Infezione da Antimalware doctor [Era:Ragazzi aiutatemi]

[Alberto_982]

Ragazzi aiutatemi sono sotto un continuo attacco di virus e messaggi di errore. Poi mi si attiva sempre un certo Antimalware doctor che fà finta di fare scansioni e mi inceppa tutto!!!

Questo è il log di Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 20.20.07, on 17/05/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Windows\Documenti\Programmi&Giochi\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe "
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1241204908359
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" -r (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

Che devo fare??? AIUTATEMI, Grazie

[menatwork]

ciao

scarica malwarebytes

Aggiornalo: clicca sulla scheda "aggiornamenti" => "controlla aggiornamenti"
Esegui una "scansione completa" (seleziona l'opzione)
A scansione completa, fai clic su OK => Mostra i Risultati.

disattiva il tuo antivirus

scarica combofix sul desktop ed eseguilo

- esegui ComboFix.exe
- digita 1
- segui le instruzioni
- finita la scansione portati in C:\ e copia/incolla, nella tua prossima risposta, il contenuto del file di testo Combofix.txt

[Alberto_982]

Adesso ci provo e ti posto i risultati!
Comunque il malware che mi ha attaccato si chiama "Antimalware doctor" e lo vedo anche in Pannello di controllo/Installazione applicazioni

[Alberto_982]

Ho eseguito la scansione con Malwarebytes e mi ha trovato 16 elementi infetti che ho provveduto ad eliminare (tra cui mi sembra c'era anche questo famoso Antimalware doctor).
Questo di seguito è il log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versione database: 4110

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

17/05/2010 22.14.44
mbam-log-2010-05-17 (22-14-44).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi esaminati: 206523
Tempo trascorso: 1 ore, 26 minuti, 46 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 5
Valori di registro infetti: 0
Voci infette nei dati di registro: 3
Cartelle infette: 1
File infetti: 7

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\CLSID\{b03a4be6-5e5a-b9b3-483e-c484d4b20b72} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> No action taken.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> No action taken.

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Cartelle infette:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

File infetti:
C:\Documents and Settings\Windows\Dati applicazioni\7F70BB0E012A286E89CA3C684C4169BA\gotn ewupdate000.exe (Malware.Packer.Gen) -> No action taken.
C:\Documents and Settings\Windows\Impostazioni locali\Temporary Internet Files\Content.IE5\A9WZ8HCN\gotnewupdate000[1].exe (Malware.Packer.Gen) -> No action taken.
C:\System Volume Information\_restore{92B71C1E-0A5B-47A2-8E6E-C4086EE97318}\RP234\A0206208.dll (Rogue.AntimalwareDoctor) -> No action taken.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\softqq0.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> No action taken.

[Alberto_982]

Questo invece è il log di combofix:

ComboFix 10-05-16.02 - Windows 17/05/2010 22.28.52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2047.1669 [GMT 2:00]
Eseguito da: c:\documents and settings\Windows\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))) )
.

c:\documents and settings\Windows\Dati applicazioni\7F70BB0E012A286E89CA3C684C4169BA
c:\documents and settings\Windows\Dati applicazioni\7F70BB0E012A286E89CA3C684C4169BA\enem ies-names.txt
c:\documents and settings\Windows\Dati applicazioni\ATManager
c:\documents and settings\Windows\Dati applicazioni\ATManager\metafiles\e7e2135bcdfc87179 deacdb1cdac8b7a.torrent
c:\windows\system32\Cache
c:\windows\system32\vb40032.dll

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_AVPsys
-------\Service_Iprip


((((((((((((((((((((((((( Files Creati Da 2010-04-17 al 2010-05-17 )))))))))))))))))))))))))))))))))))
.

2010-05-17 18:46 . 2010-05-17 18:46 -------- d-----w- c:\documents and settings\Windows\Dati applicazioni\Malwarebytes
2010-05-17 18:45 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 18:45 . 2010-05-17 18:45 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-05-17 18:45 . 2010-05-17 18:45 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-05-17 18:45 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 18:33 . 2010-05-17 18:33 -------- d-----w- c:\programmi\Enigma Software Group
2010-05-17 18:32 . 2010-05-17 18:42 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
2010-05-17 20:18 . 2009-11-17 15:21 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2010-05-17 19:15 . 2007-07-17 19:28 -------- d-----w- c:\programmi\Sports Interactive
2010-05-17 18:53 . 2004-08-03 22:07 223616 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-05-17 18:32 . 2009-03-04 19:09 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2010-05-16 21:42 . 2007-07-14 08:16 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-05-16 21:42 . 2009-07-10 21:02 -------- d-----w- c:\programmi\THQ
2010-05-05 11:34 . 2009-11-17 15:23 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-05 11:34 . 2009-11-17 15:23 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-12 03:56 . 2009-09-12 07:01 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\NOS
2010-03-28 07:18 . 2001-08-31 12:00 558014 ----a-w- c:\windows\system32\perfh010.dat
2010-03-28 07:18 . 2001-08-31 12:00 107996 ----a-w- c:\windows\system32\perfc010.dat
2010-03-25 07:37 . 2010-03-25 07:37 -------- d-----w- c:\programmi\NAMCO BANDAI Games
2010-03-25 07:35 . 2008-03-17 20:10 -------- d-----w- c:\documents and settings\Windows\Dati applicazioni\File de La Battaglia per la Terra di Mezzo™ II
2010-03-08 20:00 . 2010-03-08 20:00 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-03-08 18:41 . 2008-02-17 00:19 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-17 16:06 . 2009-11-17 16:06 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"MsmqIntCert"="mqrt.dll" [2004-08-19 177152]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_0 1\bin\jusched.exe" [2007-03-14 83608]
"Tweak UI"="TWEAKUI.CPL" [2006-01-15 106544]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"nwiz"="nwiz.exe" [2006-08-11 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2006-08-11 86016]
"DAEMON Tools"="c:\programmi\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"C-Media Mixer"="Mixer.exe" [2002-01-28 1228800]
"PCSuiteTrayApplication"="c:\programmi\Nokia\N okia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2009-01-05 413696]
"avp"="c:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-05-25 303376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
"Nokia.PCSync"="c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\NAMCO BANDAI Games\\Warhammer® Mark of Chaos\\Warhammer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [15/12/2008 21.41.32 33808]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [17/07/2007 21.24.23 664064]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sa sdifsv.sys [17/02/2009 12.43.28 8944]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SA SKUTIL.SYS [17/02/2009 12.43.28 55024]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [13/05/2009 18.46.52 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [16/05/2009 21.59.44 19472]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regg uard.sys [27/12/2007 23.10.56 25837]
S3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASE NUM.SYS [17/02/2009 12.43.30 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.alice.it/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source? }
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Windows\Dati applicazioni\Mozilla\Firefox\Profiles\t9ry4dyq.def ault\
FF - component: c:\programmi\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\compone nts\KavLinkFilter.dll
.
.
------- Associazioni dei file -------
.
.scr=AutoCADScriptFile
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

URLSearchHooks-{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - (no file)
BHO-{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - (no file)
Toolbar-{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - (no file)
WebBrowser-{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7} - (no file)



************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 22:36
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

************************************************** ************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8A5320E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8a5320e8
\Driver\ACPI -> ACPI.sys @ 0xf74c3cb8
\Driver\atapi -> atapi.sys @ 0xf78452f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7a24ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7a31b21
SendHandler -> NDIS.sys @ 0xf7a0f87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\T cpip6]
"ImagePath"="system32\drivers\tcpip6.kav"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(1228)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2848)
c:\windows\system32\WPDShServiceObj.dll
c:\programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\programmi\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\programmi\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_ita.nlr
c:\programmi\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\msdtc.exe
c:\windows\RTHDCPL.EXE
c:\windows\Mixer.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\mqtgsvc.exe
.
************************************************** ************************
.
Ora fine scansione: 2010-05-17 22:43:49 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-05-17 20:43

Pre-Run: 7.367.876.608 byte disponibili
Post-Run: 7.264.366.592 byte disponibili

- - End Of File - - EF930938179E42AA112A05454FBA4B73


Che devo fare adesso???

[menatwork]

elimina quello che malwarebytes ha rile vato, nel frattempo controllo bene combofix, c'e' altro da eliminare

[Alberto_982]

Grazie mille menatwork sei stato gentilissimo.

Nel frattempo che mi fai sapere se c'è qualcos'altro da eliminare... sembra che il mio PC vada molto meglio adesso.

Quel lurido "Antimalware Doctor" sembra essere sparito (infatti in installazione applicazioni del pannello di controllo non lo vedo più)

[Alberto_982]

L'unico piccolo problema che vedo al momento (e spero sia un piccolo problema), è in basso a destra. E' molto strano che l'ora di windows venga riportata con uno zero davanti... tipo 08:00 cosa significa? Che io sappia lo zero davanti non c'è mai stato

[menatwork]

controlliamo l'MBR per ora e' piu' importante dell'orologio di windows


scarica mbr.exe in C:\

vai in provvisoria

Da Start - Esegui - digita C:\mbr.exe e dai OK

Posta il log che troverai in C:\ come mbr.log

[Alberto_982]

menatwork adesso sono al lavoro. Stasera quando torno a casa scarico questo MBR e ti posto il log. Una volta scaricato... come faccio ad andare in modalità provvisoria?