Precedente :: Successivo |
Autore |
Messaggio |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 04 Giu 2008 11:54 Oggetto: DIAL/23376.B.1 |
|
|
salve, antivir mi ha trovato questo dialer, che ovviamente non è riuscito ad eliminare, ho lanciato hijackthis e fixato una voce, tutto ora sembrerebbe ok, anche kaspersky on line dice che sono pulito, ma dato che rompe da ormai una settimana, posto un log, se possibile mi aiutate?
s.o.: xp sp2
antivirus: antivir
firewall: outpost (free version)
ecco il log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43, on 2008-06-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Davide\Desktop\davide\programmi\BitComet\tools\BitCometBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all links using BitComet - res://C:\Documents and Settings\Davide\Desktop\davide\programmi\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Documents and Settings\Davide\Desktop\davide\programmi\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Documents and Settings\Davide\Desktop\davide\programmi\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\it.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://freezone14.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://freezone14.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar1.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DA630E6-35CB-419B-95D2-861301B26106}: NameServer = 10.0.0.2,208.67.222.222
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SPBBCSvc - Adaptec, Inc. - (no file)
--
End of file - 7789 bytes |
|
Top |
|
 |
Sante62 Dio maturo


Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia
|
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 04 Giu 2008 19:50 Oggetto: |
|
|
ComboFix 08-06-03.1 - Davide 2008-06-04 13:06:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.58 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Davide\Desktop\sicurezza\Combo-Fix.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\kmd.exe
C:\WINDOWS\system32\drivers\kbd.sys
C:\WINDOWS\system32\kmd.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_kbd
((((((((((((((((((((((((( Files Creati Da 2008-05-04 al 2008-06-04 )))))))))))))))))))))))))))))))))))
.
2008-06-04 11:42 . 2008-06-04 11:42 <DIR> d-------- C:\Programmi\Trend Micro
2008-06-04 09:57 . 2008-06-04 09:57 <DIR> d-------- C:\Documents and Settings\LocalService\Documenti
2008-06-03 09:51 . 2008-06-03 09:51 <DIR> d-------- C:\Documents and Settings\Davide\DoctorWeb
2008-05-25 20:58 . 2008-05-25 20:58 1,409 --a------ C:\WINDOWS\system32\tmpDC178.FOT
2008-05-25 20:58 . 2008-05-25 20:58 1,409 --a------ C:\WINDOWS\system32\tmpA2D68.FOT
2008-05-25 20:58 . 2008-05-25 20:58 1,409 --a------ C:\WINDOWS\system32\tmp5A078.FOT
2008-05-25 20:58 . 2008-05-25 20:58 1,409 --a------ C:\WINDOWS\system32\tmp28E68.FOT
2008-05-25 20:58 . 2008-05-25 20:58 1,409 --a------ C:\WINDOWS\system32\tmp07178.FOT
2008-05-24 15:45 . 2008-05-29 19:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-24 15:45 . 2008-05-24 15:45 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 08:18 --------- d-----w C:\Programmi\arswp
2008-05-30 10:17 --------- d-----w C:\Programmi\File comuni\Agnitum Shared
2008-05-14 16:50 --------- d-----w C:\Documents and Settings\Davide\Dati applicazioni\Nero
2008-05-08 12:46 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-04-01 20:20 92,064 ----a-w C:\Documents and Settings\Davide\mqdmmdm.sys
2008-04-01 20:20 9,232 ----a-w C:\Documents and Settings\Davide\mqdmmdfl.sys
2008-04-01 20:20 79,328 ----a-w C:\Documents and Settings\Davide\mqdmserd.sys
2008-04-01 20:20 66,656 ----a-w C:\Documents and Settings\Davide\mqdmbus.sys
2008-04-01 20:20 6,208 ----a-w C:\Documents and Settings\Davide\mqdmcmnt.sys
2008-04-01 20:20 5,936 ----a-w C:\Documents and Settings\Davide\mqdmwhnt.sys
2008-04-01 20:20 4,048 ----a-w C:\Documents and Settings\Davide\mqdmcr.sys
2008-04-01 20:20 25,600 ----a-w C:\Documents and Settings\Davide\usbsermptxp.sys
2008-04-01 20:20 22,768 ----a-w C:\Documents and Settings\Davide\usbsermpt.sys
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 183,072 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:06 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-19 14:00 208952]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2005-08-29 14:50 180269]
"NWEReboot"="" []
"avgnt"="C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-15 22:58 262401]
"Outpost Firewall"="C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe" [2002-06-14 16:20 78848]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2005-08-29 14:48 98304]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OlStatusMon]
--a------ 2006-07-26 17:20 106496 C:\Programmi\Olivetti\ANY_WAY\olDvcStatus.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-02-02 12:11 692316 C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2005-02-02 12:12 102492 C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"olMntrService"=2 (0x2)
"gusvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2002-06-14 16:19]
R3 Linux.DLL;Outpost Firewall PlugIn (Linux.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\Linux.DLL [2002-06-14 16:20]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2002-06-14 16:20]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2002-06-14 16:19]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2002-06-14 16:20]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2002-06-14 16:20]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2002-06-14 16:20]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2002-06-14 16:20]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2002-06-14 16:20]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2002-06-14 16:20]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2002-06-14 16:20]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2002-06-14 16:20]
R3 ULI5261;ULi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN.SYS [2004-12-31 15:24]
S3 CIR;Hid Device;C:\WINDOWS\system32\DRIVERS\CIR.sys [2005-05-20 09:01]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 14:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 10:27]
S3 p2pgasvc;Autenticazione gruppo rete peer;C:\WINDOWS\system32\svchost.exe [2004-08-19 14:00]
S3 p2pimsvc;Gestione identità rete peer;C:\WINDOWS\system32\svchost.exe [2004-08-19 14:00]
S3 p2psvc;Rete peer;C:\WINDOWS\system32\svchost.exe [2004-08-19 14:00]
S3 PNRPSvc;Peer Name Resolution Protocol (PNRP);C:\WINDOWS\system32\svchost.exe [2004-08-19 14:00]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S4 olMntrService;olMntrService;C:\Programmi\Olivetti\ANY_WAY\olMntrService.exe [2006-07-24 13:02]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79583928-d6ef-11dc-b815-0040d07c9bf6}]
\Shell\AutoRun\command - 3wcxx91.cmd
\Shell\explore\Command - 3wcxx91.cmd
\Shell\open\Command - 3wcxx91.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ca7c376-bc76-11db-b63e-0040d07c9bf6}]
\Shell\AutoRun\command - h.cmd
\Shell\explore\Command - h.cmd
\Shell\open\Command - h.cmd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 13:18:44
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\APPS\HIDSERVICE\HidService.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\tcpsvcs.exe
Log di Combofix:
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\snmp.exe
C:\APPS\Powercinema\Kernel\TV\CLSched.exe
.
**************************************************************************
.
Ora fine scansione: 2008-06-04 13:27:19 - machine was rebooted [Davide]
ComboFix-quarantined-files.txt 2008-06-04 11:27:11
14 Directory 28,078,608,384 byte disponibili
21 Directory 28,100,358,144 byte disponibili
157 --- E O F --- 2008-05-28 15:42:33 |
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 04 Giu 2008 19:53 Oggetto: |
|
|
log di hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.51.35, on 04/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\VEXPLITE\MONLITE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Davide\Desktop\davide\programmi\BitComet\tools\BitCometBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all links using BitComet - res://C:\Documents and Settings\Davide\Desktop\davide\programmi\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Documents and Settings\Davide\Desktop\davide\programmi\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Documents and Settings\Davide\Desktop\davide\programmi\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\it.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://freezone14.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://freezone14.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar1.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DA630E6-35CB-419B-95D2-861301B26106}: NameServer = 10.0.0.2,208.67.222.222
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SPBBCSvc - Adaptec, Inc. - (no file)
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
--
End of file - 7882 bytes |
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 04 Giu 2008 19:55 Oggetto: |
|
|
mi scuso per il post chilometrico ma non ricordo come uplodare i log e non trovo il post-guida, mi dite dov'è? provvedero in futuro ad evitare di intasare tutto:) |
|
Top |
|
 |
Sante62 Dio maturo


Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia
|
Inviato: 04 Giu 2008 21:48 Oggetto: |
|
|
Guarda quì;
Fai la scasnione con VirIT... |
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 05 Giu 2008 08:55 Oggetto: |
|
|
fatto anche con virit, ha cancellato due chiavi di registro infette, ma nessun file |
|
Top |
|
 |
Sante62 Dio maturo


Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia
|
Inviato: 05 Giu 2008 17:35 Oggetto: |
|
|
aitano ha scritto: | fatto anche con virit, ha cancellato due chiavi di registro infette, ma nessun file |
Quali? indicale cortesemente oppure posta il log... |
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 05 Giu 2008 18:18 Oggetto: |
|
|
giusto, eccole:
04/06/2008 - 13:43:15
[SCANSIONE DEL REGISTRO]
{2a6af021-17a2-4014-8624-cf6015f82fad} Infetto da BHO.Agent.BA
* * * RIMOSSO * * *
{4E7BD74F-2B8D-469E-A0E8-EB65B685FA7D} Infetto da Adware.2020Search.A
* * * RIMOSSO * * *
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
Chiavi Registro infette: 2.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 68770.
Files Totali: 68770.
Chiavi Registro rimosse: 2.
Virus Rimossi: 0.
[SCANSIONE DELLA MEMORIA]
OK |
|
Top |
|
 |
Sante62 Dio maturo


Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia
|
Inviato: 05 Giu 2008 19:06 Oggetto: |
|
|
Bene, adesso fai la scansione con Systemscan e posta il log generato come
indicato quì |
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 06 Giu 2008 10:04 Oggetto: |
|
|
quando avvio SeDebug-Restore ricevo il seguente messaggio, e al riavvio sysxxxx ripete il messaggio di prima
ecco lo screenshot:
report SeDebug-Restore.bmp |
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 06 Giu 2008 10:07 Oggetto: |
|
|
magari ora non c'entra piu, ma dopo che virit a suo tempo ha eliminato quelle chiavi, ho dovuto disintallare-reinstallare la tastiera, in gestione periferiche c'era un bel pallino giallo con il punto esclamativo. un' informazione in piu puo fare solo bene |
|
Top |
|
 |
Sante62 Dio maturo


Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia
|
Inviato: 06 Giu 2008 12:00 Oggetto: |
|
|
aitano ha scritto: | magari ora non c'entra piu, ma dopo che virit a suo tempo ha eliminato quelle chiavi, ho dovuto disintallare-reinstallare la tastiera, in gestione periferiche c'era un bel pallino giallo con il punto esclamativo. un' informazione in piu puo fare solo bene |
Sicuramente il malware ti ha danneggiato i driver di quelle periferiche;
Capita anche questo...
Ora vedo il tipo di errore che riscontri con systemscan... |
|
Top |
|
 |
Sante62 Dio maturo


Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia
|
Inviato: 06 Giu 2008 12:09 Oggetto: |
|
|
aitano ha scritto: | quando avvio SeDebug-Restore ricevo il seguente messaggio, e al riavvio sysxxxx ripete il messaggio di prima
|
Scarica SeDebug-Restore
eseguilo. Riavvia il pc e riprova. |
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 06 Giu 2008 12:37 Oggetto: |
|
|
niente, SeDebug continua a mandarmi quel messaggio che ho linkato, ho riavviato e riprovato, ma niente
che si fa? comunque grazie dell'aiuto, mai visto altro forum (e moderatori) cosi cortesi e sopratutto rapidi!!! |
|
Top |
|
 |
Sante62 Dio maturo


Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia
|
Inviato: 06 Giu 2008 12:52 Oggetto: |
|
|
Proviamo ad attivare i privilegi di amministratore:
Citazione: | per Windows XP Professional:
Pannello di controllo
Strumenti di amministrazione
Criteri di Protezione locale
Criteri Locali
assegnazione diritti utenti
doppio click su Debug di programmi
Aggiungi utente o gruppo
Tipi di oggetto
metti il segno di spunta alla casella Gruppi
Ok
digita Administrators nello spazio Immettere i nomi degli oggetti da selezionare
clicca Ok e ancora Ok
riavvia il pc
|
|
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
Inviato: 09 Giu 2008 10:13 Oggetto: |
|
|
Citazione: | per Windows XP Professional:
Pannello di controllo
Strumenti di amministrazione
Criteri di Protezione locale <---------------------Questa voce non c'è!
Criteri Locali
assegnazione diritti utenti
doppio click su Debug di programmi
Aggiungi utente o gruppo
Tipi di oggetto
metti il segno di spunta alla casella Gruppi
Ok
digita Administrators nello spazio Immettere i nomi degli oggetti da selezionare
clicca Ok e ancora Ok
riavvia il pc
|
che si fa? |
|
Top |
|
 |
Sante62 Dio maturo


Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia
|
Inviato: 09 Giu 2008 11:06 Oggetto: |
|
|
aitano ha scritto: | Citazione: | per Windows XP Professional:
Pannello di controllo
Strumenti di amministrazione
Criteri di Protezione locale <---------------------Questa voce non c'è!
|
che si fa? |
Le altre voci ci sono?
E' strano perchè ci dovrebbe essere.. |
|
Top |
|
 |
aitano Eroe

Registrato: 10/02/08 11:19 Messaggi: 62
|
|
Top |
|
 |
Sante62 Dio maturo


Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia
|
Inviato: 10 Giu 2008 17:53 Oggetto: |
|
|
In effetti manca il collegamento;
Appena possibile vedo come ripristinarlo... |
|
Top |
|
 |
|