PROBLEM

misterford

Hi guys, every now and then I catch something....
I had caught the "Polizia di Stato" virus and I don't know how, but I managed to remove it. I don't think I did it properly, though, because now I wanted to install Avira and something is preventing me. I ran a scan with ComboFix and I'm posting the log.
I think there's something to remove... if you can give me a hand, thanks a lot.


ComboFix 12-12-29.02 - Roberto 29/12/2012 20.05.30.7.2 - x86
Eseguito da: c:\documents and settings\Roberto\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Creati Da 2012-11-28 al 2012-12-29 )))))))))))))))))))))))))))))))))))
.
.
2012-12-23 08:44 . 2012-12-23 08:44 -------- d-----w- c:\programmi\SweetIM
2012-12-23 08:44 . 2012-12-23 08:44 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\SweetIM
2012-12-21 23:03 . 2012-12-21 23:03 -------- d-----w- c:\documents and settings\Roberto\Impostazioni locali\Dati applicazioni\Max Secure Software
2012-12-21 23:02 . 2012-12-23 08:52 -------- d-----w- c:\documents and settings\Roberto\Dati applicazioni\GetRightToGo
2012-12-21 22:51 . 2012-12-21 22:51 3009 ----a-w- c:\documents and settings\All Users\Dati applicazioni\dsgsdgdsgdsgw.js
2012-12-21 19:25 . 2012-12-21 19:25 -------- d-----w- c:\documents and settings\Roberto\Dati applicazioni\AVS4YOU
2012-12-21 19:24 . 2012-12-21 19:36 -------- d-----w- c:\programmi\File comuni\AVSMedia
2012-12-21 19:24 . 2012-12-21 19:24 -------- d-----w- c:\windows\system32\drivers\umdf
2012-12-21 19:23 . 2012-12-21 19:25 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\AVS4YOU
2012-12-21 19:23 . 2012-03-23 18:59 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2012-12-21 19:23 . 2012-03-23 18:59 24576 ----a-w- c:\windows\system32\msxml3a.dll
2012-12-05 11:38 . 2012-12-05 11:38 -------- d-----w- c:\documents and settings\Roberto\Impostazioni locali\Dati applicazioni\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2004-08-19 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-12 18:48 . 2012-03-30 16:40 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 18:48 . 2011-11-11 17:57 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-22 15:15 . 2012-11-22 15:15 998624 ----a-w- C:\install_flashplayer11x32au_mssa_aih.exe
2012-11-13 11:55 . 2004-08-19 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2004-08-19 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 03:28 . 2004-08-19 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 03:28 . 2004-08-19 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 03:28 . 2004-08-19 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-11-01 03:28 . 2004-08-19 12:00 17408 ------w- c:\windows\system32\corpol.dll
2012-10-18 14:21 . 2012-10-18 14:21 0 ----a-w- c:\windows\system32\REN278.tmp
2012-10-18 14:21 . 2012-10-18 14:21 0 ----a-w- c:\windows\system32\REN277.tmp
2012-10-02 18:04 . 2004-08-19 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-07-28 15:49 . 2012-07-28 13:49 1603672 ----a-w- c:\programmi\avira_cloud_tech_preview_setup.exe
2011-11-11 18:24 . 2011-11-11 18:14 6626544 ----a-w- c:\programmi\Shockwave_Installer_Slim.exe
2011-10-26 17:06 . 2011-10-26 17:06 812344 ----a-w- c:\programmi\HJTInstall.exe
2011-08-04 00:19 . 2011-08-04 00:18 31504896 ----a-w- c:\programmi\AGTPro_1.1k.msi
2012-12-06 16:10 . 2012-12-06 16:10 262112 ----a-w- c:\programmi\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\Roberto\Impostazioni locali\Dati applicazioni\Facebook\Update\FacebookUpdate.exe" [2012-10-10 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2012-07-03 252848]
"SweetIM"="c:\programmi\SweetIM\Messenger\SweetIM.exe" [2012-05-29 115032]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\Veetle\\Player\\VeetleNet.exe"=
"c:\\Documents and Settings\\Roberto\\Impostazioni locali\\Dati applicazioni\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Gestione remota Windows
"3557:UDP"= 3557:UDP:Windows Media Format SDK (plugin-container.exe)
"3556:UDP"= 3556:UDP:Windows Media Format SDK (plugin-container.exe)
"3561:UDP"= 3561:UDP:Windows Media Format SDK (plugin-container.exe)
.
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [x]
R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys [x]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [x]
S4 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
.
.
--- Altri Servizi/Drivers In Memoria ---
.
*Deregistered* - avipbb
*Deregistered* - ssmdrv
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-12-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:48]
.
2012-12-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1801674531-920026266-725345543-1003Core.job
- c:\documents and settings\Roberto\Impostazioni locali\Dati applicazioni\Facebook\Update\FacebookUpdate.exe [2012-10-10 18:08]
.
2012-12-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1801674531-920026266-725345543-1003UA.job
- c:\documents and settings\Roberto\Impostazioni locali\Dati applicazioni\Facebook\Update\FacebookUpdate.exe [2012-10-10 18:08]
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2012-12-27 19:04]
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2012-12-27 19:04]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{48B0BFA7-086E-4D11-966F-61B58AB4611F}: NameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{88DCE650-EA03-422C-B755-71E188D5B535}: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\udl8qn5w.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - prefs.js: keyword.URL - hxxp://utils.chatzum.com/?url=
FF - ExtSQL: 2012-12-23 09:55; {EEE6C361-6118-11DC-9C72-001320C79847}; c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\udl8qn5w.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
FF - ExtSQL: !HIDDEN! 2010-04-30 22:24; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: extentions.y2layers.installId - 881c2bd4-bf6d-47a9-a80a-1be0dfa41d3a
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,
FF - user.js: extentions.y2layers.installId - 5fb17ec4-4150-42d7-8830-19a02fee7904
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-12-29 20:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @DenieD: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @DenieD: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'explorer.exe'(1932)
c:\windows\system32\WININET.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2012-12-29 20:09:17
ComboFix-quarantined-files.txt 2012-12-29 19:09
ComboFix2.txt 2012-12-23 09:04
.
Pre-Run: 17.935.097.856 byte disponibili
Post-Run: 17.926.029.312 byte disponibili
.
- - End Of File - - AA23C3660B169827BE0E5231EE8BD2FB

- - - Updated - - -

Here is the other scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.18.57, on 29/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17115)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\Java\jre7\bin\jqs.exe
C:\windows\system32\svchost.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\windows\system32\wscntfy.exe
C:\windows\explorer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre7\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Programmi\SweetIM\Messenger\SweetIM.exe
O4 - HKCU\..\Run: [Facebook Update] "C:\Documents and Settings\Roberto\Impostazioni locali\Dati applicazioni\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKUS\S-1-5-21-1801674531-920026266-725345543-1003\..\Run: [Facebook Update] "C:\Documents and Settings\Roberto\Impostazioni locali\Dati applicazioni\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver (User '?')
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\windows\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\windows\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\windows\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/it/mjss/MJSS.cab109791.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48B0BFA7-086E-4D11-966F-61B58AB4611F}: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{88DCE650-EA03-422C-B755-71E188D5B535}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Servizio Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Programmi\Java\jre7\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Programmi\Mozilla Maintenance Service\maintenanceservice.exe

--
End of file - 4817 bytes