi\File comuni\LogiShrd\LComMgr\Communications_Helper .exe
c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\programmi\iTunes\iTunesHelper .exe
c:\programmi\Java\jre6\bin\jusched .exe
c:\programmi\Launch Manager\LManager .exe
c:\programmi\Logitech\QuickCam\Quickcam .exe
c:\programmi\QuickTime\qttask                       .exe
c:\programmi\Realtek\Audio\Drivers\AzMixerSel .exe
c:\programmi\Skype\Phone\Skype .exe
c:\programmi\Synaptics\SynTP\SynTPEnh .exe
c:\programmi\Windows Live\Messenger\msnmsgr .exe
c:\windows\ime\imjp8_1\IMJPMIG .exe
</pre>[/code]

------- Sigcheck -------

[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 510464 . . [------] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 510464 . . [------] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 1036288 . . [------] . . c:\windows\explorer.exe
[-] 2008-04-14 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 1036288 . . [------] . . c:\windows\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((((   SnapShot@2010-10-26_14.26.19   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-26 21:38 . 2010-10-26 21:38   16384              c:\windows\Temp\Perflib_Perfdata_318.dat
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{45dd02aa-87d3-441a-9e77-068f8fa93fc8}"= "c:\programmi\Cerca_Italia\tbCer1.dll" [2010-10-19 2735200]
"{e3393495-8103-46a0-8181-270273eddd60}"= "c:\programmi\Softonic-IT\tbSof0.dll" [2010-09-13 2735200]

[HKEY_CLASSES_ROOT\clsid\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]

[HKEY_CLASSES_ROOT\clsid\{e3393495-8103-46a0-8181-270273eddd60}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]
2010-10-19 05:35   2735200   ----a-w-   c:\programmi\Cerca_Italia\tbCer1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3393495-8103-46a0-8181-270273eddd60}]
2010-09-13 19:18   2735200   ----a-w-   c:\programmi\Softonic-IT\tbSof0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{45dd02aa-87d3-441a-9e77-068f8fa93fc8}"= "c:\programmi\Cerca_Italia\tbCer1.dll" [2010-10-19 2735200]
"{e3393495-8103-46a0-8181-270273eddd60}"= "c:\programmi\Softonic-IT\tbSof0.dll" [2010-09-13 2735200]

[HKEY_CLASSES_ROOT\clsid\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]

[HKEY_CLASSES_ROOT\clsid\{e3393495-8103-46a0-8181-270273eddd60}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{45DD02AA-87D3-441A-9E77-068F8FA93FC8}"= "c:\programmi\Cerca_Italia\tbCer1.dll" [2010-10-19 2735200]
"{E3393495-8103-46A0-8181-270273EDDD60}"= "c:\programmi\Softonic-IT\tbSof0.dll" [2010-09-13 2735200]

[HKEY_CLASSES_ROOT\clsid\{45dd02aa-87d3-441a-9e77-068f8fa93fc8}]

[HKEY_CLASSES_ROOT\clsid\{e3393495-8103-46a0-8181-270273eddd60}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fsm"="" [N/A]
"RegistryBooster"="c:\programmi\Uniblue\RegistryBooster\launcher.exe" [N/A]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-01 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-01 354840]
"PersistenceThread"="c:\windows\system32\PersistenceThread.exe" [2009-05-01 92696]
"MobileConnect"="c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-08-14 2332160]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2010-09-01 281768]
"LogitechCommunicationsManager"="c:\programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\programmi\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acer VCM.lnk - c:\programmi\Acer\Acer VCM\AcerVCM.exe [2009-8-29 565248]
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]
McAfee Security Scan Plus.lnk - c:\programmi\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igdlogin]
2009-04-28 03:44   65536   ----a-w-   c:\windows\system32\igdlogin.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Acer\\Acer VCM\\VC.exe"=
"c:\\Programmi\\CMS\\EXE\\CMS.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\Client Erd\\remote.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Programmi\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Programmi\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr .exe"=

R2 GtDetectSc;GtDetectSc;c:\programmi\Option\Option WWAN Driver 5.0.29.0 Installer\GtDetectSc.exe [04/05/2009 16.49.20 545792]
R2 ONDA Autorun CDROM Monitor;ONDA Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\onda_mon.exe [19/10/2010 9.56.21 86016]
R2 RS_Service;Raw Socket Service;c:\programmi\Acer\Acer VCM\RS_Service.exe [29/08/2009 5.50.46 237568]
R2 VMCService;Vodafone Mobile Connect Service;c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [14/08/2009 6.01.38 9216]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [08/09/2009 22.24.45 67840]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [08/09/2009 22.24.49 8064]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [29/08/2009 4.47.11 5096544]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [15/01/2010 23.29.43 135664]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]
S3 GTMMDMUSB;GT M 3G+ USB MDM;c:\windows\system32\drivers\gtmmdmusb.sys [24/08/2010 2.43.11 25472]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [08/09/2009 22.24.51 107776]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [29/08/2009 5.15.16 9728]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\programmi\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 14.49.20 227232]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [12/08/2010 2.55.13 18432]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\DRIVERS\ONDAusbmdm6k.sys --> c:\windows\system32\DRIVERS\ONDAusbmdm6k.sys [?]
S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\DRIVERS\ONDAusbnet.sys --> c:\windows\system32\DRIVERS\ONDAusbnet.sys [?]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\DRIVERS\ONDAusbnmea.sys --> c:\windows\system32\DRIVERS\ONDAusbnmea.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [29/08/2009 4.39.10 164864]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A2BB4630-7F0F-4582-A90F-AB7629202F41}]
c:\documents and settings\NetworkService\Dati applicazioni\Bitrix Security\hsbgz4.dll [N/A]
.
Contenuto della cartella 'Scheduled Tasks'

2010-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]

2010-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-01-15 21:29]

2010-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-01-15 21:29]

2010-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job
- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-10-26 03:28]

2010-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job
- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-10-26 03:28]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/webhp
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&m=ao751h&r=0xph10095506l0353wu45w57114690
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Scarica con Free Download Manager - file://c:\programmi\Free Download Manager\dllink.htm
IE: Scarica i video con Free Download Manager - file://c:\programmi\Free Download Manager\dlfvideo.htm
IE: Scarica selezionati con Free Download Manager - file://c:\programmi\Free Download Manager\dlselected.htm
IE: Scarica tutto con Free Download Manager - file://c:\programmi\Free Download Manager\dlall.htm
IE: {{47DDC1F4-8611-4f89-806E-3CBD8B7F924F}
LSP: bmnet.dll
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://87.28.72.25:81/RemoteWeb.cab
DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://87.28.72.25:81/VideoViewer.cab
FF - ProfilePath - c:\documents and settings\mauro\Dati applicazioni\Mozilla\Firefox\Profiles\autd84wp.default\
FF - prefs.js: browser.search.selectedEngine - Surf Canyon
FF - prefs.js: browser.startup.homepage - www.google.it
FF - component: c:\programmi\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programmi\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-26 23:39
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
Windows 5.1.2600

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86CCBEC5]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86CC6AB8]
2 ntkrnlpa[0x804EF1A6] -> CLASSPNP.SYS[0xF7667FD7] -> \Device\Harddisk0\DR0[0x86CC6AB8]
3 CLASSPNP[0xF7667FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006b[0x86DC59E8]
4 ntkrnlpa[0x804EF1A6] -> ACPI.sys[0xF74FE620] -> \Device\0000006b[0x86DC59E8]
5 ACPI[0xF74FE620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86DC6D98]
[0x86D82260] -> IRP_MJ_CREATE -> 0x86CCBEC5
6 ntkrnlpa[0x804EF1A6] -> UNKNOWN[0x86CCBEC8] -> [0x86DC6D98]
kernel: MBR read successfully
detected hooks:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS543216L9SA00_________________FB2OC40C#3930383031304246323231304335424541584133#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\Disk -> CLASSPNP.SYS @ 0xf766bf28
\Driver\ACPI -> ACPI.sys @ 0xf74fecb8
\Driver\atapi DriverStartIo -> 0x86CCBAEA
\Driver\atapi -> atapi.sys @ 0xf74b6852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Scheda di rete Broadcom 802.11g -> SendCompleteHandler -> NDIS.sys @ 0xf73c2bb0
 PacketIndicateHandler -> NDIS.sys @ 0xf73b1a0d
 SendHandler -> NDIS.sys @ 0xf73c5b40
user & kernel MBR OK
sectors 312581552 (+254): user != kernel

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,59,ce,b8,be,48,5f,48,94,6c,b8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,59,ce,b8,be,48,5f,48,94,6c,b8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'lsass.exe'(904)
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(4168)
c:\windows\system32\WININET.dll
c:\programmi\File comuni\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\bmnet.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\programmi\Avira\AntiVir Desktop\sched.exe
c:\programmi\Avira\AntiVir Desktop\avguard.exe
c:\programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\Avira\AntiVir Desktop\avshadow.exe
c:\programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
c:\programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
c:\programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\iPod\bin\iPodService.exe
c:\programmi\File comuni\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Ora fine scansione: 2010-10-26  23:49:28 - Il pc è stato riavviato
ComboFix-quarantined-files.txt  2010-10-26 21:49
ComboFix2.txt  2010-10-26 14:39

Pre-Run: 124.655.603.712 byte disponibili
Post-Run: 124.615.172.096 byte disponibili

WindowsXP-KB310994-SP2-Home-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D099F95FD4D35D67E0838D79E4FA2F7C



DrWeb.csv

Processi in memoria: C:\WINDOWS\System32\svchost.exe:1204;;BackDoor.Tdss.565;Eradicato.;
OLD14.tmp;C:\WINDOWS\system32;Win32.Dat.4;Curato.;
explorer(2).exe;C:\WINDOWS\system32\dllcache;Win32.Dat.4;Curato.;
explorer.exe;C:\WINDOWS\system32\dllcache;Win32.Dat.4;Curato.;
winlogon(2).exe;C:\WINDOWS\system32\dllcache;Win32.Dat.4;Curato.;
winlogon.exe;C:\WINDOWS\system32\dllcache;Win32.Dat.4;Curato.;
acpiec.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Curato.;
explorer.exe;c:\windows;Win32.Dat.4;Curato.;




MBRCheck

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:         
Windows Version:      Windows XP Home Edition
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x00000004

Kernel Drivers (total 124):
  0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
  0x806E5000 \WINDOWS\system32\hal.dll
  0xF7ABD000 \WINDOWS\system32\KDCOM.DLL
  0xF79CD000 \WINDOWS\system32\BOOTVID.dll
  0xF748E000 ACPI.sys
  0xF7ABF000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xF747D000 pci.sys
  0xF75BD000 isapnp.sys
  0xF79D1000 compbatt.sys
  0xF79D5000 \WINDOWS\system32\DRIVERS\BATTC.SYS
  0xF7B85000 pciide.sys
  0xF783D000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
  0xF75CD000 MountMgr.sys
  0xF745E000 ftdisk.sys
  0xF79D9000 ACPIEC.SYS
  0xF7B86000 \WINDOWS\SYSTEM32\DRIVERS\OPRGHDLR.SYS
  0xF7845000 PartMgr.sys
  0xF75DD000 VolSnap.sys
  0xF7446000 atapi.sys
  0xF75ED000 disk.sys
  0xF75FD000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xF7426000 fltMgr.sys
  0xF7414000 sr.sys
  0xF760D000 PxHelp20.sys
  0xF73FD000 KSecDD.sys
  0xF7370000 Ntfs.sys
  0xF7343000 NDIS.sys
  0xF7329000 Mup.sys
  0xF784D000 BMLoad.sys
  0xF7A99000 \SystemRoot\system32\DRIVERS\CmBatt.sys
  0xF7A9D000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
  0xF780D000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0xF6448000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
  0xF6434000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xF640C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0xF63EB000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
  0xF620E000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
  0xF794D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0xF61EA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xF7955000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xF781D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0xF795D000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
  0xF7965000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xF61B9000 \SystemRoot\system32\DRIVERS\SynTP.sys
  0xF7AF3000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xF782D000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
  0xF6148000 \SystemRoot\System32\Drivers\wdf01000.sys
  0xF796D000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xF6057000 \SystemRoot\system32\DRIVERS\btkrnl.sys
  0xF7C2A000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xF767D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0xF7AB1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0xF602F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0xF768D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0xF769D000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0xF797D000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xF601E000 \SystemRoot\system32\DRIVERS\psched.sys
  0xF76AD000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xF7985000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xF798D000 \SystemRoot\system32\DRIVERS\raspti.sys
  0xF76BD000 \SystemRoot\system32\DRIVERS\termdd.sys
  0xF7AFB000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xF5FFB000 \SystemRoot\system32\DRIVERS\ks.sys
  0xF5F9D000 \SystemRoot\system32\DRIVERS\update.sys
  0xF7305000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xF7995000 \SystemRoot\system32\DRIVERS\btport.sys
  0xF76CD000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xF5891000 \SystemRoot\system32\drivers\RtkHDAud.sys
  0xF586D000 \SystemRoot\system32\drivers\portcls.sys
  0xF76ED000 \SystemRoot\system32\drivers\drmk.sys
  0xF76FD000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xF7A81000 \SystemRoot\System32\Drivers\i2omgmt.SYS
  0xF7B09000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xF7CD6000 \SystemRoot\System32\Drivers\Null.SYS
  0xF7B0B000 \SystemRoot\System32\Drivers\Beep.SYS
  0xF79C5000 \SystemRoot\System32\drivers\vga.sys
  0xF7B0D000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xF7B0F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xF785D000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xF787D000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xF7A89000 \SystemRoot\system32\DRIVERS\rasacd.sys
  0xF5790000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xF5737000 \SystemRoot\system32\DRIVERS\tcpip.sys
  0xF7885000 \SystemRoot\System32\Drivers\tcpipBM.SYS
  0xF570F000 \SystemRoot\system32\DRIVERS\netbt.sys
  0xF56E9000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xF7AA1000 \SystemRoot\System32\drivers\ws2ifsl.sys
  0xF56C7000 \SystemRoot\System32\drivers\afd.sys
  0xF771D000 \SystemRoot\system32\DRIVERS\netbios.sys
  0xF788D000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
  0xF569C000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0xF562C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xF774D000 \SystemRoot\System32\Drivers\Fips.SYS
  0xF5569000 \SystemRoot\system32\DRIVERS\avipbb.sys
  0xF7B15000 \??\C:\Programmi\Avira\AntiVir Desktop\avgio.sys
  0xF7895000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0xF5558000 \SystemRoot\system32\DRIVERS\gtuhsbus.sys
  0xF776D000 \SystemRoot\system32\DRIVERS\LVUSBSta.sys
  0xF5330000 \SystemRoot\System32\Drivers\usbvideo.sys
  0xF7B1B000 \SystemRoot\system32\DRIVERS\gtuhsser.sys
  0xF789D000 \SystemRoot\System32\Drivers\Modem.SYS
  0xF777D000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xF52F0000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xF7B4F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xF57DB000 \SystemRoot\System32\drivers\Dxapi.sys
  0xF78ED000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xF7CF1000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF01E000 \SystemRoot\System32\igxpdd32.dll
  0xBF012000 \SystemRoot\System32\igxprd32.dll
  0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
  0xEBD8A000 \SystemRoot\system32\DRIVERS\avgntflt.sys
  0xEBD73000 \SystemRoot\system32\DRIVERS\WudfPf.sys
  0xEBCFB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0xEB9D6000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xEB949000 \SystemRoot\system32\drivers\wdmaud.sys
  0xEBA63000 \SystemRoot\system32\drivers\sysaudio.sys
  0xEB5F4000 \SystemRoot\system32\DRIVERS\srv.sys
  0xF78CD000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
  0xF5517000 \SystemRoot\System32\Drivers\HTTP.sys
  0xBA4C7000 \SystemRoot\system32\DRIVERS\asyncmac.sys
  0xBA390000 \SystemRoot\system32\drivers\kmixer.sys
  0x7C910000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
       0 System Idle Process
       4 System
     764 C:\WINDOWS\system32\smss.exe
     812 csrss.exe
     840 C:\WINDOWS\system32\winlogon.exe
     884 C:\WINDOWS\system32\services.exe
     896 C:\WINDOWS\system32\lsass.exe
    1084 C:\WINDOWS\system32\svchost.exe
    1156 svchost.exe
    1228 C:\WINDOWS\system32\svchost.exe
    1324 C:\WINDOWS\system32\svchost.exe
    1520 svchost.exe
    1636 svchost.exe
    1916 C:\WINDOWS\system32\spoolsv.exe
    1964 C:\Programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
    1984 C:\Programmi\Avira\AntiVir Desktop\sched.exe
    2036 svchost.exe
     156 C:\Programmi\Avira\AntiVir Desktop\avguard.exe
     176 C:\Programmi\File comuni\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     208 C:\Programmi\Bonjour\mDNSResponder.exe
     432 C:\Programmi\Option\Option WWAN Driver 5.0.29.0 Installer\GtDetectSc.exe
     500 C:\Programmi\Avira\AntiVir Desktop\avshadow.exe
     692 C:\Programmi\Java\jre6\bin\jqs.exe
     736 C:\Programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
    1208 C:\WINDOWS\system32\SupportAppXL\onda_mon.exe
    1432 C:\Programmi\Acer\Acer VCM\RS_Service.exe
    1524 C:\WINDOWS\system32\svchost.exe
    2072 C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    2096 C:\Programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
    2604 C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    3180 C:\WINDOWS\system32\wbem\wmiapsrv.exe
    3288 alg.exe
    3676 C:\WINDOWS\system32\taskmgr.exe
     596 C:\WINDOWS\explorer.exe
    3948 C:\Programmi\Mozilla Firefox\firefox.exe
    2820 C:\Programmi\Mozilla Firefox\plugin-container.exe
    1360 C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    3104 C:\WINDOWS\system32\wuauclt.exe
     164 C:\PROGRA~1\FREEDO~1\fdm.exe
    1936 C:\WINDOWS\system32\ctfmon.exe
    2000 C:\Documents and Settings\mauro\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`80100000  (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543216L9SA00, Rev: FB2OC40C

      Size  Device Name          MBR Status
  --------------------------------------------
    149 GB  \\.\PhysicalDrive0   Windows 2008 MBR code detected
            SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!
lupin86
Newbie
 
Posts: 4
Joined: 26/10/10 12:02

Re: explorer.exe and winlogon.exe

Post by Luke57 » 27/10/10 09:54

Hi, download the file http://support.kaspersky.com/downloads/ ... killer.exe

and save it to the desktop. Extract the contents to the desktop. Double-click
TDSSKILLER.exe to start the application and then click Start scan.
If an infected file is found, the default action will be Cure; click Continue.
If a suspicious file is found, the default action will be Skip; click Continue.
If you are asked to reboot the PC, complete the process. Click Reboot now.
If no reboot is required, click Report and save the contents to a text file.
If a reboot is required, the report is in C:\folder in this form: "TDSSKiller.[Version]_[Date]_[Time]_log.txt"

Afterwards, re-run ComboFix and post the report again.
Luke57
Moderator
 
Posts: 6410
Joined: 11/08/05 19:10

