  1. #1

    Virus/Rootkit "Windows XP Repair 2011" (fake antivirus)

    Hi, I'm new to the forum!
    My PC runs this operating system: Windows XP Professional SP3
    Unfortunately, yesterday while browsing the web I ran into the infamous fake antivirus "Windows XP Repair 2011", which installed itself and started showing me false error messages about the hard disk and RAM. Other effects of the virus were the disappearance of the desktop icons and of the contents of the Start menu and All Programs, as well as the replacement of the desktop wallpaper with a black screen. Not being new to this kind of problem, I downloaded Malwarebytes' Anti-Malware and ran the scan twice: once in Safe Mode, where it found 7 infections, and once in normal mode, with 6 infections. Both times the program removed the infections, and therefore the malicious program, and I managed to recover my data, which had only been hidden, not deleted. I also installed Spyware Doctor, which detected 202 infections and 6 threats, all disinfected by the same program (although I didn't like that program (downloaded from html.it) much in terms of how it works). Other problems caused by the virus that still persist are:
    1) There is no audio in Internet Explorer (on the PC there is, and also in Google Chrome, which I downloaded precisely to test the audio) (in Internet Explorer, under Tools --> Internet Options --> Advanced, "Play sounds in webpages" is unchecked; if I check it the audio still doesn't work, and after rebooting the PC the box is unchecked again)
    2) More serious problem: the virus has left traces. In both browsers, when I click on any link from Google I get redirected to advertising sites such as cupcakes.com, clickbattery.org, fantasyhockey.us etc. (if I click the link several times I eventually get redirected to the real page). The browsers are also a bit slower than before.
    Browsing and looking for information, I found out that the cause of this redirection is probably that Windows XP Repair is also a rootkit that redirects the browser, and for its removal they recommend Kaspersky Lab's TDSSKiller. I downloaded that tool and placed it on the desktop, but double-clicking it doesn't start it: a common problem that many solve by renaming the file to 123.com, but even doing that the program doesn't start!
    One last thing: I noticed that Administrative Tools in the Control Panel is empty!
    Thanks in advance to whoever will help me, since I'd rather not format the hard disk because I need the PC for my studies.
    EDIT: I forgot: as antivirus I have ESET NOD32 4, up to date, and after running the scan I disabled Spyware Doctor!

  2. #2
    menatwork (HTML.it user, registered May 2009, 4,330 posts)
    hi ElKunAguero10

    let's see if we can remove what remains of the infections

    download ComboFix to the desktop

    when asked whether you want to install the Recovery Console, click NO

    run ComboFix.exe

    follow the instructions

    once the scan is finished, go to C:\ and attach the contents of the text file Combofix.txt to your next reply

    how to use ComboFix correctly

    also post a HijackThis log

  3. #3
    Hi menatwork!
    Thanks for the quick reply, and sorry for not managing to post the requested logs last night!
    I ran both scans, with ComboFix and HijackThis!
    No problem with HijackThis; a small problem at the start with ComboFix: as soon as I launched the program it started extracting files and froze at around 40/50%. At that point the PC rebooted on its own, and on restart it gave me a critical system error.
    I nevertheless continued by launching ComboFix again; it resumed the extraction from 40/50% and started. It immediately detected a rootkit and asked for a second reboot of the PC to remove it.
    After the reboot it finished the scan and created 2 logs, one in C:\ and one called catchme.log on the desktop, which only talks about the rootkit.
    I believe the rootkit has been removed, since I no longer see browser redirects and the sound in Internet Explorer is back! One thing I forgot to mention is that Administrative Tools in the Control Panel is empty (I think because of the virus), even now after using ComboFix! (But that's a minor problem, so first I want to make sure the rootkit is completely gone!)
    So I'm now attaching the logs of the two programs plus the third log, catchme.log:
    EDIT: I couldn't attach them, so I'm posting them in full:
    1) ComboFix.txt in C:\
    ComboFix 11-06-17.04 - Del Bove Giulio 19/06/2011 22.19.58.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.511.221 [GMT 2:00]
    Eseguito da: c:\documents and settings\Del Bove Giulio\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    * Resident AV is active
    .
    .
    ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
    .
    .
    ((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\IsUn0410.exe
    .
    La copia infetta di c:\windows\system32\drivers\volsnap.sys è stata trovata e disinfettata
    Ripristinata copia da - Kitty had a snack
    .
    ((((((((((((((((((((((((( Files Creati Da 2011-05-19 al 2011-06-19 )))))))))))))))))))))))))))))))))))
    .
    .
    2011-06-19 11:52 . 2011-06-19 11:52 -------- d-----w- c:\documents and settings\Del Bove Giulio\Impostazioni locali\Dati applicazioni\Threat Expert
    2011-06-19 11:28 . 2011-06-19 11:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-06-19 10:41 . 2011-06-19 20:16 -------- d-----w- c:\programmi\PC Tools Security
    2011-06-19 10:41 . 2011-06-19 20:14 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
    2011-06-19 10:35 . 2011-06-19 20:14 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PC Tools
    2011-06-18 22:51 . 2011-06-18 22:51 -------- d-sh--w- c:\documents and settings\Del Bove Giulio\PrivacIE
    2011-06-18 22:48 . 2011-06-18 22:48 -------- d-sh--w- c:\documents and settings\Del Bove Giulio\IETldCache
    2011-06-18 22:43 . 2011-06-18 22:44 -------- dc-h--w- c:\windows\ie8
    2011-06-18 22:17 . 2011-06-18 22:17 -------- d-----w- c:\windows\Sun
    2011-06-18 22:16 . 2011-06-18 22:16 -------- d-----w- c:\programmi\File comuni\Java
    2011-06-18 22:15 . 2011-06-18 22:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-18 22:15 . 2011-06-18 22:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-18 22:15 . 2011-06-18 22:15 -------- d-----w- c:\programmi\Java
    2011-06-18 17:44 . 2011-06-18 17:44 -------- d-----w- c:\documents and settings\Del Bove Giulio\Dati applicazioni\Malwarebytes
    2011-06-18 17:22 . 2011-05-29 07:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-18 17:21 . 2011-06-18 17:21 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
    2011-06-18 17:21 . 2011-06-18 17:22 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
    2011-06-18 14:31 . 2011-06-19 14:29 -------- d-----w- c:\documents and settings\Administrator
    2011-06-07 10:35 . 2011-06-07 10:35 103864 ----a-w- c:\programmi\Mozilla Firefox\plugins\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-19 13:16 . 2011-05-19 13:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-04-27 . 8E036EEC565910417EA020CE0962AA24 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
    .
    [-] 2008-04-27 . D5E120A3BA164D2E7307A6688FEB26B2 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* i valori vuoti & legittimi/default non sono visualizzati.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-31 39408]
    "msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    "DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "PC Suite Tray"="c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\programmi\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
    "Motive SmartBridge"="c:\progra~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
    "ATICCC"="c:\programmi\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]
    "Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "HP Component Manager"="c:\programmi\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2010-11-29 421888]
    "HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "TkBellExe"="c:\programmi\Real\RealPlayer\update\realsched.exe" [2011-03-08 273544]
    "SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]
    "nltide_3"="advpack.dll" [2009-03-08 128512]
    .
    c:\documents and settings\Del Bove Giulio\Menu Avvio\Programmi\Esecuzione automatica\
    Utilità controllo supporti di PMB.lnk - c:\programmi\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-11-13 333088]
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/11/2010 17.44.46 691696]
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29/07/2010 14.31.26 115008]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [03/08/2010 14.28.36 95896]
    R2 ekrn;ESET Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [12/08/2010 15.16.26 810144]
    S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [31/10/2010 16.34.21 136176]
    S2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [18/06/2011 19.22.00 366640]
    S2 Network WanMiniport First Position;Network WanMiniport First Position;c:\programmi\Telecom Italia\WanMiniport1st\srvany.exe [31/10/2010 13.20.24 8192]
    S3 gupdatem;Servizio Google Update (gupdatem);c:\programmi\Google\Update\GoogleUpdate.exe [31/10/2010 16.34.21 136176]
    S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [18/06/2011 19.22.00 39984]
    .
    Contenuto della cartella 'Scheduled Tasks'
    .
    2011-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\programmi\Google\Update\GoogleUpdate.exe [2010-10-31 14:34]
    .
    2011-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\programmi\Google\Update\GoogleUpdate.exe [2010-10-31 14:34]
    .
    2011-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-688789844-1547161642-1003Core.job
    - c:\documents and settings\Del Bove Giulio\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-06-18 08:44]
    .
    2011-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-688789844-1547161642-1003UA.job
    - c:\documents and settings\Del Bove Giulio\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2011-06-18 08:44]
    .
    2011-05-28 c:\windows\Tasks\hpwebreg_CN07H2958D05D1.job
    - c:\programmi\HP\HP Deskjet 2050 J510 series\Bin\hpwebreg.exe [2010-02-02 10:20]
    .
    2011-06-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1957994488-688789844-1547161642-1003.job
    - c:\programmi\Real\RealUpgrade\realupgrade.exe [2011-01-24 13:25]
    .
    2011-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1957994488-688789844-1547161642-1003.job
    - c:\programmi\Real\RealUpgrade\realupgrade.exe [2011-01-24 13:25]
    .
    .
    ------- Scansione supplementare -------
    .
    uStart Page = hxxp://www.google.it/
    uInternet Settings,ProxyOverride = 127.0.0.1
    IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    .
    - - - - CHIAVI ORFANE RIMOSSE - - - -
    .
    HKLM-Run-DXDllRegExe - dxdllreg.exe
    AddRemove-Adobe Photoshop 6.0 - c:\windows\ISUN0410.EXE
    AddRemove-Adobe SVG Viewer - c:\windows\IsUn0410.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-19 22:26
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scansione processi nascosti ...
    .
    scansione entrate autostart nascoste ...
    .
    Scansione files nascosti ...
    .
    Scansione completata con successo
    Files nascosti: 0
    .
    **************************************************************************
    .
    --------------------- Dlls caricate dai processi in esecuzione ---------------------
    .
    - - - - - - - > 'winlogon.exe'(708)
    c:\windows\system32\Ati2evxx.dll
    .
    Ora fine scansione: 2011-06-19 22:30:28
    ComboFix-quarantined-files.txt 2011-06-19 20:30
    .
    Pre-Run: 56.849.711.104 byte disponibili
    Post-Run: 57.340.739.584 byte disponibili
    .
    - - End Of File - - B940A8C9738F5DBBD93DBDF8E89D4CF9
    2) catchme.log on the desktop (created by ComboFix)
    File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
    File list cleared

  4. #4
    3) HijackThis log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12.04.27, on 20/06/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Programmi\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
    C:\Programmi\CDBurnerXP\NMSAccessU.exe
    C:\Programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\DRIVEN~1\syncer\MCCITR~1.EXE
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
    C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
    C:\Programmi\Real\RealPlayer\update\realsched.exe
    C:\Programmi\File comuni\Java\Java Update\jusched.exe
    C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Programmi\Windows Live\Messenger\msnmsgr.exe
    C:\Programmi\DAEMON Tools Lite\DTLite.exe
    C:\Programmi\Nokia\Nokia PC Suite 7\PCSuite.exe
    C:\Programmi\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
    C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Programmi\internet explorer\iexplore.exe
    C:\Programmi\internet explorer\iexplore.exe
    C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
    C:\Programmi\Alice ti aiuta\bin\mad.exe
    C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dati applicazioni\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [AliceRE_McciTrayApp] C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\DRIVEN~1\syncer\MCCITR~1.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\Real\RealPlayer\update\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [swg] "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programmi\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
    O4 - Startup: Utilità controllo supporti di PMB.lnk = C:\Programmi\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
    O23 - Service: Servizio Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Network WanMiniport First Position - Unknown owner - C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
    O23 - Service: NMSAccess - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 9569 bytes

    Thanks again, and sorry for the mess!
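When reviewing a HijackThis log like the one posted above, a helper usually looks at a few entry types first: O2 BHOs whose DLL no longer exists (the "(no file)" entry left behind after a removal), O4 autoruns that start from user-writable folders, O23 services with "Unknown owner", and R1 proxy settings. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from ComboFix. It parses lines in the R1/O2/O4/O23 format shown above and returns the entries worth a manual look. The sample log is constructed (a few entries modelled on the posted log plus one invented `updater.exe` autorun), and the regular expressions and the list of user-writable folder names are assumptions of this script, not anything HijackThis itself provides.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in HijackThis log format. The ProxyOverride, "(no file)" BHO,
# egui and ATI Smart entries are modelled on the posted log; the "updater" autorun
# is invented for illustration and does not come from the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\utente\Impostazioni locali\Temp\updater.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# A HijackThis entry starts with a section code (R0, R1, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Folder names (Italian and English Windows XP) that any unprivileged user can write to.
# Assumption of this script: a startup entry pointing there deserves a second look.
USER_WRITABLE = re.compile(
    r"\\(temp|impostazioni locali|local settings|dati applicazioni|application data)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why a reviewer should look at this entry
    entry: str    # the original log line


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Return the entries of a HijackThis log that deserve manual review."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list, "End of file"
        section, body = m.group(1), m.group(2)
        if section == "R1" and "ProxyOverride" in body:
            findings.append(Finding(section, "proxy override configured; confirm it is intended", line))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "BHO CLSID registered but DLL missing (orphan left by a removal)", line))
        elif section == "O4" and USER_WRITABLE.search(body):
            findings.append(Finding(section, "autorun entry launches from a user-writable location", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service binary carries no vendor information; verify its signature", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per section code, handy for a quick overview of a long log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

The checks are heuristics: a proxy override of 127.0.0.1 or an autorun under "Dati applicazioni" (Google Update lives there in the posted log) is often legitimate, so the output is a review list, not a verdict.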

  5. #5
    menatwork (HTML.it user, registered May 2009, 4,330 posts)
    I was expecting worse..... while I check the ComboFix log, can you tell me whether you ran TDSSKiller?

    try this

    Start > Run > copy/paste the following command and click OK.

    "%userprofile%\Desktop\TDSSKiller.exe" >>> quotes included

    Click Start Scan.
    If there is an infection, the default action will be "cure". Click Continue.
    If an infection is suspected, the default action will be "skip". Click Continue.
    If a reboot is requested, accept.
    The report will be in C:\, with a name of this form: TDSSKiller.[Version]_[Date]_[Time]_log.txt

  6. #6
    This time TDSSKiller started normally, without problems, with a simple double-click on the exe. (I think that's a sign the rootkit's removal "freed the program"!)
    Anyway, it found only one threat, but only a suspected one; action chosen: skip
    The file is precisely:
    C:\WINDOWS\system32\Drivers\sptd.sys; it says it is a locked file
    Here's the log anyway:

    2011/06/20 12:54:50.0937 2064 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15

    2011/06/20 12:54:51.0406 2064 ============================
    2011/06/20 12:54:51.0406 2064 SystemInfo:
    OS Version: 5.1.2600 ServicePack: 3.0
    2011/06/20 12:54:51.0406 2064 Product type: Workstation
    2011/06/20 12:54:51.0406 2064 ComputerName: GIULIO
    2011/06/20 12:54:51.0406 2064 UserName: Del Bove Giulio
    2011/06/20 12:54:51.0406 2064 Windows directory: C:\WINDOWS
    2011/06/20 12:54:51.0406 2064 System windows directory: C:\WINDOWS
    2011/06/20 12:54:51.0406 2064 Processor architecture: Intel x86
    2011/06/20 12:54:51.0406 2064 Number of processors: 2
    2011/06/20 12:54:51.0406 2064 Page size: 0x1000
    2011/06/20 12:54:51.0406 2064 Boot type: Normal boot
    2011/06/20 12:54:51.0406 2064
    2011/06/20 12:54:52.0859 2064 Initialize success
    2011/06/20 12:54:59.0062 3268


    2011/06/20 12:54:59.0062 3268 Scan started
    2011/06/20 12:54:59.0062 3268 Mode: Manual;
    2011/06/20 12:54:59.0062 3268


    2011/06/20 12:55:00.0937 3268 ACPI (d766e636187b8f240bbfbabcd51eb2c6) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/06/20 12:55:01.0078 3268 ACPIEC (49ac5cd87fbdda62f3e25190019e7627) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/06/20 12:55:01.0312 3268 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
    2011/06/20 12:55:01.0453 3268 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/06/20 12:55:01.0609 3268 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
    2011/06/20 12:55:01.0734 3268 AFS2K (c719341a1cf6afd4fa0808ae3d23d6a3) C:\WINDOWS\system32\drivers\AFS2K.sys
    2011/06/20 12:55:01.0843 3268 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/06/20 12:55:02.0937 3268 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/06/20 12:55:03.0046 3268 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/06/20 12:55:03.0375 3268 ati2mtag (492bd2a5f65f218d4ede5764a3bb67e9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/06/20 12:55:03.0562 3268 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/06/20 12:55:03.0687 3268 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/06/20 12:55:03.0859 3268 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/06/20 12:55:04.0093 3268 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/06/20 12:55:04.0359 3268 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/06/20 12:55:04.0484 3268 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/06/20 12:55:04.0625 3268 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/06/20 12:55:05.0359 3268 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/06/20 12:55:05.0640 3268 dmboot (82bc125a8ed33f5f0e75f2aac1065323) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/06/20 12:55:05.0921 3268 dmio (e959ddc0ea7ac11ee5e5602e2a364310) C:\WINDOWS\system32\drivers\dmio.sys
    2011/06/20 12:55:06.0062 3268 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/06/20 12:55:06.0171 3268 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/06/20 12:55:06.0421 3268 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/06/20 12:55:06.0578 3268 eamon (1ceb779239965000b8f6adee17d4515b) C:\WINDOWS\system32\DRIVERS\eamon.sys
    2011/06/20 12:55:06.0734 3268 ehdrv (7d300a43a7bd8769e0f901bf9e1ae367) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
    2011/06/20 12:55:06.0859 3268 EL2000 (25fe70646afe37801ab540b5d3b12cf9) C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
    2011/06/20 12:55:06.0984 3268 epfwtdir (ecd5f68e32ff5c6a728eb03dc892ae7f) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
    2011/06/20 12:55:07.0140 3268 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/06/20 12:55:07.0281 3268 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/06/20 12:55:07.0437 3268 Fips (2cfea3326981a18c6baf2bd9be76225b) C:\WINDOWS\system32\drivers\Fips.sys
    2011/06/20 12:55:07.0578 3268 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/06/20 12:55:07.0703 3268 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/06/20 12:55:07.0828 3268 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/06/20 12:55:07.0968 3268 Ftdisk (f3269a6ee547ea87b949a1cea4816b38) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/06/20 12:55:08.0109 3268 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/06/20 12:55:08.0375 3268 HPZid412 (287a63bd8509bd78e7978823b38afa81) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/06/20 12:55:08.0500 3268 HPZipr12 (0b4fda2657c3e0315eaa57f9c6d4fd1f) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/06/20 12:55:08.0656 3268 HPZius12 (29559db25258b60510a60c4e470fce32) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/06/20 12:55:08.0796 3268 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
    2011/06/20 12:55:08.0953 3268 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
    2011/06/20 12:55:09.0140 3268 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/06/20 12:55:09.0515 3268 i8042prt (610726e28af55b95043c5c35a727e320) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/06/20 12:55:09.0656 3268 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/06/20 12:55:09.0921 3268 IntelIde (027fe9b28fb0f861c181d25923b31e78) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/06/20 12:55:10.0046 3268 intelppm (ebd830a0970c438047006a49c23e287f) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/06/20 12:55:10.0187 3268 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/06/20 12:55:10.0328 3268 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/06/20 12:55:10.0453 3268 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/06/20 12:55:10.0609 3268 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/06/20 12:55:10.0750 3268 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/06/20 12:55:10.0921 3268 isapnp (0953594beb81cc72fcc62d37921b25a6) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/06/20 12:55:11.0062 3268 Kbdclass (28b6eace513ca7eaba3b809ad4bc274d) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/06/20 12:55:11.0218 3268 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/06/20 12:55:11.0359 3268 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/06/20 12:55:11.0750 3268 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2011/06/20 12:55:11.0890 3268 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2011/06/20 12:55:12.0015 3268 MidiSyn (63c34814492aa65fc517b002de77b191) C:\WINDOWS\system32\drivers\MidiSyn.sys
    2011/06/20 12:55:12.0187 3268 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/06/20 12:55:12.0328 3268 Modem (8cb6636806d76b85fafaee94d75f5129) C:\WINDOWS\system32\drivers\Modem.sys
    2011/06/20 12:55:12.0453 3268 Mouclass (e904ebed608055a2bfb824c07f59766c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/06/20 12:55:12.0640 3268 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/06/20 12:55:12.0906 3268 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/06/20 12:55:13.0046 3268 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/06/20 12:55:13.0218 3268 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/06/20 12:55:13.0359 3268 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/06/20 12:55:13.0515 3268 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/06/20 12:55:13.0656 3268 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/06/20 12:55:13.0781 3268 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/06/20 12:55:13.0921 3268 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/06/20 12:55:14.0078 3268 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/06/20 12:55:14.0218 3268 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/06/20 12:55:14.0359 3268 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/06/20 12:55:14.0484 3268 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/06/20 12:55:14.0640 3268 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/06/20 12:55:14.0781 3268 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/06/20 12:55:14.0937 3268 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/06/20 12:55:15.0109 3268 nmwcd (357ddb51e03cae598c096d95497373d0) C:\WINDOWS\system32\drivers\ccdcmb.sys

  7. #7
    2011/06/20 12:55:15.0250 3268 nmwcdc (7cd443f9d36c80e152fadb274089577a) C:\WINDOWS\system32\drivers\ccdcmbo.sys
    2011/06/20 12:55:15.0390 3268 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/06/20 12:55:15.0546 3268 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/06/20 12:55:15.0687 3268 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/06/20 12:55:15.0828 3268 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/06/20 12:55:15.0968 3268 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/06/20 12:55:16.0125 3268 Parport (4e9408a178b2d955871c2cdd278de3c3) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/06/20 12:55:16.0234 3268 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/06/20 12:55:16.0390 3268 ParVdm (0dabef655a444cb1e193626fb1d24b9f) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/06/20 12:55:16.0562 3268 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
    2011/06/20 12:55:16.0718 3268 PCI (f40a46892afebb0314536b849d57c11e) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/06/20 12:55:16.0953 3268 PCIIde (b2df00d650fd6c4ee781740ed3c8e67f) C:\WINDOWS\system32\drivers\PCIIde.sys
    2011/06/20 12:55:17.0078 3268 Pcmcia (815c50f2b1d1562800bdce8be895000e) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/06/20 12:55:17.0937 3268 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/06/20 12:55:18.0078 3268 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/06/20 12:55:18.0265 3268 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/06/20 12:55:18.0390 3268 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/06/20 12:55:19.0109 3268 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/06/20 12:55:19.0250 3268 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/06/20 12:55:19.0437 3268 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/06/20 12:55:19.0593 3268 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/06/20 12:55:19.0703 3268 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/06/20 12:55:19.0828 3268 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/06/20 12:55:19.0953 3268 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/06/20 12:55:20.0093 3268 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/06/20 12:55:20.0218 3268 redbook (393fc252593323b624b230eca6b85e63) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/06/20 12:55:20.0421 3268 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/06/20 12:55:20.0578 3268 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/06/20 12:55:20.0718 3268 Serial (fdbd9d64e2e03270021d424f0dccf79d) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/06/20 12:55:20.0843 3268 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/06/20 12:55:21.0125 3268 smwdm (7d9b50329af9fd94b0529282530d2cb7) C:\WINDOWS\system32\drivers\smwdm.sys
    2011/06/20 12:55:21.0390 3268 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/06/20 12:55:21.0578 3268 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/06/20 12:55:21.0578 3268 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/06/20 12:55:21.0578 3268 sptd - detected LockedFile.Multi.Generic (1)
    2011/06/20 12:55:21.0703 3268 sr (618718cae288bf7cbd8fcbab2577d932) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/06/20 12:55:21.0843 3268 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/06/20 12:55:22.0000 3268 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys
    2011/06/20 12:55:22.0125 3268 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/06/20 12:55:22.0265 3268 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/06/20 12:55:22.0859 3268 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/06/20 12:55:23.0015 3268 Tcpip (8e036eec565910417ea020ce0962aa24) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/06/20 12:55:23.0125 3268 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/06/20 12:55:23.0234 3268 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/06/20 12:55:23.0390 3268 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/06/20 12:55:23.0671 3268 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/06/20 12:55:23.0937 3268 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/06/20 12:55:24.0093 3268 upperdev (15629e4d65f97ab5432d6d9597cf6a33) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
    2011/06/20 12:55:24.0218 3268 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/06/20 12:55:24.0375 3268 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/06/20 12:55:24.0500 3268 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/06/20 12:55:24.0703 3268 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/06/20 12:55:24.0843 3268 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/06/20 12:55:24.0984 3268 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
    2011/06/20 12:55:25.0093 3268 UsbserFilt (5c17e6a11aa8be53f79fd364ba19f0ce) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
    2011/06/20 12:55:25.0218 3268 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/06/20 12:55:25.0375 3268 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/06/20 12:55:25.0500 3268 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/06/20 12:55:25.0781 3268 VolSnap (e46c1b5a56da7da603d09dfcc79ec59e) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/06/20 12:55:25.0937 3268 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/06/20 12:55:26.0093 3268 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2011/06/20 12:55:26.0359 3268 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/06/20 12:55:26.0500 3268 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
    2011/06/20 12:55:26.0703 3268 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/06/20 12:55:26.0875 3268 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/06/20 12:55:27.0000 3268 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/06/20 12:55:27.0062 3268 MBR (0x1B8) (828e02d5c4a4fbe53441ee9dbee51f43) \Device\Harddisk0\DR0
    2011/06/20 12:55:27.0187 3268
    2011/06/20 12:55:27.0187 3268 Scan finished
    2011/06/20 12:55:27.0187 3268

    2011/06/20 12:55:27.0203 3948 Detected object count: 1
    2011/06/20 12:55:27.0203 3948 Actual detected object count: 1
    2011/06/20 12:56:11.0359 3948 LockedFile.Multi.Generic(sptd) - User select action: Skip
    2011/06/20 12:56:15.0171 0192 Deinitialize success

  8. #8
    HTML.it user: menatwork
    Registered since: May 2009
    Posts: 4,330
    Anyway, it found only one threat (Threat), but only as suspicious; action chosen: skip. The file, precisely, is: C:\WINDOWS\system32\Drivers\sptd.sys; it says it is a locked file.

    No, leave it; if I'm not mistaken that file belongs to DAEMON Tools.

    Now go to C: and remove the QOOBOX folder.

    Run the cleanup with CCleaner again and check whether you can check it under Administrative Tools.
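
The reply above settles the one detection by hand: a `LockedFile.Multi.Generic` verdict means the scanner could not read the driver, not that a signature matched, and `sptd.sys` is a known self-protecting driver. The following Python is an added example (not from this thread and not part of TDSSKiller) that does the same triage over log lines in the format pasted above: it inventories the drivers, pairs each "detected" line with its "Suspicious file" and "User select action" lines, and rates generic LockedFile verdicts on allowlisted drivers as informational. The sample lines are copied from the log in this thread; the `KNOWN_LOCKED_DRIVERS` allowlist is an assumption written for illustration (it records the reply's own attribution of sptd to DAEMON Tools), and the function names are the example's own.

```python
import re

# Sample input: a few lines copied from the TDSSKiller log pasted in this
# thread (same format, same values), embedded so the parser runs offline.
SAMPLE_LOG = r"""
2011/06/20 12:55:21.0578 3268 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/06/20 12:55:21.0578 3268 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/06/20 12:55:21.0578 3268 sptd - detected LockedFile.Multi.Generic (1)
2011/06/20 12:55:21.0703 3268 sr (618718cae288bf7cbd8fcbab2577d932) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/20 12:55:27.0062 3268 MBR (0x1B8) (828e02d5c4a4fbe53441ee9dbee51f43) \Device\Harddisk0\DR0
2011/06/20 12:55:27.0203 3948 Detected object count: 1
2011/06/20 12:56:11.0359 3948 LockedFile.Multi.Generic(sptd) - User select action: Skip
"""

# Every record starts with "<date> <time> <thread id> "; the rest varies by kind.
PREFIX = r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tid>\d+) "
DRIVER_RE = re.compile(PREFIX + r"(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSPICIOUS_RE = re.compile(PREFIX + r"Suspicious file \((?P<reason>\w+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
DETECTED_RE = re.compile(PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+) \((?P<count>\d+)\)$")
ACTION_RE = re.compile(PREFIX + r"(?P<verdict>\S+)\((?P<name>\S+)\) - User select action: (?P<action>\S+)$")
COUNT_RE = re.compile(PREFIX + r"Detected object count: (?P<count>\d+)$")

# Assumed allowlist (illustration only): drivers the scanner routinely cannot
# read because they protect themselves, and the software that ships them.
KNOWN_LOCKED_DRIVERS = {
    "sptd": "SPTD layer installed by DAEMON Tools / Alcohol 120%",
}


def parse_tdsskiller_log(text):
    """Return the driver inventory, per-object detections and the scanner's own count."""
    report = {"drivers": [], "detections": {}, "detected_count": None}
    suspicious_by_path = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := COUNT_RE.match(line):
            report["detected_count"] = int(m["count"])
        elif m := SUSPICIOUS_RE.match(line):
            suspicious_by_path[m["path"].lower()] = {"reason": m["reason"], "md5": m["md5"]}
        elif m := DETECTED_RE.match(line):
            det = report["detections"].setdefault(m["name"], {"name": m["name"], "action": None})
            det["verdict"] = m["verdict"]
        elif m := ACTION_RE.match(line):
            det = report["detections"].setdefault(m["name"], {"name": m["name"], "verdict": m["verdict"]})
            det["action"] = m["action"]
        elif m := DRIVER_RE.match(line):
            report["drivers"].append({"name": m["name"], "md5": m["md5"], "path": m["path"]})
    # Enrich each detection with path/hash from the inventory and the reason
    # the scanner gave on its "Suspicious file" line (e.g. NoAccess).
    by_name = {d["name"]: d for d in report["drivers"]}
    for name, det in report["detections"].items():
        drv = by_name.get(name, {})
        det.setdefault("path", drv.get("path"))
        det.setdefault("md5", drv.get("md5"))
        det["reason"] = suspicious_by_path.get((det["path"] or "").lower(), {}).get("reason")
    return report


def triage(report, allowlist=KNOWN_LOCKED_DRIVERS):
    """Rate each detection. LockedFile.* means 'could not read', not a signature hit."""
    findings = []
    for name, det in report["detections"].items():
        verdict = det.get("verdict", "")
        if verdict.startswith("LockedFile.") and name.lower() in allowlist:
            severity, note = "informational", allowlist[name.lower()]
        elif verdict.startswith("LockedFile."):
            severity, note = "review", "locked driver not on the allowlist; verify publisher and hash"
        elif det.get("action") in (None, "Skip"):
            severity, note = "unresolved", "real detection left untreated"
        else:
            severity, note = "handled", f"action: {det['action']}"
        findings.append({"name": name, "path": det.get("path"), "md5": det.get("md5"),
                         "verdict": verdict, "action": det.get("action"),
                         "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    for f in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print(f"{f['severity']:<14} {f['name']:<8} {f['verdict']:<26} {f['path']}  ({f['note']})")
```

Run it on a full saved log by passing the file's contents to `parse_tdsskiller_log`; anything rated `review` or `unresolved` is what still needs a human look, while the `informational` line reproduces the judgement the reply above made for `sptd.sys`.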

  9. #9
    It won't let me delete the Qoobox folder: access denied (more precisely, access denied to the BackEnv folder inside Qoobox).
    What does "check whether you can check it under Administrative Tools" mean? Do you mean CCleaner? I remind you that Administrative Tools in the Control Panel is empty...
    I'll also wait before running the cleanup with CCleaner...

  10. #10
    HTML.it user: menatwork
    Registered since: May 2009
    Posts: 4,330
    I didn't express myself clearly; I meant: if Administrative Tools is still empty and you haven't fixed it, try WinRecover.

    Now run a cleanup with CCleaner.

    Download OTC by OldTimer.

    Run it.
    Click CleanUp.
    When asked to reboot, click YES.
