Condividi:        

TR/Spy.Gen

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

TR/Spy.Gen

Postdi Alexand3r » 03/04/10 16:50

Ciao a tutti,
DA qualche giorno il mio computer va lento e dalla scansione di Avira ho visto che il computer ha rilevato due virus:
TR/Spy.Gen
TR/Vapsup.ues
Sarei molto grato se sapreste dirmi che tipo di virus sono, che possono causare e se Avira e in grado di toglierli.
Grazie Mille.
Alexand3r
Newbie
 
Post: 8
Iscritto il: 03/04/10 16:42

Sponsor
 

Re: TR/Spy.Gen

Postdi shel » 03/04/10 17:00

ciao

sono dei trojan ma e' meglio se posti un log di hijackthis, non vorrei che ci fosse la famigliola al completo

scarica hijackthis da qui

mettilo in una cartella appositamente dedicata, tipo C:\ hijackthis, poi avvialo, premi "do a system scan and save a log file", al termine sarà generato un report, copialo e incollalo in un post.
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: TR/Spy.Gen

Postdi Alexand3r » 03/04/10 17:37

Ciao, Grazie per avermi Risposto
Ecco il Logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.34.36, on 03/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programmi\Electronic Arts\EADM\Core.exe
C:\Documents and Settings\User\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\User\otb.exe \s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programmi\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Programmi\Electronic Arts\EADM\Core.exe" -silent
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.it - {4B21E152-BA59-4ebf-B522-8C55B265EE1A} - C:\Programmi\PartyItalia\PartyPokerIt\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.it - {4B21E152-BA59-4ebf-B522-8C55B265EE1A} - C:\Programmi\PartyItalia\PartyPokerIt\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: ServiceLayer - Nokia - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5814 bytes
Alexand3r
Newbie
 
Post: 8
Iscritto il: 03/04/10 16:42

Re: TR/Spy.Gen

Postdi shel » 03/04/10 18:03

disattiva il tuo antivirus e dopo aver scaricato questi programmi disconnettiti dalla rete

malwarebytes

combofix


lancia malwarebytes Aggiornalo: clicca sulla scheda "aggiornamenti" => "controlla aggiornamenti"
Esegui una "scansione completa" (seleziona l'opzione)
A scansione completa, fai clic su OK => Mostra i Risultati.
Assicurarti che tutto sia selezionato e clicca clic su Rimuovi selezionati.
Se ti chiede di riavviare, riavvia per completare il processo di pulizia.
Posta il rapporto .


Finita la scansione fai partire combofix
(non installare la recovery console)
Lascia lavorare il programma senza interferire
Allega il rapporto C:\ComboFix.txt nella tua risposta.
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: TR/Spy.Gen

Postdi Alexand3r » 04/04/10 09:20

Innanzitutto Auguri di Buona Pasqua a tutti voi del Forum
Ecco i Report di Malwarebytes e Combofix

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Versione database: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/04/2010 0.47.02
mbam-log-2010-04-04 (00-47-02).txt

Tipo di scansione: Scansione completa (C:\|E:\|)
Elementi esaminati: 333786
Tempo trascorso: 1 ore, 53 minuti, 17 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 1
Cartelle infette: 0
File infetti: 3

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\User\otb.exe \s) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
C:\Programmi\Adobe\Adobe Photoshop CS3\Msvcrt.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Programmi\Adobe\Adobe Photoshop CS3\Shfolder.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Dati applicazioni\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.

COMBOFIX

ComboFix 10-04-03.02 - User 04/04/2010 9.55.23.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1462 [GMT 2:00]
Eseguito da: c:\documents and settings\User\Documenti\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-14EF-9D7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-3C24-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\AcAdProc.dll
c:\windows\system32\winlogon.bak

.
((((((((((((((((((((((((( Files Creati Da 2010-03-04 al 2010-04-04 )))))))))))))))))))))))))))))))))))
.

2010-04-03 16:34 . 2010-04-03 16:34 -------- d-----w- c:\programmi\Trend Micro
2010-04-03 14:21 . 2010-04-03 14:21 7792 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 07:43 . 2010-03-31 07:48 -------- d-----w- c:\programmi\PartyItalia
2010-03-29 18:01 . 2010-03-29 18:40 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SpeedBit
2010-03-15 17:54 . 2006-05-03 21:53 174592 ------w- c:\windows\system32\framedyn.dll
2010-03-15 17:53 . 2010-04-02 11:11 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-03-15 17:53 . 2006-07-24 15:05 5632 ------w- c:\windows\system32\drivers\StarOpen.sys
2010-03-15 12:55 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-14 13:39 . 2010-03-14 13:39 -------- d-----w- c:\documents and settings\User\dwhelper
2010-03-11 17:05 . 2010-03-11 17:05 -------- d-----w- c:\programmi\Total Uninstall 5
2010-03-11 17:05 . 2010-03-11 17:05 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Martau
2010-03-10 17:40 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 07:57 . 2010-01-19 13:43 521444 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-04-03 21:05 . 2009-08-19 14:52 -------- d-----w- c:\programmi\Google
2010-04-03 20:52 . 2010-01-01 20:40 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-04-03 20:51 . 2010-04-03 20:51 5918776 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 15:17 . 2009-07-30 14:39 -------- d-----w- c:\documents and settings\User\Dati applicazioni\vlc
2010-04-03 09:27 . 2009-12-16 15:56 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Electronic Arts
2010-04-03 09:26 . 2009-12-16 14:38 -------- d-----w- c:\programmi\Electronic Arts
2010-04-03 09:18 . 2009-07-17 20:09 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-04-02 17:50 . 2010-01-02 16:21 407960 ----a-w- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-04-02 15:32 . 2009-07-28 15:46 1 ----a-w- c:\documents and settings\User\Dati applicazioni\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-02 11:10 . 2009-11-27 10:10 -------- d-----w- c:\programmi\Creative
2010-04-02 11:04 . 2009-12-16 18:00 -------- d-----w- c:\programmi\DivX
2010-04-02 11:01 . 2009-07-31 08:57 -------- d-----w- c:\programmi\ATI Technologies
2010-04-01 12:39 . 2009-08-31 13:57 4873640 ----a-w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
2010-04-01 07:30 . 2010-03-01 19:12 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Autodesk
2010-03-29 22:46 . 2010-01-01 20:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2010-01-01 20:40 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 18:40 . 2010-01-18 14:16 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2010-03-27 21:47 . 2009-07-17 17:59 -------- d-----w- c:\programmi\uTorrent
2010-03-27 15:47 . 2009-07-17 17:58 -------- d-----w- c:\documents and settings\User\Dati applicazioni\uTorrent
2010-03-08 13:00 . 2010-03-01 19:12 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Autodesk
2010-03-01 19:21 . 2010-03-01 19:21 36864 ----a-w- c:\documents and settings\User\Dati applicazioni\Autodesk\AutoCAD 2010\R18.0\ita\ContextualTabSelectorRules.dll
2010-03-01 19:20 . 2010-03-01 19:20 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2010-03-01 19:14 . 2010-03-01 19:14 -------- d-----w- c:\programmi\File comuni\Macrovision Shared
2010-02-27 13:19 . 2009-07-31 11:50 -------- d-----w- c:\documents and settings\User\Dati applicazioni\dvdcss
2010-02-25 06:16 . 2004-08-19 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-18 19:17 . 2009-07-28 06:29 -------- d-----w- c:\documents and settings\User\Dati applicazioni\PC Suite
2010-02-18 13:58 . 2010-02-18 13:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\KONAMI
2010-02-13 18:49 . 2010-02-13 18:49 0 ------w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-02-13 18:49 . 2010-02-13 18:49 0 ------w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-02-13 18:49 . 2009-07-28 06:29 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PC Suite
2010-02-11 14:26 . 2009-07-28 06:29 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Nokia
2010-02-11 14:22 . 2010-02-11 14:22 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Nokia
2010-02-11 14:22 . 2010-02-10 18:07 -------- d-----w- c:\programmi\File comuni\Nokia
2010-02-11 14:22 . 2010-02-10 18:06 -------- d-----w- c:\programmi\Nokia
2010-02-11 14:21 . 2010-02-11 14:21 36864 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-02-11 14:21 . 2010-02-11 14:21 3351812 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-02-11 14:21 . 2010-02-11 14:21 3203453 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-02-11 14:21 . 2009-07-28 06:27 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Installations
2010-02-10 18:59 . 2010-02-11 14:22 24419312 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_it.exe
2010-02-10 18:07 . 2010-02-10 18:07 -------- d-----w- c:\programmi\File comuni\PCSuite
2010-02-10 18:07 . 2010-02-10 18:07 -------- d-----w- c:\programmi\DIFX
2010-02-10 18:07 . 2010-02-10 18:07 -------- d-----w- c:\programmi\PC Connectivity Solution
2010-02-10 18:06 . 2010-02-10 18:06 95232 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-02-10 18:06 . 2010-02-10 18:06 8192 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-02-10 18:06 . 2010-02-10 18:06 61440 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-02-10 18:06 . 2010-02-10 18:06 10240 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2010-02-10 18:05 . 2010-02-10 18:06 34541248 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_ita_web.exe
2010-02-05 18:05 . 2010-02-02 15:04 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Nero
2010-02-03 12:56 . 2010-01-15 17:05 26176 ------w- c:\windows\system32\hamachi.sys
2010-01-11 17:40 . 2009-07-18 09:18 691696 ------w- c:\windows\system32\drivers\sptd.sys
2010-01-05 18:39 . 2010-01-05 18:38 5415 ----a-w- c:\windows\BricoPackFoldersDelete.cmd
2010-01-05 18:39 . 2009-09-04 09:56 71886 ----a-w- c:\windows\BricoPackUninst.cmd
2010-01-05 18:39 . 2004-08-19 12:00 219648 ------w- c:\windows\system32\uxtheme.dll
.

------- Sigcheck -------

[-] 2009-12-25 . 90F406811EE1EEE294792D00E21CA16C . 510464 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-11-13 . 1DBD3966123AC2F6ADE783F7F17F8C7F . 504832 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 . 9259170D29B5A256735FCB8B80280857 . 510464 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"PC Suite Tray"="c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"EA Core"="c:\programmi\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Alice ti aiuta.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Alice ti aiuta.lnk
backup=c:\windows\pss\Alice ti aiuta.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Utility Tray.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^AeroShake.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\AeroShake.lnk
backup=c:\windows\pss\AeroShake.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^Refresh Icon Cache.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\Refresh Icon Cache.lnk
backup=c:\windows\pss\Refresh Icon Cache.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^Styler toolbar.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\Styler toolbar.lnk
backup=c:\windows\pss\Styler toolbar.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^Styler.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^VisualTaskTips.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\VisualTaskTips.lnk
backup=c:\windows\pss\VisualTaskTips.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^YzShadow.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\YzShadow.lnk
backup=c:\windows\pss\YzShadow.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ggm]
c:\windows\system32\ggm.exe \u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\programmi\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 02:27 144784 ----a-w- c:\programmi\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 ----a-w- c:\windows\Updreg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Programmi\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Programmi\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Programmi\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"1708:TCP"= 1708:TCP:Services
"8170:TCP"= 8170:TCP:fnvdbgah
"4144:TCP"= 4144:TCP:Services

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [31/07/2008 20.45.42 19592]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/07/2009 11.18.10 691696]
S2 nscxgkpr;Universal Installer;c:\windows\system32\svchost.exe -k netsvcs [19/08/2004 14.00.00 14336]
S2 Sukoku Service;Sukoku Service; [x]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [24/09/2009 14.38.42 22528]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\programmi\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\programmi\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
S3 fsjyudtnl;fsjyudtnl;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [02/07/2008 14.58.48 25480]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [10/02/2010 20.06.55 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [10/02/2010 20.06.55 8320]
S3 ygnfvzhta;ygnfvzhta;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S4 PskSvcRetailInst;PskSvcRetailInst;c:\docume~1\User\IMPOST~1\Temp\ISSCAN\PskSvc.exe --> c:\docume~1\User\IMPOST~1\Temp\ISSCAN\PskSvc.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nscxgkpr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5570908-e19b-11de-88f3-0017c2ba26e1}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f913ec81-14c9-11df-8a18-0017c2ba26e1}]
\Shell\AutoRun\command - G:\Autorun.exe
.
.
------- Scansione supplementare -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
IE: {{4B21E152-BA59-4ebf-B522-8C55B265EE1A} - c:\programmi\PartyItalia\PartyPokerIt\RunApp.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Dati applicazioni\Mozilla\Firefox\Profiles\axqs6up4.default\
FF - prefs.js: browser.search.selectedEngine - Trova Rapido
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - component: c:\documents and settings\User\Dati applicazioni\Mozilla\Firefox\Profiles\axqs6up4.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.
.
------- Associazioni dei file -------
.
.scr=AutoCADScriptFile
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

MSConfigStartUp-USBToolTip - c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
AddRemove-Creative Installer Setup - c:\programmi\Creative\Uninstall\Installer.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 10:04
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spyw.sys >>UNKNOWN [0x8A5E5938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7253cb8
\Driver\atapi -> atapi.sys @ 0xf71e8b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\programmi\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fsjyudtnl]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ygnfvzhta]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nscxgkpr]
"ServiceDll"="c:\windows\system32\bbduiqam.dll"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008\\"
"LastSaveGame"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008\\games\\fiorenza23.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:0000001c
"WindowHeight"=dword:000001f5
"WindowWidth"=dword:000002e4
"WindowLeft"=dword:0000008e
"WindowTop"=dword:00000086
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Columns\Clubs]


[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Columns\Players]


[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Columns\Staff]


[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Rating Coefficients]


[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009\\"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="15-8280-E85F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4932)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programmi\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\programmi\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\programmi\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ita.nlr
c:\programmi\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\Avira\AntiVir Desktop\sched.exe
c:\programmi\Avira\AntiVir Desktop\avguard.exe
c:\programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
c:\programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\programmi\PC Connectivity Solution\ServiceLayer.exe
c:\programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Ora fine scansione: 2010-04-04 10:11:21 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-04-04 08:11
ComboFix2.txt 2010-01-10 18:04
ComboFix3.txt 2010-01-02 11:29

Pre-Run: 7.044.280.320 byte disponibili
Post-Run: 7.008.186.368 byte disponibili

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 5333D4E97E9EA9DFD6CB02CBBDB7376B
Alexand3r
Newbie
 
Post: 8
Iscritto il: 03/04/10 16:42

Re: TR/Spy.Gen

Postdi shel » 05/04/10 11:11

ciao

apri una pagina del blocco note e copia incolla quanto segue


Codice: Seleziona tutto
file::
F:\autorun.exe
G:\Autorun.exe
c:\windows\system32\01.tmp
c:\windows\system32\bbduiqam.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fsjyudtnl]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ygnfvzhta]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nscxgkpr]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5570908-e19b-11de-88f3-0017c2ba26e1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f913ec81-14c9-11df-8a18-0017c2ba26e1}]

NetSvcs::
nscxgkpr

driver::
fsjyudtnl
ygnfvzhta
nscxgkpr


salva la pagina nominandola obligatoriamente in CFScript.txt

a questo punto trascina e lascia il file CFScript.txt sull'icona di combofix

Immagine

lascialo lavorare fino alla fine e posta il nuovo rapporto che rilascia
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: TR/Spy.Gen

Postdi Alexand3r » 06/04/10 10:09

ComboFix 10-04-04.01 - User 06/04/2010 10.51.10.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1607 [GMT 2:00]
Eseguito da: c:\documents and settings\User\Documenti\Downloads\ComboFix.exe
Opzioni usate :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-14EF-9D7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-3C24-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}

FILE ::
"c:\windows\system32\01.tmp"
"c:\windows\system32\bbduiqam.dll"
"F:\autorun.exe"
"G:\Autorun.exe"
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NSCXGKPR
-------\Service_nscxgkpr


((((((((((((((((((((((((( Files Creati Da 2010-03-06 al 2010-04-06 )))))))))))))))))))))))))))))))))))
.

2010-04-03 16:34 . 2010-04-03 16:34 -------- d-----w- c:\programmi\Trend Micro
2010-04-03 14:21 . 2010-04-03 14:21 7792 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 07:43 . 2010-03-31 07:48 -------- d-----w- c:\programmi\PartyItalia
2010-03-29 18:01 . 2010-03-29 18:40 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SpeedBit
2010-03-15 17:54 . 2006-05-03 21:53 174592 ------w- c:\windows\system32\framedyn.dll
2010-03-15 17:53 . 2010-04-02 11:11 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-03-15 17:53 . 2006-07-24 15:05 5632 ------w- c:\windows\system32\drivers\StarOpen.sys
2010-03-15 12:55 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-14 13:39 . 2010-03-14 13:39 -------- d-----w- c:\documents and settings\User\dwhelper
2010-03-11 17:05 . 2010-03-11 17:05 -------- d-----w- c:\programmi\Total Uninstall 5
2010-03-11 17:05 . 2010-03-11 17:05 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Martau
2010-03-10 17:40 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 09:02 . 2010-01-19 13:43 521444 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-04-05 20:37 . 2009-07-30 14:39 -------- d-----w- c:\documents and settings\User\Dati applicazioni\vlc
2010-04-05 20:25 . 2009-07-17 17:58 -------- d-----w- c:\documents and settings\User\Dati applicazioni\uTorrent
2010-04-03 21:05 . 2009-08-19 14:52 -------- d-----w- c:\programmi\Google
2010-04-03 20:52 . 2010-01-01 20:40 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-04-03 20:51 . 2010-04-03 20:51 5918776 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 09:27 . 2009-12-16 15:56 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Electronic Arts
2010-04-03 09:26 . 2009-12-16 14:38 -------- d-----w- c:\programmi\Electronic Arts
2010-04-03 09:18 . 2009-07-17 20:09 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-04-02 17:50 . 2010-01-02 16:21 407960 ----a-w- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-04-02 15:32 . 2009-07-28 15:46 1 ----a-w- c:\documents and settings\User\Dati applicazioni\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-02 11:10 . 2009-11-27 10:10 -------- d-----w- c:\programmi\Creative
2010-04-02 11:04 . 2009-12-16 18:00 -------- d-----w- c:\programmi\DivX
2010-04-02 11:01 . 2009-07-31 08:57 -------- d-----w- c:\programmi\ATI Technologies
2010-04-01 12:39 . 2009-08-31 13:57 4873640 ----a-w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
2010-04-01 07:30 . 2010-03-01 19:12 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Autodesk
2010-03-29 22:46 . 2010-01-01 20:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2010-01-01 20:40 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 18:40 . 2010-01-18 14:16 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2010-03-27 21:47 . 2009-07-17 17:59 -------- d-----w- c:\programmi\uTorrent
2010-03-08 13:00 . 2010-03-01 19:12 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Autodesk
2010-03-01 19:21 . 2010-03-01 19:21 36864 ----a-w- c:\documents and settings\User\Dati applicazioni\Autodesk\AutoCAD 2010\R18.0\ita\ContextualTabSelectorRules.dll
2010-03-01 19:20 . 2010-03-01 19:20 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2010-03-01 19:14 . 2010-03-01 19:14 -------- d-----w- c:\programmi\File comuni\Macrovision Shared
2010-02-27 13:19 . 2009-07-31 11:50 -------- d-----w- c:\documents and settings\User\Dati applicazioni\dvdcss
2010-02-25 06:16 . 2004-08-19 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-18 19:17 . 2009-07-28 06:29 -------- d-----w- c:\documents and settings\User\Dati applicazioni\PC Suite
2010-02-18 13:58 . 2010-02-18 13:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\KONAMI
2010-02-13 18:49 . 2010-02-13 18:49 0 ------w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-02-13 18:49 . 2010-02-13 18:49 0 ------w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-02-13 18:49 . 2009-07-28 06:29 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PC Suite
2010-02-11 14:26 . 2009-07-28 06:29 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Nokia
2010-02-11 14:22 . 2010-02-11 14:22 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Nokia
2010-02-11 14:22 . 2010-02-10 18:07 -------- d-----w- c:\programmi\File comuni\Nokia
2010-02-11 14:22 . 2010-02-10 18:06 -------- d-----w- c:\programmi\Nokia
2010-02-11 14:21 . 2010-02-11 14:21 36864 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-02-11 14:21 . 2010-02-11 14:21 3351812 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-02-11 14:21 . 2010-02-11 14:21 3203453 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-02-11 14:21 . 2009-07-28 06:27 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Installations
2010-02-10 18:59 . 2010-02-11 14:22 24419312 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_it.exe
2010-02-10 18:07 . 2010-02-10 18:07 -------- d-----w- c:\programmi\File comuni\PCSuite
2010-02-10 18:07 . 2010-02-10 18:07 -------- d-----w- c:\programmi\DIFX
2010-02-10 18:07 . 2010-02-10 18:07 -------- d-----w- c:\programmi\PC Connectivity Solution
2010-02-10 18:06 . 2010-02-10 18:06 95232 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-02-10 18:06 . 2010-02-10 18:06 8192 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-02-10 18:06 . 2010-02-10 18:06 61440 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-02-10 18:06 . 2010-02-10 18:06 10240 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2010-02-10 18:05 . 2010-02-10 18:06 34541248 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_ita_web.exe
2010-02-05 18:05 . 2010-02-02 15:04 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Nero
2010-02-03 12:56 . 2010-01-15 17:05 26176 ------w- c:\windows\system32\hamachi.sys
2010-01-11 17:40 . 2009-07-18 09:18 691696 ------w- c:\windows\system32\drivers\sptd.sys
.

------- Sigcheck -------

[-] 2009-12-25 . 90F406811EE1EEE294792D00E21CA16C . 510464 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-11-13 . 1DBD3966123AC2F6ADE783F7F17F8C7F . 504832 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 . 9259170D29B5A256735FCB8B80280857 . 510464 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"PC Suite Tray"="c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"EA Core"="c:\programmi\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Alice ti aiuta.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Alice ti aiuta.lnk
backup=c:\windows\pss\Alice ti aiuta.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Utility Tray.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^AeroShake.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\AeroShake.lnk
backup=c:\windows\pss\AeroShake.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^Refresh Icon Cache.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\Refresh Icon Cache.lnk
backup=c:\windows\pss\Refresh Icon Cache.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^Styler toolbar.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\Styler toolbar.lnk
backup=c:\windows\pss\Styler toolbar.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^Styler.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^VisualTaskTips.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\VisualTaskTips.lnk
backup=c:\windows\pss\VisualTaskTips.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^YzShadow.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\YzShadow.lnk
backup=c:\windows\pss\YzShadow.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ggm]
c:\windows\system32\ggm.exe \u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\programmi\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 02:27 144784 ----a-w- c:\programmi\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 ----a-w- c:\windows\Updreg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Programmi\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Programmi\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Programmi\\Electronic Arts\\EADM\\Core.exe"=
"e:\\Programmi\\KONAMI\\Pro Evolution Soccer 2010\\pes2010.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"1708:TCP"= 1708:TCP:Services
"8170:TCP"= 8170:TCP:fnvdbgah
"4144:TCP"= 4144:TCP:Services

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [31/07/2008 20.45.42 19592]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/07/2009 11.18.10 691696]
S2 Sukoku Service;Sukoku Service; [x]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [24/09/2009 14.38.42 22528]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\programmi\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\programmi\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [02/07/2008 14.58.48 25480]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [10/02/2010 20.06.55 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [10/02/2010 20.06.55 8320]
S4 PskSvcRetailInst;PskSvcRetailInst;c:\docume~1\User\IMPOST~1\Temp\ISSCAN\PskSvc.exe --> c:\docume~1\User\IMPOST~1\Temp\ISSCAN\PskSvc.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5570908-e19b-11de-88f3-0017c2ba26e1}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f913ec81-14c9-11df-8a18-0017c2ba26e1}]
\Shell\AutoRun\command - G:\Autorun.exe
.
.
------- Scansione supplementare -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
IE: {{4B21E152-BA59-4ebf-B522-8C55B265EE1A} - c:\programmi\PartyItalia\PartyPokerIt\RunApp.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Dati applicazioni\Mozilla\Firefox\Profiles\axqs6up4.default\
FF - prefs.js: browser.search.selectedEngine - Trova Rapido
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - component: c:\documents and settings\User\Dati applicazioni\Mozilla\Firefox\Profiles\axqs6up4.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spao.sys >>UNKNOWN [0x8A5CA938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7253cb8
\Driver\atapi -> atapi.sys @ 0xf71e8b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\programmi\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008\\"
"LastSaveGame"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008\\games\\fiorenza23.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:0000001c
"WindowHeight"=dword:000001f5
"WindowWidth"=dword:000002e4
"WindowLeft"=dword:0000008e
"WindowTop"=dword:00000086
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Columns\Clubs]

[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Columns\Players]

[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Columns\Staff]


[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Rating Coefficients]


[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009\\"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="15-8280-E85F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5692)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programmi\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\programmi\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\programmi\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ita.nlr
c:\programmi\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\programmi\File comuni\Nero\SMC\NeroDigitalExt.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\Avira\AntiVir Desktop\sched.exe
c:\programmi\Avira\AntiVir Desktop\avguard.exe
c:\programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
c:\programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\programmi\PC Connectivity Solution\ServiceLayer.exe
c:\programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Ora fine scansione: 2010-04-06 11:06:23 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-04-06 09:06
ComboFix2.txt 2010-04-04 08:11
ComboFix3.txt 2010-01-10 18:04
ComboFix4.txt 2010-01-02 11:29

Pre-Run: 6.692.446.208 byte disponibili
Post-Run: 6.636.646.400 byte disponibili

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - AD97B858E8076A641AA1C029C52EF27F
Alexand3r
Newbie
 
Post: 8
Iscritto il: 03/04/10 16:42

Re: TR/Spy.Gen

Postdi shel » 06/04/10 11:25

combofix non ha elliminato alcune infezioni perche' probabilmente non e' stato eseguito correttamente

va eseguito dal desktop tu lo hai in un percorso non corretto

Eseguito da: c:\documents and settings\User\Documenti\Downloads\ComboFix.exe


disinstallalo con questo tool

scaricalo nuovamente e trascina di nuovo lo script che ti ho postato
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: TR/Spy.Gen

Postdi shel » 06/04/10 11:56

edit


appena finito dobbiamo eseguire la procedura per pulire l'MBR , lo hai infetto
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: TR/Spy.Gen

Postdi Alexand3r » 08/04/10 20:17

Ciao,
Scusate se rispondo tardi
Ecco il Log:

ComboFix 10-04-07.04 - User 08/04/2010 21.02.44.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1606 [GMT 2:00]
Eseguito da: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-14EF-9D7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-3C24-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}
.

((((((((((((((((((((((((( Files Creati Da 2010-03-08 al 2010-04-08 )))))))))))))))))))))))))))))))))))
.

2010-04-08 18:36 . 2010-04-08 18:36 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-06 11:30 . 2010-04-06 11:30 -------- d-----w- c:\windows\ShellNew
2010-04-06 11:30 . 2010-04-06 11:33 -------- d-----w- c:\programmi\AutoIt3
2010-04-06 09:51 . 2010-04-06 16:05 -------- d-----w- c:\programmi\JDownloader
2010-04-06 09:25 . 2010-04-06 09:25 -------- d-----w- c:\programmi\SystemRequirementsLab
2010-04-06 09:25 . 2010-04-06 09:25 -------- d-----w- c:\documents and settings\User\SystemRequirementsLab
2010-04-06 09:24 . 2010-04-06 09:24 503808 ----a-w- c:\documents and settings\User\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6d2e5148-n\msvcp71.dll
2010-04-06 09:24 . 2010-04-06 09:24 499712 ----a-w- c:\documents and settings\User\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6d2e5148-n\jmc.dll
2010-04-06 09:24 . 2010-04-06 09:24 348160 ----a-w- c:\documents and settings\User\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6d2e5148-n\msvcr71.dll
2010-04-06 09:24 . 2010-04-06 09:24 61440 ----a-w- c:\documents and settings\User\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b0eb9a1-n\decora-sse.dll
2010-04-06 09:24 . 2010-04-06 09:24 12800 ----a-w- c:\documents and settings\User\Dati applicazioni\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b0eb9a1-n\decora-d3d.dll
2010-04-06 09:24 . 2010-04-06 09:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-03 20:51 . 2010-04-03 20:51 5918776 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 16:34 . 2010-04-03 16:34 -------- d-----w- c:\programmi\Trend Micro
2010-04-03 14:21 . 2010-04-03 14:21 7792 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 07:43 . 2010-03-31 07:48 -------- d-----w- c:\programmi\PartyItalia
2010-03-29 18:01 . 2010-03-29 18:40 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SpeedBit
2010-03-15 17:54 . 2006-05-03 21:53 174592 ------w- c:\windows\system32\framedyn.dll
2010-03-15 17:53 . 2010-04-02 11:11 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-03-15 17:53 . 2006-07-24 15:05 5632 ------w- c:\windows\system32\drivers\StarOpen.sys
2010-03-15 12:55 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-14 13:39 . 2010-03-14 13:39 -------- d-----w- c:\documents and settings\User\dwhelper
2010-03-11 17:05 . 2010-03-11 17:05 -------- d-----w- c:\programmi\Total Uninstall 5
2010-03-11 17:05 . 2010-03-11 17:05 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Martau
2010-03-10 17:40 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 18:59 . 2010-01-02 16:21 407960 ----a-w- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-04-07 09:02 . 2010-01-19 13:43 521444 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-04-06 11:45 . 2009-07-30 14:39 -------- d-----w- c:\documents and settings\User\Dati applicazioni\vlc
2010-04-06 11:27 . 2009-07-31 11:50 -------- d-----w- c:\documents and settings\User\Dati applicazioni\dvdcss
2010-04-06 09:24 . 2009-07-17 20:22 -------- d-----w- c:\programmi\File comuni\Java
2010-04-06 09:24 . 2009-07-17 20:22 -------- d-----w- c:\programmi\Java
2010-04-05 20:25 . 2009-07-17 17:58 -------- d-----w- c:\documents and settings\User\Dati applicazioni\uTorrent
2010-04-03 21:05 . 2009-08-19 14:52 -------- d-----w- c:\programmi\Google
2010-04-03 20:52 . 2010-01-01 20:40 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-04-03 09:27 . 2009-12-16 15:56 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Electronic Arts
2010-04-03 09:26 . 2009-12-16 14:38 -------- d-----w- c:\programmi\Electronic Arts
2010-04-03 09:18 . 2009-07-17 20:09 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-04-02 15:32 . 2009-07-28 15:46 1 ----a-w- c:\documents and settings\User\Dati applicazioni\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-02 11:10 . 2009-11-27 10:10 -------- d-----w- c:\programmi\Creative
2010-04-02 11:04 . 2009-12-16 18:00 -------- d-----w- c:\programmi\DivX
2010-04-02 11:01 . 2009-07-31 08:57 -------- d-----w- c:\programmi\ATI Technologies
2010-04-01 12:39 . 2009-08-31 13:57 4873640 ----a-w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
2010-04-01 07:30 . 2010-03-01 19:12 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Autodesk
2010-03-29 22:46 . 2010-01-01 20:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2010-01-01 20:40 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 18:40 . 2010-01-18 14:16 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2010-03-27 21:47 . 2009-07-17 17:59 -------- d-----w- c:\programmi\uTorrent
2010-03-08 13:00 . 2010-03-01 19:12 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Autodesk
2010-03-01 19:21 . 2010-03-01 19:21 36864 ----a-w- c:\documents and settings\User\Dati applicazioni\Autodesk\AutoCAD 2010\R18.0\ita\ContextualTabSelectorRules.dll
2010-03-01 19:20 . 2010-03-01 19:20 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2010-03-01 19:14 . 2010-03-01 19:14 -------- d-----w- c:\programmi\File comuni\Macrovision Shared
2010-02-25 06:16 . 2004-08-19 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-18 19:17 . 2009-07-28 06:29 -------- d-----w- c:\documents and settings\User\Dati applicazioni\PC Suite
2010-02-18 13:58 . 2010-02-18 13:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\KONAMI
2010-02-13 18:49 . 2010-02-13 18:49 0 ------w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-02-13 18:49 . 2010-02-13 18:49 0 ------w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-02-13 18:49 . 2009-07-28 06:29 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PC Suite
2010-02-11 14:26 . 2009-07-28 06:29 -------- d-----w- c:\documents and settings\User\Dati applicazioni\Nokia
2010-02-11 14:22 . 2010-02-11 14:22 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Nokia
2010-02-11 14:22 . 2010-02-10 18:07 -------- d-----w- c:\programmi\File comuni\Nokia
2010-02-11 14:22 . 2010-02-10 18:06 -------- d-----w- c:\programmi\Nokia
2010-02-11 14:21 . 2010-02-11 14:21 36864 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-02-11 14:21 . 2010-02-11 14:21 3351812 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-02-11 14:21 . 2010-02-11 14:21 3203453 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-02-11 14:21 . 2009-07-28 06:27 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Installations
2010-02-10 18:59 . 2010-02-11 14:22 24419312 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_it.exe
2010-02-10 18:07 . 2010-02-10 18:07 -------- d-----w- c:\programmi\File comuni\PCSuite
2010-02-10 18:07 . 2010-02-10 18:07 -------- d-----w- c:\programmi\DIFX
2010-02-10 18:07 . 2010-02-10 18:07 -------- d-----w- c:\programmi\PC Connectivity Solution
2010-02-10 18:06 . 2010-02-10 18:06 95232 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-02-10 18:06 . 2010-02-10 18:06 8192 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-02-10 18:06 . 2010-02-10 18:06 61440 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-02-10 18:06 . 2010-02-10 18:06 10240 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2010-02-10 18:05 . 2010-02-10 18:06 34541248 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_ita_web.exe
2010-02-03 12:56 . 2010-01-15 17:05 26176 ------w- c:\windows\system32\hamachi.sys
2010-01-11 17:40 . 2009-07-18 09:18 691696 ------w- c:\windows\system32\drivers\sptd.sys
.

------- Sigcheck -------

[-] 2009-12-25 . 90F406811EE1EEE294792D00E21CA16C . 510464 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-11-13 . 1DBD3966123AC2F6ADE783F7F17F8C7F . 504832 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 . 9259170D29B5A256735FCB8B80280857 . 510464 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"PC Suite Tray"="c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"EA Core"="c:\programmi\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Alice ti aiuta.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Alice ti aiuta.lnk
backup=c:\windows\pss\Alice ti aiuta.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Utility Tray.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^AeroShake.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\AeroShake.lnk
backup=c:\windows\pss\AeroShake.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^Refresh Icon Cache.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\Refresh Icon Cache.lnk
backup=c:\windows\pss\Refresh Icon Cache.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^Styler toolbar.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\Styler toolbar.lnk
backup=c:\windows\pss\Styler toolbar.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^Styler.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^VisualTaskTips.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\VisualTaskTips.lnk
backup=c:\windows\pss\VisualTaskTips.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Menu Avvio^Programmi^Esecuzione automatica^YzShadow.lnk]
path=c:\documents and settings\User\Menu Avvio\Programmi\Esecuzione automatica\YzShadow.lnk
backup=c:\windows\pss\YzShadow.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ggm]
c:\windows\system32\ggm.exe \u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\programmi\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 02:27 144784 ----a-w- c:\programmi\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 ----a-w- c:\windows\Updreg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Programmi\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Programmi\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Programmi\\Electronic Arts\\EADM\\Core.exe"=
"e:\\Programmi\\KONAMI\\Pro Evolution Soccer 2010\\pes2010.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"1708:TCP"= 1708:TCP:Services
"8170:TCP"= 8170:TCP:fnvdbgah
"4144:TCP"= 4144:TCP:Services

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [31/07/2008 20.45.42 19592]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/07/2009 11.18.10 691696]
S2 Sukoku Service;Sukoku Service; [x]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [24/09/2009 14.38.42 22528]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\programmi\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\programmi\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [02/07/2008 14.58.48 25480]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [10/02/2010 20.06.55 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [10/02/2010 20.06.55 8320]
S4 PskSvcRetailInst;PskSvcRetailInst;c:\docume~1\User\IMPOST~1\Temp\ISSCAN\PskSvc.exe --> c:\docume~1\User\IMPOST~1\Temp\ISSCAN\PskSvc.exe [?]
.
.
------- Scansione supplementare -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
IE: {{4B21E152-BA59-4ebf-B522-8C55B265EE1A} - c:\programmi\PartyItalia\PartyPokerIt\RunApp.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Dati applicazioni\Mozilla\Firefox\Profiles\axqs6up4.default\
FF - prefs.js: browser.search.selectedEngine - Trova Rapido
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - component: c:\documents and settings\User\Dati applicazioni\Mozilla\Firefox\Profiles\axqs6up4.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- Associazioni dei file -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 21:09
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\programmi\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008]
"GameDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008"
"SaveDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008\\"
"LastSaveGame"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2008\\games\\fiorenza23.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinID"=dword:00000001
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"WindowState"=dword:00000002
"Currency"=dword:0000001c
"WindowHeight"=dword:000001f5
"WindowWidth"=dword:000002e4
"WindowLeft"=dword:0000008e
"WindowTop"=dword:00000086
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Columns\Clubs]


[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Columns\Players]


[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Columns\Staff]


[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2008\Rating Coefficients]

[HKEY_USERS\S-1-5-21-602162358-630328440-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Documents and Settings\\User\\Documenti\\Sports Interactive\\Football Manager 2009\\"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="15-8280-E85F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
.
Ora fine scansione: 2010-04-08 21:11:07
ComboFix-quarantined-files.txt 2010-04-08 19:11

Pre-Run: 11.735.523.328 byte disponibili
Post-Run: 11.778.347.008 byte disponibili

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 4A3F0DA51262E65CC44A0587D586D19B


P.S.: Queste infezioni sul computer e sull MBR possono essere causa di ralentamenti nei giochi? Dispongo di una RAM di 2 gb e una Dual-Core duo da 2.80 Ghz ma giochi che richiedono requisiti minori non girano bene (scusate l'off topic è per curiosità)
Alexand3r
Newbie
 
Post: 8
Iscritto il: 03/04/10 16:42

Re: TR/Spy.Gen

Postdi shel » 08/04/10 21:30

analizza sul sito virus total questo file

c:\windows\system32\ggm.exe
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: TR/Spy.Gen

Postdi Alexand3r » 09/04/10 12:15

Non c'e nessun ggm.exe nel percorso..
Alexand3r
Newbie
 
Post: 8
Iscritto il: 03/04/10 16:42

Re: TR/Spy.Gen

Postdi shel » 09/04/10 15:41

combofix non segnala piu' l'infezione nel'MBR
facciamo comunque un controllo

scarica MBR:EXE direttamente nella Directory C:\

vai in provvisoria

Da Start - Esegui - digita C:\mbr.exe e clicca su OK

posta il log che trovi in C:\ come mbr.log
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: TR/Spy.Gen

Postdi Alexand3r » 09/04/10 16:11

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !
Alexand3r
Newbie
 
Post: 8
Iscritto il: 03/04/10 16:42

Re: TR/Spy.Gen

Postdi shel » 10/04/10 10:36

scarica drweb cureit

Doppio click su cureit.exe e clicca sull'opzione "Avvia" ti chiederà se vuoi effettuare un controllo rapido rispondi SI(Ok)
Finita la scansione, metti il puntino nella casella "completa scansione" clicca sul tasto "Play" per far partire la scansione, se trova qualcosa di infetto hai la possibilità di rimuoverlo subito oppure a fine scansione, finita la scansione fai rimuovere gli elementi infetti, salva il report di fine scansione clicca su File>Salva lista report, poi posta il report che hai salvato
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56


Torna a Sicurezza e Privacy

Chi c’è in linea

Visitano il forum: Nessuno e 28 ospiti