I Forum di Zeus News - Pronto Soccorso Virus
Thread: Virus

zesergio (Mortale devoto) - Posted: 25 Jan 2008 00:15 - Subject: Virus

KILLVBS.VBS: can someone help me... what is killvbs.vbs? Help, and thanks.

bdoriano (Amministratore) - Posted: 25 Jan 2008 00:37

Hi zesergio,

That is rather thin on information.
What problems are you seeing?

Follow the instructions in this topic to post a HijackThis log.

zesergio (Mortale devoto) - Posted: 25 Jan 2008 00:44

avast Attenzione

HO TROVATO UN VIRUS

NOME DEL FILE: J:\KILLVBS.vbs
nome MALWARE VBS:autoVBS
TIPO DI MALWARE VIRUS/Worm

What should I do?

That's all there is; I tried to delete it but no luck. Bye, thanks.

zesergio (Mortale devoto) - Posted: 25 Jan 2008 00:47 - Subject: virus???

Also, Windows Script Host shows me:

Caricamento dello script "J:\killVBS.vbs non riuscito (accesso negato)

J = external USB drive (256)

Thanks

bdoriano (Amministratore) - Posted: 25 Jan 2008 00:51

Repetita iuvant:
bdoriano wrote:
Follow the instructions in this topic to post a HijackThis log.

zesergio (Mortale devoto) - Posted: 25 Jan 2008 00:55 - Subject: help

Sorry for my ignorance, but to me it's all "Greek", I mean, what does that mean? What do I have to do? Sorry to bother you, bye.

zesergio (Mortale devoto) - Posted: 25 Jan 2008 00:58 - Subject: virus

What does "post the log" mean?

zesergio (Mortale devoto) - Posted: 25 Jan 2008 01:08 - Subject: here it is

I hope I did it right... waiting for news... thanks... bye

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.06.45, on 25/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\acs.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\TP-LINK\TWCU\TWCU.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programmi\CDBurnerXP\NMSAccessU.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\DOCUME~1\SERGIO~1.SER\IMPOST~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\SERGIO~1.SER\IMPOST~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\hj\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\killVBS.vbs
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [TWCU] C:\Programmi\TP-LINK\TWCU\TWCU.exe -nogui
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programmi\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programmi\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.computercityhw.it
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file:///C:/Programmi/AutoCAD%20LT%202002%20Ita/AcPreview.ocx
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8155 bytes
zesergio (Mortale devoto) - Posted: 25 Jan 2008 01:14 - Subject: system

I forgot: operating system XP, antivirus Avast. Thanks, bye.

Sante62 (Dio maturo) - Posted: 25 Jan 2008 10:06

Hi zesergio,
disable System Restore and boot the PC in Safe Mode.
Run HijackThis, select these lines and then click "Fix checked", answering yes:
Quote:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Reboot the PC into normal mode and post a new HJT log.
Look at this discussion about ComboFix, and scan the PC, posting the result as indicated. Also do these steps:
Scan with GMER
Remember that there are two GMER logs: Autostart and Rootkit. Post them on www.freefilehosting.net as indicated here
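An added example (not code from the thread or from HijackThis/ComboFix) in Python: a small checker for the two persistence mechanisms visible in the logs posted here, the UserInit value in the F2 line above, which on a clean XP machine should launch only userinit.exe, and the MountPoints2 AutoRun commands that ComboFix reports further down for the USB drive, which launch wscript.exe on the same script. The sample lines are constructed after the formats quoted in this thread; the check names and the list of script hosts and extensions are my assumptions.

```python
import re

# Constructed sample, modelled line by line on the HijackThis (F2/O4) and
# ComboFix (MountPoints2) output quoted in this thread; not a real log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\killVBS.vbs
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c2942-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
"""

# Windows Script Host binaries and the script extensions they run (assumed list).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# The only entry that belongs in UserInit: userinit.exe from the system32 folder.
LEGIT_USERINIT = re.compile(r"^(?:[a-z]:\\.*\\system32\\)?userinit\.exe$", re.I)


def runs_script(command):
    """True if a command line launches WSH or names a WSH script file."""
    tokens = [t.strip('"') for t in command.lower().split()]
    return any(t.endswith(SCRIPT_HOSTS) or t.endswith(SCRIPT_EXTS) for t in tokens)


def check_userinit(line):
    """HijackThis F2 line. UserInit is started by winlogon before the shell,
    so every comma-separated entry other than userinit.exe is flagged."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [("UserInit extra entry", e) for e in entries
            if not LEGIT_USERINIT.match(e)]


def check_run_entry(line):
    """HijackThis O4 line (Run key): flag entries that start a script host."""
    m = re.match(r"O4 - (.*?)\\\.\.\\Run: \[([^\]]*)\] (.*)$", line)
    if not m:
        return []
    hive, name, cmd = m.groups()
    if runs_script(cmd):
        return [("Run entry [%s] under %s launches a script" % (name, hive), cmd)]
    return []


def check_autorun(line):
    """ComboFix MountPoints2 line: the AutoRun command Explorer cached for a
    removable drive. Any such command deserves a look; one that starts a
    script host is the pattern seen in this thread."""
    m = re.match(r"\\Shell\\AutoRun\\command - (.*)$", line)
    if not m:
        return []
    cmd = m.group(1)
    if runs_script(cmd):
        return [("removable-drive AutoRun launches a script", cmd)]
    return [("removable-drive AutoRun command", cmd)]


def scan(log_text):
    """Run every check over each line; returns a list of (finding, evidence)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_userinit, check_run_entry, check_autorun):
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for what, evidence in scan(SAMPLE_LOG):
        print("%-45s %s" % (what, evidence))
```

On the sample the checker reports the extra wscript.exe entry in UserInit and the script-launching AutoRun command, and stays silent on the ordinary Run entries.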
zesergio (Mortale devoto) - Posted: 25 Jan 2008 19:37

I did everything you told me... I only got lost on the last part, the one about FreeFileHosting... after clicking Browse, what is supposed to happen?

Below:

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:53, on 2008-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\TP-LINK\TWCU\TWCU.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programmi\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\IncrediMail\bin\IncMail.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\Alwil Software\Avast4\setup\avast.setup
C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Sergio.SERVER-8BEC7D3D\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\killVBS.vbs
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [TWCU] C:\Programmi\TP-LINK\TWCU\TWCU.exe -nogui
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programmi\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programmi\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.computercityhw.it
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file:///C:/Programmi/AutoCAD%20LT%202002%20Ita/AcPreview.ocx
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Programmi\CDBurnerXP\NMSAccessU.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7782 bytes


COMBOFIX RESULT

ComboFix 08-01-23.1C - Sergio 2008-01-25 17:56:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1592 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Sergio.SERVER-8BEC7D3D\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2007-12-25 al 2008-01-25 )))))))))))))))))))))))))))))))))))
.

2008-01-25 17:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 00:06 . 2008-01-25 00:06 <DIR> d-------- C:\hj
2008-01-24 23:17 . 2008-01-24 23:17 <DIR> d-------- C:\WINDOWS\Sun
2008-01-24 18:09 . 2008-01-24 18:29 3 --a------ C:\WINDOWS\Twain001.Mtx
2008-01-24 18:09 . 2008-01-24 18:09 0 --a------ C:\WINDOWS\Twunk003.MTX
2008-01-24 18:09 . 2008-01-24 18:09 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-01-23 17:38 . 2008-01-23 17:38 <DIR> d-------- C:\Programmi\PC Connectivity Solution
2008-01-23 17:38 . 2008-01-23 17:38 <DIR> d-------- C:\Programmi\File comuni\PCSuite
2008-01-23 17:38 . 2008-01-23 17:38 <DIR> d-------- C:\Programmi\DIFX
2008-01-23 17:32 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-01-23 17:32 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-01-23 17:32 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-01-23 17:32 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-01-23 17:32 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-01-23 17:31 . 2008-01-24 18:09 <DIR> d-------- C:\Programmi\Nokia
2008-01-23 17:31 . 2008-01-24 18:09 <DIR> d-------- C:\Programmi\File comuni\Nokia
2008-01-23 15:21 . 2008-01-23 15:21 <DIR> d-------- C:\spoolerlogs
2008-01-22 17:42 . 2008-01-22 17:42 <DIR> d-------- C:\Programmi\Riva
2008-01-22 17:42 . 2008-01-22 17:42 <DIR> d-------- C:\Programmi\File comuni\SWF Studio
2008-01-21 17:54 . 2008-01-22 21:38 <DIR> d-------- C:\CHIARA
2008-01-20 20:16 . 2008-01-25 17:54 13,827 --a------ C:\logfile
2008-01-20 20:15 . 2008-01-23 17:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-20 20:15 . 2007-06-06 09:57 2,363,392 --a------ C:\WINDOWS\system32\xerces-c_2_7.dll
2008-01-20 20:15 . 2007-06-06 09:18 45,056 --a------ C:\WINDOWS\system32\KPDDynCC.DLL
2008-01-20 20:15 . 2007-06-06 09:25 40,960 --a------ C:\WINDOWS\system32\KPDLM.dll
2008-01-20 20:14 . 2008-01-20 20:14 <DIR> d-------- C:\Programmi\File comuni\Kodak
2008-01-20 18:58 . 1999-07-22 00:04 271,872 -ra------ C:\WINDOWS\system32\ucs32p.dll
2008-01-20 18:58 . 1999-07-22 01:09 13,824 -ra------ C:\WINDOWS\system32\FB63Ucpl.cpl
2008-01-20 18:58 . 1999-07-22 00:02 11,556 -ra------ C:\WINDOWS\system32\drivers\FB630U.sys
2008-01-20 18:29 . 2008-01-20 18:29 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-20 18:29 . 2008-01-20 18:29 <DIR> d-------- C:\Programmi\QuickTime
2008-01-20 18:29 . 2008-01-20 18:29 <DIR> d-------- C:\Programmi\Bonjour
2008-01-20 18:28 . 2008-01-20 18:28 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-01-20 18:28 . 2004-08-19 15:39 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-20 18:28 . 2006-04-20 14:27 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2008-01-20 18:28 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-20 18:28 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-20 18:28 . 2001-08-30 23:07 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-20 18:27 . 2008-01-20 20:01 <DIR> d-------- C:\WINDOWS\system32\color
2008-01-20 18:16 . 2008-01-20 18:47 395 --a------ C:\WINDOWS\I_VIEW32.INI
2008-01-20 18:12 . 2008-01-20 20:15 <DIR> d-------- C:\Programmi\Kodak
2008-01-20 18:00 . 2008-01-20 18:00 <DIR> d-------- C:\Programmi\Alwil Software
2008-01-20 17:59 . 2008-01-20 18:00 <DIR> d-------- C:\avast
2008-01-19 09:38 . 2008-01-19 09:38 <DIR> d-------- C:\Programmi\CDBurnerXP
2008-01-17 23:36 . 2008-01-17 23:36 <DIR> d-------- C:\Programmi\MSXML 4.0
2008-01-17 22:31 . 2008-01-19 23:01 <DIR> d-------- C:\Programmi\eMule
2008-01-17 22:21 . 2008-01-17 22:25 <DIR> d-------- C:\DOCFA 3.00.5
2008-01-17 21:50 . 2008-01-17 21:50 7,486 -rahs---- C:\WINDOWS\system32\killVBS.vbs
2008-01-17 21:21 . 2004-08-19 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-17 21:20 . 2008-01-17 21:20 <DIR> d-------- C:\Programmi\Iomega
2008-01-17 20:52 . 2008-01-17 20:52 <DIR> d-------- C:\ATI
2008-01-17 20:46 . 2008-01-17 20:46 <DIR> d-------- C:\Programmi\WexTech
2008-01-17 20:46 . 1997-12-17 18:33 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-01-17 20:46 . 2000-05-02 10:03 225,280 --a------ C:\WINDOWS\system32\awrtl30.dll
2008-01-17 20:46 . 1998-08-04 11:22 111,616 --------- C:\WINDOWS\system32\Ltih30tb.dll
2008-01-17 20:45 . 2000-10-20 22:25 487,184 --a------ C:\WINDOWS\system32\Mrt7enu.dll
2008-01-17 20:45 . 2000-10-20 22:25 446,464 --a------ C:\WINDOWS\system32\hhactivex.dll
2008-01-17 20:45 . 1999-08-02 10:13 301,568 --a------ C:\WINDOWS\unin0410.exe
2008-01-17 20:45 . 2000-10-20 22:25 79,360 --a------ C:\WINDOWS\system32\acdbres.dll
2008-01-17 20:45 . 2000-10-20 22:25 31,744 --a------ C:\WINDOWS\system32\Hlp95en.dll
2008-01-17 20:45 . 2000-10-20 22:25 25,872 --a------ C:\WINDOWS\system32\Fm20ENU.dll
2008-01-17 20:44 . 2008-01-17 20:46 <DIR> d-------- C:\Programmi\File comuni\Wextech Shared
2008-01-17 20:34 . 2008-01-17 20:34 107,132 --a------ C:\WINDOWS\UninstallFirefox.exe
2008-01-17 20:24 . 2008-01-17 22:30 <DIR> d-------- C:\Programmi\Java
2008-01-17 20:24 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 20:22 . 2008-01-17 22:22 <DIR> d-------- C:\Programmi\Yahoo!
2008-01-17 20:20 . 2008-01-17 20:21 <DIR> d-------- C:\Programmi\File comuni\Adobe
2008-01-17 20:16 . 2008-01-17 20:16 424 --a------ C:\WINDOWS\ODBC.INI
2008-01-17 20:00 . 2008-01-17 20:00 <DIR> d-------- C:\WINDOWS\A4W_DATA
2008-01-17 20:00 . 2008-01-17 20:00 604 --a------ C:\WINDOWS\MAXLINK.INI
2008-01-17 20:00 . 2008-01-17 20:00 47 --a------ C:\WINDOWS\OPLEInst.ini
2008-01-17 20:00 . 2008-01-17 20:00 35 --a------ C:\WINDOWS\A4W.INI
2008-01-17 19:59 . 2008-01-17 20:00 <DIR> d-------- C:\OPLIMIT
2008-01-17 19:59 . 1998-03-18 14:24 20,976 --a------ C:\WINDOWS\CTL3D.DLL
2008-01-17 19:59 . 2008-01-17 23:35 757 --a------ C:\WINDOWS\oplimit.ini
2008-01-17 19:58 . 1996-08-24 11:11 384,512 --------- C:\WINDOWS\system32\MFCO40.DLL
2008-01-17 19:58 . 1997-04-18 11:51 252,928 --a------ C:\WINDOWS\UN160410.EXE
2008-01-17 19:58 . 1997-04-08 20:03 248,176 --a------ C:\WINDOWS\UNINST16.EXE
2008-01-17 19:58 . 1998-09-29 12:35 27,648 --a------ C:\WINDOWS\Photo Express 2 SE.scr
2008-01-17 19:58 . 1995-07-13 18:43 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2008-01-17 19:58 . 2008-01-25 17:52 646 --a------ C:\WINDOWS\ULEAD32.INI
2008-01-17 19:57 . 1998-07-30 17:43 306,176 --a------ C:\WINDOWS\IsUn0410.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,184,064 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,139,648 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,061,312 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,019,328 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-17 19:40 . 2006-06-01 19:48 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-01-17 19:40 . 2006-06-01 19:48 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-01-17 19:39 . 2006-05-05 10:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-01-17 19:39 . 2006-03-17 01:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-01-17 19:20 . 2008-01-16 15:32 71,674 --a------ C:\WINDOWS\hpdj3740.hi2
2008-01-17 19:20 . 2008-01-17 19:19 11,208 --a------ C:\WINDOWS\hpdj3740.bu1
2008-01-17 19:16 . 2003-12-11 11:15 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-01-17 19:16 . 2003-12-11 11:15 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-01-17 19:16 . 2003-12-11 11:15 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-01-17 19:16 . 2003-12-11 11:15 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2008-01-17 19:16 . 2003-12-11 11:15 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-01-17 19:15 . 2008-01-17 19:19 233,978 --a------ C:\WINDOWS\hpdj3740.hi1
2008-01-17 19:15 . 2004-03-04 16:07 200,704 -ra------ C:\WINDOWS\system32\hpzpnp10.dll
2008-01-17 19:15 . 2008-01-17 19:20 790 --a------ C:\WINDOWS\hpdj3740.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 19:52 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-01-11 10:35 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-11 10:25 --------- d-----w C:\Programmi\File comuni\InstallShield
2008-01-11 09:45 --------- d-----w C:\Programmi\File comuni\SpeechEngines
2008-01-11 09:45 --------- d-----w C:\Programmi\File comuni\ODBC
2008-01-11 09:15 --------- d-----w C:\Programmi\Realtek
2008-01-11 09:14 --------- d-----w C:\Programmi\Intel
2008-01-11 08:53 --------- d--h--w C:\Programmi\Uninstall Information
2008-01-11 08:51 --------- d-----w C:\Programmi\microsoft frontpage
2008-01-11 08:50 --------- d-----w C:\Programmi\Servizi in linea
2008-01-11 08:49 --------- d-----w C:\Programmi\File comuni\MSSoap
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-07 09:27 727,552 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00 15360]
"IncrediMail"="C:\Programmi\IncrediMail\bin\IncMail.exe" [2008-01-17 11:08 214456]
"PC Suite Tray"="C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-11-09 13:16 688128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 09:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"StartCCC"="C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"TWCU"="C:\Programmi\TP-LINK\TWCU\TWCU.exe" [2006-03-29 16:12 364544]
"HP Component Manager"="C:\Programmi\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 16:46 172032]
"HP Software Update"="C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 18:55 49152]
"PE2CKFNT SE"="C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51 25088]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"WinampAgent"="C:\Programmi\Winamp\winampa.exe" [2007-05-14 23:22 35328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-01-20 18:29 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:00 15360]
"Nokia.PCSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Synchronizer.lnk - C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Kodak EasyShare software.lnk - C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]
Photo Express Calendar Checker SE.lnk - C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2008-01-17 19:58:08 55296]

R2 NMSAccessU;NMSAccessU;C:\Programmi\CDBurnerXP\NMSAccessU.exe [2007-10-12 08:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c2942-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c294b-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c294d-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

*Newly Created Service* - PROCEXP90
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-20 19:10:36 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\DATIAP~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-01-23 14:33:00 C:\WINDOWS\Tasks\WebReg 20080116153310.job"
- C:\Programmi\HP\Digital Imaging\bin\hpqwrg.exeQ/TaskName 20080116153310 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 17:58:13
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-25 17:58:29
.
2008-01-21 19:06:50 --- E O F ---



GMER AUTOSTART LOG

ComboFix 08-01-23.1C - Sergio 2008-01-25 17:56:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1592 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Sergio.SERVER-8BEC7D3D\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2007-12-25 al 2008-01-25 )))))))))))))))))))))))))))))))))))
.

2008-01-25 17:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 00:06 . 2008-01-25 00:06 <DIR> d-------- C:\hj
2008-01-24 23:17 . 2008-01-24 23:17 <DIR> d-------- C:\WINDOWS\Sun
2008-01-24 18:09 . 2008-01-24 18:29 3 --a------ C:\WINDOWS\Twain001.Mtx
2008-01-24 18:09 . 2008-01-24 18:09 0 --a------ C:\WINDOWS\Twunk003.MTX
2008-01-24 18:09 . 2008-01-24 18:09 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-01-23 17:38 . 2008-01-23 17:38 <DIR> d-------- C:\Programmi\PC Connectivity Solution
2008-01-23 17:38 . 2008-01-23 17:38 <DIR> d-------- C:\Programmi\File comuni\PCSuite
2008-01-23 17:38 . 2008-01-23 17:38 <DIR> d-------- C:\Programmi\DIFX
2008-01-23 17:32 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-01-23 17:32 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-01-23 17:32 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-01-23 17:32 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-01-23 17:32 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-01-23 17:31 . 2008-01-24 18:09 <DIR> d-------- C:\Programmi\Nokia
2008-01-23 17:31 . 2008-01-24 18:09 <DIR> d-------- C:\Programmi\File comuni\Nokia
2008-01-23 15:21 . 2008-01-23 15:21 <DIR> d-------- C:\spoolerlogs
2008-01-22 17:42 . 2008-01-22 17:42 <DIR> d-------- C:\Programmi\Riva
2008-01-22 17:42 . 2008-01-22 17:42 <DIR> d-------- C:\Programmi\File comuni\SWF Studio
2008-01-21 17:54 . 2008-01-22 21:38 <DIR> d-------- C:\CHIARA
2008-01-20 20:16 . 2008-01-25 17:54 13,827 --a------ C:\logfile
2008-01-20 20:15 . 2008-01-23 17:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-20 20:15 . 2007-06-06 09:57 2,363,392 --a------ C:\WINDOWS\system32\xerces-c_2_7.dll
2008-01-20 20:15 . 2007-06-06 09:18 45,056 --a------ C:\WINDOWS\system32\KPDDynCC.DLL
2008-01-20 20:15 . 2007-06-06 09:25 40,960 --a------ C:\WINDOWS\system32\KPDLM.dll
2008-01-20 20:14 . 2008-01-20 20:14 <DIR> d-------- C:\Programmi\File comuni\Kodak
2008-01-20 18:58 . 1999-07-22 00:04 271,872 -ra------ C:\WINDOWS\system32\ucs32p.dll
2008-01-20 18:58 . 1999-07-22 01:09 13,824 -ra------ C:\WINDOWS\system32\FB63Ucpl.cpl
2008-01-20 18:58 . 1999-07-22 00:02 11,556 -ra------ C:\WINDOWS\system32\drivers\FB630U.sys
2008-01-20 18:29 . 2008-01-20 18:29 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-20 18:29 . 2008-01-20 18:29 <DIR> d-------- C:\Programmi\QuickTime
2008-01-20 18:29 . 2008-01-20 18:29 <DIR> d-------- C:\Programmi\Bonjour
2008-01-20 18:28 . 2008-01-20 18:28 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-01-20 18:28 . 2004-08-19 15:39 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-20 18:28 . 2006-04-20 14:27 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2008-01-20 18:28 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-20 18:28 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-20 18:28 . 2001-08-30 23:07 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-20 18:27 . 2008-01-20 20:01 <DIR> d-------- C:\WINDOWS\system32\color
2008-01-20 18:16 . 2008-01-20 18:47 395 --a------ C:\WINDOWS\I_VIEW32.INI
2008-01-20 18:12 . 2008-01-20 20:15 <DIR> d-------- C:\Programmi\Kodak
2008-01-20 18:00 . 2008-01-20 18:00 <DIR> d-------- C:\Programmi\Alwil Software
2008-01-20 17:59 . 2008-01-20 18:00 <DIR> d-------- C:\avast
2008-01-19 09:38 . 2008-01-19 09:38 <DIR> d-------- C:\Programmi\CDBurnerXP
2008-01-17 23:36 . 2008-01-17 23:36 <DIR> d-------- C:\Programmi\MSXML 4.0
2008-01-17 22:31 . 2008-01-19 23:01 <DIR> d-------- C:\Programmi\eMule
2008-01-17 22:21 . 2008-01-17 22:25 <DIR> d-------- C:\DOCFA 3.00.5
2008-01-17 21:50 . 2008-01-17 21:50 7,486 -rahs---- C:\WINDOWS\system32\killVBS.vbs
2008-01-17 21:21 . 2004-08-19 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-17 21:20 . 2008-01-17 21:20 <DIR> d-------- C:\Programmi\Iomega
2008-01-17 20:52 . 2008-01-17 20:52 <DIR> d-------- C:\ATI
2008-01-17 20:46 . 2008-01-17 20:46 <DIR> d-------- C:\Programmi\WexTech
2008-01-17 20:46 . 1997-12-17 18:33 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-01-17 20:46 . 2000-05-02 10:03 225,280 --a------ C:\WINDOWS\system32\awrtl30.dll
2008-01-17 20:46 . 1998-08-04 11:22 111,616 --------- C:\WINDOWS\system32\Ltih30tb.dll
2008-01-17 20:45 . 2000-10-20 22:25 487,184 --a------ C:\WINDOWS\system32\Mrt7enu.dll
2008-01-17 20:45 . 2000-10-20 22:25 446,464 --a------ C:\WINDOWS\system32\hhactivex.dll
2008-01-17 20:45 . 1999-08-02 10:13 301,568 --a------ C:\WINDOWS\unin0410.exe
2008-01-17 20:45 . 2000-10-20 22:25 79,360 --a------ C:\WINDOWS\system32\acdbres.dll
2008-01-17 20:45 . 2000-10-20 22:25 31,744 --a------ C:\WINDOWS\system32\Hlp95en.dll
2008-01-17 20:45 . 2000-10-20 22:25 25,872 --a------ C:\WINDOWS\system32\Fm20ENU.dll
2008-01-17 20:44 . 2008-01-17 20:46 <DIR> d-------- C:\Programmi\File comuni\Wextech Shared
2008-01-17 20:34 . 2008-01-17 20:34 107,132 --a------ C:\WINDOWS\UninstallFirefox.exe
2008-01-17 20:24 . 2008-01-17 22:30 <DIR> d-------- C:\Programmi\Java
2008-01-17 20:24 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 20:22 . 2008-01-17 22:22 <DIR> d-------- C:\Programmi\Yahoo!
2008-01-17 20:20 . 2008-01-17 20:21 <DIR> d-------- C:\Programmi\File comuni\Adobe
2008-01-17 20:16 . 2008-01-17 20:16 424 --a------ C:\WINDOWS\ODBC.INI
2008-01-17 20:00 . 2008-01-17 20:00 <DIR> d-------- C:\WINDOWS\A4W_DATA
2008-01-17 20:00 . 2008-01-17 20:00 604 --a------ C:\WINDOWS\MAXLINK.INI
2008-01-17 20:00 . 2008-01-17 20:00 47 --a------ C:\WINDOWS\OPLEInst.ini
2008-01-17 20:00 . 2008-01-17 20:00 35 --a------ C:\WINDOWS\A4W.INI
2008-01-17 19:59 . 2008-01-17 20:00 <DIR> d-------- C:\OPLIMIT
2008-01-17 19:59 . 1998-03-18 14:24 20,976 --a------ C:\WINDOWS\CTL3D.DLL
2008-01-17 19:59 . 2008-01-17 23:35 757 --a------ C:\WINDOWS\oplimit.ini
2008-01-17 19:58 . 1996-08-24 11:11 384,512 --------- C:\WINDOWS\system32\MFCO40.DLL
2008-01-17 19:58 . 1997-04-18 11:51 252,928 --a------ C:\WINDOWS\UN160410.EXE
2008-01-17 19:58 . 1997-04-08 20:03 248,176 --a------ C:\WINDOWS\UNINST16.EXE
2008-01-17 19:58 . 1998-09-29 12:35 27,648 --a------ C:\WINDOWS\Photo Express 2 SE.scr
2008-01-17 19:58 . 1995-07-13 18:43 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2008-01-17 19:58 . 2008-01-25 17:52 646 --a------ C:\WINDOWS\ULEAD32.INI
2008-01-17 19:57 . 1998-07-30 17:43 306,176 --a------ C:\WINDOWS\IsUn0410.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,184,064 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,139,648 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,061,312 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,019,328 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-17 19:40 . 2006-06-01 19:48 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-01-17 19:40 . 2006-06-01 19:48 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-01-17 19:39 . 2006-05-05 10:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-01-17 19:39 . 2006-03-17 01:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-01-17 19:20 . 2008-01-16 15:32 71,674 --a------ C:\WINDOWS\hpdj3740.hi2
2008-01-17 19:20 . 2008-01-17 19:19 11,208 --a------ C:\WINDOWS\hpdj3740.bu1
2008-01-17 19:16 . 2003-12-11 11:15 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-01-17 19:16 . 2003-12-11 11:15 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-01-17 19:16 . 2003-12-11 11:15 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-01-17 19:16 . 2003-12-11 11:15 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2008-01-17 19:16 . 2003-12-11 11:15 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-01-17 19:15 . 2008-01-17 19:19 233,978 --a------ C:\WINDOWS\hpdj3740.hi1
2008-01-17 19:15 . 2004-03-04 16:07 200,704 -ra------ C:\WINDOWS\system32\hpzpnp10.dll
2008-01-17 19:15 . 2008-01-17 19:20 790 --a------ C:\WINDOWS\hpdj3740.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 19:52 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-01-11 10:35 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-11 10:25 --------- d-----w C:\Programmi\File comuni\InstallShield
2008-01-11 09:45 --------- d-----w C:\Programmi\File comuni\SpeechEngines
2008-01-11 09:45 --------- d-----w C:\Programmi\File comuni\ODBC
2008-01-11 09:15 --------- d-----w C:\Programmi\Realtek
2008-01-11 09:14 --------- d-----w C:\Programmi\Intel
2008-01-11 08:53 --------- d--h--w C:\Programmi\Uninstall Information
2008-01-11 08:51 --------- d-----w C:\Programmi\microsoft frontpage
2008-01-11 08:50 --------- d-----w C:\Programmi\Servizi in linea
2008-01-11 08:49 --------- d-----w C:\Programmi\File comuni\MSSoap
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-07 09:27 727,552 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00 15360]
"IncrediMail"="C:\Programmi\IncrediMail\bin\IncMail.exe" [2008-01-17 11:08 214456]
"PC Suite Tray"="C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-11-09 13:16 688128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 09:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"StartCCC"="C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"TWCU"="C:\Programmi\TP-LINK\TWCU\TWCU.exe" [2006-03-29 16:12 364544]
"HP Component Manager"="C:\Programmi\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 16:46 172032]
"HP Software Update"="C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 18:55 49152]
"PE2CKFNT SE"="C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51 25088]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"WinampAgent"="C:\Programmi\Winamp\winampa.exe" [2007-05-14 23:22 35328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-01-20 18:29 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:00 15360]
"Nokia.PCSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Synchronizer.lnk - C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Kodak EasyShare software.lnk - C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]
Photo Express Calendar Checker SE.lnk - C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2008-01-17 19:58:08 55296]

R2 NMSAccessU;NMSAccessU;C:\Programmi\CDBurnerXP\NMSAccessU.exe [2007-10-12 08:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c2942-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c294b-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c294d-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

*Newly Created Service* - PROCEXP90
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-20 19:10:36 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\DATIAP~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-01-23 14:33:00 C:\WINDOWS\Tasks\WebReg 20080116153310.job"
- C:\Programmi\HP\Digital Imaging\bin\hpqwrg.exeQ/TaskName 20080116153310 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 17:58:13
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-25 17:58:29
.
2008-01-21 19:06:50 --- E O F ---



GMER ROOTKIT LOG

ComboFix 08-01-23.1C - Sergio 2008-01-25 17:56:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1592 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Sergio.SERVER-8BEC7D3D\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2007-12-25 al 2008-01-25 )))))))))))))))))))))))))))))))))))
.

2008-01-25 17:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 00:06 . 2008-01-25 00:06 <DIR> d-------- C:\hj
2008-01-24 23:17 . 2008-01-24 23:17 <DIR> d-------- C:\WINDOWS\Sun
2008-01-24 18:09 . 2008-01-24 18:29 3 --a------ C:\WINDOWS\Twain001.Mtx
2008-01-24 18:09 . 2008-01-24 18:09 0 --a------ C:\WINDOWS\Twunk003.MTX
2008-01-24 18:09 . 2008-01-24 18:09 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-01-23 17:38 . 2008-01-23 17:38 <DIR> d-------- C:\Programmi\PC Connectivity Solution
2008-01-23 17:38 . 2008-01-23 17:38 <DIR> d-------- C:\Programmi\File comuni\PCSuite
2008-01-23 17:38 . 2008-01-23 17:38 <DIR> d-------- C:\Programmi\DIFX
2008-01-23 17:32 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-01-23 17:32 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-01-23 17:32 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-01-23 17:32 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-01-23 17:32 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-01-23 17:31 . 2008-01-24 18:09 <DIR> d-------- C:\Programmi\Nokia
2008-01-23 17:31 . 2008-01-24 18:09 <DIR> d-------- C:\Programmi\File comuni\Nokia
2008-01-23 15:21 . 2008-01-23 15:21 <DIR> d-------- C:\spoolerlogs
2008-01-22 17:42 . 2008-01-22 17:42 <DIR> d-------- C:\Programmi\Riva
2008-01-22 17:42 . 2008-01-22 17:42 <DIR> d-------- C:\Programmi\File comuni\SWF Studio
2008-01-21 17:54 . 2008-01-22 21:38 <DIR> d-------- C:\CHIARA
2008-01-20 20:16 . 2008-01-25 17:54 13,827 --a------ C:\logfile
2008-01-20 20:15 . 2008-01-23 17:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-20 20:15 . 2007-06-06 09:57 2,363,392 --a------ C:\WINDOWS\system32\xerces-c_2_7.dll
2008-01-20 20:15 . 2007-06-06 09:18 45,056 --a------ C:\WINDOWS\system32\KPDDynCC.DLL
2008-01-20 20:15 . 2007-06-06 09:25 40,960 --a------ C:\WINDOWS\system32\KPDLM.dll
2008-01-20 20:14 . 2008-01-20 20:14 <DIR> d-------- C:\Programmi\File comuni\Kodak
2008-01-20 18:58 . 1999-07-22 00:04 271,872 -ra------ C:\WINDOWS\system32\ucs32p.dll
2008-01-20 18:58 . 1999-07-22 01:09 13,824 -ra------ C:\WINDOWS\system32\FB63Ucpl.cpl
2008-01-20 18:58 . 1999-07-22 00:02 11,556 -ra------ C:\WINDOWS\system32\drivers\FB630U.sys
2008-01-20 18:29 . 2008-01-20 18:29 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-20 18:29 . 2008-01-20 18:29 <DIR> d-------- C:\Programmi\QuickTime
2008-01-20 18:29 . 2008-01-20 18:29 <DIR> d-------- C:\Programmi\Bonjour
2008-01-20 18:28 . 2008-01-20 18:28 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-01-20 18:28 . 2004-08-19 15:39 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-20 18:28 . 2006-04-20 14:27 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2008-01-20 18:28 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-20 18:28 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-20 18:28 . 2001-08-30 23:07 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-20 18:27 . 2008-01-20 20:01 <DIR> d-------- C:\WINDOWS\system32\color
2008-01-20 18:16 . 2008-01-20 18:47 395 --a------ C:\WINDOWS\I_VIEW32.INI
2008-01-20 18:12 . 2008-01-20 20:15 <DIR> d-------- C:\Programmi\Kodak
2008-01-20 18:00 . 2008-01-20 18:00 <DIR> d-------- C:\Programmi\Alwil Software
2008-01-20 17:59 . 2008-01-20 18:00 <DIR> d-------- C:\avast
2008-01-19 09:38 . 2008-01-19 09:38 <DIR> d-------- C:\Programmi\CDBurnerXP
2008-01-17 23:36 . 2008-01-17 23:36 <DIR> d-------- C:\Programmi\MSXML 4.0
2008-01-17 22:31 . 2008-01-19 23:01 <DIR> d-------- C:\Programmi\eMule
2008-01-17 22:21 . 2008-01-17 22:25 <DIR> d-------- C:\DOCFA 3.00.5
2008-01-17 21:50 . 2008-01-17 21:50 7,486 -rahs---- C:\WINDOWS\system32\killVBS.vbs
2008-01-17 21:21 . 2004-08-19 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-17 21:20 . 2008-01-17 21:20 <DIR> d-------- C:\Programmi\Iomega
2008-01-17 20:52 . 2008-01-17 20:52 <DIR> d-------- C:\ATI
2008-01-17 20:46 . 2008-01-17 20:46 <DIR> d-------- C:\Programmi\WexTech
2008-01-17 20:46 . 1997-12-17 18:33 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-01-17 20:46 . 2000-05-02 10:03 225,280 --a------ C:\WINDOWS\system32\awrtl30.dll
2008-01-17 20:46 . 1998-08-04 11:22 111,616 --------- C:\WINDOWS\system32\Ltih30tb.dll
2008-01-17 20:45 . 2000-10-20 22:25 487,184 --a------ C:\WINDOWS\system32\Mrt7enu.dll
2008-01-17 20:45 . 2000-10-20 22:25 446,464 --a------ C:\WINDOWS\system32\hhactivex.dll
2008-01-17 20:45 . 1999-08-02 10:13 301,568 --a------ C:\WINDOWS\unin0410.exe
2008-01-17 20:45 . 2000-10-20 22:25 79,360 --a------ C:\WINDOWS\system32\acdbres.dll
2008-01-17 20:45 . 2000-10-20 22:25 31,744 --a------ C:\WINDOWS\system32\Hlp95en.dll
2008-01-17 20:45 . 2000-10-20 22:25 25,872 --a------ C:\WINDOWS\system32\Fm20ENU.dll
2008-01-17 20:44 . 2008-01-17 20:46 <DIR> d-------- C:\Programmi\File comuni\Wextech Shared
2008-01-17 20:34 . 2008-01-17 20:34 107,132 --a------ C:\WINDOWS\UninstallFirefox.exe
2008-01-17 20:24 . 2008-01-17 22:30 <DIR> d-------- C:\Programmi\Java
2008-01-17 20:24 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 20:22 . 2008-01-17 22:22 <DIR> d-------- C:\Programmi\Yahoo!
2008-01-17 20:20 . 2008-01-17 20:21 <DIR> d-------- C:\Programmi\File comuni\Adobe
2008-01-17 20:16 . 2008-01-17 20:16 424 --a------ C:\WINDOWS\ODBC.INI
2008-01-17 20:00 . 2008-01-17 20:00 <DIR> d-------- C:\WINDOWS\A4W_DATA
2008-01-17 20:00 . 2008-01-17 20:00 604 --a------ C:\WINDOWS\MAXLINK.INI
2008-01-17 20:00 . 2008-01-17 20:00 47 --a------ C:\WINDOWS\OPLEInst.ini
2008-01-17 20:00 . 2008-01-17 20:00 35 --a------ C:\WINDOWS\A4W.INI
2008-01-17 19:59 . 2008-01-17 20:00 <DIR> d-------- C:\OPLIMIT
2008-01-17 19:59 . 1998-03-18 14:24 20,976 --a------ C:\WINDOWS\CTL3D.DLL
2008-01-17 19:59 . 2008-01-17 23:35 757 --a------ C:\WINDOWS\oplimit.ini
2008-01-17 19:58 . 1996-08-24 11:11 384,512 --------- C:\WINDOWS\system32\MFCO40.DLL
2008-01-17 19:58 . 1997-04-18 11:51 252,928 --a------ C:\WINDOWS\UN160410.EXE
2008-01-17 19:58 . 1997-04-08 20:03 248,176 --a------ C:\WINDOWS\UNINST16.EXE
2008-01-17 19:58 . 1998-09-29 12:35 27,648 --a------ C:\WINDOWS\Photo Express 2 SE.scr
2008-01-17 19:58 . 1995-07-13 18:43 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2008-01-17 19:58 . 2008-01-25 17:52 646 --a------ C:\WINDOWS\ULEAD32.INI
2008-01-17 19:57 . 1998-07-30 17:43 306,176 --a------ C:\WINDOWS\IsUn0410.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,184,064 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,139,648 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,061,312 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-01-17 19:40 . 2007-02-28 17:02 2,019,328 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-17 19:40 . 2006-06-01 19:48 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-01-17 19:40 . 2006-06-01 19:48 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-01-17 19:39 . 2006-05-05 10:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-01-17 19:39 . 2006-03-17 01:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-01-17 19:20 . 2008-01-16 15:32 71,674 --a------ C:\WINDOWS\hpdj3740.hi2
2008-01-17 19:20 . 2008-01-17 19:19 11,208 --a------ C:\WINDOWS\hpdj3740.bu1
2008-01-17 19:16 . 2003-12-11 11:15 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-01-17 19:16 . 2003-12-11 11:15 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-01-17 19:16 . 2003-12-11 11:15 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-01-17 19:16 . 2003-12-11 11:15 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2008-01-17 19:16 . 2003-12-11 11:15 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-01-17 19:15 . 2008-01-17 19:19 233,978 --a------ C:\WINDOWS\hpdj3740.hi1
2008-01-17 19:15 . 2004-03-04 16:07 200,704 -ra------ C:\WINDOWS\system32\hpzpnp10.dll
2008-01-17 19:15 . 2008-01-17 19:20 790 --a------ C:\WINDOWS\hpdj3740.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 19:52 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-01-11 10:35 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-11 10:25 --------- d-----w C:\Programmi\File comuni\InstallShield
2008-01-11 09:45 --------- d-----w C:\Programmi\File comuni\SpeechEngines
2008-01-11 09:45 --------- d-----w C:\Programmi\File comuni\ODBC
2008-01-11 09:15 --------- d-----w C:\Programmi\Realtek
2008-01-11 09:14 --------- d-----w C:\Programmi\Intel
2008-01-11 08:53 --------- d--h--w C:\Programmi\Uninstall Information
2008-01-11 08:51 --------- d-----w C:\Programmi\microsoft frontpage
2008-01-11 08:50 --------- d-----w C:\Programmi\Servizi in linea
2008-01-11 08:49 --------- d-----w C:\Programmi\File comuni\MSSoap
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-07 09:27 727,552 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00 15360]
"IncrediMail"="C:\Programmi\IncrediMail\bin\IncMail.exe" [2008-01-17 11:08 214456]
"PC Suite Tray"="C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-11-09 13:16 688128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 09:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"StartCCC"="C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"TWCU"="C:\Programmi\TP-LINK\TWCU\TWCU.exe" [2006-03-29 16:12 364544]
"HP Component Manager"="C:\Programmi\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 16:46 172032]
"HP Software Update"="C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 18:55 49152]
"PE2CKFNT SE"="C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51 25088]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"WinampAgent"="C:\Programmi\Winamp\winampa.exe" [2007-05-14 23:22 35328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-01-20 18:29 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:00 15360]
"Nokia.PCSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Synchronizer.lnk - C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Kodak EasyShare software.lnk - C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]
Photo Express Calendar Checker SE.lnk - C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2008-01-17 19:58:08 55296]

R2 NMSAccessU;NMSAccessU;C:\Programmi\CDBurnerXP\NMSAccessU.exe [2007-10-12 08:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c2942-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c294b-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c294d-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

*Newly Created Service* - PROCEXP90
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-20 19:10:36 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\DATIAP~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-01-23 14:33:00 C:\WINDOWS\Tasks\WebReg 20080116153310.job"
- C:\Programmi\HP\Digital Imaging\bin\hpqwrg.exeQ/TaskName 20080116153310 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 17:58:13
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-25 17:58:29
.
2008-01-21 19:06:50 --- E O F ---




THANK YOU FOR YOUR HELP, A HEARTFELT THANKS, I LOOK FORWARD TO HEARING FROM YOU, BYE
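The three `mountpoints2\{...}` keys in the ComboFix log above each carry a `\Shell\AutoRun\command` that runs `wscript.exe killVBS.vbs`, one per removable volume the stick has been plugged into, and the same file name also shows up in the "Files Creati" list as `C:\WINDOWS\system32\killVBS.vbs` with read-only/hidden/system attributes. That AutoRun verb is what Explorer executes as the drive's default (double-click) action, which matches the symptom described later in this thread. As an added example (not from the original post, and not part of ComboFix or GMER), here is a small Python script that reads a ComboFix-style "Punti Reg Caricati" section and flags per-volume AutoRun commands, marking those that invoke a script host or a script file as high severity and grouping them by script name so that the same script registered on several volumes stands out. The sample log is constructed from the lines above plus one made-up benign entry with an invented GUID.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Script hosts and script extensions that have no business as a removable-volume
# AutoRun action on an end-user machine (assumption: tune this list for your estate).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd")

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
MP2_RE = re.compile(r"\\explorer\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.IGNORECASE)

# Constructed sample in the shape of the ComboFix section posted above: two of the
# real MountPoints2 entries plus one invented benign entry (GUID 1111...-5555 is made up).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c2942-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c294b-c537-11dc-ad79-0019e0883b6b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
\Shell\AutoRun\command - E:\setup.exe
"""


@dataclass
class Finding:
    guid: str       # volume GUID under MountPoints2
    command: str    # the AutoRun command as logged
    severity: str   # "high" when a script host or script file is launched, else "info"
    reason: str


def classify(cmd: str) -> tuple[str, str]:
    """Rate one AutoRun command: script host / script file present -> high."""
    tokens = [t.strip('"') for t in cmd.split()]
    hosts = [t for t in tokens if t.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS]
    scripts = [t for t in tokens if t.lower().endswith(SCRIPT_EXTS)]
    if hosts or scripts:
        return "high", "launches script host/script: " + " ".join(hosts + scripts)
    return "info", "AutoRun command registered for a removable volume"


def scan_mountpoints(log_text: str) -> list[Finding]:
    """Walk the registry dump: remember the current key, and when an AutoRun
    command line follows a MountPoints2 key, record a finding for that volume."""
    findings: list[Finding] = []
    current_guid: str | None = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            mp = MP2_RE.search(key.group("key"))
            current_guid = mp.group("guid") if mp else None
            continue
        cmd = AUTORUN_RE.match(line)
        if cmd and current_guid:
            sev, why = classify(cmd.group("cmd"))
            findings.append(Finding(current_guid, cmd.group("cmd"), sev, why))
    return findings


def script_reuse(findings: list[Finding]) -> dict[str, list[str]]:
    """Group volume GUIDs by script file name: one script on many volumes is the
    footprint of a worm hopping between USB sticks rather than a one-off autorun."""
    by_script: dict[str, list[str]] = {}
    for f in findings:
        for t in f.command.split():
            t = t.strip('"')
            if t.lower().endswith(SCRIPT_EXTS):
                by_script.setdefault(t.rsplit("\\", 1)[-1].lower(), []).append(f.guid)
    return by_script


if __name__ == "__main__":
    results = scan_mountpoints(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper()}] {f.guid}: {f.command}  ({f.reason})")
    for script, guids in script_reuse(results).items():
        print(f"{script} registered on {len(guids)} volume(s)")
```

Run it against a saved ComboFix log (`python script.py` after pointing `SAMPLE_LOG` at the file contents) and the output is a short list of which volume GUIDs carry an AutoRun verb and whether it launches a script; the cleanup step that follows in threads like this one is deleting those `mountpoints2\{...}\Shell\AutoRun` keys and the script file, then disabling AutoRun for removable media.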
Sante62
Dio maturo

Registered: 27/06/07 17:55
Posts: 3477
Location: Floridia

Posted: 25 Jan 2008 20:05

zesergio wrote:
I did everything you told me... I only got lost on the last part... the one about FreeFileHosting... after clicking Browse, what is supposed to happen?

You have to find the file on your PC and upload it; at the end it will give you three links; paste the first one here.
Also, you posted two identical ComboFix logs; GMER logs should not be posted here because they are long and get truncated.
zesergio
Mortale devoto

Registered: 24/01/08 23:58
Posts: 14

Posted: 25 Jan 2008 21:10

But when I open FreeFileHosting it says Browse... ok... so I search on my PC... but which files?
Sante62
Dio maturo

Registered: 27/06/07 17:55
Posts: 3477
Location: Floridia

Posted: 25 Jan 2008 22:35

First run the GMER scans and save the logs somewhere on your PC. Then upload them to freefilehosting, as indicated.
zesergio
Mortale devoto

Registered: 24/01/08 23:58
Posts: 14

Posted: 25 Jan 2008 23:35

ok... done... after that it had me download 2 log files.. one for autostart and the other for rootkit... now what do I do? thanks
Sante62
Dio maturo

Registered: 27/06/07 17:55
Posts: 3477
Location: Floridia

Posted: 26 Jan 2008 10:23

Upload them to freefilehosting as indicated here
zesergio
Mortale devoto

Registered: 24/01/08 23:58
Posts: 14

Posted: 26 Jan 2008 10:52

FOLLOWED THE INSTRUCTIONS..

the reply was:
FORUM LINK

[URL="http://www.freefilehosting.net/files/3b328"]rook124.txt[/URL]

now what do I do? thanks
Sante62
Dio maturo

Registered: 27/06/07 17:55
Posts: 3477
Location: Floridia

Posted: 26 Jan 2008 10:59

The Rootkit log shows nothing dangerous, although it looks a bit short to me. Do the same with the GMER Autostart log.
zesergio
Mortale devoto

Registered: 24/01/08 23:58
Posts: 14

Posted: 26 Jan 2008 11:09

AUTOSTART

[URL="http://www.freefilehosting.net/files/3b336"]autostart161.txt[/URL]

ROOK

[URL="http://www.freefilehosting.net/files/3b337"]rook125.txt[/URL]

redid both of them... here they are.. you tell me, because by now it's all Greek to me, thanks
zesergio
Mortale devoto

Registered: 24/01/08 23:58
Posts: 14

Posted: 26 Jan 2008 11:14

BY THE WAY, I REPEAT THAT THE PROBLEM ONLY OCCURS IF I TRY TO OPEN A USB STICK BY DOUBLE-CLICKING ON IT...

IF INSTEAD I OPEN IT WITH RIGHT-CLICK AND "OPEN" IT GIVES ME NO ERROR AT ALL... DUNNO...
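The symptom in the last post (double-clicking the stick triggers the script, right-click and "Open" does not) is the pattern usually produced by an autorun.inf file in the root of the drive: the default double-click action in My Computer follows the file's open/shellexecute entries, while the plain "Open" verb just browses the folder. The thread never names this mechanism, so treat it as the usual explanation rather than a confirmed diagnosis. The script below is an added example, written for this page; it is not code from the thread, from avast, GMER or ComboFix. It reads an autorun.inf from a drive root, lists every entry that would execute something, and says which file would really run. The file name killvbs.vbs and the drive letter J: are taken from the thread; the autorun.inf content is constructed, and the key handling (open, shellexecute, shell\verb\command) reflects the documented INF format, not anything recovered from the user's stick.

```python
"""Added example: inspect a removable drive's autorun.inf for launch entries.

Hypothetical helper, not from the thread. The sample content below is
constructed; only the file name killvbs.vbs comes from the thread.
"""
from __future__ import annotations

import re
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path, PureWindowsPath

# Script hosts: when one of these is the program, the real payload is its argument.
SCRIPT_HOSTS = {"wscript", "cscript", "mshta"}
# Extensions that run code when launched (Windows Script Host, HTA, batch).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd"}
BINARY_EXTENSIONS = {".exe", ".com", ".scr", ".pif"}
# Keys whose value gets executed when the drive is opened; shell\<verb>\command
# entries are matched separately below.
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample of the kind of file worms drop in the root of a USB stick:
# both launch entries point at the script, so a double-click runs it.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample, not copied from the thread
open=wscript.exe killvbs.vbs
shellexecute=wscript.exe killvbs.vbs
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


@dataclass(frozen=True)
class AutorunFinding:
    key: str      # normalised key, e.g. "open" or "shell\\open\\command"
    value: str    # raw value as written in the file
    target: str   # file that would actually be executed
    reason: str


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value.

    Hand-rolled instead of configparser so odd casing, a BOM, '%' in values and
    duplicate keys (all common in worm-written files) do not abort parsing.
    """
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        section = re.fullmatch(r"\[(.+?)\]", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_target(value: str) -> str:
    """Pick the file a launch value would run (quoted paths and host switches handled)."""
    tokens = re.findall(r'"[^"]*"|\S+', value)
    if not tokens:
        return ""
    program = tokens[0].strip('"')
    if PureWindowsPath(program).stem.lower() in SCRIPT_HOSTS:
        # e.g. 'wscript.exe //e:vbscript payload.vbs': skip switches, take the script.
        for tok in tokens[1:]:
            tok = tok.strip('"')
            if not tok.startswith(("/", "-")):
                return tok
    return program


def assess_autorun(text: str) -> list[AutorunFinding]:
    """List every entry that would execute something when the drive is opened."""
    findings: list[AutorunFinding] = []
    for key, value in parse_autorun(text).items():
        is_verb_override = key.startswith("shell\\") and key.endswith("\\command")
        if key not in LAUNCH_KEYS and not is_verb_override:
            continue
        target = launch_target(value)
        ext = PureWindowsPath(target).suffix.lower()
        if ext in SCRIPT_EXTENSIONS:
            reason = f"runs a script ({ext}) when the drive is opened or AutoPlay fires"
        elif ext in BINARY_EXTENSIONS:
            reason = f"runs a program ({ext}) when the drive is opened or AutoPlay fires"
        else:
            reason = "launch entry with an unrecognised target; review by hand"
        findings.append(AutorunFinding(key, value, target, reason))
    return findings


def assess_drive_root(root: Path) -> list[AutorunFinding]:
    """Find autorun.inf (any casing) in a drive root and assess it; [] if absent."""
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            return assess_autorun(entry.read_text(encoding="utf-8", errors="replace"))
    return []


if __name__ == "__main__":
    # Usage: python autorun_check.py J:\   (with no argument, uses the constructed sample)
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
    else:
        tmp = tempfile.TemporaryDirectory()
        root = Path(tmp.name)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF, encoding="utf-8")
    for f in assess_drive_root(root):
        print(f"{f.key} = {f.value!r} -> {f.target}: {f.reason}")
```

Run it with the drive letter as the argument (for the thread's stick, `J:\`) from a machine on which AutoRun for removable drives is disabled (the NoDriveTypeAutoRun policy), since the script only reads the file and must not be the thing that opens the drive. A finding whose target is a .vbs launched through wscript.exe is exactly the shape that produces the avast alert and the Windows Script Host "access denied" message quoted earlier in the thread; a legitimate installer CD will also show up, with an .exe target, so the output is a list to review, not a verdict.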