The Zeus News Forums
[SOLVED] virtumonde.dll infection
marco1969
Devoted mortal

Registered: 16/04/08 17:14
Posts: 11

Posted: 16 Apr 2008 17:21    Subject: [SOLVED] virtumonde.dll infection

Good morning everyone.
Antivirus: AVG
Spybot installed
Windows Defender installed.
Advertising windows keep opening.
Running a scan with Spybot detects virtumonde.dll.
I run the clean-up, but the problem keeps coming back every day after a few hours.
I have used the Vundofix and Virtumondobegone applications, but the problem comes back.
This is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 17.06.20, on 16/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\marco_e_anna\Menu Avvio\Programmi\Esecuzione automatica\html2pop3.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Microsoft ActiveSync\WCESMgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\MARCO_~1\IMPOST~1\Temp\Rar$EX03.750\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM9fd9cf60] Rundll32.exe "C:\WINDOWS\system32\okoheieo.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA8276] command /c del "C:\WINDOWS\system32\iifdARiI.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5052] cmd /c del "C:\WINDOWS\system32\iifdARiI.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1434] command /c del "C:\WINDOWS\system32\lkgsvaqa.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC451] cmd /c del "C:\WINDOWS\system32\lkgsvaqa.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7856] command /c del "C:\WINDOWS\system32\iifdARiI.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2551] cmd /c del "C:\WINDOWS\system32\iifdARiI.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6699] command /c del "C:\WINDOWS\system32\lkgsvaqa.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9981] cmd /c del "C:\WINDOWS\system32\lkgsvaqa.dll_old"
O4 - Startup: html2pop3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F015DFA3-00EB-4B9A-B2CA-7439E358337C}: NameServer = 88.149.128.22 88.149.128.12
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

...what can I do...? :(
bdoriano
Administrator

Registered: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 16 Apr 2008 18:22

marco1969
Devoted mortal

Registered: 16/04/08 17:14
Posts: 11

Posted: 16 Apr 2008 22:47    Subject: log

VUNDOFIX found nothing and did not give me a log.

VIRTUMONDOBEGONE gave me this log:

[04/16/2008, 21:13:47] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\marco_e_anna\Desktop\virtumonde\VirtumundoBeGone.exe" )
[04/16/2008, 21:13:52] - Detected System Information:
[04/16/2008, 21:13:52] - Windows Version: 5.1.2600, Service Pack 2
[04/16/2008, 21:13:52] - Current Username: marco_e_anna (Admin)
[04/16/2008, 21:13:52] - Windows is in SAFE mode with Networking.
[04/16/2008, 21:13:52] - Searching for Browser Helper Objects:
[04/16/2008, 21:13:52] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[04/16/2008, 21:13:52] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/16/2008, 21:13:52] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/16/2008, 21:13:52] - BHO 4: {695F564D-4C0B-491F-9E70-65F5B78A005E} ()
[04/16/2008, 21:13:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:52] - Checking for HKLM\...\Winlogon\Notify\iifdARiI
[04/16/2008, 21:13:52] - Key not found: HKLM\...\Winlogon\Notify\iifdARiI, continuing.
[04/16/2008, 21:13:52] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/16/2008, 21:13:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:52] - No filename found. Continuing.
[04/16/2008, 21:13:52] - BHO 6: {A4D13F30-55A5-49BB-8B90-2A71EA9673A9} ()
[04/16/2008, 21:13:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:52] - Checking for HKLM\...\Winlogon\Notify\khfDsqrq
[04/16/2008, 21:13:52] - Found: HKLM\...\Winlogon\Notify\khfDsqrq - This is probably Virtumundo.
[04/16/2008, 21:13:52] - Assigning {A4D13F30-55A5-49BB-8B90-2A71EA9673A9} MSEvents Object
[04/16/2008, 21:13:52] - BHO list has been changed! Starting over...
[04/16/2008, 21:13:52] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[04/16/2008, 21:13:52] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/16/2008, 21:13:52] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/16/2008, 21:13:52] - BHO 4: {695F564D-4C0B-491F-9E70-65F5B78A005E} ()
[04/16/2008, 21:13:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:52] - Checking for HKLM\...\Winlogon\Notify\iifdARiI
[04/16/2008, 21:13:52] - Key not found: HKLM\...\Winlogon\Notify\iifdARiI, continuing.
[04/16/2008, 21:13:52] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/16/2008, 21:13:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:52] - No filename found. Continuing.
[04/16/2008, 21:13:52] - BHO 6: {A4D13F30-55A5-49BB-8B90-2A71EA9673A9} (MSEvents Object)
[04/16/2008, 21:13:52] - ALERT: Found MSEvents Object!
[04/16/2008, 21:13:52] - BHO 7: {AF5B9F64-9E22-4D83-940B-3A53014F0A35} ()
[04/16/2008, 21:13:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:52] - Checking for HKLM\...\Winlogon\Notify\mlJcBust
[04/16/2008, 21:13:52] - Key not found: HKLM\...\Winlogon\Notify\mlJcBust, continuing.
[04/16/2008, 21:13:52] - BHO 8: {E3CD29CD-E220-4029-8CBB-317C3BC51B1A} ()
[04/16/2008, 21:13:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:52] - Checking for HKLM\...\Winlogon\Notify\iifcCtSI
[04/16/2008, 21:13:52] - Key not found: HKLM\...\Winlogon\Notify\iifcCtSI, continuing.
[04/16/2008, 21:13:52] - Finished Searching Browser Helper Objects
[04/16/2008, 21:13:52] - *** Detected MSEvents Object
[04/16/2008, 21:13:52] - Trying to remove MSEvents Object...
[04/16/2008, 21:13:53] - Terminating Process: IEXPLORE.EXE
[04/16/2008, 21:13:53] - Terminating Process: RUNDLL32.EXE
[04/16/2008, 21:13:53] - Disabling Automatic Shell Restart
[04/16/2008, 21:13:53] - Terminating Process: EXPLORER.EXE
[04/16/2008, 21:13:53] - Suspending the NT Session Manager System Service
[04/16/2008, 21:13:53] - Terminating Windows NT Logon/Logoff Manager
[04/16/2008, 21:13:53] - Re-enabling Automatic Shell Restart
[04/16/2008, 21:13:53] - File to disable: C:\WINDOWS\system32\khfDsqrq.dll
[04/16/2008, 21:13:53] - Renaming C:\WINDOWS\system32\khfDsqrq.dll -> C:\WINDOWS\system32\khfDsqrq.dll.vir
[04/16/2008, 21:13:53] - ! File rename was unsucessful.
[04/16/2008, 21:13:53] - Attempting to Deny Access to C:\WINDOWS\system32\khfDsqrq.dll
[04/16/2008, 21:13:53] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[04/16/2008, 21:13:53] - processed file: C:\WINDOWS\system32\khfDsqrq.dll

[04/16/2008, 21:13:53] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[04/16/2008, 21:13:53] - Removing HKLM\...\Browser Helper Objects\{A4D13F30-55A5-49BB-8B90-2A71EA9673A9}
[04/16/2008, 21:13:53] - Removing HKCR\CLSID\{A4D13F30-55A5-49BB-8B90-2A71EA9673A9}
[04/16/2008, 21:13:53] - Adding Kill Bit for ActiveX for GUID: {A4D13F30-55A5-49BB-8B90-2A71EA9673A9}
[04/16/2008, 21:13:53] - Deleting ATLEvents/MSEvents Registry entries
[04/16/2008, 21:13:53] - Removing HKLM\...\Winlogon\Notify\khfDsqrq
[04/16/2008, 21:13:53] - Searching for Browser Helper Objects:
[04/16/2008, 21:13:53] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[04/16/2008, 21:13:53] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/16/2008, 21:13:53] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/16/2008, 21:13:53] - BHO 4: {695F564D-4C0B-491F-9E70-65F5B78A005E} ()
[04/16/2008, 21:13:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:53] - Checking for HKLM\...\Winlogon\Notify\iifdARiI
[04/16/2008, 21:13:53] - Key not found: HKLM\...\Winlogon\Notify\iifdARiI, continuing.
[04/16/2008, 21:13:53] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/16/2008, 21:13:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:53] - No filename found. Continuing.
[04/16/2008, 21:13:53] - BHO 6: {AF5B9F64-9E22-4D83-940B-3A53014F0A35} ()
[04/16/2008, 21:13:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:53] - Checking for HKLM\...\Winlogon\Notify\mlJcBust
[04/16/2008, 21:13:53] - Key not found: HKLM\...\Winlogon\Notify\mlJcBust, continuing.
[04/16/2008, 21:13:53] - BHO 7: {E3CD29CD-E220-4029-8CBB-317C3BC51B1A} ()
[04/16/2008, 21:13:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/16/2008, 21:13:53] - Checking for HKLM\...\Winlogon\Notify\iifcCtSI
[04/16/2008, 21:13:53] - Key not found: HKLM\...\Winlogon\Notify\iifcCtSI, continuing.
[04/16/2008, 21:13:53] - Finished Searching Browser Helper Objects
[04/16/2008, 21:13:53] - Finishing up...
[04/16/2008, 21:13:53] - A restart is needed.
[04/16/2008, 21:14:00] - Attempting to Restart via STOP error (Blue Screen!)


COMBOFIX gave me this:
ComboFix 08-04-15.8 - marco_e_anna 2008-04-16 21.19.08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.585 [GMT 2:00]
Eseguito da: C:\Documents and Settings\marco_e_anna\Desktop\virtumonde\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\geBsrRjG.dll
C:\WINDOWS\system32\iifdARiI.dll
C:\WINDOWS\system32\IiRAdfii.ini
C:\WINDOWS\system32\IiRAdfii.ini2
C:\WINDOWS\system32\IStCcfii.ini
C:\WINDOWS\system32\IStCcfii.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnkHaBQ.dll
C:\WINDOWS\system32\nnnnNHya.dll
C:\WINDOWS\system32\tsuBcJlm.ini
C:\WINDOWS\system32\tsuBcJlm.ini2

.
((((((((((((((((((((((((( Files Creati Da 2008-03-16 al 2008-04-16 )))))))))))))))))))))))))))))))))))
.

2008-04-16 21:13 . 2008-04-16 21:13 0 --a------ C:\WINDOWS\system32\khfDsqrq.dll.vir
2008-04-15 11:53 . 2008-04-15 11:53 <DIR> d-------- C:\VundoFix Backups
2008-04-13 21:17 . 2008-04-16 21:13 714 --a------ C:\WINDOWS\wininit.ini
2008-04-13 20:57 . 2008-04-13 20:57 <DIR> d-------- C:\Programmi\Spybot - Search & Destroy
2008-04-13 20:57 . 2008-04-13 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-04-12 06:37 . 2008-04-16 10:32 101,091 --a------ C:\WINDOWS\BM9fd9cf60.xml
2008-04-11 20:55 . 2008-04-11 20:55 1,144 --a------ C:\WINDOWS\mozver.dat
2008-04-11 20:39 . 2008-04-11 20:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-11 18:34 . 2008-04-11 18:34 <DIR> d-------- C:\Documents and Settings\marco_e_anna\Dati applicazioni\BWMonitor
2008-04-11 18:29 . 2008-04-11 18:29 37,376 --a------ C:\WINDOWS\system32\khfDsqrq.dll
2008-03-19 21:35 . 2008-03-19 21:35 <DIR> d-------- C:\Programmi\Ubisoft
2008-03-19 21:35 . 2008-03-19 21:35 <DIR> d-------- C:\Documents and Settings\marco_e_anna\Dati applicazioni\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 17:07 --------- d-----w C:\Documents and Settings\marco_e_anna\Dati applicazioni\uTorrent
2008-04-16 01:00 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\avg7
2008-04-15 20:44 --------- d-----w C:\Documents and Settings\marco_e_anna\Dati applicazioni\Skype
2008-04-13 20:26 --------- d-----w C:\Programmi\Flickr Uploadr
2008-04-13 16:53 --------- d-----w C:\Documents and Settings\marco_e_anna\Dati applicazioni\AVG7
2008-04-07 18:21 --------- d-----w C:\Programmi\eMule
2008-03-19 19:35 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-02-28 08:20 --------- d-----w C:\Programmi\Windows Defender
2008-02-16 17:23 --------- d-----w C:\Programmi\Weather Watcher
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B1E34C4-0199-47A5-A14C-88CF96D1B020}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4D13F30-55A5-49BB-8B90-2A71EA9673A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF5B9F64-9E22-4D83-940B-3A53014F0A35}]
C:\WINDOWS\system32\mlJcBust.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3CD29CD-E220-4029-8CBB-317C3BC51B1A}]
C:\WINDOWS\system32\iifcCtSI.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:00 15360]
"H/PC Connection Agent"="C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 12:16 417871]
"Yahoo! Pager"="C:\Programmi\Yahoo!\Messenger\ypager.exe" [ ]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 15:45 90112 C:\WINDOWS\SOUNDMAN.EXE]
"SMSERIAL"="sm56hlpr.exe" [2005-09-13 07:00 544768 C:\WINDOWS\sm56hlpr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35 7110656]
"nwiz"="nwiz.exe" [2005-08-02 16:35 1519616 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"NvMediaCenter"="NvMCTray.dll" [2005-08-02 16:35 86016 C:\WINDOWS\system32\nvmctray.dll]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:43 579584]
"Windows Defender"="C:\Programmi\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"BM9fd9cf60"="C:\WINDOWS\system32\okoheieo.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-01 22:30 219136]

C:\Documents and Settings\marco_e_anna\Menu Avvio\Programmi\Esecuzione automatica\
html2pop3.exe [2005-10-14 04:31:20 72704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDsqrq]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Programmi\\uTorrent\\uTorrent.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 xmasbus;xmasbus;C:\WINDOWS\system32\DRIVERS\xmasbus.sys [2003-12-21 18:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys [2003-12-23 03:15]
R3 usbstor;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-19 14:00]
S3 DTVFW;LITE-ON DVB-T USB adapter firmware;C:\WINDOWS\system32\DRIVERS\dtvfw.sys [2005-05-12 13:16]
S3 usbdtv;LITE-ON DVB-T (PID=F001) receiver;C:\WINDOWS\system32\Drivers\usbdtv.sys [2005-06-07 12:37]

.
Contenuto della cartella 'Scheduled Tasks'
"2008-04-16 19:26:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Programmi\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 21:24:16
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\marco_e_anna\Menu Avvio\Programmi\Esecuzione automatica\html2pop3.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
.
**************************************************************************
.
Ora fine scansione: 2008-04-16 21:32:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 19:31:52

24 Directory 51,215,679,488 byte disponibili
28 Directory 51,112,607,744 byte disponibili
.
2008-04-16 10:11:37 --- E O F ---


Norman Malware Cleaner gave me this:
http://www.freefilehosting.net/download/3feie


HijackThis gave me this:
Logfile of HijackThis v1.99.1
Scan saved at 22.46.29, on 16/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\marco_e_anna\Menu Avvio\Programmi\Esecuzione automatica\html2pop3.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\marco_e_anna\Desktop\virtumonde\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AF5B9F64-9E22-4D83-940B-3A53014F0A35} - C:\WINDOWS\system32\mlJcBust.dll (file missing)
O2 - BHO: (no name) - {E3CD29CD-E220-4029-8CBB-317C3BC51B1A} - C:\WINDOWS\system32\iifcCtSI.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM9fd9cf60] Rundll32.exe "C:\WINDOWS\system32\okoheieo.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: html2pop3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F015DFA3-00EB-4B9A-B2CA-7439E358337C}: NameServer = 88.149.128.22 88.149.128.12
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfDsqrq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
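For anyone reading this thread later, an added example (not part of the original posts, and not code from any of the tools named here) of how the Vundo indicators visible in the HijackThis logs above can be picked out automatically: O2 BHOs with no name or a missing file, O4 Run entries that load a DLL through Rundll32 with a one-letter entry point (as the BM9fd9cf60 entry does), and O20 Winlogon Notify entries with no resolvable DLL. The sample lines are constructed from the log format in this thread; the rule texts, the `Finding` structure and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis 1.99.1 line format, modelled on the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AF5B9F64-9E22-4D83-940B-3A53014F0A35} - C:\WINDOWS\system32\mlJcBust.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM9fd9cf60] Rundll32.exe "C:\WINDOWS\system32\okoheieo.dll",s
O20 - Winlogon Notify: khfDsqrq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Line shapes HijackThis prints for the three entry types this thread turns on.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# rundll32 <dll>,<entry point>; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S*)', re.IGNORECASE)

MISSING = " (file missing)"


@dataclass
class Finding:
    section: str          # HijackThis section: O2, O4 or O20
    detail: str           # why the line was flagged
    line: str             # the original log line
    path: Optional[str]   # DLL path to hand to the cleaner, when the line gives one


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Flag the Vundo-style persistence entries seen in this thread."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = BHO_RE.match(line)
        if m:
            # Vundo registers BHOs with no name; after a partial clean-up the CLSID
            # stays behind while the DLL is gone ("file missing").
            path = m["path"]
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO has no name")
            if path.endswith(MISSING):
                reasons.append("BHO file missing")
                path = path[: -len(MISSING)]
            if reasons:
                findings.append(Finding("O2", "; ".join(reasons), line, path))
            continue

        m = RUN_RE.match(line)
        if m:
            # Legitimate rundll32 autostarts name a descriptive export (NvStartup);
            # the loader in this thread calls its DLL with a one-letter export.
            r = RUNDLL_RE.match(m["cmd"])
            if r and len(r["entry"]) <= 1:
                detail = f"rundll32 entry point '{r['entry']}' in [{m['key']}]"
                findings.append(Finding("O4", detail, line, r["dll"]))
            continue

        m = NOTIFY_RE.match(line)
        if m and not m["path"].lower().endswith(".dll"):
            # HijackThis prints only a directory when it cannot resolve the notify
            # DLL; the file has to be located by other means (ComboFix did so above).
            detail = f"Winlogon Notify '{m['name']}' has no resolvable DLL"
            findings.append(Finding("O20", detail, line, None))
    return findings


def suspect_paths(log_text: str) -> List[str]:
    """Sorted, de-duplicated DLL paths from the findings, e.g. for a File:: list."""
    return sorted({f.path for f in triage_hijackthis(log_text) if f.path})


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.section:<4} {f.detail}\n     {f.line}")
    print("DLLs to quarantine:", *suspect_paths(SAMPLE_LOG), sep="\n  ")
```

The heuristics are deliberately narrow (they match what this thread shows, not every Vundo variant), so treat a hit as something to verify against the file on disk, not as proof on its own.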
bdoriano
Administrator

Registered: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 17 Apr 2008 09:11

Create a text file with the following instructions:
Code:
File::
C:\WINDOWS\system32\khfDsqrq.dll.vir
C:\WINDOWS\system32\khfDsqrq.dll
C:\WINDOWS\system32\mlJcBust.dll
C:\WINDOWS\system32\iifcCtSI.dll
C:\WINDOWS\system32\okoheieo.dll

registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM9fd9cf60"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDsqrq]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF5B9F64-9E22-4D83-940B-3A53014F0A35}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3CD29CD-E220-4029-8CBB-317C3BC51B1A}]

Save the file on the desktop with the name CFScript.txt and drag it onto the ComboFix icon, as shown below:

Wait patiently for it to finish without touching the keyboard, mouse or anything else. ;)
Post the updated ComboFix and HijackThis logs
marco1969
Devoted mortal

Registered: 16/04/08 17:14
Posts: 11

Posted: 17 Apr 2008 19:34

COMBOFIX:

ComboFix 08-04-15.8 - marco_e_anna 2008-04-17 19.18.44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.584 [GMT 2:00]
Eseguito da: C:\Documents and Settings\marco_e_anna\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\marco_e_anna\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\iifcCtSI.dll
C:\WINDOWS\system32\khfDsqrq.dll
C:\WINDOWS\system32\khfDsqrq.dll.vir
C:\WINDOWS\system32\mlJcBust.dll
C:\WINDOWS\system32\okoheieo.dll
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\khfDsqrq.dll
C:\WINDOWS\system32\khfDsqrq.dll.vir

.
((((((((((((((((((((((((( Files Creati Da 2008-03-17 al 2008-04-17 )))))))))))))))))))))))))))))))))))
.

2008-04-15 11:53 . 2008-04-15 11:53 <DIR> d-------- C:\VundoFix Backups
2008-04-13 21:17 . 2008-04-16 21:13 714 --a------ C:\WINDOWS\wininit.ini
2008-04-13 20:57 . 2008-04-13 20:57 <DIR> d-------- C:\Programmi\Spybot - Search & Destroy
2008-04-13 20:57 . 2008-04-13 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-04-12 06:37 . 2008-04-16 10:32 101,091 --a------ C:\WINDOWS\BM9fd9cf60.xml
2008-04-11 20:55 . 2008-04-11 20:55 1,144 --a------ C:\WINDOWS\mozver.dat
2008-04-11 20:39 . 2008-04-11 20:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-11 18:34 . 2008-04-11 18:34 <DIR> d-------- C:\Documents and Settings\marco_e_anna\Dati applicazioni\BWMonitor
2008-03-19 21:35 . 2008-03-19 21:35 <DIR> d-------- C:\Programmi\Ubisoft
2008-03-19 21:35 . 2008-03-19 21:35 <DIR> d-------- C:\Documents and Settings\marco_e_anna\Dati applicazioni\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 17:14 --------- d-----w C:\Documents and Settings\marco_e_anna\Dati applicazioni\uTorrent
2008-04-17 01:00 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\avg7
2008-04-15 20:44 --------- d-----w C:\Documents and Settings\marco_e_anna\Dati applicazioni\Skype
2008-04-13 20:26 --------- d-----w C:\Programmi\Flickr Uploadr
2008-04-13 16:53 --------- d-----w C:\Documents and Settings\marco_e_anna\Dati applicazioni\AVG7
2008-04-07 18:21 --------- d-----w C:\Programmi\eMule
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 19:35 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 08:20 --------- d-----w C:\Programmi\Windows Defender
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_21.31.42.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 19:23:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-16 20:38:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:00 15360]
"H/PC Connection Agent"="C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 12:16 417871]
"Yahoo! Pager"="C:\Programmi\Yahoo!\Messenger\ypager.exe" [ ]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 15:45 90112 C:\WINDOWS\SOUNDMAN.EXE]
"SMSERIAL"="sm56hlpr.exe" [2005-09-13 07:00 544768 C:\WINDOWS\sm56hlpr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35 7110656]
"nwiz"="nwiz.exe" [2005-08-02 16:35 1519616 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"NvMediaCenter"="NvMCTray.dll" [2005-08-02 16:35 86016 C:\WINDOWS\system32\nvmctray.dll]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:43 579584]
"Windows Defender"="C:\Programmi\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-01 22:30 219136]

C:\Documents and Settings\marco_e_anna\Menu Avvio\Programmi\Esecuzione automatica\
html2pop3.exe [2005-10-14 04:31:20 72704]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Programmi\\uTorrent\\uTorrent.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 xmasbus;xmasbus;C:\WINDOWS\system32\DRIVERS\xmasbus.sys [2003-12-21 18:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys [2003-12-23 03:15]
R3 usbstor;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-19 14:00]
S3 DTVFW;LITE-ON DVB-T USB adapter firmware;C:\WINDOWS\system32\DRIVERS\dtvfw.sys [2005-05-12 13:16]
S3 usbdtv;LITE-ON DVB-T (PID=F001) receiver;C:\WINDOWS\system32\Drivers\usbdtv.sys [2005-06-07 12:37]

.
Contenuto della cartella 'Scheduled Tasks'
"2008-04-16 20:41:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Programmi\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 19:22:05
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-04-17 19.24.33
ComboFix-quarantined-files.txt 2008-04-17 17:23:49
ComboFix2.txt 2008-04-16 19:32:08

24 Directory 49,442,152,448 byte disponibili
28 Directory 49,442,283,520 byte disponibili
.
2008-04-16 10:11:37 --- E O F ---




HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 19.25.36, on 17/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\marco_e_anna\Menu Avvio\Programmi\Esecuzione automatica\html2pop3.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\marco_e_anna\Desktop\virtumonde\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AF5B9F64-9E22-4D83-940B-3A53014F0A35} - (no file)
O2 - BHO: (no name) - {E3CD29CD-E220-4029-8CBB-317C3BC51B1A} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: html2pop3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F015DFA3-00EB-4B9A-B2CA-7439E358337C}: NameServer = 88.149.128.22 88.149.128.12
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfDsqrq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
bdoriano
Administrator

Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 18 Apr 2008 08:55

Ok, we're doing decidedly better. ;)
  • Disable your antivirus
  • Go to BitDefender (with IE) and run the full scan.
  • Go to the Kaspersky on-line scanner and run the extended scan, as described here.
    Save the scan result to a file (in HTML format), upload the file to Freefilehosting and post here the link you are given.

Before continuing, update HijackThis and save it in its own folder, not a temporary one and not on the desktop.

Disable System Restore and start the PC in Safe Mode
run HijackThis
click "Do a system scan only"
tick these entries:
Quote:
O2 - BHO: (no name) - {AF5B9F64-9E22-4D83-940B-3A53014F0A35} - (no file)
O2 - BHO: (no name) - {E3CD29CD-E220-4029-8CBB-317C3BC51B1A} - (no file)
O20 - Winlogon Notify: khfDsqrq - C:\WINDOWS\

click Fix checked
Restart the PC in normal mode, redo the HijackThis log and post it
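As an added example, not code from the thread or from HijackThis/ComboFix: a small Python triage script for log lines in the HijackThis v1.99.1 format quoted above. It scores O2 BHO entries with no file and O20 Winlogon Notify entries that do not point at a DLL (the three entries ticked above), and checks whether those entries still appear in a log taken after Fix checked. The sample log lines, the allowlist of stock XP SP2 notify packages and all function names are constructed for the example.

```python
"""Triage for HijackThis v1.99.1 log lines: example code, not part of
HijackThis, ComboFix or this thread. Scores the O2 (BHO) and O20 (Winlogon
Notify) entries singled out above and checks whether ticked entries survived
"Fix checked"."""
import re
from dataclasses import dataclass, field
from typing import List

# Winlogon Notify packages shipped with Windows XP SP2 plus WGA's WgaLogon.
# Assumed allowlist for the example; extend it with your own vendor packages.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Constructed sample modelled on entries quoted in the thread (not the full
# log); it stands in for the log taken after "Fix checked".
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AF5B9F64-9E22-4D83-940B-3A53014F0A35} - (no file)
O2 - BHO: (no name) - {E3CD29CD-E220-4029-8CBB-317C3BC51B1A} - (no file)
O20 - Winlogon Notify: khfDsqrq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# The three entries the reply above says to tick.
FIXED_ENTRIES = [
    "O2 - BHO: (no name) - {AF5B9F64-9E22-4D83-940B-3A53014F0A35} - (no file)",
    "O2 - BHO: (no name) - {E3CD29CD-E220-4029-8CBB-317C3BC51B1A} - (no file)",
    "O20 - Winlogon Notify: khfDsqrq - C:\\WINDOWS\\",
]


@dataclass
class Finding:
    line: str
    score: int = 0                    # 0 = nothing notable; higher = look harder
    reasons: List[str] = field(default_factory=list)


def assess_line(line: str) -> Finding:
    """Score one log line. Only O2 and O20 entries are examined here."""
    f = Finding(line=line.strip())
    m = LINE_RE.match(f.line)
    if not m:
        return f
    section, body = m.group("section"), m.group("body")
    if section == "O2" and (b := BHO_RE.match(body)):
        if b.group("path").strip().lower() == "(no file)":
            # CLSID still registered in the BHO list but the DLL is gone:
            # an orphan left behind by a partial removal.
            f.score += 2
            f.reasons.append("BHO CLSID registered but its DLL is missing")
        if b.group("name").strip().lower() == "(no name)":
            f.score += 1
            f.reasons.append("BHO has no friendly name")
    elif section == "O20" and (n := NOTIFY_RE.match(body)):
        name, path = n.group("name"), n.group("path").strip()
        if name.lower() not in KNOWN_NOTIFY:
            f.score += 1
            f.reasons.append("Winlogon Notify package not in allowlist")
            if re.fullmatch(r"[A-Za-z]{8}", name) and name not in (name.lower(), name.upper()):
                f.score += 1   # same shape as the random DLL names in the thread
                f.reasons.append("8-letter mixed-case package name")
        if path.endswith("\\") or not path.lower().endswith(".dll"):
            # Notify packages are DLLs loaded by winlogon.exe; a bare directory
            # means the file was removed but the registry hook was not.
            f.score += 2
            f.reasons.append("Winlogon Notify entry does not point at a DLL")
    return f


def triage(log_text: str, threshold: int = 2) -> List[Finding]:
    """Findings at or above threshold, highest score first."""
    found = [assess_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)


def survived_fix(fixed: List[str], after_log: str) -> List[str]:
    """Entries ticked for 'Fix checked' that still appear in a later log."""
    after = {l.strip() for l in after_log.splitlines()}
    return [l for l in fixed if l.strip() in after]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}\n      " + "; ".join(f.reasons))
    for l in survived_fix(FIXED_ENTRIES, SAMPLE_LOG):
        print("still present after fix:", l)
```

Run against the real before/after logs, survived_fix is the quick way to confirm the observation made later in this thread, that ticked entries can come straight back.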
marco1969
Devoted mortal

Joined: 16/04/08 17:14
Posts: 11

Posted: 19 Apr 2008 04:46

Kaspersky log:

http://www.freefilehosting.net/download/3fhle
marco1969
Devoted mortal

Joined: 16/04/08 17:14
Posts: 11

Posted: 19 Apr 2008 04:56

log before the restart in Safe Mode:

Logfile of HijackThis v1.99.1
Scan saved at 4.47.32, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\marco_e_anna\Menu Avvio\Programmi\Esecuzione automatica\html2pop3.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\marco_e_anna\Desktop\virtumonde\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AF5B9F64-9E22-4D83-940B-3A53014F0A35} - (no file)
O2 - BHO: (no name) - {E3CD29CD-E220-4029-8CBB-317C3BC51B1A} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: html2pop3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F015DFA3-00EB-4B9A-B2CA-7439E358337C}: NameServer = 88.149.128.12 88.149.128.22
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfDsqrq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



log after the restart:


Logfile of HijackThis v1.99.1
Scan saved at 4.53.59, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\marco_e_anna\Menu Avvio\Programmi\Esecuzione automatica\html2pop3.exe
C:\Documents and Settings\marco_e_anna\Desktop\virtumonde\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AF5B9F64-9E22-4D83-940B-3A53014F0A35} - (no file)
O2 - BHO: (no name) - {E3CD29CD-E220-4029-8CBB-317C3BC51B1A} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: html2pop3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfDsqrq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Uh oh.. I noticed I hadn't disabled the configuration registry restore.... do I need to redo something...?
bdoriano
Administrator

Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 19 Apr 2008 14:02

You can disable it now; at least it removes a virus present in System Restore.
Strangely, the entries I told you to remove are still present.

Run this scan with SystemScan and post the log on FreeFileHosting as described here.
marco1969
Devoted mortal

Joined: 16/04/08 17:14
Posts: 11

Posted: 19 Apr 2008 15:12    Subject: suspectfile

here's the link:

http://www.freefilehosting.net/download/3fim6

I just have one doubt: I followed the instructions that said to disconnect from the internet, but that didn't let it do the upgrade.
Do I need to redo it?
bdoriano
Administrator

Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 19 Apr 2008 15:52

No, you don't need to redo it.

I had a quick look and it seems ok to me.
If you like, clean the Windows registry with Eusing Free Registry Cleaner or Wise Registry Cleaner and Auslogics Registry Defrag.
marco1969
Devoted mortal

Joined: 16/04/08 17:14
Posts: 11

Posted: 19 Apr 2008 19:10

I was planning to replace the current antivirus and firewall with Norton 2007... could this be the right moment, or is it better to do the suggested registry cleaning first?
2) ...what do you get up to on the tatami..? :)
bdoriano
Administrator

Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 19 Apr 2008 20:36

First the cleaning, then the installation. If I may, Kaspersky or Panda is preferable to Norton. (personal opinion, obviously). ;)

As for the rest... we talked about it here. :P
marco1969
Devoted mortal

Joined: 16/04/08 17:14
Posts: 11

Posted: 19 Apr 2008 22:35

cleaning done...
...the thing is, Norton was given to me as a gift :) the other two weren't.. :)
...aikido then... I'm also a regular on the tatami (karate), although I'm out until the end of the month for a small operation...
marco1969
Devoted mortal

Joined: 16/04/08 17:14
Posts: 11

Posted: 21 Apr 2008 23:31

...in any case... now, more calmly, thank you for the help you gave me. It would have been practically impossible to clean the PC without this outside help. :)
Now, to proceed with installing the new antivirus, is it necessary to uninstall the old one first, or can it be left where it is?
bdoriano
Administrator

Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 21 Apr 2008 23:45

Uninstall the previous one, reboot, install the new one. :)

PS: if you don't run into other problems, in a week we'll move the thread to the solved cases. Bye
marco1969
Devoted mortal

Joined: 16/04/08 17:14
Posts: 11

Posted: 28 Apr 2008 20:55    Subject: solved

I'd say everything has been solved... I then installed Norton and it found two old potentially infected files..... I trust it :)
I'd say we can put it in the solved cases and go straight to the checkout.. :)