Olimpo Informatico

[Typhoon90]

Ciao a tutti,
ho un portatile in cui internet funziona solo per alcuni minuti (variabili) dall'avvio. Per far nuovamente funzionare internet devo riavviarlo.
Il problema quindi non dovrebbe essere nelle impostazioni visto che inoltre ci sono altri pc che funzionano correttamente collegati allo stesso router.

Ho fatto scansioni con Avast e Kaspersky online e hanno trovato un pò di roba che ho prontamente eliminato (uno era WinSpywareProtect) che ho eliminato con Rogue Remover. Ho fatto anche un log con Hijackthis, ma non c'era nulla di strano (lo posto appena posso).

Che posso fare???

Edit:
Ecco il log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.39.06, on 05/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

--
End of file - 2816 bytes

[fulmine]

Io non vedo ne antivirus e ne firewall attivi nel tuo log.

[Sante62]

Ciao Typhoon90

Fai queste scansioni:
CCleaner;
Combofix;
Virit;

[Typhoon90]

[Sante62]

[Typhoon90]

ecco i log risultanti:
adesso mi affido a voi



VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
06/06/2008 - 20:50:41

[SCANSIONE DEL REGISTRO]
{74CC49F7-EB32-4A08-B204-948962A6E3DB} Infetto da Trojan.Win32.Hotbar.I
* * * RIMOSSO * * *

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


Chiavi Registro infette: 1.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 8146.
Files Totali: 8146.
Chiavi Registro rimosse: 1.
Virus Rimossi: 0.

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
06/06/2008 - 21:00:21

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 7690.
Files Totali: 7690.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

--------------------------------------------------------
06/06/2008 - 21:02:22

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 0.
Files Totali: 0.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

--------------------------------------------------------
06/06/2008 - 21:02:28

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
06/06/2008 - 21:11:09

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\System Volume Information\_restore{199A68B7-1345-4EE1-84FE-E643133F1D1A}\RP147\A0053612.dll Infetto da Adware.Vapsup.A
* * * RIMOSSO * * *

Chiavi Registro infette: 0.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 47002.
Files Totali: 47002.
Chiavi Registro rimosse: 0.
Virus Rimossi: 1.



ComboFix 08-06-06.2 - Silvia 2008-06-06 20.54.50.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.273 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Silvia\Desktop\Combo---Fix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-05-06 al 2008-06-06 )))))))))))))))))))))))))))))))))))
.

2008-06-06 20:44 . 2008-06-06 20:44 <DIR> d-------- C:\VEXPLITE
2008-06-06 20:44 . 2008-03-17 19:23 39,808 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2008-06-05 18:49 . 2008-06-05 18:49 <DIR> d-------- C:\Programmi\RogueRemover FREE
2008-06-05 18:19 . 2008-06-05 18:19 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-06-05 18:05 . 2008-06-05 18:05 <DIR> d-------- C:\Programmi\CCleaner
2008-06-04 22:45 . 2008-06-04 22:45 30,040 --a------ C:\virus.html
2008-06-04 20:48 . 2008-06-04 20:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 20:00 . 2008-05-26 20:00 <DIR> d-------- C:\Documents and Settings\Silvia\.idlerc
2008-05-26 19:59 . 2008-05-26 19:59 <DIR> d-------- C:\Python25
2008-05-25 21:30 . 2008-05-25 21:30 <DIR> d-------- C:\Programmi\Mozilla Thunderbird
2008-05-24 22:36 . 2008-05-24 22:36 <DIR> d-------- C:\Programmi\Active Ports
2008-05-24 22:36 . 1999-12-17 10:13 49,664 --a------ C:\WINDOWS\unvise32.exe
2008-05-24 22:24 . 2008-05-24 22:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-24 21:28 . 2008-05-24 21:28 <DIR> d-------- C:\Documents and Settings\Silvia\Dati applicazioni\Ahead
2008-05-18 13:44 . 2005-02-04 10:00 696,320 --a------ C:\WINDOWS\SnapShow.exe
2008-05-14 10:22 . 2008-05-14 10:22 <DIR> d-------- C:\AISoftware
2008-05-14 10:21 . 2008-05-14 10:21 <DIR> d-------- C:\Documents and Settings\Silvia\Dati applicazioni\AISoftware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 16:59 --------- d-----w C:\Programmi\Trend Micro
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-03-28 18:04 188416]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-24 09:13 2880512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 05:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
--a------ 2005-03-28 18:04 188416 c:\acer\epm\epm-dm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-19 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"ERSvc"=2 (0x2)
"CryptSvc"=2 (0x2)
"avast! Mail Scanner"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1052:UDP"= 1052:UDP:prta 1052
"61570:UDP"= 61570:UDP:porta 61570

R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-03-17 19:23]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-03-24 16:54]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-06-06 20:46]
S3 int15.sys;int15.sys;C:\Programmi\acer\eRecovery\int15.sys [2005-01-13 14:46]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 SQTECH930B;NX VEGA 300;C:\WINDOWS\system32\Drivers\Capt930b.sys [2005-01-26 10:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6936b53a-a86d-11db-9cf4-00c09fe446c5}]
\Shell\AutoRun\command - F:\winPenPack.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b50a5008-dd63-11dc-9de2-00c09fe446c5}]
\Shell\AutoRun\command - F:\ClickMe.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - VIRAGTLT
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 20:56:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-06-06 20.56.41
ComboFix-quarantined-files.txt 2008-06-06 18:56:40

18 Directory 11,418,370,048 byte disponibili
22 Directory 11,436,064,768 byte disponibili

104 --- E O F --- 2008-06-04 18:14:22

[Sante62]

Solo VirIT ha trovato qualcosina, ma niente di particolare....

Fa la scansione con Systemscan e posta il log generato come
indicato quì

[Typhoon90]

alla fine ho portato il pc in assistenza perchè avevo urgenza.
Mi hanno detto che il problema era effettivamente la presenza di virus (una ventina mi hanno detto!!!)

[Sante62]

E' probabile....VirIT comunque ha trovato poca cosa;

ovviamente si aveva bisogno di altri logs....