Olimpo Informatico

david · Mortale pio Registrato: 27/04/08 11:12 Messaggi: 22

ho scaricato di nuovo entrambi i programmi, ma niente da fare. avenger mi ha di nuovo "incartato" il computer. mah!

ciao.

chemicalbit · Inviato: 29 Apr 2008 23:39 Oggetto:

bdoriano · Inviato: 29 Apr 2008 23:46 Oggetto:

Fai questa scansione con SystemScan e posta il log su FreeFileHosting come indicato qui.

david · Mortale pio Registrato: 27/04/08 11:12 Messaggi: 22

ciao chemicalbit e bdoriano.

qui siamo in evidente peggioramento e non sò spiegarne i motivi. si è ripresentato il problema della cpu che lavora al 100% e la finestra esce nuovamente. il primo problema riesco temporaneamente a superarlo, ma si ripresenta. elibagla non riesce a terminare la scansione. ecco cosa ho trovato:

C:\Programmi\Synaptics\SynTP\SYNTPLPR.EXE --> Eliminado Bagle.dldr
C:\Programmi\SUPERAntiSpyware\SUPERANTISPYWARE.EXE --> Eliminado Bagle.dldr
C:\Muestras\HLDRRR.EXE.MUESTRA ELIBAGLE V11.31 --> Eliminado Bagle.dldr
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.

MBAM mi trova sempre i soliti 2 file:

File infetti:
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> No action taken.
C:\WINDOWS\system32\drivers\hldrrr.exe (Rootkit.Agent) -> No action taken.

li cancello a partire dalla quarantena, ma se rifaccio la scansione escono di nuovo fuori.

ti posto il log di SystemScan:

30_04_2008_15_07_report.zip

chemicalbit, ho riprovato ad aggiornare MBAM, ma mi segnala un problema con la connessione internet o con il firewall.

è dura...

ciao.

chemicalbit · Inviato: 30 Apr 2008 16:34 Oggetto:

david · Mortale pio Registrato: 27/04/08 11:12 Messaggi: 22

solo nei giorni feriali posso connettermi con un altro computer.

R16 · Dio maturo Registrato: 07/03/08 22:58 Messaggi: 10129

Chiedo scusa se mi intrometto,ma se scarica Elibagle,e lo fà girare in modalità provvisoria,sono sicuro che gli darà una grossa mano.

http://www.zonavirus.com/datos/descargas/95/elibagla.asp

chemicalbit · Inviato: 30 Apr 2008 18:44 Oggetto:

Ok,
allora confermi Elibagla da modalità provvisoria,
che io ipotizzavo potesse funzionare.

p.s. EliBagle o EliBagla? Nella stessa pagina lo scrivono in 2 modi diversi.

bdoriano · Inviato: 30 Apr 2008 19:58 Oggetto:

Apri il notepad, e copia/incolla questo codice

Citazione:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"hldrrr"=-

poi salva il file col nome di fix.reg in C:\ (IMPORTANTE!)
Avvia nuovamente SystemScan
metti il segno di spunta a I have read and agree. Please let me free to proceed e clicca su Proceed
clicca su Removal Script

Nel riquadro inserisci il seguente script:

Codice:

Files to delete:
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\hsieegdm.sys
C:\WINDOWS\system32\drivers\srosa.sys
c:\documents and settings\davide\impostazioni locali\temp\gain_trickler_3202a.exe

registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler
HKLM\SYSTEM\CurrentControlSet\Services\srosa

Programs to launch on reboot:
C:\fix.reg

e clicca Proceed with removal

******
Se dovessi ricevere l'errore Please copy and paste a valid script file, una volta incollato lo script in SystemScan (o Avenger), selezioni la prima riga, la cancelli e la ri-digiti. Fatto questo, dovrebbe tornare a funzionare.
******

Il pc dovrebbe riavviarsi, se così non fosse, riavvialo tu.
Al termine dell'operazione, posta qui il contenuto del file C:\Avenger.txt con un log aggiornato di hijackthis.

david · Mortale pio Registrato: 27/04/08 11:12 Messaggi: 22

Buongiorno a tutti.

Allora, ho utilizzato MBAM ed elibagla in modalità provvisoria e hanno cancellato diversi file. Ho anche fatto una scansione con GMER.

i link dei log:

mbam-log-4-30-2008 (17-45-30).txt

InfoSat20.txt

GMER1-5-2008 11-07.log

bdoriano, ho fatto quanto hai detto e ridigitando la prima riga finalmente (mi aveva sempre dato quel messaggio di errore sia oggi che nelle precedenti occasioni) SystemScan è partito con la rimozione dello script.

ti posto il log:

avenger97.txt

hijackthis, così come il norton, avenger e combofix, non si apre e mi dà il solito messaggio di applicazione win32 non valida.

Alla luce anche del log di GMER, che ne dici se disinstallo il norton? non riesco neanche ad aprire i documenti di office.

Sto evitando di connettermi con quel computer altrimenti ritorniamo al punto di partenza. Wink

ciao.

bdoriano

Alla luce degli ultimi logs, conviene fare i passaggi uno alla volta.
MBAM sembra sia riuscito a eliminare Bagle e, infatti, EliBaglA ha eliminato l'ultimo rimasuglio.
Ora dobbiamo occuparci dell'altra infezione.
Disinstallare Norton potrebbe essere una buona idea. Razz

Rifai nuovamente i seguenti passaggi, riscaricando i vari programmi aggiornati:

Scarica Norman Malware Cleaner.
Avvia il pc in modalità provvisoria.
Avvia Norman Malware Cleaner e fagli fare la scansione completa.
Viene generato un log sul desktop chiamandolo NFix_2008-05-gg_hh-mm-ss.log, alla fine della scansione caricalo su FreeFileHosting come indicato qui e posta il link che ti viene assegnato.
Segui le istruzioni di questo topic per postare il log di combofix.

david · Mortale pio Registrato: 27/04/08 11:12 Messaggi: 22

credo che il computer sia tornato a posto, non sto riscontrando problemi. Very Happy

il log di Norman Malware Cleaner:

NFix_2008-05-03_13-15-52.log

finalmente ho potuto usare combofix, avenger e HiJackThis.

avenger99.txt

ComboFix 08-05-01.3
Microsoft Windows XP Home Edition

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-04-03 al 2008-05-03 )))))))))))))))))))))))))))))))))))
.

2008-05-03 12:20 . 2008-05-03 12:20 <DIR> d-------- C:\Programmi\Alwil Software
2008-05-02 09:26 . 2008-05-02 09:26 <DIR> d-------- C:\suspectfile
2008-05-01 10:50 . 2008-05-01 11:02 250 --a------ C:\WINDOWS\gmer.ini
2008-04-30 17:36 . 2008-04-30 17:36 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Malwarebytes
2008-04-30 17:34 . 2005-11-01 11:31 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-04-30 17:34 . 2005-11-01 11:41 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-04-30 17:34 . 2005-11-01 11:41 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2008-04-30 17:34 . 2005-11-01 11:37 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Symantec
2008-04-30 17:34 . 2005-11-01 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\InterTrust
2008-04-30 17:34 . 2005-11-01 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Intel
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-04-30 17:34 . 2008-04-30 17:35 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 17:34 . 2008-05-03 14:25 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 17:51 . 2008-04-29 17:51 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\Malwarebytes
2008-04-29 17:50 . 2008-04-29 17:50 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-04-29 17:50 . 2008-04-29 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-04-29 14:19 . 2008-04-29 14:19 <DIR> d-------- C:\_OTMoveIt
2008-04-29 11:56 . 2008-04-29 11:56 <DIR> d-------- C:\Programmi\PrevxCSI
2008-04-29 11:54 . 2008-04-30 11:52 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-04-28 21:12 . 2008-04-28 21:12 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\SUPERAntiSpyware.com
2008-04-28 21:12 . 2008-04-28 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2008-04-27 19:22 . 2008-04-27 19:22 <DIR> d-------- C:\script per david
2008-04-27 16:40 . 2008-05-02 09:24 119 --a------ C:\fix.reg
2008-04-27 13:05 . 2008-04-27 13:05 <DIR> d-------- C:\Programmi\CCleaner
2008-04-27 10:23 . 2008-04-27 10:23 <DIR> d-------- C:\gmer
2008-04-26 22:13 . 2008-04-26 22:13 <DIR> d-------- C:\HiJackThis
2008-04-26 21:20 . 2008-04-26 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-04-26 21:18 . 2008-04-26 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Prevx
2008-04-26 21:15 . 2008-04-26 21:15 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\PrevxCSI
2008-04-26 20:41 . 2008-04-26 20:41 <DIR> d-------- C:\Programmi\avenger
2008-04-26 19:48 . 2008-04-26 19:48 <DIR> d--hs---- C:\FOUND.000
2008-04-26 19:17 . 2008-04-26 19:17 <DIR> d-------- C:\Muestras
2008-04-26 18:15 . 2008-04-26 18:15 169 --a------ C:\WINDOWS\RtlRack.ini
2008-04-26 18:05 . 2008-04-26 18:05 <DIR> d-------- C:\Programmi\Realtek Sound Manager
2008-04-26 18:05 . 2004-12-17 07:19 164 --------- C:\WINDOWS\avrack.ini
2008-04-26 18:04 . 2004-12-17 07:19 208,896 --------- C:\WINDOWS\alcupd.exe
2008-04-26 18:04 . 2004-12-17 07:19 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-04-26 18:04 . 2004-12-17 07:19 40,448 --------- C:\WINDOWS\system32\ChCfg.exe
2008-04-25 19:28 . 2008-04-25 19:28 <DIR> d-------- C:\Programmi\FreeUndelete
2008-04-25 16:44 . 1999-06-18 23:49 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2008-04-25 16:44 . 2006-03-01 03:10 69,632 --a------ C:\WINDOWS\system32\Crypserv.exe
2008-04-25 16:44 . 2006-01-10 04:47 31,846 --a------ C:\WINDOWS\system32\Ckldrv.sys
2008-04-25 16:44 . 1996-05-03 19:21 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2008-04-25 16:44 . 1996-05-03 17:36 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2008-04-25 16:44 . 1995-07-04 20:33 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2008-04-25 16:44 . 2008-04-25 16:44 1,680 --a------ C:\WINDOWS\system32\esnecil.nlp
2008-04-25 16:44 . 2008-04-26 10:00 1,680 --a------ C:\WINDOWS\system32\esnecil.ind
2008-04-25 16:44 . 2008-04-25 16:44 67 --a------ C:\WINDOWS\Crypkey.ini
2008-04-25 16:44 . 2008-04-25 16:44 4 --a------ C:\WINDOWS\vx86036.dat
2008-04-25 15:08 . 2008-04-25 15:08 <DIR> d-------- C:\Programmi\Drive Rescue
2008-04-13 11:05 . 2008-04-13 11:05 <DIR> d-------- C:\Programmi\PC Inspector File Recovery
2008-04-13 11:05 . 2002-02-18 18:40 6,200 --a------ C:\WINDOWS\system32\int13ext.vxd
2008-04-13 10:39 . 2008-04-13 10:39 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-06 17:40 . 2008-04-06 17:40 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\zanic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 12:31 4,944 ----a-w C:\Documents and Settings\Davide\Winio.sys
2008-04-30 15:01 14,848 ----a-w C:\WINDOWS\system32\dllcache\register.exe
2008-04-29 07:50 94,208 ----a-w C:\WINDOWS\DUMP16ff.tmp
2008-04-26 21:30 94,208 ----a-w C:\WINDOWS\DUMP3c9e.tmp
2008-04-26 21:24 94,208 ----a-w C:\WINDOWS\DUMP3a27.tmp
2008-04-26 20:59 69,632 ----a-w C:\WINDOWS\DUMP3ab3.tmp
2008-03-09 09:09 --------- d-----w C:\Documents and Settings\Davide\Dati applicazioni\Lavasoft
2008-03-09 08:54 --------- d-----w C:\Programmi\N501HS Wizard
2008-03-08 12:59 --------- d-----w C:\Programmi\Rename-It!
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:00 15360]
"SUPERAntiSpyware"="C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-11-03 15:48 94208]
"SynTPLpr"="C:\Programmi\Synaptics\SynTP\SynTPLpr.exe" [ ]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2004-12-16 19:55 688218]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10 344064]
"Power_Gear"="C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe" [2004-09-21 16:55 81920]
"IntelWireless"="C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2004-08-06 16:48 385024]
"EOUApp"="C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe" [2004-08-06 16:52 356352]
"NB Probe"="C:\Programmi\ASUS\NB Probe\NBProbe.exe" [2004-12-08 10:09 765952]
"PC98Monitor"="C:\PROGRA~1\TIMTUR~1.33I\N100EM~1.EXE" [2005-05-15 18:35 368640]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"DetectDatacard"="C:\Programmi\InstallShield Installation Information\{2427F243-56D8-4AFE-B03B-1943036306D8}\DetectDatacard.exe" [2006-06-16 20:43 24576]
"SoundMan"="SOUNDMAN.EXE" [2004-12-17 07:19 73728 C:\WINDOWS\soundman.exe]
"PrevxCSI"="C:\Programmi\PrevxCSI\prevxcsi.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programmi\Intel\Wireless\Bin\LgNotify.dll 2004-08-06 16:48 110592 C:\Programmi\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^ASUS ChkMail.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\ASUS ChkMail.lnk
backup=C:\WINDOWS\pss\ASUS ChkMail.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Acrobat.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Acrobat.lnk
backup=C:\WINDOWS\pss\Avvio veloce di Adobe Acrobat.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
--a------ 2003-09-19 12:54 172032 C:\Programmi\ASUS\ASUS Live Update\ALU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX5000 Series]
--a------ 2006-02-14 05:00 131072 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R3 NeroCd2k;NeroCd2k;C:\WINDOWS\system32\drivers\NeroCd2k.sys [2002-01-14 21:07]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys [2004-07-06 19:56]
R3 ZTEusbmdm6k;ONDA Proprietary USB Driver (PID 6000);C:\WINDOWS\system32\DRIVERS\ondausbmdm6k.sys [2006-05-31 14:53]
R3 ZTEusbnmea;ONDA NMEA Port;C:\WINDOWS\system32\DRIVERS\ondausbnmea.sys [2006-05-31 14:53]
R3 ZTEusbser6k;ONDA Diagnostic Port 6000;C:\WINDOWS\system32\DRIVERS\ondausbser6k.sys [2006-05-31 14:53]
S3 ACGPRS;Sierra Wireless GPRS Adapter;C:\WINDOWS\system32\DRIVERS\acgprs.sys [2003-02-10 14:57]
S3 Asushwio;Asushwio;C:\WINDOWS\system32\drivers\Asushwio.sys [2000-03-29 14:17]
S3 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-04-30 11:52]
S3 ThSerial;ThSerial;C:\WINDOWS\system32\DRIVERS\thserial.sys [2005-04-29 13:35]
S3 ThSerMux;ThSerMux;C:\WINDOWS\system32\DRIVERS\thsermux.sys [2005-04-29 13:35]
S3 thserprt;thserprt;C:\WINDOWS\system32\DRIVERS\thserprt.sys [2005-04-29 13:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f5c4fa0-894c-11dc-a51d-0012f020f730}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d75dfdb8-060d-11dc-a4ea-0012f020f730}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 15:27:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-05-03 15.27.39
ComboFix-quarantined-files.txt 2008-05-03 13:27:38
ComboFix2.txt 2008-05-03 12:34:36

22 Directory 8,093,368,320 byte disponibili
27 Directory 8,093,237,248 byte disponibili

173

david · Mortale pio Registrato: 27/04/08 11:12 Messaggi: 22

il log di HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.23.44, on 03/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
C:\Programmi\ASUS\NB Probe\NBProbe.exe
C:\PROGRA~1\TIMTUR~1.33I\N100EM~1.EXE
C:\Programmi\InstallShield Installation Information\{2427F243-56D8-4AFE-B03B-1943036306D8}\DetectDatacard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelWireless] C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [NB Probe] C:\Programmi\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [PC98Monitor] "C:\PROGRA~1\TIMTUR~1.33I\N100EM~1.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DetectDatacard] C:\Programmi\InstallShield Installation Information\{2427F243-56D8-4AFE-B03B-1943036306D8}\DetectDatacard.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188073632875
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: spmgr - Unknown owner - C:\Programmi\ASUS\NB Probe\SPM\spmgr.exe

--
End of file - 8861 bytes

risulta qualcosa di anomalo?

grazie. Smile

bdoriano

Il log di combofix evidenzia un paio di periferiche USB (chiavette o HD) infette.

Disabilita il tuo antivirus
Collegati a BitDefender (con IE) e fai la scansione completa.
Collegati a Kaspersky on-line scanner e fai la scansione estesa, come indicato qui.
Salva il risultato della scansione in un file (in formato HTML), carica il file su Freefilehosting e posta qui il link che ti viene assegnato.

Crea un file di testo con le seguenti istruzioni:

Codice:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f5c4fa0-894c-11dc-a51d-0012f020f730}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d75dfdb8-060d-11dc-a4ea-0012f020f730}]

Salva il file sul desktop con il nome CFScript.txt e trascinalo sull'icona di ComboFix, come indicato in seguito:

Attendi pazientemente la fine dei lavori senza toccare tastiera, mouse o altro. Wink

Posta il log aggiornato di combofix.

david · Mortale pio Registrato: 27/04/08 11:12 Messaggi: 22

ciao bdoriano.

ho fatto la scansione con kaspersky. ecco il link al log:

report kaspersky9.html

ho utilizzato combofix, ma il computer si è riavviato e ha fatto un controllo di coerenza del disco. ha ripristinato il sistema a seguito di un grave errore. mi sembra che il log sia incompleto.

ComboFix 08-05-01.3 - 2008-05-04 14.16.55.3 - FAT32x86
Microsoft Windows XP Home Edition
Command switches used :: C:\...\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-04-04 al 2008-05-04 )))))))))))))))))))))))))))))))))))
.

2008-05-03 19:13 . 2008-05-03 19:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-03 19:13 . 2008-05-03 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-05-03 19:04 . 2008-05-03 19:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-03 16:18 . 2008-05-03 16:18 <DIR> d-------- C:\Programmi\Eusing Free Registry Cleaner
2008-05-03 12:20 . 2008-05-03 12:20 <DIR> d-------- C:\Programmi\Alwil Software
2008-05-02 09:26 . 2008-05-02 09:26 <DIR> d-------- C:\suspectfile
2008-05-01 10:50 . 2008-05-01 11:02 250 --a------ C:\WINDOWS\gmer.ini
2008-04-30 17:36 . 2008-04-30 17:36 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Malwarebytes
2008-04-30 17:34 . 2005-11-01 11:31 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-04-30 17:34 . 2005-11-01 11:41 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-04-30 17:34 . 2005-11-01 11:41 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2008-04-30 17:34 . 2005-11-01 11:37 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Symantec
2008-04-30 17:34 . 2005-11-01 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\InterTrust
2008-04-30 17:34 . 2005-11-01 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Intel
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-04-30 17:34 . 2008-04-30 17:35 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 17:34 . 2008-05-03 20:00 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 17:51 . 2008-04-29 17:51 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\Malwarebytes
2008-04-29 17:50 . 2008-04-29 17:50 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-04-29 17:50 . 2008-04-29 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-04-29 14:19 . 2008-04-29 14:19 <DIR> d-------- C:\_OTMoveIt
2008-04-29 11:56 . 2008-04-29 11:56 <DIR> d-------- C:\Programmi\PrevxCSI
2008-04-29 11:54 . 2008-04-30 11:52 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-04-28 21:12 . 2008-04-28 21:12 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\SUPERAntiSpyware.com
2008-04-28 21:12 . 2008-04-28 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2008-04-27 19:22 . 2008-04-27 19:22 <DIR> d-------- C:\script per david
2008-04-27 16:40 . 2008-05-02 09:24 119 --a------ C:\fix.reg
2008-04-27 13:05 . 2008-04-27 13:05 <DIR> d-------- C:\Programmi\CCleaner
2008-04-27 10:23 . 2008-04-27 10:23 <DIR> d-------- C:\gmer
2008-04-26 22:13 . 2008-04-26 22:13 <DIR> d-------- C:\HiJackThis
2008-04-26 21:20 . 2008-04-26 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-04-26 21:18 . 2008-04-26 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Prevx
2008-04-26 21:15 . 2008-04-26 21:15 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\PrevxCSI
2008-04-26 19:48 . 2008-04-26 19:48 <DIR> d--hs---- C:\FOUND.000
2008-04-26 19:17 . 2008-04-26 19:17 <DIR> d-------- C:\Muestras
2008-04-26 18:15 . 2008-04-26 18:15 169 --a------ C:\WINDOWS\RtlRack.ini
2008-04-26 18:05 . 2008-04-26 18:05 <DIR> d-------- C:\Programmi\Realtek Sound Manager
2008-04-26 18:05 . 2004-12-17 07:19 164 --------- C:\WINDOWS\avrack.ini
2008-04-26 18:04 . 2004-12-17 07:19 208,896 --------- C:\WINDOWS\alcupd.exe
2008-04-26 18:04 . 2004-12-17 07:19 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-04-26 18:04 . 2004-12-17 07:19 40,448 --------- C:\WINDOWS\system32\ChCfg.exe
2008-04-25 19:28 . 2008-04-25 19:28 <DIR> d-------- C:\Programmi\FreeUndelete
2008-04-25 16:44 . 1999-06-18 23:49 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2008-04-25 16:44 . 2006-03-01 03:10 69,632 --a------ C:\WINDOWS\system32\Crypserv.exe
2008-04-25 16:44 . 2006-01-10 04:47 31,846 --a------ C:\WINDOWS\system32\Ckldrv.sys
2008-04-25 16:44 . 1996-05-03 19:21 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2008-04-25 16:44 . 1996-05-03 17:36 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2008-04-25 16:44 . 1995-07-04 20:33 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2008-04-25 16:44 . 2008-04-25 16:44 1,680 --a------ C:\WINDOWS\system32\esnecil.nlp
2008-04-25 16:44 . 2008-04-26 10:00 1,680 --a------ C:\WINDOWS\system32\esnecil.ind
2008-04-25 16:44 . 2008-04-25 16:44 67 --a------ C:\WINDOWS\Crypkey.ini
2008-04-25 16:44 . 2008-04-25 16:44 4 --a------ C:\WINDOWS\vx86036.dat
2008-04-25 15:08 . 2008-04-25 15:08 <DIR> d-------- C:\Programmi\Drive Rescue
2008-04-13 11:05 . 2008-04-13 11:05 <DIR> d-------- C:\Programmi\PC Inspector File Recovery
2008-04-13 11:05 . 2002-02-18 18:40 6,200 --a------ C:\WINDOWS\system32\int13ext.vxd
2008-04-13 10:39 . 2008-04-13 10:39 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-06 17:40 . 2008-04-06 17:40 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\zanic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 08:14 4,944 ----a-w C:\Documents and Settings\Davide\Winio.sys
2008-04-30 15:01 14,848 ----a-w C:\WINDOWS\system32\dllcache\register.exe
2008-04-29 07:50 94,208 ----a-w C:\WINDOWS\DUMP16ff.tmp
2008-04-26 21:30 94,208 ----a-w C:\WINDOWS\DUMP3c9e.tmp
2008-04-26 21:24 94,208 ----a-w C:\WINDOWS\DUMP3a27.tmp
2008-04-26 20:59 69,632 ----a-w C:\WINDOWS\DUMP3ab3.tmp
2008-03-09 09:09 --------- d-----w C:\Documents and Settings\Davide\Dati applicazioni\Lavasoft
2008-03-09 08:54 --------- d-----w C:\Programmi\N501HS Wizard
2008-03-08 12:59 --------- d-----w C:\Programmi\Rename-It!
.

ciao.

bdoriano

Il log di Kaspersky evidenzia alcune infezioni presenti nel ripristino di sistema del disco D:

Il controllo di coerenza ha riscontrato errori sui dischi?

Effettivamente, il log di combofix è incompleto. Puoi provare a rifarlo?

david · Mortale pio Registrato: 27/04/08 11:12 Messaggi: 22

ciao.

sì, il controllo del disco ha dato qualche errore su C: su path relative a combofix. non ricordo altro.

ho rifatto l'operazione con combofix. ecco il log completo:

ComboFix 08-05-01.3 - 2008-05-04 20:55:55.4 - FAT32x86
Microsoft Windows XP Home EditionEseguito da: C:\...\ComboFix.exe
Command switches used :: C:\...\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-04-04 al 2008-05-04 )))))))))))))))))))))))))))))))))))
.

2008-05-04 14:25 . 2008-05-04 14:25 <DIR> d--hs---- C:\FOUND.001
2008-05-03 19:13 . 2008-05-03 19:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-03 19:13 . 2008-05-03 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-05-03 19:04 . 2008-05-03 19:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-03 16:18 . 2008-05-03 16:18 <DIR> d-------- C:\Programmi\Eusing Free Registry Cleaner
2008-05-03 12:20 . 2008-05-03 12:20 <DIR> d-------- C:\Programmi\Alwil Software
2008-05-02 09:26 . 2008-05-02 09:26 <DIR> d-------- C:\suspectfile
2008-05-01 10:50 . 2008-05-01 11:02 250 --a------ C:\WINDOWS\gmer.ini
2008-04-30 17:36 . 2008-04-30 17:36 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Malwarebytes
2008-04-30 17:34 . 2005-11-01 11:31 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-04-30 17:34 . 2005-11-01 11:41 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-04-30 17:34 . 2005-11-01 11:41 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2008-04-30 17:34 . 2005-11-01 11:37 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Symantec
2008-04-30 17:34 . 2005-11-01 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\InterTrust
2008-04-30 17:34 . 2005-11-01 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Intel
2008-04-30 17:34 . 2005-11-01 11:14 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-04-30 17:34 . 2008-04-30 17:35 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 17:34 . 2008-05-03 20:00 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 17:51 . 2008-04-29 17:51 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\Malwarebytes
2008-04-29 17:50 . 2008-04-29 17:50 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-04-29 17:50 . 2008-04-29 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-04-29 14:19 . 2008-04-29 14:19 <DIR> d-------- C:\_OTMoveIt
2008-04-29 11:56 . 2008-04-29 11:56 <DIR> d-------- C:\Programmi\PrevxCSI
2008-04-29 11:54 . 2008-04-30 11:52 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-04-28 21:12 . 2008-04-28 21:12 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\SUPERAntiSpyware.com
2008-04-28 21:12 . 2008-04-28 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2008-04-27 19:22 . 2008-04-27 19:22 <DIR> d-------- C:\script per david
2008-04-27 16:40 . 2008-05-02 09:24 119 --a------ C:\fix.reg
2008-04-27 13:05 . 2008-04-27 13:05 <DIR> d-------- C:\Programmi\CCleaner
2008-04-27 10:23 . 2008-04-27 10:23 <DIR> d-------- C:\gmer
2008-04-26 22:13 . 2008-04-26 22:13 <DIR> d-------- C:\HiJackThis
2008-04-26 21:20 . 2008-04-26 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-04-26 21:18 . 2008-04-26 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Prevx
2008-04-26 21:15 . 2008-04-26 21:15 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\PrevxCSI
2008-04-26 19:48 . 2008-04-26 19:48 <DIR> d--hs---- C:\FOUND.000
2008-04-26 19:17 . 2008-04-26 19:17 <DIR> d-------- C:\Muestras
2008-04-26 18:15 . 2008-04-26 18:15 169 --a------ C:\WINDOWS\RtlRack.ini
2008-04-26 18:05 . 2008-04-26 18:05 <DIR> d-------- C:\Programmi\Realtek Sound Manager
2008-04-26 18:05 . 2004-12-17 07:19 164 --------- C:\WINDOWS\avrack.ini
2008-04-26 18:04 . 2004-12-17 07:19 208,896 --------- C:\WINDOWS\alcupd.exe
2008-04-26 18:04 . 2004-12-17 07:19 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-04-26 18:04 . 2004-12-17 07:19 40,448 --------- C:\WINDOWS\system32\ChCfg.exe
2008-04-25 19:28 . 2008-04-25 19:28 <DIR> d-------- C:\Programmi\FreeUndelete
2008-04-25 16:44 . 1999-06-18 23:49 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2008-04-25 16:44 . 2006-03-01 03:10 69,632 --a------ C:\WINDOWS\system32\Crypserv.exe
2008-04-25 16:44 . 2006-01-10 04:47 31,846 --a------ C:\WINDOWS\system32\Ckldrv.sys
2008-04-25 16:44 . 1996-05-03 19:21 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2008-04-25 16:44 . 1996-05-03 17:36 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2008-04-25 16:44 . 1995-07-04 20:33 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2008-04-25 16:44 . 2008-04-25 16:44 1,680 --a------ C:\WINDOWS\system32\esnecil.nlp
2008-04-25 16:44 . 2008-04-26 10:00 1,680 --a------ C:\WINDOWS\system32\esnecil.ind
2008-04-25 16:44 . 2008-04-25 16:44 67 --a------ C:\WINDOWS\Crypkey.ini
2008-04-25 16:44 . 2008-04-25 16:44 4 --a------ C:\WINDOWS\vx86036.dat
2008-04-25 15:08 . 2008-04-25 15:08 <DIR> d-------- C:\Programmi\Drive Rescue
2008-04-13 11:05 . 2008-04-13 11:05 <DIR> d-------- C:\Programmi\PC Inspector File Recovery
2008-04-13 11:05 . 2002-02-18 18:40 6,200 --a------ C:\WINDOWS\system32\int13ext.vxd
2008-04-13 10:39 . 2008-04-13 10:39 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-06 17:40 . 2008-04-06 17:40 <DIR> d-------- C:\Documents and Settings\Davide\Dati applicazioni\zanic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 17:31 4,944 ----a-w C:\Documents and Settings\Davide\Winio.sys
2008-04-30 15:01 14,848 ----a-w C:\WINDOWS\system32\dllcache\register.exe
2008-04-29 07:50 94,208 ----a-w C:\WINDOWS\DUMP16ff.tmp
2008-04-26 21:30 94,208 ----a-w C:\WINDOWS\DUMP3c9e.tmp
2008-04-26 21:24 94,208 ----a-w C:\WINDOWS\DUMP3a27.tmp
2008-04-26 20:59 69,632 ----a-w C:\WINDOWS\DUMP3ab3.tmp
2008-03-09 09:09 --------- d-----w C:\Documents and Settings\Davide\Dati applicazioni\Lavasoft
2008-03-09 08:54 --------- d-----w C:\Programmi\N501HS Wizard
2008-03-08 12:59 --------- d-----w C:\Programmi\Rename-It!
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-11-03 15:48 94208]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2004-12-16 19:55 688218]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10 344064]
"Power_Gear"="C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe" [2004-09-21 16:55 81920]
"IntelWireless"="C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2004-08-06 16:48 385024]
"EOUApp"="C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe" [2004-08-06 16:52 356352]
"NB Probe"="C:\Programmi\ASUS\NB Probe\NBProbe.exe" [2004-12-08 10:09 765952]
"PC98Monitor"="C:\PROGRA~1\TIMTUR~1.33I\N100EM~1.EXE" [2005-05-15 18:35 368640]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"DetectDatacard"="C:\Programmi\InstallShield Installation Information\{2427F243-56D8-4AFE-B03B-1943036306D8}\DetectDatacard.exe" [2006-06-16 20:43 24576]
"SoundMan"="SOUNDMAN.EXE" [2004-12-17 07:19 73728 C:\WINDOWS\soundman.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programmi\Intel\Wireless\Bin\LgNotify.dll 2004-08-06 16:48 110592 C:\Programmi\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^ASUS ChkMail.lnk]
backup=C:\WINDOWS\pss\ASUS ChkMail.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Acrobat.lnk]
backup=C:\WINDOWS\pss\Avvio veloce di Adobe Acrobat.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
--a------ 2003-09-19 12:54 172032 C:\Programmi\ASUS\ASUS Live Update\ALU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX5000 Series]
--a------ 2006-02-14 05:00 131072 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R3 NeroCd2k;NeroCd2k;C:\WINDOWS\system32\drivers\NeroCd2k.sys [2002-01-14 21:07]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys [2004-07-06 19:56]
R3 ZTEusbmdm6k;ONDA Proprietary USB Driver (PID 6000);C:\WINDOWS\system32\DRIVERS\ondausbmdm6k.sys [2006-05-31 14:53]
R3 ZTEusbnmea;ONDA NMEA Port;C:\WINDOWS\system32\DRIVERS\ondausbnmea.sys [2006-05-31 14:53]
R3 ZTEusbser6k;ONDA Diagnostic Port 6000;C:\WINDOWS\system32\DRIVERS\ondausbser6k.sys [2006-05-31 14:53]
S3 ACGPRS;Sierra Wireless GPRS Adapter;C:\WINDOWS\system32\DRIVERS\acgprs.sys [2003-02-10 14:57]
S3 Asushwio;Asushwio;C:\WINDOWS\system32\drivers\Asushwio.sys [2000-03-29 14:17]
S3 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-04-30 11:52]
S3 ThSerial;ThSerial;C:\WINDOWS\system32\DRIVERS\thserial.sys [2005-04-29 13:35]
S3 ThSerMux;ThSerMux;C:\WINDOWS\system32\DRIVERS\thsermux.sys [2005-04-29 13:35]
S3 thserprt;thserprt;C:\WINDOWS\system32\DRIVERS\thserprt.sys [2005-04-29 13:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{872d6f34-d072-11db-a4e1-0012f020f730}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 20:58:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-05-04 20:59:07
ComboFix3.txt 2008-05-03 12:34:36
ComboFix2.txt 2008-05-03 13:27:40
ComboFix-quarantined-files.txt 2008-05-04 18:59:04

23 Directory 7,745,273,856 byte disponibili
29 Directory 7,744,061,440 byte disponibili

172

buona serata! Smile

bdoriano

Ok. Ci siamo. Wink

Rimangono 2 cose:

Disabilita il ripristino di sistema per il DISCO D:
controlla le chiavette USB in tuo possesso (hai il "quasi" virus Knight.exe)

david · Mortale pio Registrato: 27/04/08 11:12 Messaggi: 22

ho disattivato il ripristino di sistema del disco D:

molto "quasi"! Razz

MBAM non ha rilevato nulla, avast ha trovato 2 cavalli di troia, ma non credo che ti riferissi a quelli. O sì?

quindi per il resto è tutto ok, bdoriano?

ancora grazie. Wink

bdoriano

Il resto sembra a posto. Smile

Puoi dirmi il nome (e la posizione) dei 2 files rilevati da Avast! ? Think

Riscontri altri problemi?