SOLVED Help, possible virus "lubwuhedofym.exe"


Starhammer

New User
Hi everyone,
I'm new to this forum, so forgive my ignorance and any breaches of etiquette.
I'm afraid I'm infected with some virus. Actually I'm practically certain of it, and I'll explain why:
last night I noticed that my PC was slower than usual, and I couldn't work out why. When I decided to shut it down, it told me there was an application that had not yet been closed, "eti93405873405", and even when the PC finished "ending" it, it told me the application was not responding; so, suspicious, I chose End Task but rebooted the system anyway. Once it restarted, Panda found and removed (so it says) a virus, and this repeats at every boot:

it identifies it as Trj/Necurs.B, and finds it in the form of these files:

-C:\WINDOWS\system32\drivers\19aa5.sys
-C:\WINDOWS\system32\drivers\1bd40.sys
-C:\WINDOWS\system32\drivers\1ed87.sys


I ran Malwarebytes' Anti-Malware in safe mode and in normal mode with a full scan, but it found nothing; however, I noticed this strange file:

"lubwuhedofym", which should be an ".exe" file and which, guess what, was created last night at 21:45!
I searched the internet for information about this lubwuhedofym and there are only two results: one from 3 days ago and one from yesterday. One is a Croatian site that I translated with Google Translate (imagine the result), and if I understand correctly it is related to a virus; the other must be a report from some antivirus, but I'm not an expert and I don't understand it.

Can you help me? I can still use the computer, nothing seems to be blocked, but it's slow and infected anyway!
Thanks in advance for your replies
 
Re: Help, possible virus "lubwuhedofym.exe"

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.26.43, on 02/10/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\Programmi\Panda Security\Panda Cloud Antivirus\PSUAMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Packard Bell\Software Suite\PBSoftSuite.exe
C:\Programmi\TomTom HOME 2\TomTomHOMERunner.exe
C:\Documents and Settings\Administrator\lubwuhedofym.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programmi\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programmi\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Programmi\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe
C:\Programmi\Panda Security\Panda Cloud Antivirus\PSUAService.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\TomTom HOME 2\TomTomHOMEService.exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\Programmi\Packard Bell\Software Suite\pbDevDetect.exe
C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\File comuni\Java\Java Update\jucheck.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Windows Live\Toolbar\wltuser.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [URL="http://go.microsoft.com/fwlink/?LinkId=54896"]Bing[/URL]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [URL="http://go.microsoft.com/fwlink/?LinkId=69157"]MSN.com[/URL]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [URL="http://go.microsoft.com/fwlink/?LinkId=54896"]Bing[/URL]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [URL="http://go.microsoft.com/fwlink/?LinkId=54896"]Bing[/URL]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [URL="http://go.microsoft.com/fwlink/?LinkId=69157"]MSN.com[/URL]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [URL="http://go.microsoft.com/fwlink/?LinkId=74005"]Customize Your Settings[/URL]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmi\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Snap] C:\Programmi\Webcam videocap\Camera Snap.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Programmi\File comuni\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [PSUAMain] "C:\Programmi\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" /LaunchSysTray
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Software Suite] "C:\Programmi\Packard Bell\Software Suite\PBSoftSuite.exe" /RUN
O4 - HKCU\..\Run: [Packard Bell Software Suite] "C:\Programmi\Packard Bell\Software Suite\PBSoftSuite.exe" /run
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [lubwuhedofym] C:\Documents and Settings\Administrator\lubwuhedofym.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Programmi\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O8 - Extra context menu item: Add to AMV/AVI Video Converter... - C:\Programmi\Media Player Utilities 4.36\AMVConverter\grab.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [URL]http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab[/URL]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [URL]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/URL]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Programmi\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: Olympus DVR Service - OLYMPUS IMAGING CORP. - C:\Programmi\File comuni\Olympus Shared\DeviceManager\olydvrsv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PowerSave Service (PowerSave) - Packard Bell Services - C:\Programmi\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe
O23 - Service: Panda Product Service (PSUAService) - Panda Security, S.L. - C:\Programmi\Panda Security\Panda Cloud Antivirus\PSUAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Programmi\TomTom HOME 2\TomTomHOMEService.exe
--
End of file - 10368 bytes




Code:
ComboFix 12-10-02.02 - Administrator 02/10/2012  15.36.03.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.1023.401 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
FW: Cloud Antivirus Firewall *Disabled* {1337562C-110A-4AF8-B12B-750C0B30E802}
.
.
(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Dati applicazioni\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk
c:\documents and settings\Administrator\lubwuhedofym.exe
c:\documents and settings\Administrator\WINDOWS
c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE
c:\windows\dasetup.log
c:\windows\system32\FE05DA0D.dll
c:\windows\system32\FE05EFED.dll
c:\windows\system32\FE05F051.dll
c:\windows\system32\FE05F17D.dll
c:\windows\system32\FE05F3D5.dll
c:\windows\system32\FE05F3D6.dll
c:\windows\system32\FE05F3D7.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\unin0410.exe
.
.
(((((((((((((((((((((((((   Files Creati Da 2012-09-02 al 2012-10-02  )))))))))))))))))))))))))))))))))))
.
.
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-02 10:14 . 2011-10-30 10:08 1208206 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-09-07 15:04 . 2010-12-07 16:39 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 17:37 . 2012-03-30 07:34 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-28 17:37 . 2012-02-29 22:22 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-13 05:02 . 2012-07-13 05:02 120616 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2012-07-13 05:02 . 2012-07-13 05:02 179112 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2012-07-13 05:02 . 2012-07-13 05:02 114728 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2012-07-13 05:02 . 2012-07-13 05:02 101544 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2012-07-13 05:02 . 2012-07-13 05:02 149032 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2012-07-12 09:18 . 2012-07-12 09:18 206632 ----a-w- c:\windows\system32\drivers\NNSStrm.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-12-16 . 074E6FBFACA5986EA5F32FD64052D0DE . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Software Suite"="c:\programmi\Packard Bell\Software Suite\PBSoftSuite.exe" [2009-10-01 3144736]
"Packard Bell Software Suite"="c:\programmi\Packard Bell\Software Suite\PBSoftSuite.exe" [2009-10-01 3144736]
"TomTomHOME.exe"="c:\programmi\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-09-03 19573352]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"REGSHAVE"="c:\programmi\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 81920]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2012-03-18 421888]
"APSDaemon"="c:\programmi\File comuni\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2012-01-18 254696]
"PSUAMain"="c:\programmi\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" [2012-07-13 37152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\programmi\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Device Detector 4.lnk - c:\programmi\OLYMPUS\DeviceDetector\DeviceDetector4.exe [2009-12-1 402832]
EPSON SMART PANEL for Scanner.lnk - c:\programmi\EPSON\EPSON SMART PANEL for Scanner\espmain.exe [2010-12-16 180224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\File comuni\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R1 NNSALPC;NNSAlpc;c:\windows\system32\drivers\NNSAlpc.sys [27/06/2012 15.51.03 82472]
R1 NNSHTTP;NNSHttp;c:\windows\system32\drivers\NNSHttp.sys [27/06/2012 15.51.03 120744]
R1 NNSIDS;NNSids;c:\windows\system32\drivers\NNSIds.sys [27/06/2012 15.51.04 122664]
R1 NNSPICC;NNSPicc;c:\windows\system32\drivers\NNSpicc.sys [27/06/2012 15.51.04 93992]
R1 NNSPOP3;NNSPop3;c:\windows\system32\drivers\NNSPop3.sys [27/06/2012 15.51.05 104104]
R1 NNSPROT;NNSProt;c:\windows\system32\drivers\NNSProt.sys [27/06/2012 15.51.06 286376]
R1 NNSPRV;NNSPrv;c:\windows\system32\drivers\NNSPrv.sys [27/06/2012 15.51.06 153000]
R1 NNSSMTP;NNSSmtp;c:\windows\system32\drivers\NNSSmtp.sys [27/06/2012 15.51.06 106536]
R1 NNSSTRM;NNSStrm;c:\windows\system32\drivers\NNSStrm.sys [12/07/2012 11.18.32 206632]
R1 NNSTLSC;NNSTlsc;c:\windows\system32\drivers\NNStlsc.sys [27/06/2012 15.51.07 92840]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [13/07/2012 7.02.47 179112]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\programmi\Panda Security\Panda Cloud Antivirus\PSANHost.exe [13/07/2012 6.57.41 140064]
R2 PowerSave;PowerSave Service;c:\programmi\Packard Bell\Software Suite\PowerSave\PSPBSSS.exe [06/04/2009 5.35.46 1002016]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [13/07/2012 7.02.46 149032]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [13/07/2012 7.02.47 101544]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [13/07/2012 7.02.47 114728]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [13/07/2012 7.02.48 120616]
R2 PSUAService;Panda Product Service;c:\programmi\Panda Security\Panda Cloud Antivirus\PSUAService.exe [13/07/2012 7.15.56 36640]
R2 TomTomHOMEService;TomTomHOMEService;c:\programmi\TomTom HOME 2\TomTomHOMEService.exe [22/04/2011 14.21.10 92592]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [30/03/2012 9.34.14 250568]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [01/12/2010 0.24.10 1691480]
S3 devlower;Audio Driver Afilter;c:\windows\system32\drivers\devlower.sys [29/12/2011 14.34.11 9216]
S3 NNSNAHS;Network Activity Hook Server Service;c:\windows\system32\drivers\NNSNAHS.sys [09/09/2011 13.54.48 38536]
S3 Olympus DVR Service;Olympus DVR Service;c:\programmi\File comuni\Olympus Shared\DeviceManager\olydvrsv.exe [21/04/2010 16.33.28 176128]
S3 usbcamcl;Driver for video Device;c:\windows\system32\drivers\usbcamcl.sys [29/12/2011 14.34.11 31232]
S4 NNSPIHS;NNSPihs;c:\windows\system32\drivers\NNSpihs.sys [27/06/2012 15.51.05 51496]
.
--- Altri Servizi/Drivers In Memoria ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - PSKMAD
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-10-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:37]
.
2012-10-02 c:\windows\Tasks\User_Feed_Synchronization-{AF809476-7145-4430-B94A-1080F8599296}.job
- c:\windows\system32\msfeedssync.exe [2008-09-11 03:31]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com/
IE: Add to AMV/AVI Video Converter... - c:\programmi\Media Player Utilities 4.36\AMVConverter\grab.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
ShellIconOverlayIdentifiers-{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6} - c:\programmi\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
ShellIconOverlayIdentifiers-{9AE343CB-BA45-4618-AF6A-0230EE6FC793} - c:\programmi\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
HKCU-Run-lubwuhedofym - c:\documents and settings\Administrator\lubwuhedofym.exe
HKLM-Run-RegisterDropHandler - c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE
HKLM-Run-Snap - c:\programmi\Webcam videocap\Camera Snap.exe
AddRemove-Adobe Acrobat 4.0 - c:\windows\ISUN0410.EXE
AddRemove-Adobe PhotoDeluxe Home Edition 4.0 - c:\windows\IsUn0410.exe
AddRemove-Icy Tower v1.5.1_is1 - c:\documents and settings\Administrator\Desktop\icytower151\unins000.exe
AddRemove-LTspice IV - c:\documents and settings\Administrator\Documenti\Frank\LTSpice\scad3.exe
AddRemove-SMART PANEL for Scanner - c:\windows\unin0410.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [URL="http://www.gmer.net"]GMER - Rootkit Detector and Remover[/URL]
Rootkit scan 2012-10-02 15:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ... 
.
scansione entrate autostart nascoste ... 
.
Scansione files nascosti ... 
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_USERS\S-1-5-21-2000478354-1935655697-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]  @Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,02,7c,2c,46,96,33,49,a5,b1,4e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,02,7c,2c,46,96,33,49,a5,b1,4e,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]  @Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]  @Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'winlogon.exe'(1508)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1208)
c:\windows\system32\WININET.dll
c:\progra~1\TEXTBR~1.0\Bin\TBMHOOK.dll
c:\windows\system32\webcheck.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
c:\programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\RTHDCPL.EXE
c:\programmi\Canon\CAL\CALMAIN.exe
c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
c:\programmi\Packard Bell\Software Suite\pbDevDetect.exe
c:\programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
.
**************************************************************************
.
Ora fine scansione: 2012-10-02  15:45:15 - Il pc è stato riavviato
ComboFix-quarantined-files.txt  2012-10-02 13:45
.
Pre-Run: 3.462.664.192 byte disponibili
Post-Run: 4.211.826.688 byte disponibili
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 10B1CADDBF5A4AEA2C4DE30DB61B007B

- - - Updated - - -

Should I have run ComboFix first and then HijackThis, or doesn't the order matter?

P.S.: the computer is already working at a reasonable speed now, so I think at least something (hopefully everything!) has been fixed!
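As an added defender's example, not code from the thread or from HijackThis itself: a small Python triage script over the O4 lines of the log above, flagging autostart entries whose executable sits in a user profile directory (which is exactly what singles out the lubwuhedofym entry) and driver files whose names are a bare hex string like the three Panda reported. The sample lines are copied from the logs in this thread; the C:\Users root is an assumption added so the check also applies to later Windows versions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log in this thread.
SAMPLE_O4_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PSUAMain] "C:\Programmi\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" /LaunchSysTray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [lubwuhedofym] C:\Documents and Settings\Administrator\lubwuhedofym.exe
O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
"""

# Constructed sample: two of the driver names Panda reported in the first post,
# next to two legitimate drivers listed in the ComboFix Find3M report.
SAMPLE_DRIVERS = [
    r"C:\WINDOWS\system32\drivers\19aa5.sys",
    r"C:\WINDOWS\system32\drivers\1bd40.sys",
    r"C:\WINDOWS\system32\drivers\mbam.sys",
    r"C:\WINDOWS\system32\drivers\NNSStrm.sys",
]

# Registry form: "O4 - HKCU\..\Run: [value name] command";
# Startup-folder form: "O4 - Startup: name.lnk = command".
O4_REG_RE = re.compile(r"^O4 - (?P<location>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<location>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")

# User-profile roots: "Documents and Settings" on the XP box in this thread;
# "Users" is an assumption added so the check also covers Vista and later.
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")


@dataclass
class AutostartEntry:
    location: str             # registry key or Startup folder
    name: str                 # value name or shortcut name
    path: str                 # executable launched, arguments stripped
    reasons: list = field(default_factory=list)  # empty means nothing flagged


def extract_path(cmd: str) -> str:
    """Return the executable from an O4 command string, dropping any arguments."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut after the first executable suffix.
    m = re.match(r"(.+?\.(?:exe|dll|scr|bat|cmd))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def in_user_profile(path: str) -> bool:
    return path.lower().startswith(PROFILE_ROOTS)

def is_hex_named_driver(path: str) -> bool:
    """True when the driver file name is only a short hex string, as the three
    drivers Panda detected were (19aa5.sys, 1bd40.sys, 1ed87.sys)."""
    name = path.rsplit("\\", 1)[-1].lower()
    return re.fullmatch(r"[0-9a-f]{4,8}\.sys", name) is not None

def parse_o4(line: str):
    """Parse one O4 line into an AutostartEntry, or None if it is not an O4 line."""
    m = O4_REG_RE.match(line) or O4_LNK_RE.match(line)
    if not m:
        return None
    path = extract_path(m.group("cmd"))
    reasons = []
    if in_user_profile(path):
        reasons.append("executable lives in a user profile directory")
    return AutostartEntry(m.group("location"), m.group("name"), path, reasons)

def triage(log_text: str) -> list:
    """Return the O4 entries of a HijackThis log that carry at least one flag."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.reasons]

def suspicious_drivers(paths) -> list:
    return [p for p in paths if is_hex_named_driver(p)]

if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LOG):
        print(f"{e.location} [{e.name}] -> {e.path}: {', '.join(e.reasons)}")
    for p in suspicious_drivers(SAMPLE_DRIVERS):
        print(f"driver with hex-only name: {p}")
```

Both checks are heuristics for prioritising what to look at first, not verdicts: a legitimate updater can run from a profile and a driver may happen to have a hex-looking name, so flagged entries still need the file itself checked.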
 
Re: Help, possible virus "lubwuhedofym.exe"

We're almost done, let's just remove a few useless entries.

Download the attached file below (CFScript.txt) to the desktop and drag it with the left mouse button onto the ComboFix icon, the red lion.

After the PC reboots, the report of the operations appears; post it.

Download CCleaner
Download CCleaner 3.23.1823 - FileHippo.com
Install and run the program
Go to Options - Settings and tick "secure" for the type of deletion.
Clean the temporary files
Clean the registry

Download OTC
http://oldtimer.geekstogo.com/OTC.exe
Double-click OTC.exe
Click Cleanup
The PC will reboot by itself.

We're done, regards.
 