Aiuto Trojan Generic 12.AQDS

[januarius]

Salve, appena apro ie mi appare la schermata di avg "minaccia rilevata"
Nome file : C:\Windows\system32\msqpdxdoedcloq.dll
Trojan Generic 12.AQDS
rilevata all'apertura
dettagli nome processo C:\Program Files\Internet Explorer\iexplore.exe
id processo 1888

se lo elimino, nn riesco + a navigare, o meglio alcune pagine non si caricano, ovviamente quando riavvio il pc e lancio ie il problema riappare

usando Malwarebit antimalware, durante la scansione schermata blu e riavvio di Windows Vista

di seguito posto il log di HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.28.06, on 13/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\FortiSslvpnDaemon.exe
C:\Program Files\FreePOPs\freepopsservice.exe
C:\Program Files\FreePOPs\freepopsd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\javaw.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Windows\system32\wermgr.exe
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe
E:\Vista Utente\Desktop\backup penne\Sicurezza_Antivirus_AdAware\HiJackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 195.72.134.100 www.bwin.com
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uranium] C:\Program Files\FreeSoft\Uranium\Uranium.exe reg
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MyWirelessCard] C:\Programmi\H3G\3G HSDPA Wireless Modem MD-@\WirelessCard.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: html2pop3hidden.bat.lnk = E:\html2pop3232src\html2pop3hidden.bat
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Program Files\PokerStars.IT\PokerStarsUpdate.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-24-0.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} (fortisslvpn Class) - https://extranet.beniculturali.it/sslvpn.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b57213.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-27-0.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\Windows\System32\appdrvrem01.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FortiSslvpnDaemon - Fortinet Inc. - C:\Windows\system32\FortiSslvpnDaemon.exe
O23 - Service: FreePOPs - Unknown owner - C:\Program Files\FreePOPs\freepopsservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 15330 bytes

Grazie a tutti

[januarius]

Facendo partire combofix in modalità provvisoria, mi rileva dei rootkit e precisamente

C:\Windows\system32\drivers\msqpdxotqbpfim.sys
C:\Windows\system32\msqpdxoedcloq.dll

file che nn esistono!!!

dopo aver trovato i rootkit si combofix fa riavviare il sistema ......

[Luke57]

Ciao, a parte il fatto che combfix dovrebbe essere usato in modalità normale, posta il report di combofix medesimo.

[januarius]

ciao, allora...ho fatto partire combofix in modalità normale (scusa ma pensavo il contrario)
ecco il report sembra abbia eliminato sia il .dll che il .sys

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\resycled
C:\resycled\boot.com
C:\Windows\system32\drivers\msqpdxotqbpfim.sys
C:\Windows\system32\drivers\npf.sys
C:\Windows\system32\msqpdxdoedcloq.dll
D:\Autorun.inf
D:\resycled
D:\resycled\boot.com
E:\Autorun.inf
E:\resycled
E:\resycled\boot.com
F:\Autorun.inf
F:\resycled
F:\resycled\boot.com

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS
-------\Service_MSQPDXSERV.SYS
-------\Service_NPF


((((((((((((((((((((((((( Files Creati Da 2008-12-13 al 2009-01-13 )))))))))))))))))))))))))))))))))))
.

2009-01-13 13:49 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-13 11:03 . 2009-01-13 11:23 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2009-01-12 20:24 . 2009-01-12 20:34 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2009-01-12 20:24 . 2009-01-12 20:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2009-01-12 20:24 . 2009-01-12 20:34 <DIR> d-------- C:\PROGRA~2\Spybot - Search & Destroy
2009-01-12 11:54 . 2009-01-13 14:16 <DIR> dr------- C:\Users\JanuariusVISTA\Documents
2009-01-12 11:54 . 2007-03-23 03:05 29,272 -ra------ C:\Windows\System32\AdobePDF.dll
2009-01-12 11:44 . 2009-01-12 11:44 25,280 --a------ C:\Windows\System32\drivers\hamachi.sys
2009-01-12 11:01 . 2009-01-12 11:11 <DIR> d-------- C:\Windows\System32\ExeToService
2009-01-12 11:00 . 2009-01-12 11:00 <DIR> d-------- C:\Program Files\Exe To Service
2009-01-12 10:47 . 2009-01-12 10:47 <DIR> d-------- C:\Program Files\NetRun
2009-01-10 03:07 . 2009-01-13 17:15 <DIR> d-------- C:\Users\JanuariusVISTA\AppData\Roaming\Hamachi
2009-01-10 03:06 . 2009-01-12 11:44 <DIR> d-------- C:\Program Files\Hamachi
2009-01-09 02:08 . 2009-01-09 02:08 <DIR> d-------- C:\Users\JanuariusVISTA\AppData\Roaming\Malwarebytes
2009-01-09 02:08 . 2009-01-09 02:08 <DIR> d-------- C:\Users\All Users\Malwarebytes
2009-01-09 02:08 . 2009-01-09 02:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-09 02:08 . 2009-01-09 02:08 <DIR> d-------- C:\PROGRA~2\Malwarebytes
2009-01-09 02:08 . 2009-01-04 18:38 38,496 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2009-01-09 02:08 . 2009-01-04 18:38 15,504 --a------ C:\Windows\System32\drivers\mbam.sys
2009-01-09 01:54 . 2009-01-09 01:54 <DIR> d-------- C:\Program Files\FileASSASSIN
2009-01-07 19:09 . 2009-01-07 19:09 <DIR> d-------- C:\Users\JanuariusVISTA\AppData\Roaming\Thunderbird
2009-01-07 19:09 . 2009-01-07 19:09 <DIR> d-------- C:\Users\JanuariusVISTA\AppData\Roaming\Talkback
2009-01-07 14:11 . 2009-01-07 14:11 410,984 --a------ C:\Windows\System32\deploytk.dll
2009-01-02 22:49 . 2009-01-02 22:49 249,856 --------- C:\Windows\Setup1.exe
2009-01-02 22:49 . 2009-01-02 22:49 73,216 --a------ C:\Windows\ST6UNST.EXE
2008-12-21 17:58 . 2008-12-21 17:58 <DIR> d-------- C:\Poker
2008-12-17 14:02 . 2008-12-17 14:02 <DIR> d-------- C:\Program Files\SocksCapV2
2008-12-17 13:25 . 2008-12-17 13:26 <DIR> d-------- C:\Program Files\Your Freedom
2008-12-17 12:01 . 2008-12-20 20:41 <DIR> d-------- C:\Program Files\PokerStars.IT
2008-12-14 03:07 . 2008-10-22 02:22 2,048 --a------ C:\Windows\System32\tzres.dll
2008-12-13 15:06 . 2008-11-01 02:21 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-12-13 15:06 . 2008-11-01 04:44 28,672 --a------ C:\Windows\System32\Apphlpdm.dll
2008-12-13 15:02 . 2008-10-21 06:25 296,960 --a------ C:\Windows\System32\gdi32.dll
2008-12-13 14:57 . 2008-10-29 07:29 2,927,104 --a------ C:\Windows\explorer.exe
2008-12-13 14:57 . 2008-10-16 05:47 827,392 --a------ C:\Windows\System32\wininet.dll
2008-12-13 14:56 . 2008-06-23 02:59 2,868,736 --a------ C:\Windows\System32\mf.dll
2008-12-13 14:56 . 2008-06-23 02:59 996,352 --a------ C:\Windows\System32\WMNetMgr.dll
2008-12-13 14:56 . 2008-06-23 02:58 94,720 --a------ C:\Windows\System32\logagent.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 16:16 --------- d-----w C:\Users\JanuariusVISTA\AppData\Roaming\OpenOffice.org2
2009-01-13 16:04 --------- d-----w C:\Users\JanuariusVISTA\AppData\Roaming\Free Download Manager
2009-01-12 17:07 --------- d-----w C:\Program Files\bwin
2009-01-12 11:14 --------- d-----w C:\Users\JanuariusVISTA\AppData\Roaming\uTorrent
2009-01-12 11:00 --------- d-----w C:\PROGRA~2\Avg8
2009-01-10 12:31 121,782 ----a-w C:\Users\JanuariusVISTA\AppData\Roaming\nvModes.dat
2009-01-07 13:11 --------- d-----w C:\Program Files\Java
2009-01-02 21:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-12-14 02:19 --------- d-----w C:\Program Files\Windows Mail
2008-12-14 02:14 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-12-10 07:35 --------- d-----w C:\Users\JanuariusVISTA\AppData\Roaming\dvdcss
2008-11-24 19:35 --------- d-----w C:\PROGRA~2\Office Genuine Advantage
2008-11-16 17:57 --------- d-----w C:\Program Files\Windows Media Components
2008-11-01 03:44 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-09-23 19:04 822 ----a-w C:\Users\JanuariusVISTA\all cardes.reg
2008-09-20 20:20 834 ----a-w C:\Users\JanuariusVISTA\all cardds.reg
2008-05-24 11:41 28,694 ----a-w C:\Users\All Users\nvModes.dat
2008-05-24 11:41 28,694 ----a-w C:\PROGRA~2\nvModes.dat
2008-05-21 21:46 174 --sha-w C:\Program Files\desktop.ini
2008-05-21 18:39 76 --sh--r C:\Windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 18:59 2953216 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 18:59 2953216 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 22:33 1233920]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 14:08 136136]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 14:35 202024]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-05-25 21:00 5724184]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2008-05-20 16:27 2474031]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-09-10 21:56 218032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 22:33 125952]
"MyWirelessCard"="C:\Programmi\H3G\3G HSDPA Wireless Modem MD-@\WirelessCard.exe" [2007-06-08 09:11 634880]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 21:56 218032]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2007-03-28 18:23 49168]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-24 17:02 174616]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-01-07 14:11 136600]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 15:43 118784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51 1836328]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 01:52 2595480]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 02:02 905056]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 01:55 140568]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 21:38 623992]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-11-12 22:37 86016]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-07-02 12:29 159744]
"Windows Mobile Device Center"="C:\Windows\WindowsMobile\wmdc.exe" [2007-05-31 08:21 648072]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-10 21:56 86960]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-12 22:37 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-12 22:37 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-12 22:37 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-11-27 22:30 1261336]
"a-squared"="C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" [2008-12-14 08:56 2782352]

C:\Users\JanuariusVISTA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2009-01-12 11:44:12 624416]
html2pop3hidden.bat.lnk - E:\html2pop3232src\html2pop3hidden.bat [2008-05-22 11:22:35 260]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 14:41:28 393216]
Ritaglio schermata e avvio di OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 19:44:36 101440]

C:\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 16:55:50 703280]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2008-02-22 16:01:38 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 18:46 90112 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{81A53D6F-A798-40E8-92CE-313B9576D0B3}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{F1BF8EFE-FA6D-4A5E-8666-003C00A46230}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A7BC2942-73B0-432B-9698-BDA8752A1963}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A849E20F-D8D7-4DDA-A1EA-5965836DEED8}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6237D3DF-7729-4C87-91CA-D1F5C0E85DFB}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{CF2C02D2-6DCD-43C8-9FCC-52112475BBCA}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{E57BC615-5240-4687-975A-3D9658520138}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2CFE8557-5C99-46DE-AF64-409320CDC6D7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D5DFD79D-36EB-42F6-A254-80EFEC638F9F}E:\\vista utente\\desktop\\putty.exe"= UDP:E:\vista utente\desktop\putty.exe:SSH, Telnet and Rlogin client
"UDP Query User{4FF8B269-2992-4B8F-8463-9451432A9E1F}E:\\vista utente\\desktop\\putty.exe"= TCP:E:\vista utente\desktop\putty.exe:SSH, Telnet and Rlogin client
"TCP Query User{1CA2D61D-98F7-4ADB-8ADE-996521436169}E:\\vista utente\\desktop\\putty.exe"= UDP:E:\vista utente\desktop\putty.exe:SSH, Telnet and Rlogin client
"UDP Query User{3524D9E1-2C18-459D-A4B8-0EF5E2B50CAD}E:\\vista utente\\desktop\\putty.exe"= TCP:E:\vista utente\desktop\putty.exe:SSH, Telnet and Rlogin client
"TCP Query User{208B3279-2074-4143-BBB0-6830A1E44C7C}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4C4AA9F0-4AD1-49BC-80E2-6C92DE5E7B51}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{005766FA-1B13-4C1A-A656-11604AB850C6}C:\\program files\\microsoft office\\office12\\winword.exe"= UDP:C:\program files\microsoft office\office12\winword.exe:Microsoft Office Word
"UDP Query User{A83BE2BC-A7C8-4950-888B-998DAC14C7DD}C:\\program files\\microsoft office\\office12\\winword.exe"= TCP:C:\program files\microsoft office\office12\winword.exe:Microsoft Office Word
"TCP Query User{746ED792-66E0-4002-88B5-0BC428FB1B93}E:\\vista utente\\documenti\\hfs.exe"= UDP:E:\vista utente\documenti\hfs.exe:hfs
"UDP Query User{304C584C-537F-47CC-A3CD-435835B89126}E:\\vista utente\\documenti\\hfs.exe"= TCP:E:\vista utente\documenti\hfs.exe:hfs
"TCP Query User{0DB8ABE4-536C-4763-981E-4F789465246D}C:\\program files\\free download manager\\fdm.exe"= UDP:C:\program files\free download manager\fdm.exe:Free Download Manager
"UDP Query User{42CCF6FD-4990-45A9-8A95-33A55DF40B6B}C:\\program files\\free download manager\\fdm.exe"= TCP:C:\program files\free download manager\fdm.exe:Free Download Manager
"TCP Query User{0911602F-EFF5-4657-AB14-270F33680190}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{41E8D5D5-98B6-46F9-B312-C93658B95776}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{B92A2029-4684-4438-A656-D5905D3E0286}"= UDP:C:\Program Files\Cyanide\GameCenter\GameCenter.exe:GameCenter
"{1F0B275D-2857-48EA-8D1D-DDEBEC83198B}"= TCP:C:\Program Files\Cyanide\GameCenter\GameCenter.exe:GameCenter
"{09C8C521-FDA4-49FD-B966-1AA3A3612A30}"= UDP:E:\Giochi\Pro Cycling Manager - Season 2008\PCM.exe:Pro Cycling Manager - Season 2008
"{32AC37AB-BA20-4063-A254-065B302390D6}"= TCP:E:\Giochi\Pro Cycling Manager - Season 2008\PCM.exe:Pro Cycling Manager - Season 2008
"{A22AC4B5-4A9F-4FDF-81D2-71D929AF0141}"= UDP:E:\Giochi\Pro Cycling Manager - Season 2008\Autorun\Exe\Autorun.exe:Pro Cycling Manager - Season 2008 - AutoRun
"{AB27D1E2-55CA-4E27-A4F2-1050569923B6}"= TCP:E:\Giochi\Pro Cycling Manager - Season 2008\Autorun\Exe\Autorun.exe:Pro Cycling Manager - Season 2008 - AutoRun
"{6DB87BE2-5C4C-4FED-B710-F3A00BF79249}"= UDP:C:\Program Files\FreePOPs\freepopsd.exe:FreePOPs
"{2406533E-E469-4312-B7E9-9F96F7D36843}"= TCP:C:\Program Files\FreePOPs\freepopsd.exe:FreePOPs
"TCP Query User{C372DB6C-608E-4419-A5DF-1D465F372E62}E:\\vista utente\\download\\hfs.exe"= UDP:E:\vista utente\download\hfs.exe:hfs
"UDP Query User{B46B4FB3-B58D-4D7E-A759-DFE38DD95DA7}E:\\vista utente\\download\\hfs.exe"= TCP:E:\vista utente\download\hfs.exe:hfs
"TCP Query User{03B1FAC2-3219-492C-9135-0980C63348AB}C:\\program files\\save2ftp\\save2ftp.exe"= UDP:C:\program files\save2ftp\save2ftp.exe:Save2FTP
"UDP Query User{44D2ADE0-7F66-4526-B4B5-A8D8C95D8FB0}C:\\program files\\save2ftp\\save2ftp.exe"= TCP:C:\program files\save2ftp\save2ftp.exe:Save2FTP
"TCP Query User{7AD6725C-B8B7-4C92-B63A-2B0DE064901D}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{1431FE5D-DA6D-42FC-A524-9C7CA66AB62D}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{2865A4E6-1CB4-48E0-B3F2-2EB2DCCE533E}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{27D1B587-1C48-4C14-ABD4-2B25B0091167}"= UDP:E:\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{74B6FEDD-63FD-4AC3-8B05-537AD90719A2}"= TCP:E:\Diablo II\Diablo II.exe:Diablo II - Lord of Destruction
"{7705C833-7272-494F-A4E8-B0056DE3F655}"= UDP:6112:6112
"{9DB9D710-97EB-44D3-A035-6B13FE0DAC1E}"= TCP:6112:6112
"{6309164F-F35D-4D0F-A421-3D967D8D5C6D}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{5DE2DC1A-5629-4C76-B440-F957DF3D7BE7}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{ACFA15FB-2641-4807-960D-52C87EFCB25B}C:\\program files\\konami\\yu-gi-oh! power of chaos joey the passion\\joey_pc.exe"= UDP:C:\program files\konami\yu-gi-oh! power of chaos joey the passion\joey_pc.exe:joey_pc
"UDP Query User{8C3CC753-B9B1-4ADD-BA96-3D4F8CCC24F2}C:\\program files\\konami\\yu-gi-oh! power of chaos joey the passion\\joey_pc.exe"= TCP:C:\program files\konami\yu-gi-oh! power of chaos joey the passion\joey_pc.exe:joey_pc
"TCP Query User{89FCBC94-1F09-4FE8-A1C1-C2B1824FE364}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{F3294ABD-1890-43FE-B8CB-763EE8206D85}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{61D9DDAE-FDEC-4DD4-86E1-44A9283E5FA8}C:\\program files\\free download manager\\fdm.exe"= UDP:C:\program files\free download manager\fdm.exe:Free Download Manager
"UDP Query User{CE3ADE0F-7C1A-4CA0-A717-4CD905B14144}C:\\program files\\free download manager\\fdm.exe"= TCP:C:\program files\free download manager\fdm.exe:Free Download Manager
"TCP Query User{144BF005-5159-4DCA-BCDF-4E482F2E8019}C:\\program files\\your freedom\\freedom.exe"= UDP:C:\program files\your freedom\freedom.exe:freedom
"UDP Query User{AFC83E32-E527-446A-9FAC-D9EEE9F059B6}C:\\program files\\your freedom\\freedom.exe"= TCP:C:\program files\your freedom\freedom.exe:freedom
"TCP Query User{EDAA5687-08B2-4997-A795-ECDC03736EE4}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{9C45E5FF-ACA5-41A0-BF61-4B63E5568163}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{9C771AA0-4573-4E77-B732-C06400BCDA8C}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{73F8B568-7222-46DA-B3AE-AE6123B9111E}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\TRENDnet\\PS Utility\\PSUTILITY.EXE"= C:\Program Files\TRENDnet\PS Utility\PSUTILITY.EXE:*:Enabled:PsUtility

R1 appdrv01;Application Driver (01);C:\Windows\System32\drivers\appdrv01.sys [2008-07-14 12:01:42 2915944]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\System32\drivers\avgldx86.sys [2008-08-25 09:16:33 97928]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\System32\drivers\OEM02Dev.sys [2007-10-10 16:03:00 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\System32\drivers\OEM02Vfx.sys [2008-05-21 19:36:49 7424]
R3 pppop;PPPoP WAN Adapter;C:\Windows\System32\drivers\pppop.sys [2007-06-06 14:03:54 30208]
R4 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-25 09:16:31 231704]
R4 FortiSslvpnDaemon;FortiSslvpnDaemon;C:\Windows\System32\FortiSslvpnDaemon.exe [2008-11-16 18:21:21 501280]
S3 bsusbser;H3G USB Device for Legacy Serial Communication;C:\Windows\System32\drivers\bsusbser.sys [2008-08-16 18:53:46 94848]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\mbamswissarmy.sys [2009-01-09 02:08:01 38496]
S3 Winacusb;Winacusb;C:\Windows\System32\drivers\winacusb.sys [2008-08-17 20:08:23 829952]
S4 appdrvrem01;Application Driver Auto Removal Service (01);C:\Windows\System32\appdrvrem01.exe svc --> C:\Windows\System32\appdrvrem01.exe svc [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0493841e-6baf-11dd-b4b4-001e4ce0e000}]
\shell\AutoRun\command - H:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{345e219d-275e-11dd-b9ba-001e4ce0e000}]
\shell\AutoRun\command - H:\.\run\autorun.exe
\shell\open\Command - H:\.\run\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{950ebd1b-c52a-11dd-b7e6-001e4ce0e000}]
\shell\AutoRun\command - H:\.\run\autorun.exe
\shell\open\Command - H:\.\run\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a48b4576-35de-11dd-a26f-001e4ce0e000}]
\shell\Auto\command - Start.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad0fea32-2765-11dd-8e7b-001e4ce0e000}]
\shell\AutoRun\command - .\run\autorun.exe
\shell\open\Command - .\run\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5421546-276f-11dd-892f-001e4ce0e000}]
\shell\AutoRun\command - I:\setup.exe
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-Uranium - C:\Program Files\FreeSoft\Uranium\Uranium.exe
HKLM-Run-nwiz - nwiz.exe


.
------- Supplementare di scansione -------
.
uStart Page = hxxp://www.google.it/
IE: {{C4046502-6524-4d87-896C-878F57D1FF07} - C:\Program Files\PokerStars.IT\PokerStarsUpdate.exe

C:\Windows\FortiSSLVPNd.exe - C:\Windows\System32\fortisslclient.key
C:\Windows\System32\fortisslclient.crt
C:\Windows\System32\fortisslcacert.pem
C:\Windows\System32\pppop.sys
C:\Windows\Downloaded Program Files\forticontrol.dll
O16 -: {B0882EB7-81A5-4A11-8D45-71888F973933}
hxxps://extranet.beniculturali.it/sslvpn.cab
C:\Windows\Downloaded Program Files\sslvpn.inf

C:\Windows\Downloaded Program Files\EPUWALcontrol.dll - O16 -: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB}
hxxp://tools.ebayimg.com/eps/wl/activex ... 0-27-0.cab
C:\Windows\Downloaded Program Files\EPUWALcontrol.inf
FF - ProfilePath - C:\Users\JANUAR~1\AppData\Roaming\Mozilla\Firefox\Profiles\d8lpm1a9.default\
FF - component: C:\Program Files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: C:\Users\JanuariusVISTA\AppData\Roaming\Mozilla\Firefox\Profiles\d8lpm1a9.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: C:\Users\JanuariusVISTA\AppData\Roaming\Mozilla\Firefox\Profiles\d8lpm1a9.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
.

[januarius]

Ciao, sembra che il probelma si scomparso....nel log vedi qualcosa di strano?

Ciao e grazie per l'aiuto

[Luke57]

Ciao, apri un file di testo, al suo interno copia e incolla il seguente script:

Codice: Seleziona tutto

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0493841e-6baf-11dd-b4b4-001e4ce0e000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{345e219d-275e-11dd-b9ba-001e4ce0e000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{950ebd1b-c52a-11dd-b7e6-001e4ce0e000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a48b4576-35de-11dd-a26f-001e4ce0e000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad0fea32-2765-11dd-8e7b-001e4ce0e000}]
;

salvalo sul desktop, cambiando l'estensione da .txt a .reg (tipo di file=tutti i file) e chiamandolo fix.reg

Poi doppio click su di esso e accetta le modifiche proposte.
Serve a eliminare alcune voci di registro immesse dal malware.

[januarius]

Ok fatto tutto

Ti ringrazio, sei stato molto gentile ....