
Solved: Trojan on the PC

lavezzi7

Guest
Topic author
I have a problem: as soon as I turn on the computer, after 35-40 seconds my antivirus flags two trojans on the computer. I try to move them to quarantine, but the quarantine is full -.- So I click delete (fix). It says the file cannot be fixed -.- So I open Task Manager, end the process, and it doesn't give me any more problems. Then I turn the PC back on and find them there again. I use AVG Free. The trojan process is called: C://Window/System32/svchost.exe.

What do I do????

:ciao:
 
Last edited by a moderator:
svchost.exe is a Windows startup process.... it should be normal, I have it too.

But I've read that some trojans copy the svchost.exe process..... So I don't know what to tell you..... If I'm not mistaken, terminating it makes the system unstable, right? I don't remember....
 
Go to msconfig (from cmd run start msconfig), then go to Startup and, looking at each file's name and directory, find the one that should be "the infected one".
To get rid of the infection you can try ComboFix; it's easy to use and doesn't need to be installed. If you run the scan, when it finishes there will be a combofix.txt file in C:\; copy and paste its contents here for me.
 
OK, now I'll reboot so it flags the trojan again and I can get the directory.
There's a problem: it doesn't flag the trojan anymore, what do I do now?

I don't think it's gone, because I terminated the process two or three times too, and afterwards, when I turned the PC back on, the threat always showed up again.

Here are the logs

Code:
ComboFix 09-12-20.08 - Hi-Tech 21/12/2009 21.34.52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1023.663 [GMT 1:00]
Eseguito da: c:\documents and settings\Hi-Tech\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
ADS - system32: deleted 0 bytes in 1 streams.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Menu Avvio\Programmi\MessengerSkinner
c:\documents and settings\All Users\Menu Avvio\Programmi\MessengerSkinner\Condizioni generali.url
c:\documents and settings\All Users\Menu Avvio\Programmi\MessengerSkinner\Disinstalla.lnk
c:\documents and settings\All Users\Menu Avvio\Programmi\MessengerSkinner\MessengerSkinner.lnk
c:\documents and settings\All Users\Menu Avvio\Programmi\MessengerSkinner\Riservatezza.url
c:\documents and settings\All Users\Menu Avvio\Programmi\MessengerSkinner\Website.url
c:\programmi\Fast Browser Search
c:\windows\system32\bgrbrcti.ini
c:\windows\system32\CIRYHRqr.ini
c:\windows\system32\CIRYHRqr.ini2
c:\windows\system32\dLmTCcdd.ini
c:\windows\system32\dLmTCcdd.ini2
c:\windows\system32\dwywdowg.ini
c:\windows\system32\ffegpoqw.ini
c:\windows\system32\gxxlbijh.ini
c:\windows\system32\KRuwwyay.ini
c:\windows\system32\KRuwwyay.ini2
c:\windows\system32\njhtuajs.ini
c:\windows\system32\pblnfoqy.ini
c:\windows\system32\pjkkfeux.ini
c:\windows\system32\tcupxcpc.ini
c:\windows\system32\wlgiexpn.ini
c:\windows\system32\wxjfylni.ini

.
((((((((((((((((((((((((( Files Creati Da 2009-11-21 al 2009-12-21 )))))))))))))))))))))))))))))))))))
.

2009-12-21 20:25 . 2009-12-21 20:25 -------- d-----w- c:\programmi\TrendMicro
2009-12-21 19:07 . 2009-12-21 19:07 -------- d-----w- C:\Download
2009-12-21 19:07 . 2009-12-21 19:07 -------- d-----w- C:\Nexon
2009-12-21 19:07 . 2009-12-21 20:21 421888 ----a-w- c:\windows\NEXON_EU_DownloaderUpdater.exe
2009-12-08 12:38 . 2009-12-08 13:22 -------- d-----w- c:\documents and settings\Hi-Tech\Impostazioni locali\Dati applicazioni\LogMeIn Hamachi
2009-12-08 12:38 . 2009-12-08 13:22 -------- d-----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\LogMeIn Hamachi
2009-12-06 14:43 . 2009-12-08 13:23 -------- d-----w- c:\programmi\Cheat Engine
2009-12-02 03:22 . 2009-12-02 03:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-22 19:01 . 2009-11-22 19:01 -------- d-----w- C:\users

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 20:48 . 2001-08-31 12:00 79688 ----a-w- c:\windows\system32\perfc010.dat
2009-12-21 20:48 . 2001-08-31 12:00 479368 ----a-w- c:\windows\system32\perfh010.dat
2009-12-21 20:47 . 2009-09-17 17:48 -------- d-----w- c:\programmi\PeerGuardian2
2009-12-21 20:25 . 2009-12-21 20:25 388096 ----a-r- c:\documents and settings\Hi-Tech\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-21 20:20 . 2009-06-21 14:31 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-12-18 16:32 . 2009-10-04 10:10 -------- d-----w- c:\documents and settings\Hi-Tech\Dati applicazioni\vlc
2009-12-02 03:23 . 2008-07-16 16:46 -------- d-----w- c:\programmi\Google
2009-11-30 11:54 . 2008-07-16 23:55 10 -c--a-w- c:\windows\popcinfo.dat
2009-11-22 16:47 . 2008-07-14 17:53 -------- d-----w- c:\programmi\DivX
2009-11-22 13:07 . 2008-07-14 18:16 60168 -c--a-w- c:\documents and settings\Hi-Tech\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-11-08 21:57 . 2009-11-05 14:50 -------- d-----w- c:\programmi\PHPNukeIT
2009-11-05 15:57 . 2009-11-05 14:51 14 ----a-w- c:\windows\popcinfot.dat
2009-11-05 14:50 . 2009-11-05 14:50 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PopCap Games
2009-11-05 14:50 . 2009-11-05 14:50 -------- d-----w- c:\programmi\PopCap Games
2009-10-23 19:44 . 2009-10-23 19:44 152576 ----a-w- c:\documents and settings\Hi-Tech\Dati applicazioni\Sun\Java\jre1.6.0_16\lzma.dll
2009-09-23 08:41 . 2009-01-16 13:04 26176 ---ha-w- c:\windows\system32\drivers\hamachi.sys
2009-04-07 18:52 . 2009-04-07 18:52 28672 ----a-w- c:\programmi\mozilla firefox\components\GooglePlusVideosXPCOM.dll
.

------- Sigcheck -------

[-] 2008-04-14 . CE7DB8EE1C9BD8A40F84529DDC28B0D8 . 1571840 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\sfcfiles.dll
[-] 2008-01-10 . 5DEF00B476192F4AE0E9515F08100443 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\programmi\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}"= "c:\programmi\PHPNukeIT\tbPHP1.dll" [2009-11-08 2166296]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}]
2009-11-08 21:57 2166296 ----a-w- c:\programmi\PHPNukeIT\tbPHP1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 07:55 1090816 ----a-w- c:\programmi\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\programmi\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}"= "c:\programmi\PHPNukeIT\tbPHP1.dll" [2009-11-08 2166296]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\programmi\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{2C965F3F-8EFD-4BFC-A2C5-1672845FDBBF}"= "c:\programmi\PHPNukeIT\tbPHP1.dll" [2009-11-08 2166296]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-09-03 94208]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-10 68856]
"updateMgr"="c:\programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"PeerGuardian"="c:\programmi\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NIC Monitor"="VNICMon.exe" [2002-05-30 40960]
"nwiz"="nwiz.exe" [2006-08-11 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CnxDslTaskBar"="c:\programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe" [2005-10-30 462848]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 11:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"f:\\eMule\\emule.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Programmi\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Programmi\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Programmi\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Nexon\\NEXON_EU_Downloader\\NEXON_EU_Downloader_Engine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52282:TCP"= 52282:TCP:emule tcp
"48242:UDP"= 48242:UDP:emule udp

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/12/2008 10.16.52 642560]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/01/2009 0.21.47 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/01/2009 0.21.53 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [16/01/2009 0.21.24 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/01/2009 0.21.22 297752]
R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;c:\windows\system32\drivers\CnxEtP.sys [16/07/2008 17.02.46 60288]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;c:\windows\system32\drivers\CnxEtU.sys [16/07/2008 17.02.38 646784]
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;c:\windows\system32\drivers\CnxTgN.sys [16/07/2008 17.02.46 108675]
S2 gupdate1c9cc142479fc5a;Servizio di Google Update (gupdate1c9cc142479fc5a);c:\programmi\Google\Update\GoogleUpdate.exe [03/05/2009 18.25.21 133104]
S2 ShellHWDetection_Untrusted_BZ;Rilevamento hardware shell_Untrusted_BZ;c:\virtual\Untrusted\C_\WINDOWS\System32\svchost.exe -k netsvcs --> c:\virtual\Untrusted\C_\WINDOWS\System32\svchost.exe [?]
S2 StiSvc_Untrusted_BZ;Acquisizione di immagini di Windows (WIA)_Untrusted_BZ;c:\virtual\Untrusted\C_\WINDOWS\system32\svchost.exe -k imgsvc --> c:\virtual\Untrusted\C_\WINDOWS\system32\svchost.exe [?]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [31/12/2008 10.19.07 223128]
S3 VNICPKT5;VNICPKT5 Protocol Driver;c:\windows\system32\VNICPKT5.sys [14/07/2008 19.07.26 16202]
.
------- Scansione supplementare -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2102507
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Hi-Tech\Dati applicazioni\Mozilla\Firefox\Profiles\6hhzpmtv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - prefs.js: keyword.URL - hxxp://it.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_it&p=
FF - component: c:\programmi\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\programmi\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\programmi\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\programmi\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\programmi\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\programmi\Mozilla Firefox\components\GooglePlusVideosXPCOM.dll
FF - plugin: c:\documents and settings\All Users\Dati applicazioni\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\programmi\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

URLSearchHooks-*{b8a5b62c-517f-42a5-85ae-29b5497fb15f} - (no file)
URLSearchHooks-*{cd36797a-70f3-4acd-8825-623d3b896881} - (no file)
BHO-{3A81BE3C-75D8-44B2-BEA7-8FD1CD4CEED1} - c:\windows\system32\rqRHYRIC.dll
BHO-{95DA423C-592D-4EEB-A43C-33175CCA1F0F} - c:\windows\system32\yaywwuRK.dll
BHO-{F4DA8FB7-8E2D-43E7-B042-A38AB9D1FA45} - (no file)
HKCU-Run-L08EXLRD_100517593 - c:\programmi\Microsoft Student\Microsoft Student con Encarta Premium 2008 DVD\EDICT.EXE
HKCU-Run-E08IXLRD_324175093 - c:\programmi\Microsoft Encarta\Microsoft Encarta 2008 - Premium DVD\EDICT.EXE
HKLM-Run-NWEReboot - (no file)
HKLM-Run-fc4c973f - c:\windows\system32\cpcxpuct.dll
Notify-geBqNDvw - geBqNDvw.dll
AddRemove-MsgPlus! Plugin - c:\programmi\MessengerPlus! 3\MsgPlus.exe
AddRemove-Secured Internet Explorer - c:\progra~1\SECURE~1\UNWISE.EXE
AddRemove-VIA NIC ControlSet - c:\programmi\VIA\NIC ControlSet\Uninst_VNIC.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

Rootkit scan 2009-12-21 21:44
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,


device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8678D9C0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8678d9c0
\Driver\ACPI -> ACPI.sys @ 0xf76fdcb8
\Driver\atapi -> atapi.sys @ 0xf76942f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0094
ParseProcedure -> ntoskrnl.exe @ 0x8056f08e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0094
ParseProcedure -> ntoskrnl.exe @ 0x8056f08e
NDIS: VIA VT6105M Rhine III Management Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf759bba0
PacketIndicateHandler -> NDIS.sys @ 0xf758aa0b
SendHandler -> NDIS.sys @ 0xf759eb31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{3DA165B6-CC41-11d2-BDC6-00C04F79EC6B}\ProgID]
@Denied: (A) (Everyone)
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{3DA165B6-CC41-11d2-BDC6-00C04F79EC6B}\Version]
@Denied: (A) (Everyone)
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Control]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\EnableFullPage]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Implemented Categories]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\InprocServer32]
"VRegSpecialValueName"=dword:000000aa
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\MiscStatus]
"VRegSpecialValueName"=dword:000000aa
@="0"

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ProgID]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Programmable]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ToolboxBitmap32]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\TypeLib]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\VersionIndependentProgID]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\ClsID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"VRegSpecialValueName"=dword:00000000

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
"VRegSpecialValueName"=dword:000000aa

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\Software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
"VRegSpecialValueName"=dword:000000aa
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\System\ControlSet001\Hardware Profiles\Current]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\Machine\System\CurrentControlSet]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

[HKEY_LOCAL_MACHINE\software\BufferZone\Virtual\Untrusted\USER\LocalSystem]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\documents and settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\programmi\Canon\CAL\CALMAIN.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\programmi\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\VNICMon.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Ora fine scansione: 2009-12-21 21:53:13 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-12-21 20:53

Pre-Run: 9.472.487.424 byte disponibili
Post-Run: 9.460.232.192 byte disponibili

- - End Of File - - E0A9D0952BFDC09DEA27CF7FD1682C1C
--------------- ADDED TO POST ---------------
Up.
 
Last edited by a moderator:
Some trojans take the name svchost.exe because it's a Windows thing used to load programs (if I'm not mistaken), and there's more than one of those files, so they exploit that name to go unnoticed... anyway, wait for mikleman to check your ComboFix log.
 
I terminated an svchost.exe process and it didn't give me any problems; evidently I picked the right one ù.ù
 
It's normal for there to be 2-3 of them, and they shouldn't be terminated: you don't cause permanent damage to the PC, but you make the system unstable (maybe you didn't even notice), which is fixed with a reboot anyway.

As for the infection, you were infected by that very old malware called Messenger Skinner (in fact, I remembered a similar name..). ComboFix seems to have detected and removed it, and it also reassures me that your antivirus no longer flags it :emoji_smiley:

I think the situation is resolved; it's normal for svchost to be there, but if it happens to be flagged as malware, don't hesitate to tell me!

Ah, personally I'd recommend using Avira AntiVir instead of AVG, but do as you like :rox:
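As an added example (not code from this thread or from any of the tools named in it), here is an offline triage check for what the replies above describe: several svchost.exe instances are normal, and what separates a legitimate one from an impostor is not the name but the image path (the real binary lives in System32) and the parent process (services.exe). The `Proc` record, the `triage_snapshot` function and the process snapshot are my own constructions, not data from the poster's machine.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List


# Hypothetical process record, shaped like what Process Explorer or a
# ComboFix log shows: pid, image name, full image path, parent image name.
@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    image_path: str
    parent_name: str


# On XP/Vista/7 the only legitimate location of the service host binary.
SYSTEM32 = r"c:\windows\system32"
# Every legitimate svchost.exe is started by the Service Control Manager.
EXPECTED_PARENT = "services.exe"


def _norm(path: str) -> str:
    """Normalise separators and case before comparing paths."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def classify_svchost(proc: Proc) -> List[str]:
    """Return the reasons this svchost.exe instance deserves a look.

    An empty list means the instance is consistent with the real one.
    """
    if proc.name.lower() != "svchost.exe":
        return ["not svchost.exe"]
    reasons = []
    if ntpath.dirname(_norm(proc.image_path)) != SYSTEM32:
        reasons.append(f"image outside System32: {proc.image_path}")
    if proc.parent_name.lower() != EXPECTED_PARENT:
        reasons.append(f"unexpected parent: {proc.parent_name}")
    return reasons


def triage_snapshot(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every svchost.exe that fails a check; clean ones are omitted."""
    return {
        p.pid: classify_svchost(p)
        for p in procs
        if p.name.lower() == "svchost.exe" and classify_svchost(p)
    }


def legit_svchost_count(procs: List[Proc]) -> int:
    """Instances passing both checks; several is normal, so the count alone is no signal."""
    return sum(1 for p in procs if p.name.lower() == "svchost.exe" and not classify_svchost(p))


# Constructed snapshot (not taken from a real machine). The c:\virtual\Untrusted
# path mirrors the BufferZone sandbox service entries visible in the ComboFix
# log above: not malware by itself, but not the real System32 binary either,
# so it is reported for manual review rather than silently accepted.
SAMPLE_SNAPSHOT = [
    Proc(1000, "services.exe", r"C:\WINDOWS\system32\services.exe", "winlogon.exe"),
    Proc(1004, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "services.exe"),
    Proc(1040, "svchost.exe", r"C:/WINDOWS/System32/svchost.exe", "SERVICES.EXE"),
    Proc(2100, "svchost.exe", r"C:\virtual\Untrusted\C_\WINDOWS\System32\svchost.exe", "services.exe"),
    Proc(2330, "svchost.exe", r"C:\Documents and Settings\All Users\svchost.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage_snapshot(SAMPLE_SNAPSHOT).items():
        print(pid, "; ".join(reasons))
    print("instances consistent with the real svchost.exe:", legit_svchost_count(SAMPLE_SNAPSHOT))
```

Killing a flagged instance in Task Manager, as the original poster did, only removes it until the next boot; the path and parent tell you which file to hand to the scanner.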
 
Thanks for the help, everything's fine. Problem solved:emoji_smiley:

It's my grandfather's PC; I told him too to remove AVG and install Avira, but nothing:wosd: I hope he's convinced now.