www.MegaLab.it

[veeto]

Da ieri ho un problema con lo spyware Virtumode, dopo che inconsciamente ho permesso ad un file di agire sul Pc (come firewall uso COMODO), pensando fosse un programma che avevo appena avviato.
Nel tentativo di risolvere il problema devo aver combinato qualcosa nel sistema, non ho cancellato nulla, ho modificato dei programmi in avvio su Esegui/msconfig, perché c'erano alcune cose che non ricordo di aver mai visto prima d'ora, come calc, protect e i 2 scandisk

Ho fatto varie scansioni con spybot, Vundofix e VirtumondeBeGone, dopo aver riavviato mi spuntano questi 2 messaggi.



Questo era ieri, stamattina quando ho riavviato invece di questi erano apparsi alcuni prompt dei comandi uno sopra l'altro che poi sono spariti dopo un paio di secondi, riavviando di nuovo non è apparso più nulla. Fatto sta che non riesco ad usare la modalità provvisoria (ne quella normale ne quella con rete). Io premo F8 all'avvio, inzia a caricare tutto, poi esce il segnale "Assenza del segnale" (avviso del monitor) e si riavvia.
La modalità provvisoria dovrebbe servirmi per liberarmi definitivamente di Virtumonde.


Se può esservi utile, questo è il mio log.
Ho XP e questo che uso è un Pc nuovo, che ho da circa 2 settimane.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:55, on 24.09.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Programmi\Nortek Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
C:\Programmi\Nortek Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Download Manager\IDMan.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\Internet Download Manager\IEMonitor.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\OpenOffice.org 3\program\swriter.exe
C:\Programmi\OpenOffice.org 3\program\soffice.exe
C:\Programmi\OpenOffice.org 3\program\soffice.bin
C:\Programmi\Flock\flock.exe
C:\Programmi\VideoLAN\VLC\vlc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Programmi\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programmi\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\Nortek Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programmi\Nortek Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Programmi\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\ADMINI~1\protect.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [IDMan] C:\Programmi\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: scandisk.dll
O4 - Startup: scandisk.lnk = ?
O8 - Extra context menu item: Download all links with IDM - C:\Programmi\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Programmi\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Programmi\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Programmi\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Programmi\TVersity\Media Server\MediaServer.exe

--
End of file - 6453 bytes

[Amantide]

O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\ADMINI~1\protect.dll,_IWMPEvents@0

Ci sono questi 2 file in avvio che sono molto strani

Intanto deseleziona questi file dall'avvio automatico e poi caricali su www.virustotal.com e vedi di cosa si tratta, poi scarica ComboFix , salvandolo sul desktop con un nome di fantasia, ed esegui la scansione seguendo queste istruzioni (giù in fondo). Al termine della scansione verrà creato il file di report C:\combofix.txt, posta qui il suo contenuto.

[veeto]

Allora,
c'è un problema con combofix, non so se è normale, ma quando lo installo il firewall mi segnala queste 2 cosette



Non sapenso cosa siano, scelgo di bloccare tutto.
Come hai detto, il file l'ho rinominato (in uuu.exe).

[Amantide]

Vai tranquillo e riprova con Combofix chiudendo prima sia l'antivirus che il firewall

[veeto]

Fatta la scansione, ma non riuscendo a chiudere l'antivirus, l'ho lasciato aperto. Ho potuto solo disattivare la guardia.
Durante e dopo la scenzione antivir mi ha segnalato la presenza di un trojan che a quanto pare si trovava proprio sul file protect.dll.
Ecco il log

ComboFix 09-09-23.02 - Administrator 26.09.2009 0:10:27.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1637 [GMT 2:00]
: C:\Documents and Settings\Administrator\Desktop\Downloads\yyyyy.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {0012EF58-EE90-0012-58EF-1200F85B927C}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-14EF-9D7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {001300D4-0000-0000-1000-00006C4D927C}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {001300D4-0000-0000-1000-00007454927C}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {001300D4-0000-0000-1000-00007C52927C}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0015A6F8-A6D8-0015-90F5-707300000000}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}


.


.

C:\Documents and Settings\Administrator\protect.dll
C:\Documents and Settings\LocalService\protect.dll
C:\Documents and Settings\NetworkService\protect.dll
C:\WINDOWS\akefiqej.dll
C:\WINDOWS\system32\config\systemprofile\protect.dll
C:\WINDOWS\system32\drivers\gasfkyotextarm.sys
C:\WINDOWS\system32\gasfkycfmimpvy.dat
C:\WINDOWS\system32\gasfkyheyfqxyu.dll
C:\WINDOWS\system32\gasfkyiexutevs.dll
C:\WINDOWS\system32\gasfkymepubnyk.dll
C:\WINDOWS\system32\gasfkytevssfvp.dat
C:\WINDOWS\system32\msssc.dll

.
((((((((((((((((((((((((((((((((((((((( )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyvfmtklrl
-------\Legacy_gasfkyvfmtklrl



.

2009-09-25 11:00:39 . 2008-04-13 18:45:34 15104 -c--a-w- C:\WINDOWS\system32\dllcache\usbscan.sys
2009-09-25 11:00:39 . 2008-04-13 18:45:34 15104 ----a-w- C:\WINDOWS\system32\drivers\usbscan.sys
2009-09-25 09:13:30 . 2006-12-27 22:00:00 66560 ----a-w- C:\WINDOWS\system32\eswia7e.dll
2009-09-25 09:13:30 . 2006-12-27 22:00:00 208896 ----a-w- C:\WINDOWS\system32\esint7e.dll
2009-09-25 09:13:30 . 2006-03-09 22:00:00 3584 ----a-w- C:\WINDOWS\system32\eswiaml.dll
2009-09-25 09:12:25 . 2007-01-11 11:02:00 113664 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
2009-09-25 09:12:23 . 2009-09-25 09:12:25 0 d-----w- C:\Documents and Settings\All Users\Dati applicazioni\EPSON
2009-09-25 09:12:20 . 2004-09-11 03:12:28 49152 ----a-w- C:\WINDOWS\system32\E_DCINST.DLL
2009-09-25 09:12:19 . 2006-12-08 09:04:00 76800 ----a-w- C:\WINDOWS\system32\E_FLBCAE.DLL
2009-09-25 09:12:19 . 2006-04-19 09:00:00 62976 ----a-w- C:\WINDOWS\system32\E_FD4BCAE.DLL
2009-09-25 09:11:52 . 2009-09-25 09:13:30 0 d-----w- C:\Programmi\EPSON
2009-09-25 09:09:27 . 2008-04-13 18:47:38 25856 -c--a-w- C:\WINDOWS\system32\dllcache\usbprint.sys
2009-09-25 09:09:27 . 2008-04-13 18:47:38 25856 ----a-w- C:\WINDOWS\system32\drivers\usbprint.sys
2009-09-25 09:09:00 . 2008-04-13 18:45:40 32128 -c--a-w- C:\WINDOWS\system32\dllcache\usbccgp.sys
2009-09-25 09:09:00 . 2008-04-13 18:45:40 32128 ----a-w- C:\WINDOWS\system32\drivers\usbccgp.sys
2009-09-23 22:05:06 . 2009-09-23 22:05:06 0 d-----w- C:\Programmi\Trend Micro
2009-09-23 21:59:06 . 2009-09-15 14:58:02 106867 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll
2009-09-23 21:59:05 . 2009-09-21 15:27:58 479611 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aescript.dll
2009-09-23 21:59:05 . 2009-09-17 09:06:40 364916 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aegen.dll
2009-09-23 21:59:05 . 2009-09-15 14:58:00 422261 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aepack.dll
2009-09-23 21:59:05 . 2009-09-03 14:24:42 237940 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll
2009-09-23 21:59:05 . 2009-09-03 14:24:42 127346 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aescn.dll
2009-09-23 21:59:05 . 2009-08-18 13:02:16 1921400 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll
2009-09-23 21:59:05 . 2009-07-14 16:08:26 430452 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll
2009-09-23 21:59:05 . 2009-06-17 13:32:46 196987 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aeoffice.dll
2009-09-23 21:59:05 . 2008-10-15 09:49:36 393588 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aeemu.dll
2009-09-23 21:59:04 . 2009-09-15 14:57:58 184693 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2009-09-23 21:59:04 . 2008-10-15 09:49:34 53618 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Avira\AntiVir Desktop\FAILSAVE\aebb.dll
2009-09-23 21:45:16 . 2009-09-23 21:45:16 0 d-----w- C:\VundoFix Backups
2009-09-23 11:21:57 . 2009-09-24 07:47:32 22528 --sha-w- C:\WINDOWS\system32\calc.dll
2009-09-23 10:29:08 . 2009-09-23 10:29:12 0 d-----w- C:\Programmi\Nvu
2009-09-23 10:23:05 . 2009-09-23 10:23:05 13851 ----a-w- C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-09-23 10:23:05 . 2008-10-16 19:58:09 5096824 ----a-w- C:\WINDOWS\system32\SpoonUninstall.exe
2009-09-23 10:23:03 . 2009-09-23 10:23:03 0 d-----w- C:\Programmi\Illustrate
2009-09-22 14:57:31 . 2009-09-24 14:12:42 0 d-----w- C:\Programmi\Metin2_Italiano
2009-09-21 21:34:47 . 2009-09-21 21:34:47 0 d-----w- C:\Documents and Settings\All Users\Dati applicazioni\Canneverbe Limited
2009-09-19 21:22:42 . 2009-08-16 15:08:36 178176 ----a-w- C:\WINDOWS\system32\unrar.dll
2009-09-19 21:22:41 . 2004-01-25 16:18:44 217088 ----a-w- C:\WINDOWS\system32\yv12vfw.dll
2009-09-19 21:22:40 . 2009-05-29 21:37:40 205824 ----a-w- C:\WINDOWS\system32\xvidvfw.dll
2009-09-19 21:22:40 . 2009-05-29 21:31:52 881664 ----a-w- C:\WINDOWS\system32\xvidcore.dll
2009-09-19 21:22:39 . 2009-09-17 18:00:00 85504 ----a-w- C:\WINDOWS\system32\ff_vfw.dll
2009-09-19 21:22:38 . 2009-09-19 21:22:41 0 d-----w- C:\Programmi\K-Lite Codec Pack
2009-09-18 10:23:23 . 2009-09-19 21:21:20 0 d-----w- C:\Programmi\TVersity Codec Pack
2009-09-18 10:21:47 . 2009-09-18 10:21:47 0 d-----w- C:\Programmi\TVersity
2009-09-18 10:11:46 . 2009-09-18 16:55:34 0 d-----w- C:\Programmi\Adobe Photoshop CS3 (Portable)
2009-09-18 09:50:43 . 2009-04-07 18:14:52 0 d-----w- C:\Programmi\Photoshop
2009-09-17 16:17:48 . 2009-09-17 16:17:49 0 d-----w- C:\Programmi\SmartFTP Client 2.0
2009-09-17 08:53:24 . 2009-09-17 08:53:24 0 d-sh--w- C:\Documents and Settings\Administrator\PrivacIE
2009-09-17 08:49:45 . 2009-09-17 08:49:45 0 d-----w- C:\Documents and Settings\All Users\Dati applicazioni\Office Genuine Advantage
2009-09-17 08:24:24 . 2009-09-17 08:26:16 5423 ----a-w- C:\WINDOWS\BricoPackFoldersDelete.cmd
2009-09-17 07:59:17 . 2009-09-17 07:59:17 0 d-sh--w- C:\WINDOWS\system32\config\systemprofile\IETldCache
2009-09-16 21:51:26 . 2009-09-16 21:51:26 0 d-----w- C:\WINDOWS\l2schemas
2009-09-16 21:51:25 . 2009-09-16 21:51:25 0 d-----w- C:\WINDOWS\system32\it
2009-09-16 21:51:25 . 2009-09-16 21:51:25 0 d-----w- C:\WINDOWS\system32\bits
2009-09-16 13:08:02 . 2009-09-23 13:45:23 0 d-----w- C:\Programmi\Wolfenstein - Enemy Territory
2009-09-15 17:53:36 . 2005-02-26 05:34:40 442368 ----a-r- C:\WINDOWS\system32\vp6vfw.dll
2009-09-15 17:53:35 . 2009-09-15 21:32:33 0 d-----w- C:\Programmi\EA GAMES
2009-09-14 16:09:16 . 2009-09-14 16:09:16 0 d-----w- C:\WINDOWS\Sun
2009-09-14 12:12:20 . 2009-09-14 12:12:20 0 d-sh--w- C:\Documents and Settings\LocalService\IETldCache
2009-09-14 11:52:47 . 2009-09-14 11:52:47 0 d-----w- C:\WINDOWS\system32\LogFiles
2009-09-14 08:21:52 . 2009-09-14 08:21:53 0 d-----w- C:\WINDOWS\system32\XPSViewer
2009-09-14 08:21:47 . 2009-09-14 08:21:47 0 d-----w- C:\Programmi\MSBuild
2009-09-14 08:21:37 . 2009-09-14 08:21:37 0 d-----w- C:\Programmi\Reference Assemblies
2009-09-14 08:20:51 . 2008-07-06 12:06:10 89088 -c----w- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2009-09-14 08:20:51 . 2008-07-06 12:06:10 575488 -c----w- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2009-09-14 08:20:51 . 2008-07-06 12:06:10 575488 ------w- C:\WINDOWS\system32\xpsshhdr.dll
2009-09-14 08:20:51 . 2008-07-06 12:06:10 117760 ------w- C:\WINDOWS\system32\prntvpt.dll
2009-09-14 08:20:51 . 2008-07-06 10:50:03 597504 -c----w- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2009-09-14 08:20:50 . 2008-07-06 12:06:10 1676288 -c----w- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2009-09-14 08:20:50 . 2008-07-06 12:06:10 1676288 ------w- C:\WINDOWS\system32\xpssvcs.dll
2009-09-14 08:20:48 . 2009-09-14 08:21:23 0 d-----w- C:\3a9fec21e5410f92ccd2af
2009-09-14 08:07:56 . 2009-09-14 08:07:56 0 d-----w- C:\Programmi\MSXML 6.0
2009-09-14 00:35:40 . 2009-09-14 00:35:42 0 d-----w- C:\44801168820970ff5bbf9b2a18
2009-09-14 00:35:38 . 2009-09-14 00:35:39 0 d-----w- C:\91db199682b712cdc40c
2009-09-14 00:35:14 . 2009-09-14 00:35:14 0 d-sh--w- C:\Documents and Settings\Administrator\IECompatCache
2009-09-13 21:40:00 . 2009-09-13 21:40:00 0 d-sh--w- C:\Documents and Settings\NetworkService\IETldCache
2009-09-13 21:39:43 . 2009-09-13 21:39:43 0 d-sh--w- C:\Documents and Settings\Administrator\IETldCache
2009-09-13 21:34:01 . 2009-08-07 08:48:40 100352 -c----w- C:\WINDOWS\system32\dllcache\iecompat.dll
2009-09-13 21:33:50 . 2009-09-14 10:04:02 0 d-----w- C:\WINDOWS\ie8updates
2009-09-13 21:33:44 . 2009-07-19 16:42:52 11067392 -c----w- C:\WINDOWS\system32\dllcache\ieframe.dll
2009-09-13 21:33:44 . 2009-07-03 16:55:22 12800 -c----w- C:\WINDOWS\system32\dllcache\xpshims.dll
2009-09-13 21:33:44 . 2009-07-03 16:55:16 594432 -c----w- C:\WINDOWS\system32\dllcache\msfeeds.dll
2009-09-13 21:33:44 . 2009-07-03 16:55:16 55296 -c----w- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2009-09-13 21:33:44 . 2009-07-03 16:55:14 1985536 -c----w- C:\WINDOWS\system32\dllcache\iertutil.dll
2009-09-13 21:33:44 . 2009-07-03 16:55:12 246272 -c----w- C:\WINDOWS\system32\dllcache\ieproxy.dll
2009-09-13 21:33:07 . 2009-09-17 08:13:31 0 dc-h--w- C:\WINDOWS\ie8
2009-09-13 21:33:07 . 2009-09-17 08:13:12 0 d-----w- C:\WINDOWS\system32\it-IT
2009-09-13 21:20:04 . 2009-09-16 21:47:48 0 d-----w- C:\WINDOWS\ServicePackFiles
2009-09-13 21:14:58 . 2004-08-03 20:29:42 11871 ------w- C:\WINDOWS\system32\drivers\wadv09nt.sys
2009-09-13 21:14:52 . 2004-08-03 20:41:42 129535 ------w- C:\WINDOWS\system32\drivers\slnt7554.sys
2009-09-13 21:14:46 . 2001-08-31 15:00:00 22060 -c----w- C:\WINDOWS\system32\dllcache\npds.zip
2009-09-13 21:14:45 . 2002-04-03 12:35:24 403 -c----w- C:\WINDOWS\system32\dllcache\npdrmv2.zip
2009-09-13 21:14:30 . 2004-08-03 20:41:56 1041536 ------w- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2009-09-13 21:08:45 . 2004-08-03 20:29:32 63663 ------w- C:\WINDOWS\system32\drivers\ati1rvxx.sys
2009-09-13 21:08:45 . 2004-08-03 20:29:32 29455 ------w- C:\WINDOWS\system32\drivers\ati1xbxx.sys
2009-09-13 21:08:45 . 2004-08-03 20:29:32 26367 ------w- C:\WINDOWS\system32\drivers\ati1snxx.sys
2009-09-13 21:08:45 . 2004-08-03 20:29:32 21343 ------w- C:\WINDOWS\system32\drivers\ati1ttxx.sys
2009-09-13 21:08:45 . 2004-08-03 20:29:32 13824 ------w- C:\WINDOWS\system32\drivers\atinttxx.sys
2009-09-13 21:08:45 . 2004-08-03 20:29:30 14336 ------w- C:\WINDOWS\system32\drivers\atinpdxx.sys
2009-09-13 21:08:45 . 2004-08-03 20:29:30 13824 ------w- C:\WINDOWS\system32\drivers\atinmdxx.sys
2009-09-13 18:35:38 . 2008-06-14 17:32:08 272768 -c----w- C:\WINDOWS\system32\dllcache\bthport.sys
2009-09-13 18:35:37 . 2008-06-14 17:32:08 272768 ------w- C:\WINDOWS\system32\drivers\bthport.sys
2009-09-13 18:19:38 . 2009-03-06 14:19:00 286208 -c----w- C:\WINDOWS\system32\dllcache\pdh.dll
2009-09-13 18:19:38 . 2009-02-09 11:23:10 2192768 -c----w- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2009-09-13 18:19:38 . 2009-02-09 11:22:49 111104 -c----w- C:\WINDOWS\system32\dllcache\services.exe
2009-09-13 18:19:38 . 2009-02-09 10:51:44 401408 -c----w- C:\WINDOWS\system32\dllcache\rpcss.dll
2009-09-13 18:19:38 . 2009-02-06 10:10:02 227840 -c----w- C:\WINDOWS\system32\dllcache\wmiprvse.exe
2009-09-13 18:19:37 . 2009-06-25 08:25:23 735744 -c----w- C:\WINDOWS\system32\dllcache\lsasrv.dll
2009-09-13 18:19:37 . 2009-02-09 10:51:44 683520 -c----w- C:\WINDOWS\system32\dllcache\advapi32.dll
2009-09-13 18:19:37 . 2009-02-09 10:51:43 736256 -c----w- C:\WINDOWS\system32\dllcache\ntdll.dll
2009-09-13 18:19:37 . 2009-02-09 10:51:43 473600 -c----w- C:\WINDOWS\system32\dllcache\fastprox.dll
2009-09-13 18:19:37 . 2009-02-09 10:51:42 453120 -c----w- C:\WINDOWS\system32\dllcache\wmiprvsd.dll
2009-09-13 18:19:36 . 2009-02-09 11:23:08 2027520 -c----w- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2009-09-13 18:19:36 . 2009-02-09 11:22:54 2148864 -c----w- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2009-09-13 18:13:06 . 2008-05-08 14:02:52 203136 -c----w- C:\WINDOWS\system32\dllcache\rmcast.sys
2009-09-13 18:09:52 . 2008-12-11 10:57:09 333952 -c----w- C:\WINDOWS\system32\dllcache\srv.sys
2009-09-13 17:57:38 . 2008-10-15 16:36:15 337408 -c----w- C:\WINDOWS\system32\dllcache\netapi32.dll
2009-09-13 17:54:49 . 2008-04-21 21:14:24 219136 -c----w- C:\WINDOWS\system32\dllcache\wordpad.exe
2009-09-13 17:04:27 . 2008-10-24 11:21:09 455296 -c----w- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2009-09-13 16:56:39 . 2009-07-10 13:26:37 1315328 -c----w- C:\WINDOWS\system32\dllcache\msoe.dll
2009-09-13 16:56:05 . 2008-04-11 19:04:32 691712 -c----w- C:\WINDOWS\system32\dllcache\inetcomm.dll
2009-09-13 16:45:00 . 2008-03-25 03:48:06 54400 ----a-r- C:\WINDOWS\system32\drivers\NVENETFD.sys
2009-09-13 16:45:00 . 2008-03-25 03:47:16 200704 ----a-r- C:\WINDOWS\system32\fdco1.dll
2009-09-13 16:44:55 . 2008-03-25 03:46:46 9216 ----a-r- C:\WINDOWS\system32\bdco1.dll
2009-09-13 16:44:55 . 2008-03-14 02:47:26 35840 ----a-r- C:\WINDOWS\system32\nvconrm.dll

.

.
2009-09-25 22:19:14 . 2009-09-25 22:19:14 22528 --sha-w- C:\Documents and Settings\LocalService\protect.dll
2009-09-25 22:19:13 . 2009-09-25 22:19:13 22528 --sha-w- C:\Documents and Settings\Administrator\protect.dll
2009-09-23 11:22:13 . 2009-09-23 11:22:11 159856 ----a-w- C:\WINDOWS\system32\config\systemprofile\Dati applicazioni\lizkavd.exe
2009-09-17 08:26:16 . 2004-08-19 13:39:30 219648 ----a-w- C:\WINDOWS\system32\uxtheme.dll
2009-09-17 08:01:31 . 2001-08-31 15:00:00 479180 ----a-w- C:\WINDOWS\system32\perfh010.dat
2009-09-17 08:01:30 . 2001-08-31 15:00:00 79514 ----a-w- C:\WINDOWS\system32\perfc010.dat
2009-09-12 20:11:10 . 2009-09-03 16:25:50 0 d--h--w- C:\Programmi\InstallShield Installation Information
2009-09-12 16:20:53 . 2009-09-12 16:23:47 905 ----a-w- C:\Programmi\Spybot - Search & Destroy.lnk
2009-09-11 12:48:38 . 2009-09-03 16:25:41 0 d-----w- C:\Programmi\File comuni\InstallShield
2009-09-03 14:44:40 . 2009-09-03 14:44:40 0 d-----w- C:\Programmi\microsoft frontpage
2009-09-03 14:43:17 . 2009-09-03 14:43:17 0 d-----w- C:\Programmi\Servizi in linea
2009-09-03 14:41:39 . 2009-09-03 14:41:39 21840 ----a-w- C:\WINDOWS\system32\emptyregdb.dat
2009-08-05 08:59:33 . 2004-08-19 13:39:20 205312 ----a-w- C:\WINDOWS\system32\mswebdvd.dll
2009-07-29 04:34:31 . 2004-08-19 13:39:30 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2009-07-29 04:34:31 . 2001-08-31 15:00:00 81920 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-07-26 14:44:56 . 2009-07-26 14:44:56 48448 ----a-w- C:\WINDOWS\system32\sirenacm.dll
2009-07-17 19:01:40 . 2004-08-19 13:39:04 58880 ----a-w- C:\WINDOWS\system32\atl.dll
2009-07-12 10:21:50 . 2004-08-19 13:39:34 233472 ----a-w- C:\WINDOWS\system32\wmpdxm.dll
2009-07-03 16:55:22 . 2004-08-19 13:39:30 906240 ----a-w- C:\WINDOWS\system32\wininet.dll
.


.
.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"calc"="C:\DOCUME~1\LOCALS~1\protect.dll" [2009-09-25 22:19:14 22528]
"IDMan"="C:\Programmi\Internet Download Manager\IDMan.exe" [2009-09-12 16:41:49 2606512]
"Google Update"="C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2009-09-25 08:51:17 133104]

[Amantide]

Un po' di schifezze Combofix ha rimosso, però è rimasto ancora qualcosina.

Copia ed incolla il seguente testo su blocconote e salva il file su desktop con il nome CFScript.txt.

Codice: Seleziona tutto

File::
C:\WINDOWS\system32\calc.dll
C:\WINDOWS\system32\config\systemprofile\Dati applicazioni\lizkavd.exe
C:\Documents and Settings\LocalService\protect.dll
C:\Documents and Settings\Administrator\protect.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"calc"=-


Ora trascina il file CFScript.txt sull'icona di ComboFix. Aspetta il termine della scansione e posta il nuovo log di Combofix.

Hai controllato se modalità provvisoria ora funziona? Se no - prova a ripararla con questo file http://www.MegaLab.it/4089/bagle-restore

Fai anche la scansione completa con Malwarebytes Antimalware.

[veeto]

Ok, vedrò di farlo entro oggi. comunque con il ripristino con Bagle Restore, precisamente cosa succede?
Tutte le impostazioni verrebbero resettate?
Nel caso uno dei files di sistema sia infetto, tipo il rundle32, con il ripristino il trojan/virus/spyware verrà soppresso o sarà presente anche nel nuovo?

[Amantide]

Ok, vedrò di farlo entro oggi. comunque con il ripristino con Bagle Restore, precisamente cosa succede?Tutte le impostazioni verrebbero resettate?

No, questo file ti ripristina solo le parti mancanti nel registro di sistema.

Nel caso uno dei files di sistema sia infetto, tipo il rundle32, con il ripristino il trojan/virus/spyware verrà soppresso o sarà presente anche nel nuovo?

Per questo devi fare le scansioni con antivirus/antimalware.

[veeto]

Allora,
ho usato quel programmino e la modalità provvisoria è tornata a funzionare
Ho installato, aggiornato e scansionato (scanzione rapida) Malware bytes, e non ha rilevato nulla. Log

Malwarebytes' Anti-Malware 1.41
Versione del database: 2775
Windows 5.1.2600 Service Pack 3

29.09.2009 10:21:13
mbam-log-2009-09-29 (10-21-13).txt

Tipo di scansione: Scansione rapida
Elementi scansionati: 84763
Tempo trascorso: 3 minute(s), 17 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)

Poco prima di fare quella operazione con combofix, ho fatto una scansione completa con spybot, questo è il risultato (il file trovato l'ho eliminato).

Quindi virtumonde sembra sia scomparso, però stranamente appare il nome nella barra di stato

Questo è il log di combofix

ComboFix 09-09-28.01 - Administrator 29.09.2009 11:44.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1612 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\Downloads\Combofix.exe
Opzioni usate :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {0012EF58-EE90-0012-58EF-1200F85B927C}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-14EF-9D7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {001300D4-0000-0000-1000-00006C4D927C}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {001300D4-0000-0000-1000-00007454927C}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {001300D4-0000-0000-1000-00007C52927C}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0015A6F8-A6D8-0015-90F5-707300000000}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\documents and settings\Administrator\protect.dll"
"c:\documents and settings\LocalService\protect.dll"
"c:\windows\system32\calc.dll"
"c:\windows\system32\config\systemprofile\Dati applicazioni\lizkavd.exe"
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\calc.dll
.
---- Esecuzione precedente -------
.
c:\documents and settings\Administrator\protect.dll
c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\windows\akefiqej.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\gasfkyotextarm.sys
c:\windows\system32\gasfkycfmimpvy.dat
c:\windows\system32\gasfkyheyfqxyu.dll
c:\windows\system32\gasfkyiexutevs.dll
c:\windows\system32\gasfkymepubnyk.dll
c:\windows\system32\gasfkytevssfvp.dat
c:\windows\system32\msssc.dll

.
((((((((((((((((((((((((((((((((((((((( )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyvfmtklrl
-------\Legacy_gasfkyvfmtklrl


((((((((((((((((((((((((( Files Creati Da 2009-08-28 al 2009-09-29 )))))))))))))))))))))))))))))))))))
.

2009-09-29 08:15 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 22:38 . 2009-09-28 22:38 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-09-28 22:38 . 2009-09-28 22:38 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-09-28 22:38 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 22:38 . 2009-09-29 08:15 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-09-27 16:45 . 2009-09-27 16:52 -------- d-----w- c:\programmi\Nero 9.0.9
2009-09-25 11:28 . 2009-09-25 11:28 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Identities
2009-09-25 11:00 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-09-25 11:00 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-09-25 09:13 . 2006-12-27 22:00 66560 ----a-w- c:\windows\system32\eswia7e.dll
2009-09-25 09:13 . 2006-12-27 22:00 208896 ----a-w- c:\windows\system32\esint7e.dll
2009-09-25 09:13 . 2006-03-09 22:00 3584 ----a-w- c:\windows\system32\eswiaml.dll
2009-09-25 09:12 . 2009-09-25 09:12 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\EPSON
2009-09-25 09:12 . 2004-09-11 03:12 49152 ----a-w- c:\windows\system32\E_DCINST.DLL
2009-09-25 09:12 . 2006-12-08 09:04 76800 ----a-w- c:\windows\system32\E_FLBCAE.DLL
2009-09-25 09:12 . 2006-04-19 09:00 62976 ----a-w- c:\windows\system32\E_FD4BCAE.DLL
2009-09-25 09:11 . 2009-09-25 09:13 -------- d-----w- c:\programmi\EPSON
2009-09-25 09:09 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-09-25 09:09 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-09-25 09:09 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-09-25 09:09 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-09-25 08:51 . 2009-09-25 08:52 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Temp
2009-09-25 08:51 . 2009-09-25 08:52 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google
2009-09-23 22:05 . 2009-09-23 22:05 -------- d-----w- c:\programmi\Trend Micro
2009-09-23 21:45 . 2009-09-23 21:45 -------- d-----w- C:\VundoFix Backups
2009-09-23 10:29 . 2009-09-23 10:29 -------- d-----w- c:\programmi\Nvu
2009-09-23 10:23 . 2009-09-23 10:23 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\AccurateRip
2009-09-23 10:23 . 2009-09-23 10:23 13851 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-09-23 10:23 . 2008-10-16 19:58 5096824 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-09-23 10:23 . 2009-09-23 10:23 -------- d-----w- c:\programmi\Illustrate
2009-09-23 07:14 . 2009-09-23 07:14 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Media Player Classic
2009-09-22 14:57 . 2009-09-24 14:12 -------- d-----w- c:\programmi\Metin2_Italiano
2009-09-21 21:34 . 2009-09-21 21:34 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Canneverbe_Limited
2009-09-21 21:34 . 2009-09-21 21:34 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Canneverbe Limited
2009-09-19 21:22 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2009-09-19 21:22 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-09-19 21:22 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-09-19 21:22 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-09-19 21:22 . 2009-09-17 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-09-19 21:22 . 2009-09-19 21:22 -------- d-----w- c:\programmi\K-Lite Codec Pack
2009-09-18 10:23 . 2009-09-19 21:21 -------- d-----w- c:\programmi\TVersity Codec Pack
2009-09-18 10:21 . 2009-09-18 10:21 -------- d-----w- c:\programmi\TVersity
2009-09-18 10:17 . 2009-09-18 10:17 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\WMTools Downloaded Files
2009-09-18 10:11 . 2009-09-18 16:55 -------- d-----w- c:\programmi\Adobe Photoshop CS3 (Portable)
2009-09-18 09:50 . 2009-04-07 18:14 -------- d-----w- c:\programmi\Photoshop
2009-09-17 16:17 . 2009-09-17 16:17 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\SmartFTP
2009-09-17 16:17 . 2009-09-17 16:17 -------- d-----w- c:\programmi\SmartFTP Client 2.0
2009-09-17 08:53 . 2009-09-17 08:53 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-17 08:49 . 2009-09-17 08:49 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Office Genuine Advantage
2009-09-17 08:24 . 2009-09-17 08:26 5423 ----a-w- c:\windows\BricoPackFoldersDelete.cmd
2009-09-17 07:59 . 2009-09-17 07:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-16 21:51 . 2009-09-16 21:51 -------- d-----w- c:\windows\l2schemas
2009-09-16 21:51 . 2009-09-16 21:51 -------- d-----w- c:\windows\system32\it
2009-09-16 21:51 . 2009-09-16 21:51 -------- d-----w- c:\windows\system32\bits
2009-09-16 13:08 . 2009-09-23 13:45 -------- d-----w- c:\programmi\Wolfenstein - Enemy Territory
2009-09-15 17:53 . 2005-02-26 05:34 442368 ----a-r- c:\windows\system32\vp6vfw.dll
2009-09-15 17:53 . 2009-09-15 21:32 -------- d-----w- c:\programmi\EA GAMES
2009-09-14 16:09 . 2009-09-14 16:09 -------- d-----w- c:\windows\Sun
2009-09-14 12:12 . 2009-09-14 12:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-14 11:52 . 2009-09-14 11:52 -------- d-----w- c:\windows\system32\LogFiles
2009-09-14 11:14 . 2009-09-14 11:14 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\OpenOffice.org
2009-09-14 08:21 . 2009-09-14 08:21 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-14 08:21 . 2009-09-14 08:21 -------- d-----w- c:\programmi\MSBuild
2009-09-14 08:21 . 2009-09-14 08:21 -------- d-----w- c:\programmi\Reference Assemblies
2009-09-14 08:20 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-14 08:20 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-14 08:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-14 08:20 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-14 08:20 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-14 08:20 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-14 08:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-14 08:20 . 2009-09-14 08:21 -------- d-----w- C:\3a9fec21e5410f92ccd2af
2009-09-14 08:07 . 2009-09-14 08:07 -------- d-----w- c:\programmi\MSXML 6.0
2009-09-14 00:35 . 2009-09-14 00:35 -------- d-----w- C:\44801168820970ff5bbf9b2a18
2009-09-14 00:35 . 2009-09-14 00:35 -------- d-----w- C:\91db199682b712cdc40c
2009-09-14 00:35 . 2009-09-14 00:35 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-09-13 21:40 . 2009-09-13 21:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-13 21:39 . 2009-09-13 21:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-13 21:34 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-13 21:33 . 2009-09-14 10:04 -------- d-----w- c:\windows\ie8updates
2009-09-13 21:33 . 2009-07-19 16:42 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-13 21:33 . 2009-07-03 16:55 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-13 21:33 . 2009-07-03 16:55 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-13 21:33 . 2009-07-03 16:55 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-13 21:33 . 2009-07-03 16:55 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-13 21:33 . 2009-07-03 16:55 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-13 21:33 . 2009-09-17 08:13 -------- dc-h--w- c:\windows\ie8
2009-09-13 21:33 . 2009-09-17 08:13 -------- d-----w- c:\windows\system32\it-IT
2009-09-13 21:20 . 2009-09-16 21:47 -------- d-----w- c:\windows\ServicePackFiles
2009-09-13 21:14 . 2004-08-03 20:29 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys
2009-09-13 21:14 . 2004-08-03 20:41 129535 ------w- c:\windows\system32\drivers\slnt7554.sys
2009-09-13 21:14 . 2001-08-31 15:00 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2009-09-13 21:14 . 2002-04-03 12:35 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2009-09-13 21:14 . 2004-08-03 20:41 1041536 ------w- c:\windows\system32\drivers\hsfdpsp2.sys
2009-09-13 21:08 . 2004-08-03 20:29 63663 ------w- c:\windows\system32\drivers\ati1rvxx.sys
2009-09-13 21:08 . 2004-08-03 20:29 29455 ------w- c:\windows\system32\drivers\ati1xbxx.sys
2009-09-13 21:08 . 2004-08-03 20:29 26367 ------w- c:\windows\system32\drivers\ati1snxx.sys
2009-09-13 21:08 . 2004-08-03 20:29 21343 ------w- c:\windows\system32\drivers\ati1ttxx.sys
2009-09-13 21:08 . 2004-08-03 20:29 13824 ------w- c:\windows\system32\drivers\atinttxx.sys
2009-09-13 21:08 . 2004-08-03 20:29 14336 ------w- c:\windows\system32\drivers\atinpdxx.sys
2009-09-13 21:08 . 2004-08-03 20:29 13824 ------w- c:\windows\system32\drivers\atinmdxx.sys
2009-09-13 18:35 . 2008-06-14 17:32 272768 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-09-13 18:35 . 2008-06-14 17:32 272768 ------w- c:\windows\system32\drivers\bthport.sys
2009-09-13 18:19 . 2009-03-06 14:19 286208 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-09-13 18:19 . 2009-02-09 11:23 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-13 18:19 . 2009-02-09 11:22 111104 -c----w- c:\windows\system32\dllcache\services.exe
2009-09-13 18:19 . 2009-02-09 10:51 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-09-13 18:19 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-09-13 18:19 . 2009-06-25 08:25 735744 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-09-13 18:19 . 2009-02-09 10:51 683520 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-09-13 18:19 . 2009-02-09 10:51 736256 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-09-13 18:19 . 2009-02-09 10:51 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-09-13 18:19 . 2009-02-09 10:51 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-09-13 18:19 . 2009-02-09 11:23 2027520 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-13 18:19 . 2009-02-09 11:22 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-13 18:13 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-09-13 18:09 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-09-13 17:57 . 2008-10-15 16:36 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-09-13 17:54 . 2008-04-21 21:14 219136 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-09-13 17:04 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-13 16:56 . 2009-07-10 13:26 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-09-13 16:56 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-09-13 16:50 . 2009-09-13 16:50 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Ahead
2009-09-13 16:45 . 2008-03-25 03:48 54400 ----a-r- c:\windows\system32\drivers\NVENETFD.sys
2009-09-13 16:45 . 2008-03-25 03:47 200704 ----a-r- c:\windows\system32\fdco1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 08:26 . 2004-08-19 13:39 219648 ----a-w- c:\windows\system32\uxtheme.dll
2009-09-17 08:01 . 2001-08-31 15:00 479180 ----a-w- c:\windows\system32\perfh010.dat
2009-09-17 08:01 . 2001-08-31 15:00 79514 ----a-w- c:\windows\system32\perfc010.dat
2009-09-12 20:11 . 2009-09-03 16:25 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-09-12 16:20 . 2009-09-12 16:23 905 ----a-w- c:\programmi\Spybot - Search & Destroy.lnk
2009-09-11 12:48 . 2009-09-03 16:25 -------- d-----w- c:\programmi\File comuni\InstallShield
2009-09-03 14:44 . 2009-09-03 14:44 -------- d-----w- c:\programmi\microsoft frontpage
2009-09-03 14:43 . 2009-09-03 14:43 -------- d-----w- c:\programmi\Servizi in linea
2009-09-03 14:41 . 2009-09-03 14:41 21840 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-05 08:59 . 2004-08-19 13:39 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:34 . 2004-08-19 13:39 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:34 . 2001-08-31 15:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-26 14:44 . 2009-07-26 14:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2004-08-19 13:39 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 10:21 . 2004-08-19 13:39 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 16:55 . 2004-08-19 13:39 906240 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-25_22.19.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-01 22:08 . 2006-12-01 23:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
- 2006-12-01 22:08 . 2006-12-01 22:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 22:08 . 2006-12-01 23:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
- 2006-12-01 22:08 . 2006-12-01 22:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
- 2006-12-01 22:08 . 2006-12-01 22:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08 . 2006-12-01 23:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08 . 2006-12-01 23:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
- 2006-12-01 22:08 . 2006-12-01 22:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 22:08 . 2006-12-01 23:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
- 2006-12-01 22:08 . 2006-12-01 22:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
- 2006-12-01 22:08 . 2006-12-01 22:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08 . 2006-12-01 23:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08 . 2006-12-01 23:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
- 2006-12-01 22:08 . 2006-12-01 22:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 22:08 . 2006-12-01 23:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
- 2006-12-01 22:08 . 2006-12-01 22:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
- 2006-12-01 22:08 . 2006-12-01 22:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 22:08 . 2006-12-01 23:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
- 2009-09-12 16:22 . 2009-09-23 22:53 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-09-12 16:22 . 2009-09-28 00:04 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2006-12-01 20:54 . 2006-12-01 21:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
- 2006-12-01 20:54 . 2006-12-01 20:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
- 2006-12-01 20:54 . 2006-12-01 20:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 20:54 . 2006-12-01 21:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
- 2006-12-01 20:54 . 2006-12-01 20:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 20:54 . 2006-12-01 21:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\programmi\Internet Download Manager\IDMan.exe" [2009-09-12 2606512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLSTATEXE"="c:\program files\D-Link\DSL-200\dslstat.exe" [2005-12-12 344064]
"DSLAGENTEXE"="c:\program files\D-Link\DSL-200\dslagent.exe" [2005-08-25 65536]
"WireLessMouse"="c:\programmi\Nortek Office Multimedia Keyboard & Mouse Driver\MouseDrv.exe" [2005-11-03 286720]
"WireLessKeyboard"="c:\programmi\Nortek Office Multimedia Keyboard & Mouse Driver\PS2USBKbdDrv.exe" [2005-11-03 925696]
"StartCCC"="c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"COMODO Internet Security"="c:\programmi\COMODO\COMODO Internet Security\cfp.exe" [2009-09-23 1799952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-10-28 17331200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
scandisk.lnk - c:\windows\system32\rundll32.exe [2004-8-19 33280]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^scandisk.dll]
path=c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\scandisk.dll
backup=c:\windows\pss\scandisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^scandisk.lnk]
path=c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\scandisk.lnk
backup=c:\windows\pss\scandisk.lnkStartup

[HKLM\~\startupfolder\^NTUSER.DAT]
path=\NTUSER.DAT
backup=c:\windows\pss\NTUSER.DATStartup

[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG
backup=c:\windows\pss\ntuser.dat.LOGStartup

[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini
backup=c:\windows\pss\ntuser.iniStartup

[HKLM\~\startupfolder\^protect.dll]
path=\protect.dll
backup=c:\windows\pss\protect.dllStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Programmi\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Programmi\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Programmi\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Programmi\\TVersity\\Media Server\\MediaServer.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [12.09.2009 19:12 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12.09.2009 19:12 25160]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [11.09.2009 14:50 93184]
S2 firjvxsiikp;firjvxsiikp;\??\c:\windows\system32\drivers\mywspwalqfb.sys c:\windows\system32\drivers\mywspwalqfb.sys
S2 ifdchzfc;ifdchzfc;\??\c:\windows\system32\drivers\ijinksqycodowp.sys c:\windows\system32\drivers\ijinksqycodowp.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contenuto della cartella 'Scheduled Tasks'

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1292428093-725345543-500Core.job
- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-09-25 08:51]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1292428093-725345543-500UA.job
- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-09-25 08:51]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://google.it/
uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/
IE: Download all links with IDM - c:\programmi\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\programmi\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\programmi\Internet Download Manager\IEExt.htm
LSP: c:\windows\system32\idmmbc.dll
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\qw4fhqs4.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.it
FF - component: c:\documents and settings\Administrator\Dati applicazioni\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-calc - c:\windows\system32\calc.dll
HKU-Default-Run-calc - c:\docume~1\LOCALS~1\protect.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 11:50
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1292428093-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,49,4f,b4,73,1d,a1,44,9f,48,17,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,49,4f,b4,73,1d,a1,44,9f,48,17,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\scecli.dll
c:\windows\system32\idmmbc.dll
.
Ora fine scansione: 2009-09-29 11:53
ComboFix-quarantined-files.txt 2009-09-29 09:53

Pre-Run: 419'652'222'976 byte disponibili
Post-Run: 419'642'236'928 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

355 --- E O F --- 2009-09-19 22:17

[Amantide]

Quindi virtumonde sembra sia scomparso, però stranamente appare il nome nella barra di stato

Puoi spiegarti meglio o meglio ancora postare lo screenshot?

Comunque ora il pc sembra essere pulito, ora per disinstallare Combofix devi devi andare su Start>> Esegui ed eseguire questo comando combofix /u

[veeto]

Se vedi nell'img, in basso, vicino ai numeri c'è scritto Virtumonde.

[ba_61]

Se vedi nell'img, in basso, vicino ai numeri c'è scritto Virtumonde.

E' un file del Database di Spybot: in quel momento sta verificando l'eventuale presenza di Virtumond.sdn.

[veeto]

Ok,
ora rimane solo questo scandisk che vedo dal menù di avvio di msnconfig.

Anche se lo deselziono, al riavvio è di nuovo spuntato...

[Amantide]

Ho provato a fare un po' di ricerche, ma non si capisce precisamente di cosa si tratta.
Intanto carica il file scandisk.dll su www.virustotal.com e vedi di cosa si tratta. Caso mai lo potrai anche rinominare il file, tipo scandisk.old e se non succederà niente di che , potrai anche rimuoverlo..