Here is the ComboFix report.
Malwarebytes did not detect anything.
LET ME SAY FIRST that when Avira found those 3 trojans I chose delete.
Afterwards I followed what you told me, i.e. the ComboFix scan etc.
Anyway, here is the report:
ComboFix 12-03-08.04 - Utente 12/03/2012 19.01.00.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.735.400 [GMT 1:00]
Eseguito da: c:\docume~1\Utente\IMPOST~1\Temp\Directory temporanea 1 per ComboFix.zip\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {00000002-0002-0000-6C25-9E7C08000A00}
AV: AntiVir Desktop *Enabled/Updated* {00000002-0002-0000-7C25-9E7C08000A00}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Dati applicazioni\TEMP
c:\documents and settings\Utente\WINDOWS
c:\windows\$NtUninstallKB19508$
c:\windows\$NtUninstallKB19508$\166443552\@
c:\windows\$NtUninstallKB19508$\166443552\L\eynoqaxm
c:\windows\$NtUninstallKB19508$\166443552\loader.tlb
c:\windows\$NtUninstallKB19508$\166443552\U\@00000001
c:\windows\$NtUninstallKB19508$\166443552\U\@000000c0
c:\windows\$NtUninstallKB19508$\166443552\U\@000000cb
c:\windows\$NtUninstallKB19508$\166443552\U\@000000cf
c:\windows\$NtUninstallKB19508$\166443552\U\@80000000
c:\windows\$NtUninstallKB19508$\166443552\U\@800000c0
c:\windows\$NtUninstallKB19508$\166443552\U\@800000cb
c:\windows\$NtUninstallKB19508$\166443552\U\@800000cf
c:\windows\$NtUninstallKB19508$\776718427
c:\windows\IsUn0410.exe
D:\rundll32.exe
.
.
((((((((((((((((((((((((( Files Creati Da 2012-02-12 al 2012-03-12 )))))))))))))))))))))))))))))))))))
.
.
2012-03-12 16:14 . 2012-03-12 16:14 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-03-12 10:52 . 2012-03-12 10:52 -------- d-----w- c:\programmi\Trend Micro
2012-03-12 10:38 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-03-10 14:12 . 2012-03-10 14:12 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-10 13:05 . 2012-03-12 09:18 -------- d-sh--w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\09ebba20
2012-03-06 19:43 . 2012-03-06 19:43 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Wajam
2012-03-06 19:43 . 2012-03-06 19:43 -------- d-----w- c:\programmi\Wajam
2012-03-06 19:43 . 2012-03-06 19:43 -------- d-----w- c:\programmi\Complitly
2012-03-06 19:43 . 2012-03-06 19:43 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\Complitly
2012-03-06 19:42 . 2012-03-06 19:42 237 ----a-w- C:\user.js
2012-03-06 19:42 . 2012-03-06 19:42 -------- d-----w- c:\programmi\BabylonToolbar
2012-03-06 19:42 . 2012-03-06 19:42 -------- d-----w- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Babylon
2012-03-06 19:42 . 2012-03-06 19:42 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Babylon
2012-03-06 19:42 . 2012-03-06 19:42 -------- d-----w- c:\documents and settings\Utente\Dati applicazioni\Babylon
2012-02-15 10:57 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-02 08:16 . 2011-05-17 17:15 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 17:20 . 2004-08-19 13:31 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:43 . 2004-08-19 13:39 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:43 . 2004-08-19 13:39 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:43 . 2004-08-19 13:39 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2004-08-19 13:26 385024 ----a-w- c:\windows\system32\html.iec
2012-02-17 17:50 . 2011-10-04 15:40 134104 ----a-w- c:\programmi\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\programmi\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-08 95800]
"WMPNSCFG"="c:\programmi\Windows Media Player\WMPNSCFG.exe" [2006-11-02 204288]
"Facebook Update"="c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SiSPower"="SiSPower.dll" [2005-03-03 49152]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-29 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\programmi\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-11-28 266240]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Programmi\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Utente\\Impostazioni locali\\Dati applicazioni\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [19/11/2008 19.34.51 28544]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10.25.50 12872]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10.15.58 66632]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [16/02/2009 8.52.42 93544]
R2 WajamUpdater;WajamUpdater;c:\programmi\Wajam\Updater\WajamUpdater.exe [13/02/2012 17.56.36 109064]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [01/12/2005 21.56.13 59466]
S2 0072571292437910mcinstcleanup;McAfee Application Installer Cleanup (0072571292437910); [x]
S2 0115851300135590mcinstcleanup;McAfee Application Installer Cleanup (0115851300135590); [x]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [08/07/2011 16.50.07 136176]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [27/03/2010 17.33.35 112640]
S3 gupdatem;Servizio Google Update (gupdatem);c:\programmi\Google\Update\GoogleUpdate.exe [08/07/2011 16.50.07 136176]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [27/03/2010 17.33.35 100736]
S3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10.15.58 12872]
S3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [01/12/2005 21.56.13 538925]
S3 USBFMC;SvcDesc=USB Flash Memory Controller Service;c:\windows\system32\drivers\USBFMC.sys [04/02/2006 15.37.20 34612]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16/02/2009 8.53.18 717296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2007-01-10 13:42]
.
2012-03-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-436374069-602609370-725345543-1003Core.job
- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Facebook\Update\FacebookUpdate.exe [2011-10-18 15:49]
.
2012-03-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-436374069-602609370-725345543-1003UA.job
- c:\documents and settings\Utente\Impostazioni locali\Dati applicazioni\Facebook\Update\FacebookUpdate.exe [2011-10-18 15:49]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2011-07-08 15:49]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2011-07-08 15:49]
.
2012-03-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{510D4167-5DBF-4271-BF6A-8BC83388C07E}: NameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Utente\Dati applicazioni\Mozilla\Firefox\Profiles\r3tdqcps.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2582604&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2582604&q=
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110004
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - e039f6ba0000000000000015f29aaf96
FF - user.js: extensions.BabylonToolbar_i.hardId - e039f6ba0000000000000015f29aaf96
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15405
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1720:42
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
Notify-WgaLogon - (no file)
AddRemove-GiD Route 99 - c:\windows\IsUn0410.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
GMER - Rootkit Detector and Remover
Rootkit scan 2012-03-12 19:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
@DACL=(02 0000)
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'winlogon.exe'(560)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\WININET.dll
c:\programmi\Windows Media Player\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Avira\AntiVir Desktop\sched.exe
c:\programmi\Avira\AntiVir Desktop\avguard.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SOUNDMAN.EXE
c:\programmi\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Ora fine scansione: 2012-03-12 19:19:31 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2012-03-12 18:19
.
Pre-Run: 68.781.318.144 byte disponibili
Post-Run: 68.768.776.192 byte disponibili
.
- - End Of File - - 779CA6A0C02B002BB57C2C44D39AA189