w32/spamta.aip.worm

Post by trilok83 » 16/03/10 20:43

I can't get rid of this terrible worm, can anyone give me a hand?
trilok83
Junior Member

Posts: 19
Joined: 26/02/10 00:30


Re: w32/spamta.aip.worm

Post by shel » 16/03/10 22:30

hi

download and run rkill

then download combofix

- disconnect from the internet
- disable your antivirus
- run ComboFix.exe
- type 1
- follow the instructions
- when the scan is finished, go to C:\ and copy/paste the contents of the text file Combofix.txt into your next reply
shel
Senior Member

Posts: 1326
Joined: 29/08/08 21:56

Re: w32/spamta.aip.worm

Post by trilok83 » 18/03/10 20:36

thanks for the help....


ComboFix 10-03-16.05 - Andrea 18/03/2010 19.57.38.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.39.1040.18.3582.2710 [GMT 1:00]
Eseguito da: c:\users\Andrea\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Creati Da 2010-02-18 al 2010-03-18 )))))))))))))))))))))))))))))))))))
.

2010-03-18 19:24 . 2010-03-18 19:25 -------- d-----w- c:\users\Andrea\AppData\Local\temp
2010-03-18 19:24 . 2010-03-18 19:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-18 19:24 . 2010-03-18 19:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-12 20:08 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 20:07 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 20:07 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-11 23:08 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-06 14:35 . 2010-03-06 14:35 -------- d-----w- c:\users\Andrea\AppData\Roaming\Panda Security
2010-03-06 14:35 . 2010-03-06 14:35 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-03-06 14:34 . 2010-03-06 14:34 -------- d-----w- c:\programdata\Panda Security
2010-03-06 14:34 . 2010-03-06 14:34 -------- d-----w- c:\program files\Panda Security
2010-03-05 18:59 . 2010-03-05 18:59 -------- d-----w- c:\users\Andrea\AppData\Roaming\IObit
2010-03-05 18:59 . 2010-03-05 18:59 -------- d-----w- c:\program files\IObit
2010-02-28 13:04 . 2010-02-28 13:05 -------- d-----w- c:\program files\Paint.NET
2010-02-28 13:03 . 2010-02-28 13:09 -------- d-----w- c:\users\Andrea\AppData\Local\Paint.NET
2010-02-28 11:34 . 2010-02-28 11:34 -------- d-----w- c:\program files\CCleaner
2010-02-28 11:25 . 2009-12-16 15:05 471040 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2010-02-28 11:25 . 2009-12-16 15:05 347136 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-02-28 11:25 . 2009-12-16 15:05 340992 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-02-28 11:25 . 2009-12-16 15:05 43008 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-02-28 11:25 . 2009-12-16 15:05 1452032 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-02-24 19:57 . 2010-02-24 19:57 52224 ----a-w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-24 19:17 . 2010-03-04 19:16 117760 ----a-w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-24 19:17 . 2010-02-24 19:17 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-24 19:16 . 2010-02-24 19:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-24 19:16 . 2010-02-24 19:16 -------- d-----w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com
2010-02-24 19:14 . 2010-02-24 19:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-24 19:08 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 19:08 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 19:08 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 19:08 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 19:08 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 19:08 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 19:08 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 19:08 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 19:08 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 19:07 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 19:07 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 19:07 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-23 23:57 . 2010-02-23 23:57 -------- d-----w- c:\program files\Sophos
2010-02-23 23:00 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 22:45 . 2010-02-23 22:45 -------- d-----w- c:\users\Andrea\AppData\Roaming\Uniblue
2010-02-23 22:38 . 2010-02-23 22:38 -------- d-----w- c:\program files\Uniblue
2010-02-22 13:47 . 2010-03-06 14:34 -------- d-----w- c:\programdata\avg9
2010-02-20 00:21 . 2010-02-20 00:21 -------- d-----w- c:\programdata\Alwil Software
2010-02-19 19:03 . 2010-02-19 19:03 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-18 19:03 . 2007-11-21 06:37 662608 ----a-w- c:\windows\system32\perfh010.dat
2010-03-18 19:03 . 2007-11-21 06:37 120120 ----a-w- c:\windows\system32\perfc010.dat
2010-03-16 21:57 . 2008-05-16 12:23 -------- d-----w- c:\programdata\Microsoft Help
2010-03-16 21:41 . 2009-06-02 14:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 21:40 . 2009-07-20 22:42 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-11 23:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-11 23:04 . 2008-12-21 09:40 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2010-03-03 19:07 . 2008-04-30 20:38 118824 ----a-w- c:\users\Andrea\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-03 19:04 . 2009-01-29 19:43 -------- d-----w- c:\users\Andrea\AppData\Roaming\vlc
2010-03-03 19:04 . 2009-01-04 20:40 -------- d-----w- c:\users\Andrea\AppData\Roaming\dvdcss
2010-03-03 19:04 . 2008-07-31 22:44 -------- d-----w- c:\users\Andrea\AppData\Roaming\DAEMON Tools
2010-03-03 19:04 . 2009-12-24 12:39 -------- d-----w- c:\program files\3DSolarSystem3_9
2010-03-03 19:04 . 2008-07-31 22:47 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-02-28 11:58 . 2010-01-11 15:46 -------- d-----w- c:\programdata\Corel
2010-02-28 11:58 . 2009-05-10 15:56 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-02-28 11:58 . 2009-05-10 15:56 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-02-24 08:16 . 2009-10-02 17:58 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 23:52 . 2008-04-30 20:38 680 ----a-w- c:\users\Andrea\AppData\Local\d3d9caps.dat
2010-02-22 13:47 . 2008-07-05 11:34 -------- d-----w- c:\program files\AVG
2010-02-15 22:14 . 2008-05-01 20:20 -------- d-----w- c:\program files\QuickTime
2010-02-15 22:13 . 2008-05-01 20:20 -------- d-----w- c:\programdata\Apple Computer
2010-02-13 15:30 . 2010-02-08 22:17 -------- d-----w- c:\users\Andrea\AppData\Roaming\xVideoServiceThief
2010-02-08 23:35 . 2010-02-08 23:35 -------- d-----w- c:\program files\Nuclear Coffee
2010-02-08 22:17 . 2010-02-08 22:17 -------- d-----w- c:\program files\Xesc & Technology
2010-02-02 22:03 . 2008-12-28 10:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-02 22:03 . 2007-11-20 22:43 -------- d-----w- c:\program files\Java
2010-01-28 19:00 . 2010-01-28 19:00 -------- d-----w- c:\program files\Secunia
2010-01-26 18:55 . 2008-05-13 22:50 -------- d-----w- c:\program files\DivX
2010-01-11 22:19 . 2010-01-11 22:19 10134 ----a-r- c:\users\Andrea\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-01-11 15:51 . 2009-05-10 15:56 88 --sh--r- c:\programdata\8811DCDF7C.sys
2010-01-11 15:51 . 2009-05-10 15:56 88 --sh--r- c:\programdata\8811DCDF7C.sys
2010-01-07 15:07 . 2009-06-02 14:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2009-06-02 14:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 15:38 . 2010-02-24 19:07 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 19:07 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 19:07 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 19:07 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-02 06:38 . 2010-01-23 13:48 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-23 13:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-23 13:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-23 13:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-19 14:06 . 2009-12-19 14:06 407304 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2007-11-21 06:51 . 2007-11-21 06:39 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2009-11-02 08:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Pending Delete Icon]
@="{0847B599-9191-4A27-BD61-DE11598D3B1B}"
[HKEY_CLASSES_ROOT\CLSID\{0847B599-9191-4A27-BD61-DE11598D3B1B}]
2009-11-02 08:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2009-11-02 08:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-01-16 114688]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2006-08-18 49152]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-10 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-10 88608]
"DefragTaskBar"="c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2008-10-09 173408]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-02 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2009-10-30 361728]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-5-1 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):2d,82,11,37,7b,47,ca,01

R0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys [x]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-07-31 717296]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R3 YBPWJPTKZ;YBPWJPTKZ;c:\users\Andrea\AppData\Local\Temp\YBPWJPTKZ.exe [x]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2009-10-13 114184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 NanoServiceMain;NanoServiceMain;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2009-10-30 136448]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2009-10-30 146440]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2009-10-13 97800]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2009-10-13 101384]


--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - wkwzeh

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-18 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-03-05 12:51]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.libero.it/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://it.yhs.search.yahoo.com/avg/sear ... -web_it&p=
FF - component: c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- Associazioni dei file -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 20:25
Windows 6.0.6002 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wkwzeh]

.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Ora fine scansione: 2010-03-18 20:26:13
ComboFix-quarantined-files.txt 2010-03-18 19:26
ComboFix2.txt 2010-03-01 20:05

Pre-Run: 408.151.650.304 byte disponibili
Post-Run: 407.094.177.792 byte disponibili

Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - B1D6CF5658E933E7175131948339E52C
trilok83
Junior Member

Posts: 19
Joined: 26/02/10 00:30

Re: w32/spamta.aip.worm

Post by Luke57 » 18/03/10 21:47

Hi, create a text file and copy and paste the following text into it:

Code:
File::
c:\users\Andrea\AppData\Local\Temp\YBPWJPTKZ.exe

Folder::
c:\users\Andrea\AppData\Local\Temp

Driver::
YBPWJPTKZ

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wkwzeh]



You must save it with the name CFScript.txt on the desktop. Drag it with the mouse pointer onto the ComboFix icon; the program will start a new scan like the previous one.
When it finishes, post the new report it produces.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10
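The moderator's script targets the two oddities in the first report: an R3 driver entry whose image is a .exe under the user's Temp folder and is marked [x], and the *Deregistered* service wkwzeh whose Services key still exists. The Python below is an added example, not part of the forum thread or of ComboFix: it applies that same triage to a constructed sample in the report's layout and emits a CFScript with the same File::/Folder::/Driver::/Registry:: sections. The heuristics and the regular expressions are assumptions drawn from the report lines, not ComboFix's own logic.

```python
"""Triage a ComboFix report the way the moderator did in this thread and
emit a CFScript with the same File::/Folder::/Driver::/Registry:: sections.

Added example, not part of the forum thread or of ComboFix itself.  The
heuristics (a kernel driver whose image is an .exe or lives under a Temp
directory, plus a deregistered service that still owns a Services key) are
assumptions based on the report above; the sample log is constructed."""

import ntpath
import re
from typing import Dict, List

# Constructed sample in the layout of the first report in the thread.
SAMPLE_LOG = """\
R0 sptd;sptd;c:\\windows\\System32\\Drivers\\sptd.sys [2008-07-31 717296]
R3 pbfilter;pbfilter;c:\\program files\\PeerBlock\\pbfilter.sys [x]
R3 SASENUM;SASENUM;c:\\program files\\SUPERAntiSpyware\\SASENUM.SYS [2009-11-23 7408]
R3 YBPWJPTKZ;YBPWJPTKZ;c:\\users\\Andrea\\AppData\\Local\\Temp\\YBPWJPTKZ.exe [x]
S2 PSINFile;PSINFile;c:\\windows\\system32\\DRIVERS\\PSINFile.sys [2009-10-13 97800]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - wkwzeh

[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Services\\wkwzeh]
"""

# "R3 name;display;image [date size]", or "[x]" when the file is missing.
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)\s*$")
SVC_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\([^\\\]]+))\]$",
    re.IGNORECASE,
)


def parse_drivers(log: str) -> List[Dict[str, object]]:
    """Return one record per R*/S* driver or service line."""
    records = []
    for line in log.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            records.append({
                "start": m.group(1), "name": m.group(2),
                "image": m.group(4), "missing": m.group(5) == "x",
            })
    return records


def is_suspicious(rec: Dict[str, object]) -> bool:
    """A driver entry is odd when its image is an .exe rather than a .sys, or
    when the image lives under a Temp directory.  A missing .sys under Program
    Files (a leftover from an uninstall) is not flagged on its own."""
    parts = [p.lower() for p in str(rec["image"]).split("\\")]
    in_temp = "temp" in parts
    ext = ntpath.splitext(parts[-1])[1]
    return in_temp or ext == ".exe"


def triage(log: str) -> Dict[str, list]:
    """Pick out the findings the CFScript in this thread targets."""
    drivers = [d for d in parse_drivers(log) if is_suspicious(d)]
    deregistered, keys = [], {}
    for line in log.splitlines():
        m = DEREG_RE.match(line.strip())
        if m:
            deregistered.append(m.group(1))
        m = SVC_KEY_RE.match(line.strip())
        if m:
            keys[m.group(2).lower()] = m.group(1)
    # A deregistered service that still owns a Services key is an orphan.
    orphan_keys = [keys[n.lower()] for n in deregistered if n.lower() in keys]
    return {"suspicious_drivers": drivers, "deregistered": deregistered,
            "orphan_service_keys": orphan_keys}


def build_cfscript(findings: Dict[str, list]) -> str:
    """Emit File::, Folder::, Driver:: and Registry:: sections; the leading
    '-' on a key asks ComboFix to delete it, as in the thread's script."""
    files = [str(d["image"]) for d in findings["suspicious_drivers"]]
    folders = sorted({ntpath.dirname(f) for f in files})
    drivers = [str(d["name"]) for d in findings["suspicious_drivers"]]
    sections = [("File::", files), ("Folder::", folders), ("Driver::", drivers),
                ("Registry::", [f"[-{k}]" for k in findings["orphan_service_keys"]])]
    return "\n\n".join(f"{h}\n" + "\n".join(v) for h, v in sections if v) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the constructed sample it reproduces the moderator's CFScript line for line, while leaving the legitimate leftover pbfilter.sys alone.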

Re: w32/spamta.aip.worm

Post by trilok83 » 19/03/10 20:35

here is the new log.....

ComboFix 10-03-16.05 - Andrea 19/03/2010 20.12.13.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.39.1040.18.3582.2700 [GMT 1:00]
Eseguito da: c:\users\Andrea\Desktop\ComboFix.exe
Opzioni usate :: c:\users\Andrea\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Andrea\AppData\Local\Temp\YBPWJPTKZ.exe"
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Andrea\AppData\Local\Temp
c:\users\Andrea\AppData\Local\Temp\NGLATempNokia\Nokia Sans Wide Bold v3.1.ttf
c:\users\Andrea\AppData\Local\Temp\NGLATempNokia\Nokia Sans Wide BolIta v3.1.ttf
c:\users\Andrea\AppData\Local\Temp\NGLATempNokia\Nokia Sans Wide Italic v3.1.ttf
c:\users\Andrea\AppData\Local\Temp\NGLATempNokia\Nokia Sans Wide v3.1.ttf
c:\users\Andrea\AppData\Local\Temp\NGLATempNokia\qt_temp.em3392
c:\users\Andrea\AppData\Local\Temp\NGLATempNokia\qt_temp.gq3392
c:\users\Andrea\AppData\Local\Temp\NGLATempNokia\qt_temp.Hp3392
c:\users\Andrea\AppData\Local\Temp\NGLATempNokia\qt_temp.Uh3392

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_YBPWJPTKZ


((((((((((((((((((((((((( Files Creati Da 2010-02-19 al 2010-03-19 )))))))))))))))))))))))))))))))))))
.

2010-03-19 19:19 . 2010-03-19 19:19 -------- d-----w- c:\users\Andrea\AppData\Local\Temp
2010-03-19 19:17 . 2010-03-19 19:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-19 19:17 . 2010-03-19 19:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-12 20:08 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 20:07 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 20:07 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-11 23:08 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-06 14:35 . 2010-03-06 14:35 -------- d-----w- c:\users\Andrea\AppData\Roaming\Panda Security
2010-03-06 14:35 . 2010-03-06 14:35 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-03-06 14:34 . 2010-03-06 14:34 -------- d-----w- c:\programdata\Panda Security
2010-03-06 14:34 . 2010-03-06 14:34 -------- d-----w- c:\program files\Panda Security
2010-03-05 18:59 . 2010-03-05 18:59 -------- d-----w- c:\users\Andrea\AppData\Roaming\IObit
2010-03-05 18:59 . 2010-03-05 18:59 -------- d-----w- c:\program files\IObit
2010-02-28 13:04 . 2010-02-28 13:05 -------- d-----w- c:\program files\Paint.NET
2010-02-28 13:03 . 2010-02-28 13:09 -------- d-----w- c:\users\Andrea\AppData\Local\Paint.NET
2010-02-28 11:34 . 2010-02-28 11:34 -------- d-----w- c:\program files\CCleaner
2010-02-24 19:17 . 2010-02-24 19:17 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-24 19:16 . 2010-02-24 19:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-24 19:16 . 2010-02-24 19:16 -------- d-----w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com
2010-02-24 19:14 . 2010-02-24 19:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-24 19:08 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 19:08 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 19:08 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 19:08 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 19:08 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 19:08 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 19:08 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 19:08 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 19:08 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 19:07 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 19:07 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 19:07 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-23 23:57 . 2010-02-23 23:57 -------- d-----w- c:\program files\Sophos
2010-02-23 23:00 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 22:45 . 2010-02-23 22:45 -------- d-----w- c:\users\Andrea\AppData\Roaming\Uniblue
2010-02-23 22:38 . 2010-02-23 22:38 -------- d-----w- c:\program files\Uniblue
2010-02-22 13:47 . 2010-03-06 14:34 -------- d-----w- c:\programdata\avg9
2010-02-20 00:21 . 2010-02-20 00:21 -------- d-----w- c:\programdata\Alwil Software
2010-02-19 19:03 . 2010-02-19 19:03 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 19:16 . 2007-11-21 06:37 662608 ----a-w- c:\windows\system32\perfh010.dat
2010-03-19 19:16 . 2007-11-21 06:37 120120 ----a-w- c:\windows\system32\perfc010.dat
2010-03-16 21:57 . 2008-05-16 12:23 -------- d-----w- c:\programdata\Microsoft Help
2010-03-16 21:41 . 2009-06-02 14:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 21:40 . 2009-07-20 22:42 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-11 23:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-11 23:04 . 2008-12-21 09:40 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2010-03-04 19:16 . 2010-02-24 19:17 117760 ----a-w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-03 19:07 . 2008-04-30 20:38 118824 ----a-w- c:\users\Andrea\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-03 19:04 . 2009-01-29 19:43 -------- d-----w- c:\users\Andrea\AppData\Roaming\vlc
2010-03-03 19:04 . 2009-01-04 20:40 -------- d-----w- c:\users\Andrea\AppData\Roaming\dvdcss
2010-03-03 19:04 . 2008-07-31 22:44 -------- d-----w- c:\users\Andrea\AppData\Roaming\DAEMON Tools
2010-03-03 19:04 . 2009-12-24 12:39 -------- d-----w- c:\program files\3DSolarSystem3_9
2010-03-03 19:04 . 2008-07-31 22:47 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-02-28 11:58 . 2010-01-11 15:46 -------- d-----w- c:\programdata\Corel
2010-02-28 11:58 . 2009-05-10 15:56 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-02-28 11:58 . 2009-05-10 15:56 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-02-24 19:57 . 2010-02-24 19:57 52224 ----a-w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-24 08:16 . 2009-10-02 17:58 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 23:52 . 2008-04-30 20:38 680 ----a-w- c:\users\Andrea\AppData\Local\d3d9caps.dat
2010-02-22 13:47 . 2008-07-05 11:34 -------- d-----w- c:\program files\AVG
2010-02-15 22:14 . 2008-05-01 20:20 -------- d-----w- c:\program files\QuickTime
2010-02-15 22:13 . 2008-05-01 20:20 -------- d-----w- c:\programdata\Apple Computer
2010-02-13 15:30 . 2010-02-08 22:17 -------- d-----w- c:\users\Andrea\AppData\Roaming\xVideoServiceThief
2010-02-08 23:35 . 2010-02-08 23:35 -------- d-----w- c:\program files\Nuclear Coffee
2010-02-08 22:17 . 2010-02-08 22:17 -------- d-----w- c:\program files\Xesc & Technology
2010-02-02 22:03 . 2008-12-28 10:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-02 22:03 . 2007-11-20 22:43 -------- d-----w- c:\program files\Java
2010-01-28 19:00 . 2010-01-28 19:00 -------- d-----w- c:\program files\Secunia
2010-01-26 18:55 . 2008-05-13 22:50 -------- d-----w- c:\program files\DivX
2010-01-11 22:19 . 2010-01-11 22:19 10134 ----a-r- c:\users\Andrea\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-01-11 15:51 . 2009-05-10 15:56 88 --sh--r- c:\programdata\8811DCDF7C.sys
2010-01-11 15:51 . 2009-05-10 15:56 88 --sh--r- c:\programdata\8811DCDF7C.sys
2010-01-07 15:07 . 2009-06-02 14:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2009-06-02 14:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 15:38 . 2010-02-24 19:07 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 19:07 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 19:07 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 19:07 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-02 06:38 . 2010-01-23 13:48 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-23 13:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-23 13:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-23 13:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-11-21 06:51 . 2007-11-21 06:39 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2009-11-02 08:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Pending Delete Icon]
@="{0847B599-9191-4A27-BD61-DE11598D3B1B}"
[HKEY_CLASSES_ROOT\CLSID\{0847B599-9191-4A27-BD61-DE11598D3B1B}]
2009-11-02 08:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2009-11-02 08:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-01-16 114688]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2006-08-18 49152]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-10 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-10 88608]
"DefragTaskBar"="c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2008-10-09 173408]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-02 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2009-10-30 361728]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-5-1 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):2d,82,11,37,7b,47,ca,01

R0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys [x]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-07-31 717296]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2009-10-13 114184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 NanoServiceMain;NanoServiceMain;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2009-10-30 136448]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2009-10-30 146440]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2009-10-13 97800]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2009-10-13 101384]


--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - wkwzeh

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-19 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-03-05 12:51]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.libero.it/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://it.yhs.search.yahoo.com/avg/sear ... -web_it&p=
FF - component: c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-19 20:19
Windows 6.0.6002 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85AA71F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8bba7d24
\Driver\ACPI -> acpi.sys @ 0x80742d68
\Driver\atapi -> 0x85aa61f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wkwzeh]

.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'Explorer.exe'(3508)
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ita.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conime.exe
c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragMonitorService.exe
c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
c:\program files\Secunia\PSI\psi.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
.
**************************************************************************
.
Ora fine scansione: 2010-03-19 20:24:10 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-03-19 19:24
ComboFix2.txt 2010-03-18 19:26
ComboFix3.txt 2010-03-01 20:05

Pre-Run: 406.998.802.432 byte disponibili
Post-Run: 406.666.125.312 byte disponibili

Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 47FB5E5C93F5A2D7A1705792E4FCEF97
trilok83
Junior User

Posts: 19
Joined: 26/02/10 00:30

Re: w32/spamta.aip.worm

Post by trilok83 » 22/03/10 20:17

And now?.... what do I have to do?
trilok83
Junior User

Posts: 19
Joined: 26/02/10 00:30

Re: w32/spamta.aip.worm

Post by shel » 22/03/10 21:54

open Notepad and paste this script into it


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wkwzeh]
;



save it on the desktop as fix.reg >> all files

double-click the .reg file and accept the changes
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: w32/spamta.aip.worm

Post by trilok83 » 23/03/10 20:41

done.... and now?
trilok83
Junior User

Posts: 19
Joined: 26/02/10 00:30

Re: w32/spamta.aip.worm

Post by shel » 23/03/10 21:47

run a precautionary scan with Malwarebytes
Update it: click the "Update" tab => "Check for updates"
Run a "Full scan" (select the option)
When the scan is finished, post the report.
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: w32/spamta.aip.worm

Post by trilok83 » 25/03/10 00:15

Malware log... thanks


Malwarebytes' Anti-Malware 1.44
Versione del database: 3909
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

25/03/2010 0.10.51
mbam-log-2010-03-25 (00-10-44).txt

Tipo di scansione: Scansione completa (C:\|D:\|E:\|G:\|H:\|I:\|J:\|K:\|)
Elementi scansionati: 322193
Tempo trascorso: 59 minute(s), 42 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 1

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\Windows\System32\drivers\wkwzeh.sys (Rootkit.Agent) -> No action taken.
trilok83
Junior User

Posts: 19
Joined: 26/02/10 00:30

Re: w32/spamta.aip.worm

Post by trilok83 » 27/03/10 15:03

and now?.... the virus is still there.... thanks anyway for the help and for the time you're giving me :)
trilok83
Junior User

Posts: 19
Joined: 26/02/10 00:30

Re: w32/spamta.aip.worm

Post by shel » 28/03/10 12:49

repeat the scan with Malwarebytes, tick the boxes next to the entries and press ''Remove selected''

also post an updated HijackThis log
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: w32/spamta.aip.worm

Post by trilok83 » 04/04/10 16:36

Here are the logs you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.01.17, on 27/02/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {bd0e4d83-654e-4213-965b-fcbe887061f4} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\Windows\tsnp2std.exe
O4 - HKLM\..\Run: [ZSSnp211] C:\Windows\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\Windows\Domino.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: StupAssist.lnk = C:\Program Files\Common Files\Nikon\Utilities\StupAssist.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B06D7E80-51A0-4541-BE62-327CD32B276C}: NameServer = 213.230.155.10 213.230.130.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ashampoo Defrag Service (AshampooDefragService) - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: YBPWJPTKZ - Sysinternals - www.sysinternals.com - C:\Users\Andrea\AppData\Local\Temp\YBPWJPTKZ.exe

--
End of file - 8109 bytes

Mbam log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Versione database: 3952

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

04/04/2010 17.21.39
mbam-log-2010-04-04 (17-21-39).txt

Tipo di scansione: Scansione completa (C:\|D:\|E:\|G:\|H:\|I:\|J:\|K:\|)
Elementi esaminati: 288159
Tempo trascorso: 1 ore, 0 minuti, 54 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 1

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
C:\Windows\System32\drivers\wkwzeh.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

After running the scan with Malwarebytes, it says here that the virus was deleted and quarantined, but when I go to the virus's path I still find it there.... what does that mean? I await your suggestions... Happy Easter
trilok83
Junior User

Posts: 19
Joined: 26/02/10 00:30

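Added by the editor, not code posted by anyone in this thread: a read-only PowerShell check (run from an elevated prompt) that reports whether the `wkwzeh` service from the ComboFix log still has a key in any control set, which matters because the fix.reg above deletes only the ControlSet001 copy, and whether the driver file Malwarebytes reported as deleted is still on disk and how it is signed. The service name and driver path are taken from the logs in this thread; the function name `Test-SuspectService` is my own.

```powershell
# Editor's example, not from the thread. Reports remnants of a suspect
# kernel-mode service: registry keys in every control set and the driver file.
function Test-SuspectService {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$DriverPath
    )

    $report = New-Object PSObject -Property @{
        Service    = $Name
        KeysFound  = @()
        ImagePaths = @()
        FileExists = $false
        Signature  = 'n/a'
    }

    # ComboFix listed the key under ControlSet001 and the .reg fix deletes only
    # that one; a copy can survive in ControlSet002 (LastKnownGood) or in the
    # CurrentControlSet link, so check all of them. @() keeps $sets an array
    # even when only one ControlSetNNN key exists.
    $sets = @(Get-ChildItem -Path 'HKLM:\SYSTEM' |
              Where-Object { $_.PSChildName -like 'ControlSet*' } |
              ForEach-Object { $_.PSChildName })
    $sets += 'CurrentControlSet'

    foreach ($set in $sets) {
        $key = "HKLM:\SYSTEM\$set\Services\$Name"
        if (Test-Path -Path $key) {
            $report.KeysFound += $key
            $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
            if ($img) { $report.ImagePaths += "$set : $img" }
        }
    }

    if (Test-Path -LiteralPath $DriverPath) {
        $report.FileExists = $true
        # A driver in System32\drivers without a valid Authenticode signature
        # deserves a closer look; legitimate vendor drivers are normally signed.
        $report.Signature = (Get-AuthenticodeSignature -FilePath $DriverPath).Status.ToString()
    }
    return $report
}

# Service name and driver path as they appear in the ComboFix and Malwarebytes logs.
$report = Test-SuspectService -Name 'wkwzeh' -DriverPath "$env:SystemRoot\System32\drivers\wkwzeh.sys"
$report | Format-List Service, KeysFound, ImagePaths, FileExists, Signature

if ($report.KeysFound.Count -gt 0 -or $report.FileExists) {
    Write-Warning "Remnants of service '$($report.Service)' are still present; the removal did not hold."
} else {
    Write-Host "No trace of service '$($report.Service)' or its driver file was found."
}
```

If the key or the file is back after a reboot, the deletion did not hold, which is exactly the symptom described in the post above.
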
Re: w32/spamta.aip.worm

Post by Luke57 » 05/04/10 10:56

Hi, download SystemScan
http://www.suspectfile.com/systemscan

Disconnect the pc from the internet => disable the antivirus => run systemscan => click "Scan Now". When the scan is finished, upload the report you find on the desktop (.zip file) to freefilehosting or another hosting site (wikifortio, rapidshare etc.)
http://www.freefilehosting.net/index.cfm

Post the link you will be given after uploading the file (usually the first link).
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: w32/spamta.aip.worm

Post by shel » 08/04/10 21:58

try uploading it here, otherwise it stays hard to read
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: w32/spamta.aip.worm

Post by shel » 08/04/10 22:00

I typed it wrong

upload it here
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: w32/spamta.aip.worm

Post by trilok83 » 08/04/10 22:06

Forgive me, but when I upload the log (I upload the txt file) to the site you indicated it gives it back to me unchanged... I also tried uploading the zip, but then once downloaded it tells me it's corrupted, what should I do?
trilok83
Junior User

Posts: 19
Joined: 26/02/10 00:30

Re: w32/spamta.aip.worm

Post by shel » 09/04/10 08:55

copy it into a new text file, put it in a folder and zip it

try uploading it here
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: w32/spamta.aip.worm

Post by trilok83 » 09/04/10 20:17

Forgive me, maybe I didn't understand properly, but once I send the file where you tell me, what exactly do I have to do?... because basically it lets me download the file exactly as I passed it in. At that point how do I send it to you?.... because here it tells me I exceed the number of characters I have available to write. I pass the file zipped with the log txt inside and it comes back to me like that!!!!! But what should happen when I pass the file to Megaupload, for example, out of curiosity?
trilok83
Junior User

Posts: 19
Joined: 26/02/10 00:30

Re: w32/spamta.aip.worm

Post by Luke57 » 10/04/10 21:16

Hi, I understand that you don't know how to do it, but putting such a long report into 25 messages seems a bit much to me.
You have to take the .zip file, go here:
http://www.wikisend.com/

on the page that opens, choose Browse, locate your file, then press Upload. When the file has finished uploading to the site, you'll be given a link. Copy it and paste it into a future post, so that by clicking that link one can go and look at the file.

P.S. Don't use SMS language, as it's forbidden by the rules, thanks.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10
