Hi everyone, after carelessly downloading programs from a site I believed to be trustworthy, I must have picked up some form of malware. The symptoms are a system freeze at startup which, after a few minutes, ends in the error message "Windows Explorer has stopped working and will be restarted". After that everything seems to work correctly (seems).
After the infection I noticed that two services had been added in msconfig, which I disabled without success:
Serv Updater (author: serviceupd)
Software Upd (author: SoftwareUpdService)
I don't know whether they might be related to the infection, but they weren't there before...
Following the forum, although I'm not an expert on the subject, I ran HijackThis and ComboFix with the following results:
HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:36:17, on 16/12/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
C:\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
--
End of file - 2096 bytes
COMBOFIX
ComboFix 12-12-14.01 - samsung 16/12/2012 23:37:53.4.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.39.1040.18.3033.2164 [GMT 1:00]
Eseguito da: c:\users\samsung\Desktop\ComboFix.exe
AV: McAfee VirusScan *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Personal Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee VirusScan *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
.
c:\users\samsung\AppData\Local\assembly\tmp
.
.
((((((((((((((((((((((((( Files Creati Da 2012-11-16 al 2012-12-16 )))))))))))))))))))))))))))))))))))
.
.
2012-12-16 22:44 . 2012-12-16 22:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-16 22:18 . 2012-12-16 22:36 -------- d-----w- C:\hijackthis
2012-12-15 14:23 . 2012-12-16 22:44 -------- d-----w- c:\users\samsung\AppData\Local\temp
2012-12-15 08:42 . 2012-12-15 08:42 -------- d-----w- C:\Intel
2012-12-14 21:01 . 2012-12-14 21:01 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-12-14 20:59 . 2012-12-14 20:59 -------- d-----w- c:\users\samsung\AppData\Roaming\Auslogics
2012-12-14 20:53 . 2012-12-14 20:53 -------- d-----w- c:\program files\CCleaner
2012-12-14 14:31 . 2001-09-05 02:18 77824 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2012-12-14 14:31 . 2001-09-05 02:18 225280 ----a-w- c:\program files\Common Files\InstallShield\IScript\iscript.dll
2012-12-14 14:31 . 2001-09-05 02:14 176128 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2012-12-14 14:31 . 2001-09-05 02:13 32768 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2012-12-14 14:31 . 2002-07-25 07:07 614532 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2012-12-14 13:53 . 2012-12-14 14:06 -------- d-----w- C:\Canon
2012-12-14 13:39 . 2012-12-14 15:02 -------- d-----w- c:\users\samsung\AppData\Local\PosService
2012-12-14 13:39 . 2012-12-14 13:41 -------- d-----w- c:\users\samsung\AppData\Local\ServUpdater
2012-12-14 13:24 . 2012-12-14 13:42 -------- d-----w- c:\users\samsung\AppData\Local\SoftwareUpdater
2012-12-14 13:24 . 2012-12-14 13:24 -------- d-----w- c:\program files\Softi Software
2012-12-14 13:24 . 2012-12-14 13:24 -------- d-----w- c:\users\samsung\AppData\Roaming\Softi Software
2012-12-07 01:20 . 2012-11-19 00:04 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{770D4EFE-D785-4C0D-9BA1-F24AD07200B3}\mpengine.dll
2012-12-05 21:07 . 2012-12-05 21:07 -------- d-----w- c:\program files\Synaptics
2012-11-19 08:08 . 2012-11-19 08:08 -------- d-----w- c:\program files\ReviverSoft
2012-11-19 08:07 . 2012-11-19 08:07 -------- d-----w- c:\users\samsung\AppData\Roaming\DVDVideoSoft
2012-11-19 08:07 . 2012-11-19 08:07 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2012-11-19 08:07 . 2012-11-19 08:07 -------- d-----w- c:\users\samsung\AppData\Roaming\OpenCandy
2012-11-18 20:32 . 2012-11-18 20:32 -------- d-----w- c:\users\samsung\Export
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
2012-12-05 21:06 . 2009-08-07 09:49 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2012-12-05 21:06 . 2010-02-26 09:33 242992 ----a-w- c:\windows\system32\drivers\SynTP.sys
2012-12-05 21:06 . 2010-02-26 09:31 165160 ----a-w- c:\windows\system32\SynTPAPI.dll
2012-12-05 21:06 . 2010-02-26 09:31 120104 ----a-w- c:\windows\system32\SynTPCo4.dll
2012-12-05 21:06 . 2010-02-26 09:31 210216 ----a-w- c:\windows\system32\SynCtrl.dll
2012-12-05 21:06 . 2010-02-26 09:31 173352 ----a-w- c:\windows\system32\SynCOM.dll
2011-05-16 12:15 . 2011-05-16 12:15 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2012-12-05 1713448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 151064]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 174104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 09:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 21:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-01 22:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CDAServer]
2010-12-17 17:12 332288 ----a-w- c:\program files\Common Files\Common Desktop Agent\CDASrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-22 20:27 136176 ----atw- c:\users\samsung\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 16:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 16:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [x]
R3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\DRIVERS\ONDAusbmdm6k.sys [x]
R3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\DRIVERS\ONDAusbnmea.sys [x]
R3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\DRIVERS\ONDAusbser6k.sys [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 ServUpdater;Serv Updater;c:\users\samsung\AppData\Local\ServUpdater\ServiceUpd.exe [x]
R4 SoftwareUpd;Software Upd;c:\users\samsung\AppData\Local\SoftwareUpdater\SoftwareUpdService.exe [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
.
.
Contenuto della cartella 'Scheduled Tasks'
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-14 11:15]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-14 11:15]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1871111397-3539990770-1974983793-1000Core.job
- c:\users\samsung\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-22 20:27]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1871111397-3539990770-1974983793-1000UA.job
- c:\users\samsung\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-22 20:27]
.
.
------- Scansione supplementare -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.43.1
TCP: Interfaces\{95DE52F9-5E06-47C9-BE22-4B7FE2603F77}: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\samsung\AppData\Roaming\Mozilla\Firefox\Profiles\tkb15jvk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2530241&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ST-IT2 Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
.
.
------- Associazioni dei file -------
.
.scr=AutoCADScriptFile
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Ora fine scansione: 2012-12-16 23:45:16
ComboFix-quarantined-files.txt 2012-12-16 22:45
ComboFix2.txt 2012-12-16 19:28
ComboFix3.txt 2012-12-15 15:01
ComboFix4.txt 2012-12-15 14:22
.
Pre-Run: 54.797.111.296 byte disponibili
Post-Run: 54.763.524.096 byte disponibili
.
- - End Of File - - 3984092B50C07E2700443FCA2B33EBAC
I hope someone can help me, thanks in advance!