Olimpo Informatico

surfing86 · Mortale devoto Registrato: 14/05/08 14:17 Messaggi: 7

Salve sono nuovo.
S.o. utilizzato = Win XP sp2
Antivirus = McAfee VirusScan 8.0 (agggiornato)
Ripristino configurazione di sistema DISattivato
Praticamente il suddetto antivirus mi rileva il trojan così :

WLCtrl32.dll Downloader.gen.a (Cavallo di Troia).

lo elimina, ma al riavvio ricompare.Allora ho utilizzato Malwarebytes Antimalware, ho fatto la scansione e mi ha eliminato la chiave di registro che ri-genera il .dll

Niente da fare, il .dll viene rigenerato al riavvio del pc
Una cosa molto strana è che non riesco a installare HijackThis, perckè si riavvia il desktop ogni qual volta tento solo di selezionare il file.

Vi allego il log di Malwarebytes:

Malwarebytes' Anti-Malware 1.12
Versione del database: 745

Tipo di scansione: Scansione rapida
Elementi scansionati: 43251
Tempo trascorso: 6 minute(s), 40 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 2
Valori di registro infetti: 1
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 4

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime (Rootkit.Agent) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\WINDOWS\system32\dllsys.dll (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3_exception.nls (Trojan.Tibs) -> Quarantined and deleted successfully.

e quello della scansione completa effettuata in seguito:

Malwarebytes' Anti-Malware 1.12
Versione del database: 745

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 306401
Tempo trascorso: 44 minute(s), 40 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)

Aiutatemi sono esasperato, grazie mille!

chemicalbit · Dio maturo Registrato: 01/04/05 18:59 Messaggi: 18597 Residenza: Milano

bdoriano

Giusto per sicurezza, fai anche questo controllo. Think

surfing86 · Mortale devoto Registrato: 14/05/08 14:17 Messaggi: 7

chemicalbit · Dio maturo Registrato: 01/04/05 18:59 Messaggi: 18597 Residenza: Milano

E Combofix?
E il controllo nel registro che ha detto bdoriano?

surfing86 · Mortale devoto Registrato: 14/05/08 14:17 Messaggi: 7

surfing86 · Mortale devoto Registrato: 14/05/08 14:17 Messaggi: 7

Altra buona notizia: sono riuscito a installara hijack this senza problemi(molto probabilmente era stesso il trojan che nn mi permetteva di farlo)

log :

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:29, on 2008-05-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\Network Associates\Common Framework\FrameworkService.exe
C:\Programmi\Network Associates\VirusScan\Mcshield.exe
C:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\Programmi\Network Associates\VirusScan\SHSTAT.EXE
C:\Programmi\Microsoft Hardware\Mouse\point32.exe
C:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe
C:\Programmi\Network Associates\Common Framework\UpdaterUI.exe
C:\Programmi\Lexmark 2300 Series\lxcgmon.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Microsoft Hardware\Keyboard\type32.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\s****\Documenti\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-000000000000} - C:\Documents and Settings\l***i\426172526.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmi\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Programmi\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmi\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Programmi\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Programmi\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Programmi\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: sysfldr - sysfldr.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Programmi\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: Servizio di framework di McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Programmi\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmi\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmi\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

chemicalbit · Dio maturo Registrato: 01/04/05 18:59 Messaggi: 18597 Residenza: Milano

Log di combofix è quello, ma è (decisamente!) troncato.

L'hai aaccorciatuo tu?
Se sì postalo pe rintero.

Altimenti prova a rifarlo.

ah, e ricordati di disattivare gli antivirus in tempo reale
(e tutti i programmi inutili) prima di avviare Combofix.

surfing86 · Mortale devoto Registrato: 14/05/08 14:17 Messaggi: 7

dal log di hijack this siete riusciti a percepire qualcosa di anomalo o tutto va bene?
Il log di combofix non l ho troncato e l' ho eseguito con antivirus disattivato e programmi chiusi.

daysleeper · Semidio Registrato: 25/04/08 00:01 Messaggi: 371

surfing86 · Mortale devoto Registrato: 14/05/08 14:17 Messaggi: 7

Grazie per l 'aiuto finalmente i virus sono stati tutti rimossi.
Però noto un forte rallentamento nel caricare i servizi iniziali, all' accensione del pc.
Come mai ?

bdoriano

Purtroppo, non ci sono abbastanza elementi (manca il log completo di combofix) per poterti dire qualcosa di più. Rolling Eyes

Riprova a fare la scansione con combofix.

surfing86 · Mortale devoto Registrato: 14/05/08 14:17 Messaggi: 7

ecco il log di combofix :

ComboFix 08-05-12.1 - s***o 2008-05-23 12:28:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.854 [GMT 2:00]
Eseguito da: C:\Documents and Settings\s****\Documenti\Download\Installazioni\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Programmi\Mozilla Firefox\plugins\NPNd2fn.dll
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
c:\windows\system32\Drivers\Cgj71.sys

.
((((((((((((((((((((((((( Files Creati Da 2008-04-23 al 2008-05-23 )))))))))))))))))))))))))))))))))))
.

2008-05-14 15:51 . 2008-05-14 15:51 <DIR> d-------- C:\Documents and Settings\amministratore\Dati applicazioni\Malwarebytes
2008-05-14 15:19 . 2008-05-14 15:25 100 --a------ C:\index.ini
2008-05-14 12:31 . 2008-05-15 20:56 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-05-14 12:31 . 2008-05-14 12:31 <DIR> d-------- C:\Documents and Settings\s***o\Dati applicazioni\Malwarebytes
2008-05-14 12:31 . 2008-05-14 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-05-14 09:31 . 2008-05-14 11:28 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Avira
2008-05-14 09:18 . 2008-05-14 09:18 <DIR> d-------- C:\Programmi\Uniblue
2008-05-14 09:18 . 2008-05-14 09:18 <DIR> d-------- C:\Documents and Settings\s***o\Dati applicazioni\Uniblue
2008-05-12 15:15 . 2008-05-12 15:15 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-05-11 20:56 . 2004-08-19 16:39 236,544 --a------ C:\WINDOWS\system32\rasapi32.dll
2008-05-11 20:56 . 2004-08-19 16:39 236,544 --a--c--- C:\WINDOWS\system32\dllcache\rasapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 12:08 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-05-21 12:08 --------- d-----w C:\Programmi\Sierra Entertainment
2008-05-20 20:09 --------- d-----w C:\Programmi\DAP
2008-05-19 06:32 --------- d-----w C:\Programmi\Lexmark 2300 Series
2008-05-18 18:47 --------- d-----w C:\Programmi\eMule
2008-05-18 15:08 --------- d-----w C:\Documents and Settings\s***\Dati applicazioni\OpenOffice.org2
2008-05-14 16:46 --------- d-----w C:\Programmi\INSTAFINK
2008-05-05 20:31 --------- d-----w C:\Programmi\DivX
2008-04-26 15:07 --------- d-----w C:\Programmi\Rebel Raiders Operation Nighthawk
2008-04-17 18:20 --------- d-----w C:\Programmi\GTactix
2008-04-14 18:41 --------- d-----w C:\Documents and Settings\papà\Dati applicazioni\OpenOffice.org2
2008-03-30 11:55 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\MsvThumbs
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2004-03-01 11:25 114,688 ----a-w C:\Programmi\internet explorer\plugins\ChimeShim.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-15_11.15.37.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-15 08:36:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 10:24:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14D1A72D-8705-11D8-B120-000000000000}]
C:\Documents and Settings\l****i\426172526.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"NBJ"="C:\Programmi\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 19:25 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ShStatEXE"="C:\Programmi\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-04-13 23:24 282624]
"POINTER"="point32.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"PCLEUSBTip"="C:\Programmi\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [ ]
"Network Associates Error Reporting Service"="C:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"McAfeeUpdaterUI"="C:\Programmi\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"lxcgmon.exe"="C:\Programmi\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 08:07 200704]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"IntelliType"="C:\Programmi\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 06:41 94208]
"InCD"="C:\Programmi\Ahead\InCD\InCD.exe" [2005-07-26 04:01 1397760]
"EzPrint"="C:\Programmi\Lexmark 2300 Series\ezprint.exe" [2005-08-01 14:05 94208]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:00 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BlueSoleil.lnk - C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-04-28 10:41:24 633856]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sysfldr]
sysfldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cgj71.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Programmi\\DAP\\DAP.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Programmi\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Programmi\\ViaVoice\\Bin\\engine.exe"=
"C:\\Programmi\\ViaVoice\\Bin\\userwiz.exe"=
"C:\\Programmi\\ViaVoice\\Bin\\smart.exe"=
"C:\\Programmi\\ViaVoice\\Bin\\ewiz.exe"=
"C:\\Programmi\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Programmi\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Programmi\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Programmi\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Programmi\\MATLAB7\\bin\\win32\\MATLAB.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Programmi\\Java\\jdk1.5.0_12\\bin\\javaw.exe"=
"C:\\Programmi\\Java\\jdk1.5.0_12\\bin\\java.exe"=
"C:\\Programmi\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Programmi\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Programmi\\Sierra Entertainment\\Versione demo di World in Conflict\\wic.exe"=
"C:\\Programmi\\Sierra Entertainment\\World in Conflict Trial\\wic_online.exe"=
"C:\\Programmi\\Sierra Entertainment\\World in Conflict Trial\\wic_ds.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1755:TCP"= 1755:TCP:emuleTCP
"1756:UDP"= 1756:UDP:emuleUDP

R1 Ext2fs;Ext2fs;C:\WINDOWS\system32\DRIVERS\ext2fs.sys [2006-10-23 19:20]
R1 IfsDrives;IfsDrives;C:\WINDOWS\system32\DRIVERS\IfsDrives.sys [2004-09-25 01:28]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2007-06-25 13:40]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 14:56]
S3 CommDrv;CommDrv;C:\WINDOWS\system32\CommDrv.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 23:10]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b4fa0ac-820f-11db-a98f-00030d000001}]
\Shell\AutoRun\command - setupSNK.exe

*Newly Created Service* - ENTDRV51
.
Contenuto della cartella 'Scheduled Tasks'
"2008-02-17 16:08:39 C:\WINDOWS\Tasks\aacf.job"
- c:\windows\system32\lsatcufc.exe
"2007-07-30 18:00:54 C:\WINDOWS\Tasks\aalvjz.job"
- c:\windows\system32\lsatcufc.exe
"2007-04-28 11:22:17 C:\WINDOWS\Tasks\abh.job"
- c:\windows\system32\lsatcufc.exe
"2007-09-04 06:09:59 C:\WINDOWS\Tasks\abl.job"

bdoriano

Crea un file di testo con le seguenti istruzioni (ricordati di mettere il nome utente al posto degli asterischi, altrimenti c'è il rischio di danni):