sradicare SERVICES.exe e rootkit

[Mollycon]

Sono un nuovo utente del Forum e, dopo aver apprezzato la professionalità e la serietà dei moderatori, ho deciso di iscrivermi per cercare di risolvere un pò di problemi che affliggono il mio PC. Il principale elemento di disturbo è il famigerato services.exe che mi si ripresenta ad ogni riavvio del pc, probabilmente collegato ad un paio di svchost.exe che apparentemente non sono agganciati a nessun servizio attivo (lo vedo aprendo il process explorer, come da immagine allegata), ma che poi crea un file .tmp in Windows\temp (il nome cambia sempre) e che per fortuna il mio antivirus (GData) individua immediatamente e immunizza. Altro probema è rappresentato dal file msxsltsso.dll presente in system 32 che viene riconosciuto da GData come win32:rootkitgen e posto in quarantena. Infine, proprio stamattina ho effettuato uno scan con Sdfix in modalità provvisoria ed è stato individuato un trojan in Documents and settings\utente\impostazioni locali\temp\ denominato ubi3D.tmp.exe che è stato eliminato. Benchè il mio PC vada comunque bene ed il mio antivirus (Gdata Internet Security 2010) riesca ad intercettare queste minacce, vorrei comunque potermene liberare una volta per tutte. Mi potete aiutare? Approfitto per augurare a tutto il forum auguri di buona Pasqua!!

[menatwork]

Buongiorno e Buona Pasqua


scarica hijackthis da qui

lancia il programma cliccando l’eseguibile e avvia la scansione, scegliendo la voce "Do a system scan and save a logfile"

Ricordati di mettere HIJACKTHIS in una cartella a lui dedicata (in Programmi o Documenti), l'importante è che non si trovi sul desktop o in cartelle temporanee è importante se vuoi salvare i backup

Posta il log che rilascia

[Mollycon]

Ecco il log di Hijackthis (scusa, ho fatto casino nel postare il log, cercavo di allegare l'immagine e non tutto il testo, ora è a posto):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.47.47, on 04/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\File comuni\G DATA\AVKProxy\AVKProxy.exe
C:\Programmi\G Data\InternetSecurity\AVK\AVKService.exe
C:\Programmi\G Data\InternetSecurity\AVK\AVKWCtl.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\G DATA\GDScan\GDScan.exe
C:\Programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Programmi\BUFFALO\NASNAVI\nassvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\CDBurnerXP\NMSAccessU.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\G Data\InternetSecurity\AVKTray\AVKTray.exe
C:\ADVANC~1\wh_exec.exe
C:\Programmi\BUFFALO\NASNAVI\NasNavi.exe
C:\Programmi\BUFFALO\NASNAVI\nassche.exe
C:\Documents and Settings\mauro\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.23\GoogleCrashH andler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Antimalware vari\Hijackthis\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...8&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...8&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askR...gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Programmi\AskSearch\bin\DefaultSearch.dll
O2 - BHO: G Data WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programmi\G Data\InternetSecurity\Webfilter\AVKWebIE.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: G Data WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programmi\G Data\InternetSecurity\Webfilter\AVKWebIE.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [G DATA AntiVirus Trayapplication] C:\Programmi\G Data\InternetSecurity\AVKTray\AVKTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\ADVANC~1\wh_exec.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\mauro\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programmi\File comuni\Wise Installation Wizard\WISC5C1C0F0D62F4DBF81D4D7EF397C228B_9_09_08 14.MSI" TRANSFORMS="C:\Programmi\File comuni\Wise Installation Wizard\WISC5C1C0F0D62F4DBF81D4D7EF397C228B_9_09_08 14.MST" WISE_SETUP_EXE_PATH="c:\nvidia\displaydriver\190.6 2\international\PhysX_9.09.0814_SystemSoftware.exe "
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: AutorunsDisabled (User 'SYSTEM')
O4 - S-1-5-18 Startup: BUFFALO NAS Navigator.lnk = C:\Programmi\BUFFALO\NASNAVI\NasNavi.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: NAS Scheduler.lnk = C:\Programmi\BUFFALO\NASNAVI\nassche.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutorunsDisabled (User 'Default user')
O4 - .DEFAULT Startup: BUFFALO NAS Navigator.lnk = C:\Programmi\BUFFALO\NASNAVI\NasNavi.exe (User 'Default user')
O4 - .DEFAULT Startup: NAS Scheduler.lnk = C:\Programmi\BUFFALO\NASNAVI\nassche.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Programmi\BUFFALO\NASNAVI\NasNavi.exe
O4 - Startup: NAS Scheduler.lnk = C:\Programmi\BUFFALO\NASNAVI\nassche.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Programmi\PokerStars.IT\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O21 - SSODL: GootkitSSO - {C2F8BE0B-F46E-4ACB-BAC0-DF964668C0E1} - C:\WINDOWS\System32\msxsltsso.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: G Data AntiVirus Proxy (AVKProxy) - G Data Software AG - C:\Programmi\File comuni\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: G Data Scheduler (AVKService) - G Data Software AG - C:\Programmi\G Data\InternetSecurity\AVK\AVKService.exe
O23 - Service: G Data Guardiano del file system (AVKWCtl) - G Data Software AG - C:\Programmi\G Data\InternetSecurity\AVK\AVKWCtl.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: G Data Scanner (GDScan) - G Data Software AG - C:\Programmi\File comuni\G DATA\GDScan\GDScan.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NAS PM Service (NasPmService) - BUFFALO INC. - C:\Programmi\BUFFALO\NASNAVI\nassvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programmi\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 8126 bytes

[menatwork]

Lancia HiJackThis -> Clicca Do a scan only -> Metti la spunta a fianco della riga che ti segnalo qui sotto -> Clicca su Fix Checked

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/ask...amp;gc=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/ask...amp;gc=1&q=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/ask...p;gc=1&q=%s

O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)

O21 - SSODL: GootkitSSO - {C2F8BE0B-F46E-4ACB-BAC0-DF964668C0E1} - C:\WINDOWS\System32\msxsltsso.dll (file missing)

scarica malwarebytes

Aggiornalo: clicca sulla scheda "aggiornamenti" => "controlla aggiornamenti"
Esegui una "scansione completa" (seleziona l'opzione)
A scansione completa, fai clic su OK => Mostra i Risultati.
Assicurarti che tutto sia selezionato e clicca clic su Rimuovi selezionati.
Se ti chiede di riavviare, riavvia per completare il processo di pulizia.
Posta il rapporto .

[Mollycon]

Ecco il rapporto di scanszione di malwarebytes:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Versione database: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

04/04/2010 16.09.45
mbam-log-2010-04-04 (16-09-45).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi esaminati: 188581
Tempo trascorso: 24 minuti, 36 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 1
Valori di registro infetti: 0
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 0

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
(Non sono stati rilevati elementi nocivi)

[menatwork]

fai un po' di pulizia

scarica ccleaner da qui


In fase d’installazione togli la spunta altrimenti viene installata Yahoo Tollbar.
Avvialo e clicca su:
- Opzioni Avanzate
Togli la spunta da:
- Elimina file solo se più vecchi di 48 ore
Clicca i tasti:
- Pulizia (il primo in alto a Sinistra)
- Analizza ( Pulsante in basso Centrale)
- Avvia Pulizia (Pulsante in basso a Destra)

Correzione errori File di Registro
CCleaner
Clicca i tasti:
- Registro (Secondo tasto in alto a Sinistra)
- Trova Problemi (Pulsante in basso Centrale)
- Ripara selezionati Pulsante in basso a Destra
- alla domanda:
- Vuoi eseguire il Backup delle modifiche del Registro”
- clicca:
- SI

scarica ATF-Cleaner
(Non richiede installazione)

Spunta la voce:
- Select all
Premi il tasto:
- Empty Select


disattiva l'antivirus


scarica combofix sul desktop ed eseguilo

(non installare la recovery console)
Lascia lavorare il programma senza interferire
Allega il rapporto C:\ComboFix.txt nella tua risposta.

[Mollycon]

Ho già il CCleaner versione 225 posso usare questa o è meglio riscaricarla dal link che mi hai dato tu? A proposito, il tuo link mi rimanda ad un altro sito per il download (vedi allegato), va bene?

[menatwork]

il link che ti ho dato e' quello del sito ufficiale

http://www.ccleaner.com/

[Mollycon]

Allego il report finale di combofix (sono due parti poichè troppo lungo). Tengo tuttavia a precisare che alla fine del processo Combofix ha riavviato il pc e appena riattivato l'antivirus ecco riapparire il "maledetto" services.exe, ecco il report di Gdata, che lo hai poi disinfettato:

Virus: Win32:Malware-gen
File: BNB.tmp
Directory: C:\WINDOWS\temp
Processo: services.exe

Comunque ho la sensazione che questo malware venga richiamato da uno dei due svchost di cui ti ho parlato nel primo post ma potrei sbagliare.

log combofix parte prima
-----------------------
ComboFix 10-04-03.02 - mauro 04/04/2010 18.36.23.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3326.2748 [GMT 2:00]
Eseguito da: c:\antimalware vari\Combofix\ComboFix.exe
AV: G Data InternetSecurity 2010 *On-access scanning disabled* (Updated) {71310606-6F3B-49F2-9A81-8315AA75FBB3}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))) )
.

c:\$recycle.bin\S-1-5-21-2020141486-3086581876-3591650722-1001
c:\documents and settings\All Users\Desktop\AntiMalware.lnk
c:\documents and settings\mauro\Dati applicazioni\plugcach.fon
c:\programmi\AskSearch\bin\DeFAultsearch.dll
c:\windows\AppPatch\AcAdProc.dll
c:\windows\eSellerateEngine.dll
c:\windows\Install.txt
c:\windows\system32\Install.txt

.
((((((((((((((((((((((((( Files Creati Da 2010-03-04 al 2010-04-04 )))))))))))))))))))))))))))))))))))
.

2010-04-04 16:16 . 2010-04-04 16:29 -------- d-----w- c:\programmi\CCleaner
2010-03-29 15:47 . 2010-03-29 15:47 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-03-27 20:54 . 2010-03-27 20:54 -------- d-----w- c:\documents and settings\mauro\Dati applicazioni\Ubisoft
2010-03-27 20:54 . 2010-03-27 20:54 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Ubisoft
2010-03-27 12:18 . 2010-04-04 13:36 5918776 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-26 16:52 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-03-26 16:52 . 2009-09-04 16:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-03-26 16:52 . 2009-09-04 16:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-03-26 16:52 . 2009-09-04 16:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-03-26 16:52 . 2009-09-04 16:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-03-19 20:48 . 2010-03-19 20:48 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Pendulo Studios
2010-03-14 11:30 . 2010-03-22 19:41 -------- d-----w- c:\documents and settings\mauro\Dati applicazioni\vlc
2010-03-10 18:20 . 2010-03-10 18:20 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
2010-04-04 16:40 . 2009-12-25 14:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-04-04 16:40 . 2009-12-25 14:27 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-04 13:37 . 2009-12-28 12:29 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-03-30 17:24 . 2010-01-27 10:50 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Zoom Player
2010-03-29 22:46 . 2009-12-28 12:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2009-12-28 12:29 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 15:52 . 2009-09-21 14:09 -------- d-----w- c:\programmi\AskBarDis
2010-03-28 06:31 . 2004-08-30 20:00 79514 ----a-w- c:\windows\system32\perfc010.dat
2010-03-28 06:31 . 2004-08-30 20:00 479180 ----a-w- c:\windows\system32\perfh010.dat
2010-03-27 20:41 . 2009-12-05 18:04 -------- d-----w- c:\programmi\Ubisoft
2010-03-27 20:41 . 2009-09-21 13:17 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-03-27 13:14 . 2009-10-02 13:24 -------- d-----w- c:\programmi\PokerStars.IT
2010-03-16 17:30 . 2009-11-27 08:20 -------- d-----w- c:\programmi\Driver Cleaner
2010-03-13 12:56 . 2009-09-22 18:30 -------- d-----w- c:\programmi\File comuni\Adobe
2010-03-06 19:07 . 2010-03-04 14:35 -------- d-----w- c:\programmi\Activision
2010-03-06 13:13 . 2009-09-21 13:30 61072 ----a-w- c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-03-05 16:13 . 2010-01-29 20:21 -------- d-----w- c:\documents and settings\mauro\Dati applicazioni\dvdcss
2010-03-05 16:02 . 2010-03-05 16:02 -------- d-----w- c:\programmi\eMule
2010-03-03 17:14 . 2010-01-03 11:46 -------- d-----w- c:\documents and settings\mauro\Dati applicazioni\Canon
2010-03-03 13:45 . 2010-03-03 13:40 -------- d-----w- c:\programmi\Jasc Software Inc
2010-03-03 13:04 . 2010-03-03 13:02 -------- d-----w- c:\programmi\Psp7 portable
2010-02-27 09:05 . 2010-02-27 09:05 -------- d-----w- c:\programmi\Tipard Studio
2010-02-27 08:44 . 2010-01-31 10:31 -------- d-----w- c:\documents and settings\mauro\Dati applicazioni\WindSolutions
2010-02-27 08:44 . 2010-01-31 10:31 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\WindSolutions
2010-02-21 09:35 . 2010-02-21 09:35 -------- d-----w- c:\documents and settings\mauro\Dati applicazioni\HandBrake
2010-02-21 09:35 . 2010-02-21 09:35 -------- d-----w- c:\programmi\Handbrake
2010-02-16 21:20 . 2009-09-21 14:09 -------- d-----w- c:\programmi\Glary Utilities
2010-02-14 17:19 . 2010-02-14 17:19 -------- d-----w- c:\programmi\Google
2010-02-10 10:36 . 2010-02-10 10:36 -------- d-----w- c:\programmi\Logitech Touch Mouse Server
2010-02-09 18:54 . 2010-02-09 18:54 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\KONAMI
2010-02-07 21:51 . 2010-02-07 21:51 54272 ----a-w- c:\documents and settings\mauro\Dati applicazioni\GanymedeNet\Online Games\Common\ielauncher.exe
2010-02-07 21:51 . 2010-02-07 21:51 4 ----a-w- c:\windows\system32\proc-1037709799.bin
2010-02-07 21:51 . 2010-02-07 21:51 -------- d-----w- c:\documents and settings\mauro\Dati applicazioni\GanymedeNet
2010-02-06 08:07 . 2009-09-21 14:11 -------- d-----w- c:\programmi\CDBurnerXP
2010-02-05 20:15 . 2010-02-05 20:15 -------- d-----w- c:\programmi\File comuni\DirectX
2010-02-05 19:52 . 2010-02-05 19:52 -------- d-----w- c:\documents and settings\mauro\Dati applicazioni\Canneverbe Limited
2010-02-04 17:25 . 2010-02-04 17:25 -------- d-----w- c:\documents and settings\mauro\Dati applicazioni\CopyTransPhoto
2010-01-28 13:30 . 2010-01-28 13:30 41112 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-27 10:52 . 2010-01-27 10:52 3159059 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Zoom Player\Cache\ffmpeg_0.5.exe
2010-01-27 10:52 . 2010-01-27 10:52 126326 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Zoom Player\Cache\cdda.1.0.0.1_nt.exe
2010-01-27 10:52 . 2010-01-27 10:52 177990 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Zoom Player\Cache\osavisplitter.1.3.1249.0_nt.exe
2010-01-27 10:52 . 2010-01-27 10:52 146497 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Zoom Player\Cache\osdtssource.1.2.908.0.exe
2010-01-27 10:52 . 2010-01-27 10:51 5013239 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Zoom Player\Cache\realmedia_nt.exe
2010-01-27 10:51 . 2010-01-27 10:51 35852 ----a-w- c:\windows\system32\unins000.dat
2010-01-27 10:51 . 2010-01-27 10:51 708658 ----a-w- c:\windows\system32\unins000.exe
2010-01-17 19:08 . 2009-09-28 20:26 2871064 ----a-w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
2010-01-08 19:21 . 2009-09-27 13:28 55624 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2010-01-08 19:20 . 2009-09-27 13:28 28616 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2009-03-05 16:08 . 2009-09-22 16:15 49664 ----a-w- c:\programmi\mozilla firefox\components\FFComm.dll
.

------- Sigcheck -------

[-] 2009-09-26 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2004-08-30 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Google Update"="c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2009-09-21 133104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce]
"WiseStubReboot"="MSIEXEC" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"G DATA AntiVirus Trayapplication"="c:\programmi\G Data\InternetSecurity\AVKTray\AVKTray.exe" [2010-01-06 951880]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WheelMouse"="c:\advanc~1\wh_exec.exe" [2007-11-10 98304]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2009-11-10 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\mauro\Menu Avvio\Programmi\Esecuzione automatica\
BUFFALO NAS Navigator.lnk - c:\programmi\BUFFALO\NASNAVI\NasNavi.exe [2009-9-21 1553800]
NAS Scheduler.lnk - c:\programmi\BUFFALO\NASNAVI\nassche.exe [2009-9-21 206128]

c:\documents and settings\mauro\Menu Avvio\Programmi\Esecuzione automatica\AutorunsDisabled
Logitech . Registrazione prodotti.lnk - c:\programmi\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
Logitech Touch Mouse Server.lnk - c:\programmi\Logitech Touch Mouse Server\iTouch-Server-Win.exe [2009-10-23 228352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"scan"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-disabled]
"Corel File Shell Monitor"=c:\programmi\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Programmi\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Giochi\\Pro Evolution Soccer 2010\\pes2010.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Programmi\\QuickTime\\QuickTimePlayer.exe "=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Programmi\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Programmi\\Ubisoft\\The Settlers 7 - La strada verso il regno\\Data\\Base\\_Dbg\\Bin\\Release\\Settlers7R. exe"=
"c:\\Programmi\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=
"c:\\Programmi\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=
"c:\\Programmi\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=
"c:\\Programmi\\BUFFALO\\NASNAVI\\NasNavi.exe" =

[Mollycon]

log combofix parte seconda (scusa ma non sapevo come fare diversamente)
--------------------------
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBe have.sys [27/09/2009 15.28.00 28616]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [20/10/2009 20.38.52 64288]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [27/09/2009 15.31.11 68976]
R2 AVKProxy;G Data AntiVirus Proxy;c:\programmi\File comuni\G DATA\AVKProxy\AVKProxy.exe [10/08/2009 12.03.44 1054792]
R2 AVKService;G Data Scheduler;c:\programmi\G Data\InternetSecurity\AVK\AVKService.exe [10/08/2009 12.03.44 397896]
R2 AVKWCtl;G Data Guardiano del file system;c:\programmi\G Data\InternetSecurity\AVK\AVKWCtl.exe [30/07/2009 12.33.30 1251488]
R2 GDScan;G Data Scanner;c:\programmi\File comuni\G DATA\GDScan\GDScan.exe [27/07/2009 3.03.58 302152]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\syste m32\drivers\GDTdiIcpt.sys [27/09/2009 15.28.01 51784]
R2 NasPmService;NAS PM Service;c:\programmi\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\programmi\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]
R3 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\Mini Icpt.sys [27/09/2009 15.28.58 55624]
R3 HookCentre;HookCentre;c:\windows\system32\drivers\ HookCentre.sys [28/09/2009 17.11.16 34632]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [26/01/2007 0.45.02 6784]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate. exe [14/02/2010 19.19.09 135664]
S3 GrabsterSeries.X86;GRABSTER SERIES, Service X86;c:\windows\system32\drivers\GrabsterSeries.X86 .SYS [28/11/2007 2.21.56 310016]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus .sys [20/06/2009 20.08.31 63640]
S4 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys --> c:\windows\system32\drivers\bdfm.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contenuto della cartella 'Scheduled Tasks'

2010-04-04 c:\windows\Tasks\GlaryInitialize.job
- c:\programmi\Glary Utilities\initialize.exe [2009-09-21 22:01]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-02-14 17:19]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-02-14 17:19]

2010-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1659004503-839522115-1003Core.job
- c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-09-21 13:24]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1659004503-839522115-1003UA.job
- c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-09-21 13:24]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{C4046502-6524-4d87-896C-878F57D1FF07} - c:\programmi\PokerStars.IT\PokerStarsUpdate.exe
TCP: {76EC4220-67B5-423F-A407-8F6513FEF47A} = 192.168.2.1
FF - ProfilePath - c:\documents and settings\mauro\Dati applicazioni\Mozilla\Firefox\Profiles\49h9oay9.def ault\
FF - prefs.js: browser.startup.homepage - www.libero.it
FF - plugin: c:\documents and settings\mauro\Dati applicazioni\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.23\npGoogleOneC lick8.dll
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.23\npGoogleOneC lick8.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\NPPOKER.dll

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabl ed", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_every where__temporarily_available_pref", true);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_bro ken", false);
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

SafeBoot-Lavasoft Ad-Aware Service
AddRemove-WinImage - d:\winimage\WINIMAGE.EXE



************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 18:41
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

************************************************** ************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A61B500]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/1000 PL Network Connection -> SendCompleteHandler -> NDIS.sys @ 0x8a602bb0
PacketIndicateHandler -> NDIS.sys @ 0x8a5f1a0d
SendHandler -> NDIS.sys @ 0x8a605b40
user & kernel MBR OK

************************************************** ************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1659004503-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:8c,c0,bc,73,d9,e2,a4,81,02,ae,43,6c ,c9,a4,bb,ac,38,f8,0b,77,b5,
bc,c7,b8,bf,a1,35,4c,59,43,56,c7,0e,fa,f8,d5,71,3d ,0c,ed,96,e7,e2,fa,47,63,\
"rkeysecu"=hex:44,c8,b9,9f,32,57,3b,cb,d1,4b,2e,c3 ,b7,6d,88,b1
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(6488)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\advanc~1\wh_hook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\programmi\BUFFALO\NASNAVI\nassvc.exe
c:\programmi\CDBurnerXP\NMSAccessU.exe
c:\programmi\CyberLink\Shared files\RichVideo.exe
c:\programmi\Photodex\ProShowGold\ScsiAccess.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\documents and settings\mauro\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.23\GoogleCrashH andler.exe
.
************************************************** ************************
.
Ora fine scansione: 2010-04-04 18:45:14 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-04-04 16:45

Pre-Run: 78.960.529.408 byte disponibili
Post-Run: 78.937.948.160 byte disponibili

- - End Of File - - B6ACF2C7154C6A0A05C782CE95A8BCDB