nicolamod (Pious mortal)
Registered: 06/11/07 21:26  Posts: 22
Posted: 13 Feb 2008 12:22  Subject: suspicious files "exgrmgml", "exmunml"
Hi guys, my AVG antivirus has flagged as trojans several files like the ones named in the topic title. Also, these last few days the windows I am working in suddenly deactivate, which is very annoying. I hope you can work out whether there is a problem and how to fix it. Thanks a lot!!!
P.S. I made the log with HijackThis and I am posting it below...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.15.48, on 13/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\PeerGuardian2\pg2.exe
C:\Programmi\AVSMedia\VideoConverter4\AVSVideoConverter4.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Pc02\Documenti\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programmi\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Programmi\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: *.rossoalice.it
O15 - Trusted Zone: *.rossoalice.virgilio.it
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://nic0la88.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165933340218
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://nicolamod.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{467EB6CC-58B9-4A9C-B8C8-36B3B020ED05}: NameServer = 85.37.17.49 85.38.28.91
O20 - Winlogon Notify: winfax32 - C:\WINDOWS\SYSTEM32\winfax32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Upsagent - UPS Monitor (Upsagent) - Unknown owner - C:\Programmi\Upsmon\Upsag_nt.exe
--
End of file - 7985 bytes
Sante62 (Mature god)
Registered: 27/06/07 17:55  Posts: 3477  Location: Floridia
Posted: 13 Feb 2008 12:34
Hi nicolamod,
disable System Restore and start the PC in Safe Mode;
Start HJT, tick these lines on the left and then press Fix Checked:
Quote: | O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
|
Restart the PC in normal mode and redo the HijackThis log;
Have a look at this thread
about Combofix, and scan the PC, posting the result as indicated;
also do the scan with GMER
Remember that GMER produces two logs: Autostart and Rootkit. Post them on www.freefilehosting.net as indicated here
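The two lines picked out above, an orphan O2 BHO and an O4 Run entry launching from C:\WINDOWS\system, can be found mechanically in a HijackThis log. The following Python is an added example, not code from this thread or from HijackThis; the heuristics it applies (orphan BHO, autostart from the Windows root, the legacy C:\WINDOWS\system directory or a Temp directory, a Run value name that does not match its executable, and Winlogon Notify DLLs marked for manual review only) and the sample lines are my own assumptions, modelled on the log posted in this thread.

```python
"""Triage of HijackThis O2 / O4 / O20 lines.

Added example for this thread; not code from HijackThis or from the forum.
The rules below are assumptions made for the example:
  - an O2 BHO entry with "(no name)" or "(no file)" is an orphan and can be fixed;
  - an O4 Run entry launched from the Windows root, the legacy C:\WINDOWS\system
    directory or a Temp directory is flagged; a value name that does not match
    the executable is noted as an extra signal;
  - an O20 Winlogon Notify DLL is never auto-flagged, only marked for review.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O20 - Winlogon Notify: winfax32 - C:\WINDOWS\SYSTEM32\winfax32.dll
"""

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# First drive-letter path in a command line, up to a known executable extension.
RE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|pif|bat|cmd))\b', re.IGNORECASE)

# Directories from which a legitimate Run entry almost never starts (assumption).
SUSPICIOUS_DIRS = {"c:\\windows", "c:\\windows\\system"}

Finding = Tuple[str, str, str]  # (severity, original line, reason)


def extract_path(cmd: str) -> Optional[str]:
    """Return the executable path from a Run value, handling quoted and unquoted forms."""
    cmd = cmd.strip()
    m = RE_PATH.match(cmd)
    if m:
        return m["path"]
    # No drive-letter path (e.g. "RUNDLL32.EXE ..." or "nwiz.exe /install"): first token.
    return cmd.split()[0].strip('"') if cmd else None


def parent_dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def file_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def file_stem(path: str) -> str:
    return file_name(path).lower().rsplit(".", 1)[0]


def location_is_suspicious(path: str) -> bool:
    d = parent_dir(path)
    return d in SUSPICIOUS_DIRS or "\\temp\\" in d + "\\"


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return (severity, line, reason) for every hit."""
    findings: List[Finding] = []
    for line in log_text.strip().splitlines():
        m = RE_O2.match(line)
        if m:
            if m["name"].strip() == "(no name)" or m["path"].strip() == "(no file)":
                findings.append(("fix", line, "orphan BHO: CLSID registered with no name and/or no file on disk"))
            continue
        m = RE_O4.match(line)
        if m:
            path = extract_path(m["cmd"])
            if path and location_is_suspicious(path):
                reason = "autostart launched from unusual directory " + parent_dir(path)
                if m["value"].lower() != file_stem(path):
                    reason += f"; value name '{m['value']}' does not match executable '{file_name(path)}'"
                findings.append(("fix", line, reason))
            continue
        m = RE_O20.match(line)
        if m:
            findings.append(("review", line, "Winlogon Notify DLL is loaded into winlogon.exe; confirm publisher and file age before keeping it"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {line}\n    -> {reason}")
```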
nicolamod (Pious mortal)
Registered: 06/11/07 21:26  Posts: 22
Posted: 13 Feb 2008 15:23
Sante62 wrote: | Hi nicolamod,
disable System Restore and start the PC in Safe Mode;
Start HJT, tick these lines on the left and then press Fix Checked:
Quote: | O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
|
Restart the PC in normal mode and redo the HijackThis log;
Have a look at this thread
about Combofix, and scan the PC, posting the result as indicated;
also do the scan with GMER
Remember that GMER produces two logs: Autostart and Rootkit. Post them on www.freefilehosting.net as indicated here |
------------------------------------------------------------
LOG HIJACK
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.40.42, on 13/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\PeerGuardian2\pg2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pc02\Documenti\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programmi\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Programmi\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: *.rossoalice.it
O15 - Trusted Zone: *.rossoalice.virgilio.it
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://nic0la88.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165933340218
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://nicolamod.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{467EB6CC-58B9-4A9C-B8C8-36B3B020ED05}: NameServer = 85.37.17.49 85.38.28.91
O20 - Winlogon Notify: winfax32 - C:\WINDOWS\SYSTEM32\winfax32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Upsagent - UPS Monitor (Upsagent) - Unknown owner - C:\Programmi\Upsmon\Upsag_nt.exe
--
End of file - 7747 bytes
---------------------------------------------------------------------------------
LOG COMBOFIX
ComboFix 08-02-13.2 - Pc02 2008-02-13 13.17.57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.178 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Pc02\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Creati Da 2008-01-13 al 2008-02-13 )))))))))))))))))))))))))))))))))))
.
2008-02-12 17:46 . 2008-02-12 17:39 286,720 --a------ C:\WINDOWS\iun506.exe
2008-02-12 17:40 . 2008-02-12 17:40 <DIR> d-------- C:\Programmi\Activision Value
2008-02-12 17:40 . 2008-02-12 17:40 <DIR> d-------- C:\DirectX
2008-02-09 20:02 . 2008-02-09 20:02 <DIR> d-------- C:\Documents and Settings\Pc02\Dati applicazioni\pokerth
2008-01-29 18:46 . 2008-01-29 18:46 <DIR> d-------- C:\Programmi\Microsoft Games
2008-01-29 18:37 . 2008-01-29 18:37 34,304 --a------ C:\WINDOWS\system\smvss.exe
2008-01-25 18:09 . 2008-01-25 18:09 0 --a------ C:\WINDOWS\PowerReg.dat
2008-01-19 19:20 . 2008-01-19 19:20 <DIR> d-------- C:\Programmi\EG
2008-01-16 13:09 . 2008-01-16 13:09 <DIR> d-------- C:\Documents and Settings\Pc02\Dati applicazioni\Alien Skin
2008-01-15 13:15 . 2008-01-15 13:20 <DIR> d-------- C:\Programmi\Fastream IQ Web FTP Server GUI
2008-01-15 12:40 . 2008-01-15 12:45 <DIR> d-------- C:\Programmi\FTP Explorer
2008-01-15 12:01 . 2008-01-15 12:11 <DIR> d-------- C:\Programmi\GlobalSCAPE
2008-01-13 20:48 . 2008-01-13 20:49 <DIR> d-------- C:\Programmi\TVAnts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 12:23 --------- d-----w C:\Programmi\PeerGuardian2
2008-02-13 09:39 --------- d-----w C:\Documents and Settings\Pc02\Dati applicazioni\AVG7
2008-01-29 17:56 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-01-20 22:03 --------- d-----w C:\Documents and Settings\Pc02\Dati applicazioni\FileZilla
2008-01-15 11:11 --------- d-----w C:\Documents and Settings\Pc02\Dati applicazioni\GlobalSCAPE
2008-01-04 20:57 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Firefly Studios
2008-01-04 20:07 --------- d-----w C:\Programmi\Firefly Studios
2008-01-04 09:08 --------- d-----w C:\Programmi\Google
2008-01-03 16:49 --------- d-----w C:\Documents and Settings\Pc02\Dati applicazioni\Canon
2008-01-03 15:30 --------- d-----w C:\Programmi\WebPublisher
2008-01-03 15:28 --------- d-----w C:\Programmi\KONAMI
2008-01-03 15:23 --------- d-----w C:\Programmi\mTIRC
2008-01-03 15:23 --------- d-----w C:\Programmi\Canon
2008-01-03 15:22 --------- d-----w C:\Programmi\DevalVR
2007-12-28 20:11 --------- d-----w C:\Programmi\Messenger Plus! Live
2007-12-26 09:50 --------- d-----w C:\Programmi\eMule
2007-12-16 10:40 --------- d-----w C:\Programmi\SopCast
2007-12-16 10:39 --------- d-----w C:\Documents and Settings\Pc02\Dati applicazioni\SopCast
2007-12-01 08:08 12,334,833 ------w C:\avg7qt.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 03:00 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"PeerGuardian"="C:\Programmi\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22 86016]
"DSLSTATEXE"="C:\Program Files\D-Link\DSL-200\dslstat.exe" [2004-03-03 11:34 356352]
"DSLAGENTEXE"="C:\Program Files\D-Link\DSL-200\dslagent.exe" [2004-03-03 11:34 16384]
"EPSON Stylus C64 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.exe" [2003-09-12 04:00 99840]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-22 13:24 579072]
"OpwareSE2"="C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2007-11-10 10:08 185632]
"PWRISOVM.EXE"="C:\Programmi\PowerISO\PWRISOVM.EXE" [2007-04-09 13:23 200704]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 03:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-06 22:35 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winfax32]
winfax32.dll 2003-03-25 05:52 9456 C:\WINDOWS\system32\winfax32.dll
R3 ovt530;Webcam Deluxe;C:\WINDOWS\system32\Drivers\ov530vid.sys [2005-03-15 17:04]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2006-10-05 10:30]
S3 Upsagent;Upsagent - UPS Monitor;C:\Programmi\Upsmon\Upsag_nt.exe [2004-03-09 08:16]
*Newly Created Service* - PGFILTER
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 13:28:29
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Programmi\Hercules\WebCam Station\PhotoImpression\share\pihook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Ora fine scansione: 2008-02-13 13:36:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 12:36:26
.
2008-01-09 22:13:16 --- E O F ---
------------------------------------------------------------------------------------
gmer autostart6.txt
gmer rootkit7.txt
Sante62 (Mature god)
Registered: 27/06/07 17:55  Posts: 3477  Location: Floridia
Posted: 13 Feb 2008 17:27
OK, the logs look clean...
Now connect to Kaspersky online scanner
While it is downloading the files it needs, temporarily disable the antivirus. As soon as the PC scan starts, disconnect from the internet.
At the end, upload the result to www.freefilehosting.net and report here the link you are given, as indicated here
nicolamod (Pious mortal)
Registered: 06/11/07 21:26  Posts: 22
Posted: 13 Feb 2008 21:19
Sante62 wrote: | OK, the logs look clean...
Now connect to Kaspersky online scanner
While it is downloading the files it needs, temporarily disable the antivirus. As soon as the PC scan starts, disconnect from the internet.
At the end, upload the result to www.freefilehosting.net and report here the link you are given, as indicated here |
After 2 hours of waiting, here is the log
link
Sante62 (Mature god)
Registered: 27/06/07 17:55  Posts: 3477  Location: Floridia
Posted: 14 Feb 2008 10:25
Download The Avenger
Unpack it into its own folder in c:\
Start it
Click on input script manually
Click on the magnifying glass
Enter these lines:
Quote: | files to delete:
C:\Programmi\eMule\Incoming\fm08up801cd2.rar
C:\Programmi\Sports Interactive\Football Manager 2008\fmloader.exe |
Click on Done
Click on the traffic light
The PC should restart; if it does not, restart it yourself. When it is done, post the generated log; you will find it at C:\Avenger.txt. Delete the file C:\Qoobox; it is the backup created by Combofix. Also use CCleaner: start it, click Options -> Advanced, and untick "only delete files older than 48 hours"
Use the Cleaner option and then click Analyze; at the end click Run Cleaner. Do the same with the Issues option; it will remove a series of useless registry keys. Now you should be fine....
nicolamod (Pious mortal)
Registered: 06/11/07 21:26  Posts: 22
Posted: 14 Feb 2008 11:49
Sante62 wrote: | Download The Avenger
Unpack it into its own folder in c:\
Start it
Click on input script manually
Click on the magnifying glass
Enter these lines:
Quote: | files to delete:
C:\Programmi\eMule\Incoming\fm08up801cd2.rar
C:\Programmi\Sports Interactive\Football Manager 2008\fmloader.exe |
Click on Done
Click on the traffic light
The PC should restart; if it does not, restart it yourself. When it is done, post the generated log; you will find it at C:\Avenger.txt. Delete the file C:\Qoobox; it is the backup created by Combofix. Also use CCleaner: start it, click Options -> Advanced, and untick "only delete files older than 48 hours"
Use the Cleaner option and then click Analyze; at the end click Run Cleaner. Do the same with the Issues option; it will remove a series of useless registry keys. Now you should be fine.... |
I did everything you asked!
Here is the Avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tefw^amw
*******************
Script file located at: \??\C:\Program Files\sgyosmup.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Programmi\eMule\Incoming\fm08up801cd2.rar deleted successfully.
File C:\Programmi\Sports Interactive\Football Manager 2008\fmloader.exe not found!
Deletion of file C:\Programmi\Sports Interactive\Football Manager 2008\fmloader.exe failed!
Could not process line:
C:\Programmi\Sports Interactive\Football Manager 2008\fmloader.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
THANKS A MILLLLLLLLLLLLLLLLLIOOOON!!!
bdoriano (Administrator)
Registered: 02/04/07 12:05  Posts: 14391  Location: 3rd planet of the solar system...
Posted: 14 Feb 2008 11:52
I think it is better to delete this other one too:
Quote: | 2008-01-29 18:37 . 2008-01-29 18:37 34,304 --a------ C:\WINDOWS\system\smvss.exe |
nicolamod (Pious mortal)
Registered: 06/11/07 21:26  Posts: 22
Posted: 14 Feb 2008 12:24
bdoriano wrote: | I think it is better to delete this other one too:
Quote: | 2008-01-29 18:37 . 2008-01-29 18:37 34,304 --a------ C:\WINDOWS\system\smvss.exe |
|
Should I do it with Avenger, using the same procedure I used to delete the previous ones?
Sante62 (Mature god)
Registered: 27/06/07 17:55  Posts: 3477  Location: Floridia
Posted: 14 Feb 2008 14:10
Yes, do it with Avenger...
nicolamod (Pious mortal)
Registered: 06/11/07 21:26  Posts: 22
Posted: 14 Feb 2008 14:23
Sante62 wrote: | Yes, do it with Avenger... |
Done
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qqpanlat
*******************
Script file located at: \??\C:\WINDOWS\system32\nvrsgyqk.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system\smvss.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Sante62 (Mature god)
Registered: 27/06/07 17:55  Posts: 3477  Location: Floridia
Posted: 14 Feb 2008 16:17
Good, are you experiencing any other problems?
If I am not mistaken you have no firewall; choose one through this thread.
nicolamod (Pious mortal)
Registered: 06/11/07 21:26  Posts: 22
Posted: 14 Feb 2008 17:16
Sante62 wrote: | Good, are you experiencing any other problems?
If I am not mistaken you have no firewall; choose one through this thread. |
At the moment no ...thanks a lot!
I will go and install one now!