virus or malware invasion..

xthrashx

My problem is this: to start Firefox I have to click on it several times. Once it's started there are many firefox.exe among the processes, not to mention svchost.exe.. While I use the PC, Avast keeps detecting malware and blocking "malicious URLs", referring to these firefox.exe and, more often, svchost.exe processes. I ran a scan with Avast and it found 4 infected files.. I selected "move to quarantine" and it moved all of them except one, which it says was not found (below I attach the images and the logs I managed to save). Then I started Malwarebytes and ran a full scan.. it found 4 infected files (3 malware and one trojan); I saved the log before and after removing them... Finally, once rebooted, I ran svchost analyzer and it found 2 anomalous processes.. Imageshack - avastm.png

This is the Malwarebytes log before the cleanup:
Malwarebytes' Anti-Malware 1.50.1.1100

Versione database: 6287

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/04/2011 13:14:25
mbam-log-2011-04-11 (13-14-14).txt

Tipo di scansione: Scansione completa (C:\|D:\|E:\|)
Elementi esaminati: 282872
Tempo trascorso: 33 minuti, 26 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 4

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
c:\Users\administrator\giochi scaricati\fifa manager 11\f11m_nymp\fifa.m11_web-arsivi.com\activation.exe (Malware.Packer.gen) -> No action taken.
c:\Users\administrator\giochi scaricati\fifa manager 11\fm 11 ncd only by vanheggio\activation.exe (Malware.Packer.gen) -> No action taken.
c:\program files\ea sports\fifa manager 11\activation.exe (Malware.Packer.gen) -> No action taken.
c:\Windows\System32\gnuhashes.ini (Trojan.Tracur) -> No action taken.


After all this, the Avast alerts about the svchost.exe process (mostly) keep coming. What should I do? I'm not an expert at this stuff...
 
Now you know what downloading illegally cracked games means :)

Anyway, I suggest you run a scan with HijackThis and post the log here, so more experienced people can give you a hand.
 
@ xthrashx

Also do this...

Download DeFogger > http://download.bleepingcomputer.com/jpshortstuff/Defogger.exe
Save it to the desktop and run it. On Vista and 7 run it as administrator.
Click Disable. Confirm. Press OK. Close the previous screen. A log will be produced on the desktop (DeFogger_Disable.txt). If you are asked to reboot, accept.

Then disable all security programs and:

Download DDS > http://www.bleepingcomputer.com/download/anti-virus/dds
Click Download Now. Save it to the desktop and run it. On Vista and 7 run it as administrator.
Wait for the scan to finish. Two reports will open: DDS.txt and Attach.txt
Save them and attach them for a check.
 
First of all, thanks for the reply.. I'll answer the madhatter first.. :D I downloaded that game a long time ago but it never gave me problems. The problems started when I was looking for streaming movies and went into a site, and the first Avast warning came up. :)

I downloaded HijackThis and ran the scan.. here's the log:
Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:08:59, on 11/04/2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alice ti aiuta\McciTrayApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\hijack\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: kikin Plugin - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Program Files\kikin\ie_kikin.dll
O2 - BHO: OfferBox - {FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C} - C:\Program Files\OfferBox\OfferBoxBHO.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AliceRV_McciTrayApp] C:\Program Files\Alice ti aiuta\McciTrayApp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /F "C:\Windows\TEMP\E_S21.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO DI RETE')
O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28DBB6BB-DC31-471F-BF9B-BFA84D3D7F9E}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{28DBB6BB-DC31-471F-BF9B-BFA84D3D7F9E}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS2\Services\Tcpip\..\{28DBB6BB-DC31-471F-BF9B-BFA84D3D7F9E}: NameServer = 193.70.152.15 193.70.152.25
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Servizio Acronis Scheduler2 (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service:  Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011c\RpcAgentSrv.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

Now what do I do?.. pegifr, do I go ahead with what you suggested?
 
Run HJT again. Click Scan, tick the boxes for the entries listed below and, with all applications closed and disconnected from the Internet, click Fix Checked.

O2 - BHO: kikin Plugin - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Program Files\kikin\ie_kikin.dll
O2 - BHO: OfferBox - {FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C} - C:\Program Files\OfferBox\OfferBoxBHO.dll
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll

Redo the scan with MBAM, but this time update it first…

The other programs I suggested are only there to see whether there is anything else. If you think they are not necessary, don't run them.
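The fix list above works by name: the helper picked the O2 BHO entries for kikin and OfferBox and then also the two O9 buttons that load the same ie_kikin.dll, so no companion hook is left behind. As an added example (not part of the thread and not code from HijackThis), here is that triage in Python over a constructed excerpt of the posted log: it parses the `Oxx - ...` entries, pulls out the CLSID and the module path, and propagates a flag from any entry naming an unwanted product to every other entry that loads the same module or registers the same CLSID. `SAMPLE_HJT_LOG` is constructed from lines in the thread, and the unwanted-name list is an assumption taken from the helper's fix list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed excerpt modelled on the HijackThis log posted in the thread
# (representative lines only; the real log is much longer).
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: kikin Plugin - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Program Files\kikin\ie_kikin.dll
O2 - BHO: OfferBox - {FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C} - C:\Program Files\OfferBox\OfferBoxBHO.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{28DBB6BB-DC31-471F-BF9B-BFA84D3D7F9E}: NameServer = 193.70.152.15 193.70.152.25
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in .dll/.exe; quotes around paths are excluded.
MODULE_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe)', re.IGNORECASE)


@dataclass
class Entry:
    line: str              # the original log line, stripped
    section: str           # "O2", "O9", "R1", ...
    clsids: Set[str]       # every {GUID} in the line, upper-cased
    module: Optional[str]  # the DLL/EXE the hook loads, lower-cased, if any


def parse_hjt(text: str) -> List[Entry]:
    """Turn 'Oxx - ...' / 'Rx - ...' lines into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes" block, blanks
        body = m.group("body")
        mod = MODULE_RE.search(body)
        entries.append(Entry(
            line=line,
            section=m.group("section"),
            clsids={c.upper() for c in CLSID_RE.findall(body)},
            module=mod.group(0).lower() if mod else None,
        ))
    return entries


def triage(text: str, unwanted_names: Iterable[str]) -> List[str]:
    """Build the 'Fix checked' list, in log order.

    Seed: every entry whose text names an unwanted product. Propagate: every
    other entry that loads the same module or registers the same CLSID, so the
    O9 buttons pointing at the same DLL as a flagged O2 BHO come along."""
    entries = parse_hjt(text)
    names = [n.lower() for n in unwanted_names]
    seeds = [e for e in entries if any(n in e.line.lower() for n in names)]
    seed_lines = {e.line for e in seeds}
    modules = {e.module for e in seeds if e.module}
    clsids: Set[str] = set().union(*(e.clsids for e in seeds))
    return [
        e.line for e in entries
        if e.line in seed_lines or e.module in modules or (e.clsids & clsids)
    ]


if __name__ == "__main__":
    # Unwanted names assumed from the helper's fix list in the thread.
    for hit in triage(SAMPLE_HJT_LOG, ["kikin", "OfferBox"]):
        print(hit)
```

Running it on the excerpt prints exactly the four lines the helper asked to fix; swapping the name list for another product shows how the module/CLSID propagation catches hooks that do not carry the product name in their own text.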
 
Thanks..

So, I did what you told me... I updated MBAM and ran a full scan, which didn't report any problems, but these insistent Avast warnings blocking "malicious URL" svchost.exe keep coming. What can I do?
 
I already gave you the instructions!!!
Just explain to me what problem you have running DDS after having run DeFogger.
 
Yes, sorry.. I managed it now.

Here are the logs
Code:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Ultimate 
Boot Device: \Device\HarddiskVolume1
Install Date: 05/01/2011 19:59:01
System Uptime: 13/04/2011 18:01:21 (0 hours ago)
.
Motherboard: PEGATRON CORPORATION |  | Benicia
Processor: Intel(R) Core(TM)2 Quad CPU    Q9400  @ 2.66GHz | CPU 1 | 2667/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 635 GiB total, 386,532 GiB free.
D: is FIXED (NTFS) - 49 GiB total, 42,751 GiB free.
E: is FIXED (NTFS) - 14 GiB total, 1,991 GiB free.
F: is CDROM (CDFS)
H: is Removable
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: SM/xD-Picture   
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SM#XD-PICTURE&REV_1.00#7&15BE85E8&0&20060413092100000&1#
Manufacturer: Generic-
Name: I:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SM#XD-PICTURE&REV_1.00#7&15BE85E8&0&20060413092100000&1#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Compact Flash   
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#7&15BE85E8&0&20060413092100000&0#
Manufacturer: Generic-
Name: H:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#7&15BE85E8&0&20060413092100000&0#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: MS/MS-Pro       
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_MS#MS-PRO&REV_1.00#7&15BE85E8&0&20060413092100000&3#
Manufacturer: Generic-
Name: K:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_MS#MS-PRO&REV_1.00#7&15BE85E8&0&20060413092100000&3#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: SD/MMC          
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SD#MMC&REV_1.00#7&15BE85E8&0&20060413092100000&2#
Manufacturer: Generic-
Name: J:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SD#MMC&REV_1.00#7&15BE85E8&0&20060413092100000&2#
Service: WUDFRd
.
==== System Restore Points ===================
.
RP86: 01/04/2011 13:02:41 - Windows Update
RP87: 08/04/2011 19:40:29 - Punto di controllo pianificato
RP88: 11/04/2011 20:06:44 - Installed HiJackThis
RP90: 13/04/2011 10:32:34 - Rimosso Assassin's Creed II
.
==== Installed Programs ======================
.
3DMark 11
Acronis True Image Home
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.2 - Italiano
Adobe Shockwave Player 11.5
 
This is the second one
Code:
.
DDS (Ver_11-03-05.01) - NTFSx86  
Run by Administrator at 18:04:13,38 on 13/04/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.39.1040.18.3327.2446 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alice ti aiuta\McciTrayApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.it
uDefault_Page_URL = hxxp://www.google.it
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} -  c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} -  c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper:  {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common  files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AliceRV_McciTrayApp] c:\program files\alice ti aiuta\McciTrayApp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [EPSON Stylus DX4800 Series]  c:\windows\system32\spool\drivers\w32x86\3\e_fatiade.exe /f  "c:\windows\temp\E_S21.tmp" /EF "HKLM"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder:  c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\ritagl~1.lnk  - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {28DBB6BB-DC31-471F-BF9B-BFA84D3D7F9E} = 193.70.152.15 193.70.152.25
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -  c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook:  {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft  office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\9b0whxf9.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program  files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: FoxTrick: {9d1f059c-cada-4111-9696-41a62d64e3ba} - %profile%\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}
FF - Ext: PsicoTSI: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B} - %profile%\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman255;Acronis Try&Decide and Restore Points filter (build  255);c:\windows\system32\drivers\tdrpm255.sys [2011-1-5 911552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-5 165584]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-1-5 2326920]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-5 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-1-5 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-5 40384]
R2 gupdate;Servizio di Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-14 136176]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-2-11 172328]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-1-5 159168]
R3 netr28;Driver wireless 802.11n Ralink per Windows Vista;c:\windows\system32\drivers\netr28.sys [2009-6-10 530944]
R3 RTL8167;Driver Realtek 8167 NT;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN  v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe  [2010-3-18 130384]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-5 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-5 40384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo  Service;c:\program files\common files\futuremark shared\futuremark  systeminfo\FMSISvc.exe [2011-1-11 129440]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program  files\sisoftware\sisoftware sandra lite 2011c\RpcAgentSrv.exe [2011-1-13  93848]
S3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-8 1343400]
.
continued...
 
Code:
=============== Created Last 30 ================
.
2011-04-11 18:06:58    388096    ----a-r-    c:\users\admini~1\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-11 18:06:57    --------    d-----w-    c:\program files\hijack
2011-04-07 17:39:21    0    ----a-w-    c:\windows\system32\dot3prov32.dll
2011-04-07 17:39:12    --------    d-----w-    c:\windows\system32\89B72B081ADE5338C55EAD5BFDC85B8C
2011-04-06 14:32:05    --------    d-----w-    c:\users\admini~1\appdata\roaming\Malwarebytes
2011-04-06 14:32:01    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-06 14:32:00    --------    d-----w-    c:\progra~2\Malwarebytes
2011-04-06 14:31:58    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-04-06 14:31:57    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-04-04 12:37:38    --------    d-----w-    c:\users\admini~1\appdata\roaming\OfferBox
2011-04-04 12:37:38    --------    d-----w-    c:\program files\OfferBox
2011-04-01 11:02:56    6792528    ----a-w-    c:\progra~2\microsoft\windows defender\definition updates\{9f46514b-5937-492a-aabf-ad5aafded19d}\mpengine.dll
.
==================== Find3M  ====================
.
2011-03-02 10:55:41    108144    ----a-w-    c:\windows\system32\CmdLineExt.dll
2011-02-19 05:33:11    802304    ----a-w-    c:\windows\system32\FntCache.dll
2011-02-19 05:32:48    1074176    ----a-w-    c:\windows\system32\DWrite.dll
2011-02-19 05:32:35    739840    ----a-w-    c:\windows\system32\d2d1.dll
2011-02-02 17:11:20    222080    ------w-    c:\windows\system32\MpSigStub.exe
2011-01-15 22:57:59    13751    ----a-w-    c:\progra~2\xmlD94.tmp
2011-01-13 17:50:19    0    ----a-w-    c:\progra~2\xml94E3.tmp
2011-01-13 17:50:19    0    ----a-w-    c:\progra~2\xml9456.tmp
2011-01-13 17:05:35    0    ----a-w-    c:\progra~2\xmlA009.tmp
2011-01-13 17:05:35    0    ----a-w-    c:\progra~2\xml9F4D.tmp
2011-01-13 16:52:59    0    ----a-w-    c:\progra~2\xml149C.tmp
2011-01-13 16:52:59    0    ----a-w-    c:\progra~2\xml13FF.tmp
2011-01-13 16:45:41    0    ----a-w-    c:\progra~2\xml6856.tmp
2011-01-13 16:45:41    0    ----a-w-    c:\progra~2\xml678A.tmp
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: SAMSUNG_ rev.1AA0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0 
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F6C439]<< 
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f727d0]; MOV EAX, [0x86f7284c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX;  }
1 ntkrnlpa!IofCallDriver[0x82A73448] -> \Device\Harddisk0\DR0[0x86F3C7E8]
3 CLASSPNP[0x831A459E] -> ntkrnlpa!IofCallDriver[0x82A73448] -> [0x87531F08]
\Driver\iaStorV[0x86F55428] -> IRP_MJ_CREATE -> 0x86F6C439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP;  }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskSAMSUNG_HD753LJ_________________________1AA01114#4&1820ec13&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!! 
sectors 1465149166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 18:04:46,77 ===============

Thanks for the help...:)
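The ROOTKIT section of the DDS log above ends in `user != kernel MBR`: the MBR read through the normal user-mode path differs from the one the kernel reads from the disk, and that mismatch is what the embedded mbr.exe check uses to infer a bootkit sitting in the storage stack (the log also shows an UNKNOWN module hooked into `\Driver\iaStorV`). As an added example, not from the thread and not GMER's or DDS's own code, here is that comparison logic in Python on constructed 512-byte sector images: it checks the 55 AA signature, decodes the partition table, and reports which byte ranges differ and whether they fall in the bootstrap code or the partition table. `build_clean_mbr` and `build_tampered_mbr` produce constructed test data, not real boot code, and the sector counts in them are made up.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR = 512
BOOTCODE_LEN = 446      # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446    # four 16-byte partition entries follow
SIGNATURE_OFF = 510     # 0x55 0xAA boot signature closes the sector


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def signature_ok(mbr: bytes) -> bool:
    """A 512-byte sector ending in 55 AA is the minimum for a valid MBR."""
    return len(mbr) == SECTOR and mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA"


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition entries: status, type, LBA start, sector count."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4), little-endian
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append(Partition(status == 0x80, type_id, lba, count))
    return parts


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Collapse the offsets where two sector images differ into [start, end) ranges."""
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges


def compare_mbr(user_view: bytes, kernel_view: bytes) -> Dict[str, object]:
    """Reproduce the user-vs-kernel MBR check.

    user_view is what a normal read of the physical drive returns to a
    user-mode program; kernel_view is what the disk driver actually reads.
    A bootkit that hooks the storage stack hands clean data back to user
    mode, so any difference is the signal DDS/mbr.exe prints as
    'user != kernel MBR'."""
    ranges = differing_ranges(user_view, kernel_view)
    return {
        "user_signature_ok": signature_ok(user_view),
        "kernel_signature_ok": signature_ok(kernel_view),
        "match": not ranges,
        "differing_ranges": ranges,
        "bootcode_differs": any(s < BOOTCODE_LEN for s, _ in ranges),
        "partition_table_differs": any(s < SIGNATURE_OFF and e > PART_TABLE_OFF
                                       for s, e in ranges),
        "verdict": "user == kernel MBR" if not ranges else "user != kernel MBR",
    }


def build_clean_mbr() -> bytes:
    """Constructed test sector: a byte pattern standing in for bootstrap code
    (not real boot code), one bootable NTFS entry, three empty entries."""
    bootcode = bytes((i * 7 + 3) & 0xFF for i in range(BOOTCODE_LEN))
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)  # made-up geometry
    return bootcode + entry + b"\x00" * 48 + b"\x55\xAA"


def build_tampered_mbr(clean: bytes) -> bytes:
    """Constructed: first 64 bytes of bootstrap overwritten, partition table and
    signature untouched, the shape a bootkit keeps so the system still boots."""
    patched = bytearray(clean)
    for i in range(64):
        patched[i] ^= 0x5A
    return bytes(patched)


if __name__ == "__main__":
    clean = build_clean_mbr()
    report = compare_mbr(user_view=clean, kernel_view=build_tampered_mbr(clean))
    for key, value in report.items():
        print(f"{key}: {value}")
    print(parse_partitions(clean)[0])
```

The split between `bootcode_differs` and `partition_table_differs` matters for triage: a bootkit rewrites the bootstrap code and leaves the partition table alone so the machine keeps booting, whereas a damaged or wrong-disk read tends to differ everywhere, signature included.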
 
Download TDSSKiller > http://support.kaspersky.com/downloads/utils/tdsskiller.zip and save it to the desktop. Extract the contents to the desktop and run it.
Click Start Scan.
If there is an infection, the default action will be Cure. Click Continue.
If there is a suspected infection, the default action will be Skip. Click Continue.
If a reboot is requested, accept.
The report will be at > C:\TDSSKiller.[Version]_[Date]_[Time]_log.txt
If no reboot was requested, close and click Report. Save the contents to a text file to attach later.
Upload it to Wikisend > http://wikisend.com/ and post the forum link you are given.

NB: You must upload it without any extension, so show extensions for known file types and remove .txt

Then download OTM and save it to the desktop > http://oldtimer.geekstogo.com/OTM.exe
Run it. On Seven it must be run as administrator.
Paste the code below, the one in green, under the yellow bar and click MoveIt!

:Files
c:\windows\system32\dot3prov32.dll
c:\windows\system32\89B72B081ADE5338C55EAD5BFDC85B8C
c:\users\admini~1\appdata\roaming\OfferBox
c:\program files\OfferBox
c:\progra~2\xmlD94.tmp
c:\progra~2\xml94E3.tmp
c:\progra~2\xml9456.tmp
c:\progra~2\xmlA009.tmp
c:\progra~2\xml9F4D.tmp
c:\progra~2\xml149C.tmp
c:\progra~2\xml13FF.tmp
c:\progra~2\xml6856.tmp
c:\progra~2\xml678A.tmp
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[emptyflash]
[resethosts]
[createrestorepoint]

Post the log that will open automatically > C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log
 
OK.. I did everything you told me.. the only thing is that the last log, the one that opened automatically, doesn't have that name but all numbers. Now I'll post them.
TDSSKiller.2.4.21.0_14.04.2011_17.21.53_log

Code:
All processes killed
========== FILES ==========
LoadLibrary failed for c:\windows\system32\dot3prov32.dll
c:\windows\system32\dot3prov32.dll moved successfully.
File/Folder c:\windows\system32\89B72B081ADE5338C55EAD5BFDC85B 8C not found.
c:\users\admini~1\appdata\roaming\OfferBox folder moved successfully.
c:\program files\OfferBox\res folder moved successfully.
c:\program files\OfferBox\offerboxffx@offerbox.com\components folder moved successfully.
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome\content folder moved successfully.
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome folder moved successfully.
c:\program files\OfferBox\offerboxffx@offerbox.com folder moved successfully.
c:\program files\OfferBox folder moved successfully.
c:\progra~2\xmlD94.tmp moved successfully.
c:\progra~2\xml94E3.tmp moved successfully.
c:\progra~2\xml9456.tmp moved successfully.
c:\progra~2\xmlA009.tmp moved successfully.
c:\progra~2\xml9F4D.tmp moved successfully.
c:\progra~2\xml149C.tmp moved successfully.
c:\progra~2\xml13FF.tmp moved successfully.
c:\progra~2\xml6856.tmp moved successfully.
c:\progra~2\xml678A.tmp moved successfully.
< ipconfig /flushdns /c >
Configurazione IP di Windows
Cache del resolver DNS svuotata.
C:\Users\Administrator\Desktop\cmd.bat deleted successfully.
C:\Users\Administrator\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 278423092 bytes
->Temporary Internet Files folder emptied: 48905841 bytes
->Java cache emptied: 2252527 bytes
->FireFox cache emptied: 107592094 bytes
->Flash cache emptied: 4092 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2794755 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 420,00 mb
 
HOSTS file reset successfully

 
OTM by OldTimer - Version 3.1.17.2 log created on 04142011_173400

Files moved on Reboot...
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
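As an added example (not part of the thread, and not OTM's own code): a small Python parser for an OTM MovedFiles log like the one above. It sorts each path into moved, not found, or deferred to reboot, so the entries that still need attention (the folder OTM could not find, the file scheduled for reboot) stand out. The sample log is a constructed excerpt modelled on the posted one.

```python
import re

# Constructed excerpt modelled on the OTM MovedFiles log posted in the thread
# (not the real file; one line of each outcome kind is enough to exercise the parser)
SAMPLE_OTM_LOG = r"""All processes killed
========== FILES ==========
LoadLibrary failed for c:\windows\system32\dot3prov32.dll
c:\windows\system32\dot3prov32.dll moved successfully.
File/Folder c:\windows\system32\89B72B081ADE5338C55EAD5BFDC85B8C not found.
c:\users\admini~1\appdata\roaming\OfferBox folder moved successfully.
c:\progra~2\xmlD94.tmp moved successfully.
========== COMMANDS ==========
HOSTS file reset successfully
Files moved on Reboot...
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
"""

# One pattern per outcome OTM prints for a :Files entry
MOVED = re.compile(r"^(?P<path>.+?)(?: folder)? moved successfully\.$")
NOT_FOUND = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")
DEFERRED = re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")


def triage_otm_log(text):
    """Group each path in an OTM log by what happened to it.

    Returns a dict with lists under 'moved', 'not_found' and 'deferred'.
    'not_found' entries were never removed (re-check the path or delete by hand);
    'deferred' entries are only gone once the machine has rebooted.
    """
    result = {"moved": [], "not_found": [], "deferred": []}
    for raw in text.splitlines():
        line = raw.strip()
        # Check the specific outcomes first; the generic "moved" pattern comes last
        for key, pattern in (("not_found", NOT_FOUND), ("deferred", DEFERRED), ("moved", MOVED)):
            m = pattern.match(line)
            if m:
                result[key].append(m.group("path"))
                break
    return result


def follow_up(result):
    """Paths that still need attention after OTM has run."""
    return result["not_found"] + result["deferred"]


if __name__ == "__main__":
    r = triage_otm_log(SAMPLE_OTM_LOG)
    print(f"moved: {len(r['moved'])}")
    for path in follow_up(r):
        print("needs follow-up:", path)
```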
 
Hi xthrashx,

if you had used Defogger, TDSSKiller would not have had anything to wonder about… DDS also risked a misread this way, but it went fine anyway.

Delete this folder > c:\windows\system32\89B72B081ADE5338C55EAD5BFDC85B8C

And to finish, run an online scan with ESET Online Scanner

With Internet Explorer
Click Run Eset Online Scanner.
Tick Yes, I accept the terms of use and click Start.
Install the ActiveX On line Scanner.cab
Untick Remove found threats and tick Scan archives.
In Advanced setting, tick Scan for potentially unsafe applications and make sure Scan for potentially unwanted applications and Enable Anti-Stealth technology are ticked as well. Start the scan by clicking Start.
Save the result to a text file or retrieve the report >
C:\Program files\Eset\Eset Online Scanner\log.txt
Post the log for a check.

With other browsers
You need to download esetsmartinstaller_enu.exe and run the application separately.
 
ok.. it found 2 infected files... here's the log

Code:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=d97effc74d2dd743879b6a271d762458
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-16 03:36:37
# local_time=2011-04-16 05:36:37 (+0100, ora legale Europa occidentale)
# country="Italy"
# lang=1033
# osver=6.1.7600 NT 
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=770 16774141 100 100 8667297 79625425 0 0
# compatibility_mode=5893 16776573 100 94 37716 55359483 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=120026
# found=2
# cleaned=0
# scan_time=5844
C:\Users\Administrator\Giochi scaricati\Fifa Manager 11\FM 11 NCD ONLY By Vanheggio.rar    a variant of Win32/Packed.VMProtect.AAD trojan (unable to clean)    00000000000000000000000000000000    I
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-7bf55fac    Java/TrojanDownloader.OpenStream.NBS trojan (unable to clean)    00000000000000000000000000000000    I
 