Good morning everyone,
my PC is infected... I can't install the new antivirus because double-clicking its icon doesn't open the file... the same thing generally happens with all application files.
Thanks in advance
Bruno
Download Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Note:
● preferably download the program with Internet Explorer
Place Combofix on the Desktop and carry out these preliminary steps:
● disconnect from the Internet
● physically disconnect the modem/router from the computer
It is absolutely necessary, if active, to:
● disable the antivirus in use, from its icon in the system tray (next to the Windows clock)
● disable any firewall installed, from its icon in the system tray (next to the Windows clock)
Once the steps above are done:
● launch ComboFix from an account with Administrator privileges and follow the instructions it gives to run the scan
● you will be asked to install the Recovery Console: do not install it
● without doing anything else, let the tool finish the scan and the log creation phase
Notes - during the scan:
● some files will be created on the Desktop and then deleted
● all the icons on the Desktop will disappear for a moment
● a message about the antivirus in use may appear: continue, ignoring the message
● the firewall, if active, may show a warning about the removal of some drivers: allow it
● the Internet Explorer icon may appear on the Desktop, if it was not already there
When Combofix has finished the scan:
● the system will restart automatically (if not, restart it yourself)
● physically reconnect the modem/router to the computer
● connect to the Internet
● go to Local Disk C:, look for the log named combofix.txt and attach it
OK, I've done the steps... I'm attaching the file! Thanks!
Brubla, I don't see any attached files!
Must be old age creeping up?
and it even told me "attached successfully"!
ComboFix 10-12-31.02 - User 01/01/2011 10.33.14.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.895.546 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {00000002-0002-0000-7C25-9E7C08000A00}
AV: Personal Internet Security 2011 *Enabled/Updated* {142275DC-C319-4547-90A1-B2DCF2B48514}
FW: Personal Internet Security 2011 *Enabled* {DDEB26A8-0140-4356-8CB4-04CF7FAC8416}
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Dati applicazioni\40b8e5
c:\documents and settings\All Users\Dati applicazioni\40b8e5\40b8e566434e2c5b2f1736c5c0a31c12.ocx
c:\documents and settings\All Users\Dati applicazioni\40b8e5\6473.mof
c:\documents and settings\All Users\Dati applicazioni\40b8e5\BackUp\Avvio rapido di HP Image Zone.lnk
c:\documents and settings\All Users\Dati applicazioni\40b8e5\BackUp\HP Digital Imaging Monitor.lnk
c:\documents and settings\All Users\Dati applicazioni\40b8e5\kq0gln2p45e7tm9q01u8z6awgos8z6f01u8g2p45ecsn.dll
c:\documents and settings\All Users\Dati applicazioni\40b8e5\PIS.ico
c:\documents and settings\User\Dati applicazioni\Microsoft\Internet Explorer\Quick Launch\Personal Internet Security 2011.lnk
c:\documents and settings\User\Dati applicazioni\PriceGong
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\1.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\a.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\b.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\c.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\d.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\e.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\f.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\g.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\h.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\i.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\J.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\k.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\l.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\m.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\mru.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\n.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\o.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\p.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\q.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\r.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\s.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\t.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\u.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\v.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\w.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\x.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\y.xml
c:\documents and settings\User\Dati applicazioni\PriceGong\Data\z.xml
c:\documents and settings\User\gsyzq.exe
c:\documents and settings\User\Menu Avvio\Personal Internet Security 2011.lnk
c:\documents and settings\User\Menu Avvio\Programmi\Personal Internet Security 2011.lnk
c:\documents and settings\User\Recent\ANTIGEN.exe
c:\documents and settings\User\Recent\ANTIGEN.sys
c:\documents and settings\User\Recent\ANTIGEN.tmp
c:\documents and settings\User\Recent\cb.dll
c:\documents and settings\User\Recent\cb.drv
c:\documents and settings\User\Recent\cb.tmp
c:\documents and settings\User\Recent\cid.drv
c:\documents and settings\User\Recent\cid.exe
c:\documents and settings\User\Recent\cid.sys
c:\documents and settings\User\Recent\cid.tmp
c:\documents and settings\User\Recent\CLSV.dll
c:\documents and settings\User\Recent\CLSV.drv
c:\documents and settings\User\Recent\CLSV.sys
c:\documents and settings\User\Recent\DBOLE.dll
c:\documents and settings\User\Recent\DBOLE.tmp
c:\documents and settings\User\Recent\ddv.exe
c:\documents and settings\User\Recent\ddv.sys
c:\documents and settings\User\Recent\eb.dll
c:\documents and settings\User\Recent\eb.drv
c:\documents and settings\User\Recent\eb.sys
c:\documents and settings\User\Recent\eb.tmp
c:\documents and settings\User\Recent\energy.dll
c:\documents and settings\User\Recent\energy.exe
c:\documents and settings\User\Recent\energy.tmp
c:\documents and settings\User\Recent\exec.dll
c:\documents and settings\User\Recent\exec.drv
c:\documents and settings\User\Recent\exec.sys
c:\documents and settings\User\Recent\exec.tmp
c:\documents and settings\User\Recent\fan.dll
c:\documents and settings\User\Recent\fan.tmp
c:\documents and settings\User\Recent\fix.drv
c:\documents and settings\User\Recent\fix.sys
c:\documents and settings\User\Recent\FS.dll
c:\documents and settings\User\Recent\FS.tmp
c:\documents and settings\User\Recent\grid.dll
c:\documents and settings\User\Recent\hymt.sys
c:\documents and settings\User\Recent\hymt.tmp
c:\documents and settings\User\Recent\kernel32.dll
c:\documents and settings\User\Recent\kernel32.exe
c:\documents and settings\User\Recent\kernel32.tmp
c:\documents and settings\User\Recent\pal.exe
c:\documents and settings\User\Recent\pal.sys
c:\documents and settings\User\Recent\PE.dll
c:\documents and settings\User\Recent\PE.drv
c:\documents and settings\User\Recent\PE.exe
c:\documents and settings\User\Recent\PE.sys
c:\documents and settings\User\Recent\PE.tmp
c:\documents and settings\User\Recent\ppal.dll
c:\documents and settings\User\Recent\ppal.drv
c:\documents and settings\User\Recent\runddl.tmp
c:\documents and settings\User\Recent\runddlkey.exe
c:\documents and settings\User\Recent\runddlkey.sys
c:\documents and settings\User\Recent\runddlkey.tmp
c:\documents and settings\User\Recent\SICKBOY.exe
c:\documents and settings\User\Recent\SICKBOY.tmp
c:\documents and settings\User\Recent\sld.exe
c:\documents and settings\User\Recent\sld.tmp
c:\documents and settings\User\Recent\SM.exe
c:\documents and settings\User\Recent\SM.tmp
c:\documents and settings\User\Recent\snl2w.drv
c:\documents and settings\User\Recent\snl2w.sys
c:\documents and settings\User\Recent\std.sys
c:\documents and settings\User\Recent\tempdoc.exe
c:\documents and settings\User\Recent\tempdoc.sys
c:\documents and settings\User\Recent\tjd.dll
c:\documents and settings\User\Recent\tjd.drv
c:\documents and settings\User\Recent\tjd.exe
c:\documents and settings\User\Recent\tjd.sys
c:\documents and settings\User\Recent\tjd.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
-------\Service_SSHNAS
((((((((((((((((((((((((( Files Created from 2010-12-01 to 2011-01-01 )))))))))))))))))))))))))))))))))))
.
2010-12-29 14:45 . 2010-12-29 14:45 -------- d-----w- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Temp
2010-12-28 10:43 . 2010-12-28 10:43 -------- d-sh--w- c:\documents and settings\All Users\Dati applicazioni\PILPWMRYNS
2010-12-14 08:00 . 2010-12-14 08:00 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\regid.1986-12.com.adobe
2010-12-14 07:59 . 2010-12-14 07:59 -------- d-----w- c:\programmi\Adobe Media Player
2010-12-14 07:57 . 2010-12-14 07:57 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2010-12-09 15:26 . 2010-12-09 15:26 -------- d-----w- c:\documents and settings\User\Dati applicazioni\BabylonToolbar
2010-12-09 15:24 . 2010-12-09 15:24 -------- d-----w- c:\programmi\FoxTabFlvConverter
2010-12-09 14:59 . 2010-12-09 14:59 -------- d-----w- C:\temp
2010-12-09 14:59 . 2010-12-09 14:59 -------- d-----w- C:\vv
2010-12-08 15:35 . 2010-12-09 17:11 -------- d-----w- C:\My E-Books
2010-12-08 15:35 . 2010-12-08 15:35 -------- d-----w- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Martview
2010-12-08 15:35 . 2010-12-09 17:10 -------- d-----w- c:\programmi\MartView
2010-12-08 11:08 . 2010-12-08 11:08 -------- d-----w- c:\programmi\SmartDraw VP
2010-12-08 11:00 . 2010-12-08 11:05 -------- d-----w- c:\programmi\Genealogia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 14:08 . 2010-11-18 14:08 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2010-11-14 16:31 . 2010-11-14 16:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-14 16:31 . 2010-11-14 16:32 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-20 16:50 . 2010-10-20 16:59 89 -c--a-w- c:\documents and settings\Utente\Del15C9.bat
2010-10-20 16:50 . 2010-10-20 16:50 89 -c--a-w- c:\documents and settings\Default User.WINDOWS.0\Del15C9.bat
.
------- Sigcheck -------
[-] 2009-06-24 . D5E120A3BA164D2E7307A6688FEB26B2 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mobile Partner"="c:\programmi\MD-@ HSUPA\MD-@ HSUPA.exe" [2010-06-04 110592]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2010-06-10 322352]
"Skype"="c:\programmi\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"nwiz"="nwiz.exe" [2008-05-02 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 16859136]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"PivotSoftware"="c:\programmi\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT ACR"="c:\programmi\File comuni\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AdobeAAMUpdater-1.0"="c:\programmi\File comuni\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\programmi\File comuni\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-06-24 128512]
"_nltide_3"="advpack.dll" [2009-06-24 128512]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio rapido di HP Image Zone.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\MartView\\IeEmbed.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
R2 PdiService;Portrait Displays SDK Service;c:\programmi\File comuni\Portrait Displays\Drivers\pdisrvc.exe [27/10/2010 7.55.01 90112]
S3 SwitchBoard;SwitchBoard;c:\programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13.37.14 517096]
.
Contents of the 'Scheduled Tasks' folder
2010-12-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-USER-D7D4FCC85C-User.job
- c:\programmi\File comuni\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-12-14 02:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyServer = http=127.0.0.1:25490
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-01 10:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|˙˙˙˙À|ù9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c018\6&1915abf6&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3064)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\progra~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\programmi\File comuni\Microsoft Shared\Web Components\10\1040\OWCI10.DLL
c:\progra~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\programmi\File comuni\Microsoft Shared\Web Components\11\1040\OWCI11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\programmi\Portrait Displays\Pivot Software\winphook.dll
c:\programmi\Tracker Software\Shell Extensions\XCShInfo.dll
c:\programmi\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
c:\programmi\OpenOffice.org 3\Basis\program\shlxthdl\stlport_vc7145.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.ITA
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\programmi\File comuni\Portrait Displays\Shared\DTSRVC.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\programmi\Acer Display\eDisplay Management\DTHtml.exe
c:\programmi\Portrait Displays\Pivot Software\floater.exe
c:\programmi\File comuni\Portrait Displays\Shared\HookManager.exe
c:\programmi\File comuni\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
c:\programmi\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2011-01-01 10:42:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-01 09:42
Pre-Run: 243.239.563.264 bytes free
Post-Run: 244.779.491.328 bytes free
- - End Of File - - 4D72DD713C3343F819C84FAB6DA91390
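As an added example (not part of the thread, and not ComboFix's own logic): a small Python triage script that reads a ComboFix log like the one posted above and pulls out the indicators a responder would look at first: the ProxyServer setting pointing at the local host, a product registered with Security Center as AV/FW whose own files then show up on the deletion list, executable code deleted from inside a user profile, and the service entries ComboFix removed. The sample log is a constructed excerpt of the first log in this thread; the heuristics (loopback proxy, "registered product with deleted artifacts", "code in the profile") are my assumptions about what deserves a second look, not ComboFix verdicts.

```python
import re

# Constructed sample: a handful of lines copied from the first ComboFix log in
# this thread, trimmed to the parts the heuristics below look at.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Enabled/Updated* {00000002-0002-0000-7C25-9E7C08000A00}
AV: Personal Internet Security 2011 *Enabled/Updated* {142275DC-C319-4547-90A1-B2DCF2B48514}
FW: Personal Internet Security 2011 *Enabled* {DDEB26A8-0140-4356-8CB4-04CF7FAC8416}
.
((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Dati applicazioni\40b8e5\6473.mof
c:\documents and settings\User\Menu Avvio\Personal Internet Security 2011.lnk
c:\documents and settings\User\gsyzq.exe
c:\documents and settings\User\Recent\kernel32.exe
c:\documents and settings\User\Recent\cid.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
-------\Service_SSHNAS
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyServer = http=127.0.0.1:25490
"""

# Section banners look like "(((( Other Deletions ))))" or "------- Supplementary Scan -------".
PAREN_BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*[)\s]+$")
DASH_BANNER_RE = re.compile(r"^-{3,}\s+(.+?)\s+-{3,}$")
# Security Center registrations: "AV: <name> *Enabled/Updated* {GUID}".
PRODUCT_RE = re.compile(r"^(AV|FW|AS): (.+?) \*")
PROXY_RE = re.compile(r"ProxyServer = (\S+)")
CODE_EXTENSIONS = (".exe", ".dll", ".sys", ".drv", ".ocx", ".mof")


def parse_sections(text):
    """Return {banner title: [lines]}; lines before the first banner go under 'header'."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        banner = PAREN_BANNER_RE.match(line) or DASH_BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def proxy_host(setting):
    """'http=127.0.0.1:25490' -> '127.0.0.1'; the bare 'host:port' form works too."""
    value = setting.split("=", 1)[-1]
    return value.rsplit(":", 1)[0]


def triage(text):
    """Apply the (assumed) heuristics to a ComboFix log and return what they flag."""
    sections = parse_sections(text)
    deleted = sections.get("Other Deletions", [])
    report = {"loopback_proxy": None, "rogue_products": [],
              "dropped_code": [], "removed_services": []}

    # 1. A proxy on the local host that the user never configured means something
    #    on the box is sitting in front of the browser.
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m and proxy_host(m.group(1)).startswith("127."):
            report["loopback_proxy"] = m.group(1)

    # 2. Heuristic (assumption): a product registered as AV/FW whose own files
    #    ComboFix deleted is a rogue "antivirus", not a real one.
    products = {}
    for line in sections["header"]:
        m = PRODUCT_RE.match(line)
        if m:
            products.setdefault(m.group(2), set()).add(m.group(1))
    for name in products:
        if any(name.lower() in path.lower() for path in deleted):
            report["rogue_products"].append(name)

    # 3. Executable code deleted from inside a user profile: legitimate XP
    #    software does not drop .exe/.sys/.drv files into Recent or the profile root.
    for path in deleted:
        low = path.lower()
        if low.endswith(CODE_EXTENSIONS) and "\\documents and settings\\" in low:
            report["dropped_code"].append(path)

    # 4. Driver/service entries ComboFix removed are listed with a -------\ prefix.
    for line in sections.get("Drivers/Services", []):
        if line.startswith("-------\\"):
            report["removed_services"].append(line[len("-------\\"):])

    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the full combofix.txt instead of SAMPLE_LOG and the same four checks apply; the point of the loopback-proxy check in particular is that, once the rogue is gone, the ProxyServer value has to be cleared by hand or the browser keeps trying to reach a listener that no longer exists.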
You were packed full.
Right-click on an empty spot on the Desktop
● choose New
● click Text Document
● copy and paste these lines into the document you just created:
Folder::
C:\temp
C:\Windows\Tasks
C:\Windows\Temp
File::
c:\documents and settings\Utente\Del15C9.bat
c:\windows\system32\ConduitEngine.tmp
RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c018\6&1915abf6&0&0000\LogConf]
● click File
● click Save As
● make sure, in the menu on the left, that the file is saved on the Desktop: if not, select Desktop
● in File name: type CFScript.txt
Now:
● with the left mouse button, drag the text file onto the ComboFix icon: the ComboFix scan starts
● don't touch anything else until it has finished: let the program work, without interfering
● if the system does not restart by itself, restart it yourself
● at this point, attach the ComboFix log
ComboFix 10-12-31.02 - User 03/01/2011 10.16.57.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.895.509 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Options used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AntiVir Desktop *Enabled/Updated* {00000002-0002-0000-7C25-9E7C08000A00}
AV: Personal Internet Security 2011 *Enabled/Updated* {142275DC-C319-4547-90A1-B2DCF2B48514}
FW: Personal Internet Security 2011 *Enabled* {DDEB26A8-0140-4356-8CB4-04CF7FAC8416}
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
"c:\documents and settings\Utente\Del15C9.bat"
"c:\windows\system32\ConduitEngine.tmp"
.
((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Utente\Del15C9.bat
C:\temp
c:\windows\system32\ConduitEngine.tmp
.
((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))))))
.
2010-12-29 14:45 . 2010-12-29 14:45 -------- d-----w- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Temp
2010-12-28 10:43 . 2010-12-28 10:43 -------- d-sh--w- c:\documents and settings\All Users\Dati applicazioni\PILPWMRYNS
2010-12-14 08:00 . 2010-12-14 08:00 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\regid.1986-12.com.adobe
2010-12-14 07:59 . 2010-12-14 07:59 -------- d-----w- c:\programmi\Adobe Media Player
2010-12-14 07:57 . 2010-12-14 07:57 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2010-12-09 15:26 . 2010-12-09 15:26 -------- d-----w- c:\documents and settings\User\Dati applicazioni\BabylonToolbar
2010-12-09 15:24 . 2010-12-09 15:24 -------- d-----w- c:\programmi\FoxTabFlvConverter
2010-12-09 14:59 . 2010-12-09 14:59 -------- d-----w- C:\vv
2010-12-08 15:35 . 2010-12-09 17:11 -------- d-----w- C:\My E-Books
2010-12-08 15:35 . 2010-12-08 15:35 -------- d-----w- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Martview
2010-12-08 15:35 . 2010-12-09 17:10 -------- d-----w- c:\programmi\MartView
2010-12-08 11:08 . 2010-12-08 11:08 -------- d-----w- c:\programmi\SmartDraw VP
2010-12-08 11:00 . 2010-12-08 11:05 -------- d-----w- c:\programmi\Genealogia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-14 16:31 . 2010-11-14 16:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-14 16:31 . 2010-11-14 16:32 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-20 16:50 . 2010-10-20 16:50 89 -c--a-w- c:\documents and settings\Default User.WINDOWS.0\Del15C9.bat
.
------- Sigcheck -------
[-] 2009-06-24 . D5E120A3BA164D2E7307A6688FEB26B2 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-01-01_09.39.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-03 09:03 . 2011-01-03 09:03 16384 c:\windows\Temp\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mobile Partner"="c:\programmi\MD-@ HSUPA\MD-@ HSUPA.exe" [2010-06-04 110592]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2010-06-10 322352]
"Skype"="c:\programmi\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"nwiz"="nwiz.exe" [2008-05-02 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 16859136]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"PivotSoftware"="c:\programmi\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT ACR"="c:\programmi\File comuni\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AdobeAAMUpdater-1.0"="c:\programmi\File comuni\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\programmi\File comuni\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-06-24 128512]
"_nltide_3"="advpack.dll" [2009-06-24 128512]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio rapido di HP Image Zone.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\MartView\\IeEmbed.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
R2 PdiService;Portrait Displays SDK Service;c:\programmi\File comuni\Portrait Displays\Drivers\pdisrvc.exe [27/10/2010 7.55.01 90112]
S3 SwitchBoard;SwitchBoard;c:\programmi\File comuni\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13.37.14 517096]
.
Contents of the 'Scheduled Tasks' folder
2010-12-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-USER-D7D4FCC85C-User.job
- c:\programmi\File comuni\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-12-14 02:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: {79AE9B24-8692-4758-B29C-255018A0D375} = 62.13.173.93 62.13.173.92
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 10:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|˙˙˙˙À|ù9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Completion time: 2011-01-03 10:24:41
ComboFix-quarantined-files.txt 2011-01-03 09:24
ComboFix2.txt 2011-01-01 09:42
Pre-Run: 244.737.150.976 bytes free
Post-Run: 244.785.532.928 bytes free
- - End Of File - - 19D4ECA1B54D54B855D0A8A565FA4747
How is the PC doing?
Download and install Hijackthis: http://www.trendmicro.com/ftp/produc...HiJackThis.msi
Note: to launch Hijackthis on Windows Vista and Windows Seven, right-click the Hijackthis icon and choose Run as Administrator from the context menu
● launch Hijackthis
● click the Do a system scan and save a logfile button
● at the end of the scan, which will take a handful of seconds, a text file will be produced: attach it
It's much better now... I installed the antivirus and now I'm going ahead with a further scan!!
Thanks!