PROBLEM: Infected PC?

Mattia Esposito

New User
Hello, for a few days now AVG has been reporting malware after a uTorrent update.
The first alert was about a generic trojan, but on subsequent reboots it reported names ending in exe.
(Sorry for the non-technical language, but I'm no genius in this field, as you may have noticed.)

So, after reading up on this forum, I followed the guide for installing ComboFix, and this is the log that came out of the scan.


ComboFix 14-10-29.01 - antonella 02/11/2014 14:56:48.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.39.1040.18.1919.1056 [GMT 1:00]
Eseguito da: c:\users\antonella\Downloads\ComboFix.exe
AV: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Creato nuovo punto di ripristino
.
.
((((((((((((((((((((((((( Files Creati Da 2014-10-02 al 2014-11-02 )))))))))))))))))))))))))))))))))))
.
.
2014-11-02 14:08 . 2014-11-02 14:08 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-11-02 14:08 . 2014-11-02 14:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-27 20:02 . 2014-09-22 12:13 43688 ----a-w- c:\windows\system32\drivers\iSafeNetFilter.sys
2014-10-27 20:02 . 2014-10-08 10:15 38016 ----a-w- c:\windows\system32\drivers\iSafeKrnlBoot.sys
2014-10-27 20:02 . 2014-10-27 20:02 -------- d-----w- c:\program files\Elex-tech
2014-10-27 20:02 . 2014-10-27 20:02 -------- d-----w- c:\users\antonella\AppData\Roaming\Elex-tech
2014-10-27 12:05 . 2014-10-27 12:05 -------- d-----w- c:\users\antonella\AppData\Roaming\AVG2015
2014-10-27 11:57 . 2014-10-27 12:03 -------- d-----w- c:\programdata\AVG2015
2014-10-27 11:48 . 2014-10-27 12:20 -------- d-----w- c:\users\antonella\AppData\Local\Avg2015
2014-10-16 17:12 . 2014-09-29 00:41 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-10-16 17:10 . 2014-09-18 01:32 2363904 ----a-w- c:\windows\system32\msi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-25 01:40 . 2014-10-02 13:22 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-09 21:47 . 2014-09-24 10:44 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-01 08:46 . 2013-11-30 22:16 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-23 01:46 . 2014-08-29 10:07 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-20 20:49 . 2014-08-20 20:49 193304 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2014-08-12 09:02 . 2013-12-07 11:24 42784 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2014-08-06 20:38 . 2014-08-06 20:38 98584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2014-01-02 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2015\avgui.exe" [2014-09-05 3593744]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-11-30 280576]
.
c:\users\antonella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2006-10-26 98632]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.150\SSScheduler.exe [2014-4-9 279456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2015\avgidsagent.exe [2014-09-05 3364368]
R2 vToolbarUpdater18.1.9;vToolbarUpdater18.1.9;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-11-10 167264]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-09-19 108032]
R3 iSafeKrnlBoot;YAC Boot Driver;c:\windows\system32\DRIVERS\iSafeKrnlBoot.sys [2014-10-08 38016]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.150\McCHSvc.exe [2014-04-09 235696]
R3 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-03-25 490280]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [2014-01-02 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2014-06-18 147736]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2014-07-18 230680]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2014-06-18 27416]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiskx.sys [2014-06-18 121624]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2014-07-24 204056]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2014-06-18 21272]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2014-08-20 193304]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2014-07-02 199448]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2014-08-12 42784]
S1 iSafeKrnl;YAC Mini-Filter Driver;c:\program files\Elex-tech\YAC\iSafeKrnl.sys [2014-10-08 215080]
S1 iSafeKrnlKit;YAC Kit Driver;c:\program files\Elex-tech\YAC\iSafeKrnlKit.sys [2014-10-08 83112]
S1 iSafeKrnlR3;YAC Ring3 Driver;c:\program files\Elex-tech\YAC\iSafeKrnlR3.sys [2014-10-08 38440]
S1 iSafeNetFilter;YAC NDIS Driver;c:\windows\system32\DRIVERS\iSafeNetFilter.sys [2014-09-22 43688]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2015\avgwdsvc.exe [2014-09-05 293448]
S2 iSafeService;YAC Service;c:\program files\Elex-tech\YAC\iSafeSvc.exe [2014-10-08 118048]
S3 RTL8187B;Scheda di rete USB 2.0 54 Mbps 802.11b/g Realtek RTL8187B;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-07-13 347136]
.
.
Contenuto della cartella 'Scheduled Tasks'
.
2014-10-29 c:\windows\Tasks\Epson Printer Software Downloader.job
- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 09:43]
.
2014-11-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1968309384-3124937998-1629498125-1000Core.job
- c:\users\antonella\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-14 13:37]
.
2014-11-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1968309384-3124937998-1629498125-1000UA.job
- c:\users\antonella\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-14 13:37]
.
2014-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1968309384-3124937998-1629498125-1000Core.job
- c:\users\antonella\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-25 14:58]
.
2014-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1968309384-3124937998-1629498125-1000UA.job
- c:\users\antonella\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-25 14:58]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://start.facemoods.com/?a=nv1
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\antonella\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\antonella\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B3DD622E-FAD5-446D-8DFA-49D331841DBB}: NameServer = 8.8.8.8,8.8.4.4
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @DenieD: (Full) (Everyone)
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'Explorer.exe'(5124)
c:\windows\System32\ieframe.dll
.
Ora fine scansione: 2014-11-02 15:11:08
ComboFix-quarantined-files.txt 2014-11-02 14:11
.
Pre-Run: 13.217.837.056 byte disponibili
Post-Run: 13.168.508.928 byte disponibili
.
- - End Of File - - BD57B40C9536E8FCE1114DBB5D00CD5B
A36C5E4F47E84449FF07ED3517B43A31



How should I proceed? Thanks (:

- - - Updated - - -

After restarting it, a Chrome page opened asking me to update it, but I declined, and AVG reported 4 threats like this:
"";"Minaccia Fake Flash Player (type 1734), www.flashplayerupgradesup.com/?cch=cd&dc=12";"Protetto"
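What a responder does with a log like the one above is pick out the autostart entries and the files created around the time the trouble began, then check each lead before removing anything. The script below is an added example, not part of the original post and not ComboFix's own code: its regular expressions are an assumption about the log layout, modelled on the lines visible in this thread, and SAMPLE_LOG is a constructed excerpt in that layout. It lists files created on or after a given date (kernel drivers separately, since a new .sys deserves the first look), services ComboFix marked [x] (binary not verifiable), and autostart entries whose binary lives outside the Windows or Program Files directories.

```python
"""Triage a ComboFix log: list the entries a responder checks first.

Added example for this thread, not code from the original post or from
ComboFix. The regexes are an assumption about the log layout, modelled on
the lines visible in the thread; SAMPLE_LOG is a constructed excerpt.
"""
import re
from datetime import datetime

# "Files created" section: created . modified size attrs path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(\S+) (\S+) (.+)$")
# Service/driver lines: R2 name;display;path [date size]   ([x] = not verifiable)
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*?)\]$")
# Run-key values: "name"="path" [date size]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(.*?)\]$')
# Scheduled-task target lines: - path [date time]
TASK_RE = re.compile(r"^- (.+?) \[(.*?)\]$")

# Autostart binaries normally live here; anything else gets a closer look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Constructed excerpt in the ComboFix layout (paths follow the thread's log).
SAMPLE_LOG = r"""
2014-10-27 20:02 . 2014-09-22 12:13 43688 ----a-w- c:\windows\system32\drivers\iSafeNetFilter.sys
2014-10-27 20:02 . 2014-10-27 20:02 -------- d-----w- c:\program files\Elex-tech
2014-10-16 17:12 . 2014-09-29 00:41 2379264 ----a-w- c:\windows\system32\win32k.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files\AVG\AVG2015\avgui.exe" [2014-09-05 3593744]
R2 vToolbarUpdater18.1.9;vToolbarUpdater18.1.9;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [x]
S1 iSafeKrnl;YAC Mini-Filter Driver;c:\program files\Elex-tech\YAC\iSafeKrnl.sys [2014-10-08 215080]
2014-11-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1968309384-3124937998-1629498125-1000UA.job
- c:\users\antonella\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-14 13:37]
"""


def parse_log(text):
    """Split the log into files, services, run-key entries and scheduled tasks."""
    out = {"files": [], "services": [], "run": [], "tasks": []}
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            out["files"].append({
                "created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                "size": m.group(2), "attrs": m.group(3), "path": m.group(4)})
            continue
        m = SERVICE_RE.match(line)
        if m:
            out["services"].append({
                "state": m.group(1), "name": m.group(2), "display": m.group(3),
                "path": m.group(4), "verified": m.group(5) != "x"})
            continue
        m = RUN_RE.match(line)
        if m:
            out["run"].append({"name": m.group(1), "path": m.group(2)})
            continue
        m = TASK_RE.match(line)
        if m:
            out["tasks"].append({"path": m.group(1)})
    return out


def in_system_dir(path):
    """True when the binary sits under a directory ordinary users cannot write."""
    return path.lower().startswith(SYSTEM_DIRS)


def triage(text, since):
    """Return (category, item) leads; `since` is the suspected start date, YYYY-MM-DD."""
    start = datetime.strptime(since, "%Y-%m-%d")
    log = parse_log(text)
    findings = []
    for f in log["files"]:
        if f["created"] >= start:
            kind = "new-driver" if f["path"].lower().endswith(".sys") else "new-file"
            findings.append((kind, f["path"]))
    for s in log["services"]:
        if not s["verified"]:
            findings.append(("service-unverified", s["name"]))
        elif not in_system_dir(s["path"]):
            findings.append(("service-outside-system-dirs", s["name"]))
    for r in log["run"]:
        if not in_system_dir(r["path"]):
            findings.append(("run-key-outside-system-dirs", r["name"]))
    for t in log["tasks"]:
        if not in_system_dir(t["path"]):
            findings.append(("task-outside-system-dirs", t["path"]))
    return findings


if __name__ == "__main__":
    # The thread's user dates the trouble to the uTorrent update; 2014-10-27 is
    # the day the Elex-tech directory and the AVG2015 directories appear in the log.
    for category, item in triage(SAMPLE_LOG, "2014-10-27"):
        print(f"{category:28} {item}")
```

Every line this prints is a lead to check, not a verdict: an updater scheduled from a user profile directory is normal for some software, and a service marked [x] may simply have been uninstalled without its registry entry. The value of the script is that it turns a long log into a short list to work through, and that the date filter ties each file to the timeline the user gave.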
 

Mattia Esposito

New User
It's not detecting anything now, but I had written down the name of the first detection on a piece of paper: utt7447.tmp.exe
svchost.exe tries to modify some commands, but YAC denies it.
I think the problem is torrent, which won't let me uninstall it and keeps sending me modification requests that I don't approve.
I don't know if I already said this, but it all started with a torrent update.
 

Mattia Esposito

New User
I haven't quite understood the problem; I installed AVIRA, but I don't understand why I have to uninstall YAC. Do you think the problem comes from there? Thanks for your help!
 
