Olimpo Informatico

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Ciao a tutti,

il mio lap top è pieno di malware ed opera a stento.

Posto un log di hijackthis, nella speranza di poter essere aiutato. Ne ho davvero bisogno...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19.50.54, on 19/07/2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\System\MSASP32.exe
C:\Programmi\File comuni\System\MSIWA32.exe
C:\Programmi\File comuni\System\MSWVR32.exe
C:\WINDOWS\System32\irdvxc.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\System32\nvsvc86.exe
C:\WINDOWS\System32\svcagent.exe
C:\WINDOWS\System32\swchost.exe
C:\WINDOWS\System32\wnd32.exe
C:\WINDOWS\mrofinu1001186.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\rundll32.exe
C:\Programmi\mjc\mjc.exe
C:\Programmi\Sakora\Sakora.exe
C:\WINDOWS\?icrosoft.NET\r?ndll.exe
C:\Programmi\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Programmi\Antivirus\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dbsarticles.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Programmi\Webtools\webtools.dll
O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - C:\WINDOWS\System32\xxyvutSi.dll
O2 - BHO: (no name) - {858AF508-DC5B-497E-9A05-8B595217FE0E} - C:\WINDOWS\System32\tuvWoooo.dll
O2 - BHO: {51c54d6f-2834-a86b-ba94-0f5ff897fd58} - {85df798f-f5f0-49ab-b68a-4382f6d45c15} - C:\WINDOWS\System32\fnkjtyfy.dll
O2 - BHO: (no name) - {D936E71D-2283-7F2C-FF34-7CA2E2EB4CB7} - C:\WINDOWS\System32\cyfa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Programmi\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programmi\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
O4 - HKLM\..\Run: [Network Security XP] C:\WINDOWS\System32\nvsvc86.exe
O4 - HKLM\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Windows MSN Update] C:\WINDOWS\System32\svcagent.exe
O4 - HKLM\..\Run: [Windows MSN2 XP] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [Windows MSN Updates] C:\WINDOWS\System32\wnd32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [BM5b6f00a1] Rundll32.exe "C:\WINDOWS\System32\lcfplidb.dll",s
O4 - HKLM\..\Run: [585c333d] rundll32.exe "C:\WINDOWS\System32\riaeafeq.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Network Security XP] C:\WINDOWS\System32\nvsvc86.exe
O4 - HKCU\..\Run: [Microsoft Oftice] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe
O4 - HKCU\..\Run: [Windows MSN Update] C:\WINDOWS\System32\svcagent.exe
O4 - HKCU\..\Run: [Windows MSN2 XP] C:\WINDOWS\System32\swchost.exe
O4 - HKCU\..\Run: [Windows MSN Updates] C:\WINDOWS\System32\wnd32.exe
O4 - HKCU\..\Run: [Mr] C:\WINDOWS\rundll32.exe
O4 - HKCU\..\Run: [mjc] C:\Programmi\mjc\mjc.exe
O4 - HKCU\..\Run: [Sakora] C:\Programmi\Sakora\Sakora.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Administrator\Dati applicazioni\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Administrator\Dati applicazioni\Microsoft\Windows\hngvxhwd.exe
O4 - HKCU\..\Run: [Tors] "C:\DOCUME~1\ADMINI~1\DOCUME~1\RACLE~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [Zrevh] C:\WINDOWS\?icrosoft.NET\r?ndll.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110381715459
O16 - DPF: {BD0D1F18-5561-11DC-A0D9-692F56D89593} - http://faststat.net/code/1029.exe
O20 - Winlogon Notify: xxyvutSi - C:\WINDOWS\SYSTEM32\xxyvutSi.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Advance Service Process - Unknown owner - C:\Programmi\File comuni\System\MSASP32.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Integrated Windows Authentication - Unknown owner - C:\Programmi\File comuni\System\MSIWA32.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Microsoft Windows Video Driver - Unknown owner - C:\Programmi\File comuni\System\MSWVR32.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9312 byte

Che cosa posso fare?

bdoriano

Ciao Irnerio, Ciao

Fai queste operazioni:

Pulisci i files temporanei con ATF-Cleaner e/o CCleaner
Segui le istruzioni di questo topic per usare MBAM.
Fai una scansione con Norman Malware Cleaner.
Riavvia il computer in modalità normale
Segui le istruzioni di questo topic per eseguire combofix.
Riferisci con un nuovo messaggio in questa discussione dell'esito: se ci sono stati problemi particolari, ecc. ecc. E riporta:
- Carica il log di Norman Malware Cleaner su WikiSend e posta il Forum Link che ti viene assegnato
- Carica il log di MBAM su WikiSend e posta il Forum Link che ti viene assegnato.
- Il log di Combofix generalmente non è molto lungo, quindi postalo direttamente nel messaggio

Scarica la versione aggiornata di Hijackthis e salvalo in una sua cartella non temporanea e non sul desktop. Old

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Ciao bdoriano,

ho seguito le tue istruzioni ed ho pulito i files temporanei con ATF Cleaner e con CC Cleaner.

Ho esguito la scansione con MBAM. Questo è il forum link su Wikisend:

mbam-log-20_07_2008 (19-44-48).txt

Ho eseguito anche la scansione con Norman Malware Cleaner e ho postato il log su Wikisend, qui:

NFix_2008-07-20_21-00-14.log

Infine, il log di combofix:

ComboFix 08-07-20.5 - Administrator 2008-07-21 19:44:41.4 - NTFSx86
Eseguito da: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Documenti\RACLE~1
C:\Documents and Settings\Administrator\Documenti\RACLE~1\?racle\
C:\WINDOWS\Downloaded Program Files\1029.exe
C:\WINDOWS\icroso~1.net
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cmkazm.dll
C:\WINDOWS\system32\dlierurp.dll
C:\WINDOWS\system32\elxhponh.ini
C:\WINDOWS\system32\flhcupbh.dll
C:\WINDOWS\system32\hkyzre.dll
C:\WINDOWS\system32\irdvxc.exe
C:\WINDOWS\system32\jqoxlcvw.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\miofkm.dll
C:\WINDOWS\system32\msiooplt.dll
C:\WINDOWS\system32\nuvbhmin.ini
C:\WINDOWS\system32\nwojuobw.dll
C:\WINDOWS\system32\olrnblaf.dll
C:\WINDOWS\system32\ooooWvut.ini
C:\WINDOWS\system32\ooooWvut.ini2
C:\WINDOWS\system32\qhhvpv.dll
C:\WINDOWS\system32\ss.exe
C:\WINDOWS\system32\swchost.exe
C:\WINDOWS\system32\ttfwyfwa.dll
C:\WINDOWS\system32\tuvWoooo.dll
C:\WINDOWS\system32\uggkha.dll
C:\WINDOWS\system32\urqQhIxY.dll
C:\WINDOWS\system32\vkshthxf.ini
C:\WINDOWS\system32\wnd32.exe
C:\WINDOWS\system32\wpgfeill.ini
C:\WINDOWS\system32\wvclxoqj.ini
C:\WINDOWS\system32\wwvmgvcv.dll
C:\WINDOWS\system32\wxbwfvnc.dll
C:\WINDOWS\system32\xgomkuwb.dll
C:\WINDOWS\system32\xpapwe.dll
C:\WINDOWS\system32\xxyvutSi.dll
C:\WINDOWS\system32\YxIhQqru.ini
C:\WINDOWS\system32\YxIhQqru.ini2

.
((((((((((((((((((((((((( Files Creati Da 2008-06-21 al 2008-07-21 )))))))))))))))))))))))))))))))))))
.

2008-07-20 20:43 . 2008-07-20 20:43 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-20 20:24 . 2008-07-20 20:24 0 --a------ C:\WINDOWS\BM5b6f00a1.xml
2008-07-20 17:58 . 2008-07-20 17:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-18 19:15 36,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-20 17:57 . 2008-07-18 19:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-20 17:49 . 2008-07-20 18:01 178 --a------ C:\WINDOWS\system32\tj
2008-07-20 17:49 . 2008-07-20 17:49 0 --a------ C:\WINDOWS\system32\xb.exe
2008-07-20 17:43 . 2008-07-20 17:43 <DIR> d-------- C:\Programmi\Yahoo!
2008-07-20 17:43 . 2008-07-20 17:44 <DIR> d-------- C:\Programmi\CCleaner
2008-07-19 20:18 . 2008-07-19 20:18 <DIR> d-------- C:\Programmi\Lavasoft
2008-07-19 20:18 . 2008-07-19 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-07-19 20:16 . 2008-07-19 20:16 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-07-19 19:45 . 2008-07-19 19:50 <DIR> d-------- C:\Programmi\Antivirus
2008-07-19 19:24 . 2008-07-19 19:24 <DIR> d-------- C:\Programmi\Alwil Software
2008-07-19 19:24 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-07-19 19:17 . 2008-07-19 19:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-14 15:20 . 2008-07-14 15:20 0 --a------ C:\WINDOWS\system32\yc.exe
2008-07-14 15:03 . 2008-07-14 15:03 55,808 --a------ C:\WINDOWS\mrofinu1001186.exe.tmp
2008-07-14 15:02 . 2008-07-14 15:02 73,432 --a------ C:\WINDOWS\system32\kq.exe
2008-07-13 16:08 . 2008-07-13 16:08 62,168 --a------ C:\WINDOWS\system32\ig.exe
2008-07-07 15:02 . 2008-07-07 15:02 62,168 --a------ C:\WINDOWS\system32\il.exe
2008-06-27 19:59 . 2008-06-27 19:59 73,432 --a------ C:\WINDOWS\system32\wv.exe
2008-06-22 19:56 . 2008-06-22 19:56 62,168 --a------ C:\WINDOWS\system32\qy.exe
2008-06-22 19:35 . 2008-06-22 19:35 62,168 --a------ C:\WINDOWS\system32\vo.exe
2008-06-22 19:34 . 2008-06-22 19:34 62,168 --a------ C:\WINDOWS\system32\or.exe
2008-06-21 17:10 . 2008-06-21 17:10 62,168 --a------ C:\WINDOWS\system32\hj.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 06:15 878 ----a-w C:\Programmi\Collegamento a HiJackThis.exe.lnk
2008-07-21 06:15 --------- d-----w C:\Programmi\IrfanView
2008-07-20 19:29 --------- d-----w C:\Programmi\SymNetDrv
2008-07-20 19:21 --------- d-----w C:\Programmi\Lexmark Fax Solutions
2008-07-20 19:20 --------- d-----w C:\Programmi\Lexmark 6200 Series
2008-07-20 19:18 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-07-20 19:11 --------- d-----w C:\Programmi\Abbyy FineReader 6.0 Sprint
2008-07-20 19:00 155,136 ----a-w C:\fdh.exe
2008-07-19 17:59 71,896 ----a-w C:\WINDOWS\system32\db.exe
2008-07-16 17:50 --------- d-----w C:\Programmi\Lx_cats
2008-06-17 18:37 62,168 ----a-w C:\WINDOWS\system32\gj.exe
2008-06-14 16:34 62,168 ----a-w C:\WINDOWS\system32\vi.exe
2008-06-08 10:57 138,968 ----a-w C:\WINDOWS\system32\oh.exe
2008-05-11 12:06 24,598 ----a-w C:\sdg.exe
2008-05-07 20:40 72,708 --sh--w C:\dg.exe
2008-04-30 08:01 62,168 ----a-w C:\WINDOWS\system32\ki.exe
2008-04-29 10:30 62,168 ----a-w C:\WINDOWS\system32\qo.exe
2000-05-13 23:31 19,544 ----a-w C:\Documents and Settings\Administrator\Dati applicazioni\GDIPFONTCACHEV1.DAT
2005-03-18 19:36 32 --sha-w C:\WINDOWS\{601C1A0B-F209-466C-A961-79CEBB8E31C1}.dat
2007-11-04 20:58 61,440 --sha-w C:\WINDOWS\system32\.exe
2005-03-18 19:36 32 --sha-w C:\WINDOWS\system32\{A294793B-9CA7-416E-BBEE-759AA5C10671}.dat
.

------- Sigcheck -------

2001-08-31 12:00 1014784 b835b4f2d7866896de9453c3265dec32 C:\WINDOWS\explorer.exe
2004-08-20 00:39 1046016 c22f9b3a9014d093f9218a3136398cc1 C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\explorer.exe
2001-08-31 12:00 1014784 f5dde51a27d20bf6e2dd5172658fc049 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-20 00:39 26624 17b1ea4c7befc0a6129342d70ee04cb4 C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\ctfmon.exe
2007-09-30 12:27 104976 54b18323ba3c1b6e178b46c71cefc33a C:\WINDOWS\system32\ctfmon.exe
2001-08-31 12:00 24576 8bf73c30b744603d46634bdb4ddab834 C:\WINDOWS\system32\bak\ctfmon.exe
2001-08-31 12:00 90624 170726e859c6741632671e049515c1e7 C:\WINDOWS\system32\dllcache\ctfmon.exe

2004-08-20 00:39 69120 eb8b0e17de94f75cd6d84150728ff075 C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\spoolsv.exe
2001-08-31 12:00 95232 ba4f814bfaa04aec999fd7af0d25708f C:\WINDOWS\system32\spoolsv.exe
md5deep: C:\WINDOWS\system32\dllcache\spoolsv.exe: Permission denied
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 54,296 2003-12-02 15:11:04 C:\Programmi\File comuni\Symantec Shared\bak\ccApp.exe

----a-w 58,392 2003-12-02 15:11:12 C:\Programmi\File comuni\Symantec Shared\bak\ccRegVfy.exe

----a-w 218,240 2004-11-02 14:59:52 C:\Programmi\File comuni\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 61,440 2008-07-20 19:21:03 C:\Programmi\Lexmark 6200 Series\bak\ezprint.exe

----a-w 196,608 2008-07-20 19:21:04 C:\Programmi\Lexmark 6200 Series\bak\lxbumon.exe

----a-w 299,008 2008-07-20 19:21:32 C:\Programmi\Lexmark Fax Solutions\bak\fm3032.exe

----a-w 95,960 2005-03-18 19:50:40 C:\Programmi\SymNetDrv\bak\SNDMon.exe

----a-w 24,576 2001-08-31 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 104,976 2007-09-30 10:27:52 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zrevh"="C:\WINDOWS\?icrosoft.NET\r?ndll.exe" [?]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2007-09-30 12:27 104976]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]
"Tors"="C:\DOCUME~1\ADMINI~1\DOCUME~1\RACLE~1\regsvr32.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [N/A]
"ccRegVfy"="C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" [N/A]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [N/A]
"SSC_UserPrompt"="C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe" [N/A]
"LXBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 22:03 69632]
"lxbumon.exe"="C:\Programmi\Lexmark 6200 Series\lxbumon.exe" [N/A]
"FaxCenterServer"="C:\Programmi\Lexmark Fax Solutions\fm3032.exe" [N/A]
"EzPrint"="C:\Programmi\Lexmark 6200 Series\ezprint.exe" [N/A]
"CnxTrApp"="C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll" [2004-04-20 17:24 247296]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"BM5b6f00a1"="C:\WINDOWS\System32\wwvmgvcv.dll" [N/A]
"585c333d"="C:\WINDOWS\System32\jqoxlcvw.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2007-09-30 12:27 104976]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programmi\\File comuni\\System\\MSASP32.exe"=
"C:\\Programmi\\File comuni\\System\\MSIWA32.exe"=

R2 Advance Service Process;Advance Service Process;C:\Programmi\File comuni\System\MSASP32.exe [2007-11-14 16:30]
R2 Integrated Windows Authentication;Integrated Windows Authentication;C:\Programmi\File comuni\System\MSIWA32.exe [2007-12-09 21:47]
S2 Microsoft Windows Video Driver;Microsoft Windows Video Driver;C:\Programmi\File comuni\System\MSWVR32.exe []
S2 MSDisk;Network helper Service;C:\WINDOWS\System32\irdvxc.exe []
.
Contenuto della cartella 'Scheduled Tasks'
"2008-07-18 18:00:33 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\DATIAP~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2005-03-18 19:54:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{3F2AA1D5-71B1-4F21-A3F2-8D7C2805216A} - C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\OHUNGTI7\3077ahntdksr[1].dll
BHO-{7D6E4C75-60F9-4929-8530-8FEC7A9A7817} - C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\OHUNGTI7\3077ahntdksr[1].dll

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&sporta in Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {BD0D1F18-5561-11DC-A0D9-692F56D89593} - hxxp://faststat.net/code/1029.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 19:48:23
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-07-21 19:50:44
ComboFix-quarantined-files.txt 2008-07-21 17:50:32

Pre-Run: 28,510,887,936 byte disponibili
Post-Run: 28,491,468,800 byte disponibili

195

Il lap top si "impalla"spesso e in avvio manda sempre un messaggio di errore in rundll.32. Inoltre non riesco a lanciare disinstalla programmi, per disinstallare avast, che non si apre e manda anch'esso un messaggio di errore.

Cosa ne dici?

bdoriano

Dico che sei conciato parecchio male... Shocked

Vediamo cosa possiamo fare. Think

Apri il Blocco note e crea un file di testo con le seguenti istruzioni:

Codice:

File:
C:\WINDOWS\BM5b6f00a1.xml
C:\WINDOWS\system32\tj
C:\WINDOWS\system32\xb.exe
C:\WINDOWS\nsreg.dat
C:\WINDOWS\system32\yc.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\system32\kq.exe
C:\WINDOWS\system32\ig.exe
C:\WINDOWS\system32\il.exe
C:\WINDOWS\system32\wv.exe
C:\WINDOWS\system32\qy.exe
C:\WINDOWS\system32\vo.exe
C:\WINDOWS\system32\or.exe
C:\WINDOWS\system32\hj.exe
C:\fdh.exe
C:\WINDOWS\system32\db.exe
C:\WINDOWS\system32\gj.exe
C:\WINDOWS\system32\vi.exe
C:\WINDOWS\system32\oh.exe
C:\sdg.exe
C:\dg.exe
C:\WINDOWS\system32\ki.exe
C:\WINDOWS\system32\qo.exe
C:\WINDOWS\{601C1A0B-F209-466C-A961-79CEBB8E31C1}.dat
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\{A294793B-9CA7-416E-BBEE-759AA5C10671}.dat
C:\DOCUME~1\ADMINI~1\DOCUME~1\RACLE~1\regsvr32.exe
C:\WINDOWS\System32\wwvmgvcv.dll
C:\WINDOWS\System32\jqoxlcvw.dll

Registry:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zrevh"=-
"Tors"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM5b6f00a1"=-
"585c333d"=-

Salva il file sul desktop con il nome CFScript.txt e trascinalo sull'icona di ComboFix, come indicato in seguito:

Attendi pazientemente la fine dei lavori senza toccare tastiera, mouse o altro. Wink

Posta il log aggiornato di combofix.

Dopo, indipendentemente dal risultato di combofix, fai questa scansione con SystemScan, carica il log su WikiSend e posta il Forum Link che ti viene assegnato.

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Ciao,

temevo di essere in cattive acque, ed infatti tu me lo confermi..

Ad ogni modo, questo è il nuovo log di combofix, ottenuto secondo il tuo suggerimento:

ComboFix 08-07-20.5 - Administrator 2008-07-22 22:21:09.6 - NTFSx86
Eseguito da: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kburctazviurc.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\zxdnt3d.cfg
.
---- Previous Run -------
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Creati Da 2008-06-22 al 2008-07-22 )))))))))))))))))))))))))))))))))))
.

2008-07-21 22:22 . 2008-07-21 22:22 61,467 --a------ C:\WINDOWS\system32\rqwnw64p.exe
2008-07-21 22:17 . 2008-07-21 22:17 204,875 --a------ C:\WINDOWS\system32\qcntmtdm.exe
2008-07-21 22:17 . 2008-07-21 22:17 152,193 --a------ C:\WINDOWS\system32\g32.exe
2008-07-21 22:17 . 2008-07-21 22:17 64,841 --a------ C:\WINDOWS\system32\wlqsixqxmsyp.exe
2008-07-21 22:17 . 2008-07-21 22:17 55,808 --a------ C:\WINDOWS\mrofinu.exe
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\wnet
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\vdf1
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\confg
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\carH04
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\Temp\btxv15
2008-07-20 20:43 . 2008-07-20 20:43 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-20 20:24 . 2008-07-20 20:24 0 --a------ C:\WINDOWS\BM5b6f00a1.xml
2008-07-20 17:58 . 2008-07-20 17:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-18 19:15 36,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-20 17:57 . 2008-07-18 19:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-20 17:49 . 2008-07-20 18:01 178 --a------ C:\WINDOWS\system32\tj
2008-07-20 17:49 . 2008-07-20 17:49 0 --a------ C:\WINDOWS\system32\xb.exe
2008-07-20 17:43 . 2008-07-20 17:43 <DIR> d-------- C:\Programmi\Yahoo!
2008-07-20 17:43 . 2008-07-20 17:44 <DIR> d-------- C:\Programmi\CCleaner
2008-07-19 20:18 . 2008-07-19 20:18 <DIR> d-------- C:\Programmi\Lavasoft
2008-07-19 20:18 . 2008-07-19 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-07-19 20:16 . 2008-07-19 20:16 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-07-19 19:45 . 2008-07-21 22:15 <DIR> d-------- C:\Programmi\Antivirus
2008-07-19 19:24 . 2008-07-19 19:24 <DIR> d-------- C:\Programmi\Alwil Software
2008-07-19 19:24 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-07-19 19:17 . 2008-07-19 19:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-14 15:20 . 2008-07-14 15:20 0 --a------ C:\WINDOWS\system32\yc.exe
2008-07-14 15:03 . 2008-07-14 15:03 55,808 --a------ C:\WINDOWS\mrofinu1001186.exe.tmp
2008-07-14 15:02 . 2008-07-14 15:02 73,432 --a------ C:\WINDOWS\system32\kq.exe
2008-07-13 16:08 . 2008-07-13 16:08 62,168 --a------ C:\WINDOWS\system32\ig.exe
2008-07-07 15:02 . 2008-07-07 15:02 62,168 --a------ C:\WINDOWS\system32\il.exe
2008-06-27 19:59 . 2008-06-27 19:59 73,432 --a------ C:\WINDOWS\system32\wv.exe
2008-06-22 19:56 . 2008-06-22 19:56 62,168 --a------ C:\WINDOWS\system32\qy.exe
2008-06-22 19:35 . 2008-06-22 19:35 62,168 --a------ C:\WINDOWS\system32\vo.exe
2008-06-22 19:34 . 2008-06-22 19:34 62,168 --a------ C:\WINDOWS\system32\or.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 20:17 --------- d-----w C:\Programmi\Norton AntiVirus
2008-07-21 06:15 --------- d-----w C:\Programmi\IrfanView
2008-07-20 19:29 --------- d-----w C:\Programmi\SymNetDrv
2008-07-20 19:21 --------- d-----w C:\Programmi\Lexmark Fax Solutions
2008-07-20 19:20 --------- d-----w C:\Programmi\Lexmark 6200 Series
2008-07-20 19:18 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-07-20 19:11 --------- d-----w C:\Programmi\Abbyy FineReader 6.0 Sprint
2008-07-20 19:00 155,136 ----a-w C:\fdh.exe
2008-07-19 17:59 71,896 ----a-w C:\WINDOWS\system32\db.exe
2008-07-16 17:50 --------- d-----w C:\Programmi\Lx_cats
2008-06-21 15:10 62,168 ----a-w C:\WINDOWS\system32\hj.exe
2008-06-17 18:37 62,168 ----a-w C:\WINDOWS\system32\gj.exe
2008-06-14 16:34 62,168 ----a-w C:\WINDOWS\system32\vi.exe
2008-06-08 10:57 138,968 ----a-w C:\WINDOWS\system32\oh.exe
2008-05-11 12:06 24,598 ----a-w C:\sdg.exe
2008-05-07 20:40 72,708 --sh--w C:\dg.exe
2008-04-30 08:01 62,168 ----a-w C:\WINDOWS\system32\ki.exe
2008-04-29 10:30 62,168 ----a-w C:\WINDOWS\system32\qo.exe
2000-05-13 23:31 19,544 ----a-w C:\Documents and Settings\Administrator\Dati applicazioni\GDIPFONTCACHEV1.DAT
2005-03-18 19:36 32 --sha-w C:\WINDOWS\{601C1A0B-F209-466C-A961-79CEBB8E31C1}.dat
2007-11-04 20:58 61,440 --sha-w C:\WINDOWS\system32\.exe
2005-03-18 19:36 32 --sha-w C:\WINDOWS\system32\{A294793B-9CA7-416E-BBEE-759AA5C10671}.dat
.

------- Sigcheck -------

2001-08-31 12:00 1014784 b835b4f2d7866896de9453c3265dec32 C:\WINDOWS\explorer.exe
2004-08-20 00:39 1079296 be24795acbfa466f45ffe0049c4dac7d C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\explorer.exe
2001-08-31 12:00 1014784 f5dde51a27d20bf6e2dd5172658fc049 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-20 00:39 59904 33de6cf90d958450c13f1d1d14eb093b C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\ctfmon.exe
2007-09-30 12:27 104976 54b18323ba3c1b6e178b46c71cefc33a C:\WINDOWS\system32\ctfmon.exe
2001-08-31 12:00 24576 8bf73c30b744603d46634bdb4ddab834 C:\WINDOWS\system32\bak\ctfmon.exe
2001-08-31 12:00 90624 170726e859c6741632671e049515c1e7 C:\WINDOWS\system32\dllcache\ctfmon.exe

2004-08-20 00:39 69120 eb8b0e17de94f75cd6d84150728ff075 C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\spoolsv.exe
2001-08-31 12:00 95232 ba4f814bfaa04aec999fd7af0d25708f C:\WINDOWS\system32\spoolsv.exe
md5deep: C:\WINDOWS\system32\dllcache\spoolsv.exe: Permission denied
.
((((((((((((((((((((((((((((( snapshot@2008-07-21_19.49.49.69 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-07-14 16:42:22 100,864 -c----w C:\WINDOWS\$NtUninstallKB823182$\spuninst\spuninst.exe
+ 2003-07-14 16:42:22 112,128 -c----w C:\WINDOWS\$NtUninstallKB823182$\spuninst\spuninst.exe
- 2003-05-11 15:26:40 89,088 -c----w C:\WINDOWS\$NtUninstallKB823559$\spuninst\spuninst.exe
+ 2003-05-11 15:26:40 100,352 -c----w C:\WINDOWS\$NtUninstallKB823559$\spuninst\spuninst.exe
- 2003-07-14 16:42:22 100,864 -c----w C:\WINDOWS\$NtUninstallKB824105$\spuninst\spuninst.exe
+ 2003-07-14 16:42:22 112,128 -c----w C:\WINDOWS\$NtUninstallKB824105$\spuninst\spuninst.exe
- 2003-08-01 20:15:06 100,864 -c----w C:\WINDOWS\$NtUninstallKB825119$\spuninst\spuninst.exe
+ 2003-08-01 20:15:06 112,128 -c----w C:\WINDOWS\$NtUninstallKB825119$\spuninst\spuninst.exe
- 2003-10-14 06:50:25 141,312 -c----w C:\WINDOWS\$NtUninstallKB828035$\spuninst\spuninst.exe
+ 2003-10-14 06:50:25 152,576 -c----w C:\WINDOWS\$NtUninstallKB828035$\spuninst\spuninst.exe
- 2001-08-31 10:00:00 8,192 -c----w C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
+ 2001-08-31 10:00:00 19,456 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
- 2001-08-31 10:00:00 6,656 -c----w C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
+ 2001-08-31 10:00:00 17,920 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
- 2004-01-10 05:11:28 141,312 -c----w C:\WINDOWS\$NtUninstallKB828741$\spuninst\spuninst.exe
+ 2004-01-10 05:11:28 152,576 -c----w C:\WINDOWS\$NtUninstallKB828741$\spuninst\spuninst.exe
- 2000-08-31 06:00:00 107,520 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 140,288 ----a-w C:\WINDOWS\Nircmd.exe
- 2000-08-31 06:00:00 304,640 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 06:00:00 173,568 ----a-w C:\WINDOWS\swreg.exe
+ 2008-07-18 17:49:16 45,056 ----a-w C:\WINDOWS\system32\carH04\carH041066.exe
+ 2008-07-18 22:54:30 152,733 ----a-w C:\WINDOWS\system32\confg\QREG328.exe
- 2008-07-21 17:41:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-22 20:16:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-21 17:41:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-07-22 20:16:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2008-07-21 17:41:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-22 20:16:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-03 19:15:10 61,440 ----a-w C:\WINDOWS\system32\vdf1\setpack22.exe
- 2001-08-31 10:00:00 145,920 ----a-w C:\WINDOWS\system32\verifier.exe
+ 2001-08-31 10:00:00 178,688 ----a-w C:\WINDOWS\system32\verifier.exe
+ 2007-08-14 21:22:50 39,953 ----a-w C:\WINDOWS\system32\wnet\SFRuID2.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 54,296 2003-12-02 15:11:04 C:\Programmi\File comuni\Symantec Shared\bak\ccApp.exe

----a-w 58,392 2003-12-02 15:11:12 C:\Programmi\File comuni\Symantec Shared\bak\ccRegVfy.exe

----a-w 218,240 2004-11-02 14:59:52 C:\Programmi\File comuni\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 61,440 2008-07-20 19:21:03 C:\Programmi\Lexmark 6200 Series\bak\ezprint.exe

----a-w 196,608 2008-07-20 19:21:04 C:\Programmi\Lexmark 6200 Series\bak\lxbumon.exe

----a-w 299,008 2008-07-20 19:21:32 C:\Programmi\Lexmark Fax Solutions\bak\fm3032.exe

----a-w 95,960 2005-03-18 19:50:40 C:\Programmi\SymNetDrv\bak\SNDMon.exe

----a-w 24,576 2001-08-31 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 104,976 2007-09-30 10:27:52 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zrevh"="C:\WINDOWS\?icrosoft.NET\r?ndll.exe" [?]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2007-09-30 12:27 104976]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]
"Tors"="C:\DOCUME~1\ADMINI~1\DOCUME~1\RACLE~1\regsvr32.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [N/A]
"ccRegVfy"="C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" [N/A]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [N/A]
"SSC_UserPrompt"="C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe" [N/A]
"LXBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 22:03 69632]
"lxbumon.exe"="C:\Programmi\Lexmark 6200 Series\lxbumon.exe" [N/A]
"FaxCenterServer"="C:\Programmi\Lexmark Fax Solutions\fm3032.exe" [N/A]
"EzPrint"="C:\Programmi\Lexmark 6200 Series\ezprint.exe" [N/A]
"CnxTrApp"="C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll" [2004-04-20 17:24 247296]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"BM5b6f00a1"="C:\WINDOWS\System32\wwvmgvcv.dll" [N/A]
"585c333d"="C:\WINDOWS\System32\jqoxlcvw.dll" [N/A]
"{C3-33-39-92-DW}"="c:\windows\system32\rwwnw64d.exe" [N/A]
"{fa00ba72-9678-0983-dc7b-6dd2598a5ae0}"="C:\WINDOWS\System32\kburctazviurc.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2007-09-30 12:27 104976]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programmi\\File comuni\\System\\MSASP32.exe"=
"C:\\Programmi\\File comuni\\System\\MSIWA32.exe"=

R2 Advance Service Process;Advance Service Process;C:\Programmi\File comuni\System\MSASP32.exe [2007-11-14 16:30]
R2 Integrated Windows Authentication;Integrated Windows Authentication;C:\Programmi\File comuni\System\MSIWA32.exe [2007-12-09 21:47]
S2 Microsoft Windows Video Driver;Microsoft Windows Video Driver;C:\Programmi\File comuni\System\MSWVR32.exe []
S2 MSDisk;Network helper Service;C:\WINDOWS\System32\irdvxc.exe []
.
Contenuto della cartella 'Scheduled Tasks'
"2008-07-18 18:00:33 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\DATIAP~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2005-03-18 19:54:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 22:24:00
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-07-22 22:25:55
ComboFix-quarantined-files.txt 2008-07-22 20:25:48
ComboFix2.txt 2008-07-21 17:50:45

Pre-Run: 28,149,161,984 byte disponibili
Post-Run: 28,129,034,240 byte disponibili

209

Ho inoltre scaricato ed eseguito Suspect File: il report che ne è scaturito si trova su Wikisend, qui:

report.txt

Ti indico un altro "sintomo", che ieri ho omesso: internet explorer apre solo alcune pagine e non altre (non riesco ad aprire Google, nè, ad esempio, la pagina del Corriere della Sera, nè questo forum), mentre in compenso fioccano i pop up di siti sconosciuti.
Al momento, sto ovviando al problema con Mozilla Firefox.

Spero che ci siano ancora speranze...

bdoriano

Il buon combofix non ha potuto fare il miracolo... Rolling Eyes

Mi leggo il report di SystemScan e proviamo a usare i mezzi pesanti. Evil or Very Mad

Nel frattempo, disinstalla:
Avast! (come antivirus è una chiavica)
Disinstalla Norton usando il tool indicato in questa pagina. (idem come sopra)
Ad-Aware 2007 (no comment)

Come linea di principio: 2 antivirus insieme non vai mai d'accordo e si mettono i bastoni tra le ruote.
Come antispyware c'è sicuramente di meglio, ma lo vedremo dopo la disinfestazione.

bdoriano

Mapporc... rivedendo lo script che ti avevo fatto usare con ComboFix, mi sono reso conto di aver commesso un paio di errori nella stesura. Brick wall

Non tutto il male viene per nuocere, però. Razz

Nel log di SystemScan ho notato alcune cose che non avevo visto dal log di ComboFix. Laughing

Dopo che hai disinstallato i 3 programmi che ti ho detto sopra, procedi così:

Scarica avenger e scompattalo in una sua cartella non temporanea e non sul desktop

Avvia AVENGER
Clicca Ok
Inserisci queste righe nel riquadro bianco:

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Dunque, sono riuscito a disinstallare Norton ed Ad Aware, ma non riesco a disinstallare avast!. Embarassed

Il punto è che dal pannello di controllo non riesco ad accedere ad installa/disinstalla programmi: ogni volta che ci provo, si presenta il messaggio di errore in rundll.32 e l'applicazione non risponde.

Non ho trovato alcun modo per rimuovere avast!
Ho provato col file Read Me, ma non è stato illuminante: dice che per rimuovere il programma, devo utilizzare installa/disinstalla programmi... Crying or Very sad

Quando mai l'ho istallato d'oh!

!

Mi trovo ad un punto morto, prima di lanciare Avenger devo rimuovere avast!, ma non so come fare... Basta

C'è un modo alternativo di cui tu sei a conoscenza?

bdoriano

Vai avanti con Avenger e vediamo che combina. Think

edit:
ho trovato il tool per eliminare Avast!, va usato in modalità provvisoria.

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Ciao bdoriano,

con il tool di rimozione che mi hai segnalato sono riuscito a rimuovere avast!, grazie!!

Ora però sono di nuovo bloccato; ho scaricato numerose vole avenger.zip, ma non sono mai riuscito a lanciarlo.

Ogni volto che ci provo, si apre il messaggio di errore della microsoft per l 'invio della segnalazione ed il file non viene eseguito.

Inoltre ho notato che ogni volta che ho effettuato il download di avenger.zip, nella directory Programmi, in C, vengono create nuove cartelle.

Per indicarti solo le utlime: InetGet 2, mjc, Webtools, CPV, Sakora, alcune delle quali vuote, altre con dei file .exe o .dll.

Ho anche provato a trasferire l'avenger.zip che ho sul desktop a questo lap top, ma il risultato non è cambiato.

Solo tu puoi aiutarmi....

bdoriano

Allora, il virus blocca ne l'avvio.

Avvia nuovamente SystemScan
metti il segno di spunta a I have read and agree. Please let me free to proceed e clicca su Proceed
clicca su Removal Script

Nel riquadro inserisci il seguente script:

Codice:

Files to delete:
c:\fdh.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\BM5b6f00a1.xml
C:\WINDOWS\BM5b6f00a1.txt
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\system32\oh.exe
C:\WINDOWS\system32\ht.exe
C:\WINDOWS\system32\vi.exe
C:\WINDOWS\system32\gj.exe
C:\WINDOWS\system32\hj.exe
C:\WINDOWS\system32\or.exe
C:\WINDOWS\system32\vo.exe
C:\WINDOWS\system32\qy.exe
C:\WINDOWS\system32\wv.exe
C:\WINDOWS\system32\il.exe
C:\WINDOWS\system32\ig.exe
C:\WINDOWS\system32\kq.exe
C:\WINDOWS\system32\yc.exe
C:\WINDOWS\system32\db.exe
C:\WINDOWS\system32\xb.exe
C:\WINDOWS\system32\tj
C:\WINDOWS\system32\clkcnt.txt
C:\WINDOWS\system32\537ff743-.txt
C:\WINDOWS\system32\wlqsixqxmsyp.exe
C:\WINDOWS\system32\g32.exe
C:\WINDOWS\system32\qcntmtdm.exe
C:\WINDOWS\system32\rqwnw64p.exe
C:\WINDOWS\System32\wwvmgvcv.dll
C:\WINDOWS\System32\jqoxlcvw.dll
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\System32\irdvxc.exe
C:\WINDOWS\System32\kburctazviurc.dll
C:\DOCUME~1\ADMINI~1\DOCUME~1\RACLE~1\regsvr32.exe
C:\WINDOWS\?icrosoft.NET\r?ndll.exe
C:\Programmi\File comuni\System\MSASP32.exe
C:\Programmi\File comuni\System\MSIWA32.exe
C:\Programmi\File comuni\System\MSWVR32.exe

Folders to delete:
C:\WINDOWS\Downloaded Program Files\CONFLICT.2
C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\CONFLICT.4
C:\WINDOWS\Downloaded Program Files\CONFLICT.5
C:\WINDOWS\Downloaded Program Files\CONFLICT.8
C:\WINDOWS\Downloaded Program Files\CONFLICT.6
C:\WINDOWS\Downloaded Program Files\CONFLICT.7

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | BM5b6f00a1
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | 585c333d
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | {C3-33-39-92-DW}
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | {fa00ba72-9678-0983-dc7b-6dd2598a5ae0}

Drivers to unload:
Advance Service Process
Integrated Windows Authentication
Microsoft Windows Video Driver
MSDisk

e clicca Proceed with removal

******
Se dovessi ricevere l'errore Please copy and paste a valid script file, una volta incollato lo script in SystemScan (o Avenger), selezioni la prima riga, la cancelli e la ri-digiti. Fatto questo, dovrebbe tornare a funzionare.
******

Il pc dovrebbe riavviarsi, se così non fosse, riavvialo tu.
Al termine dell'operazione, posta qui il contenuto del file C:\Avenger.txt con un log aggiornato di SystemScan.

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Penso che il mio lap top sia davvero in condizioni disastrose Sad

.

System Scan non può operare; ho provato numerose volte, senza successo. Dopo aver cliccato "Proceed with removal", compare un messaggio che afferma che il controllo di sicurezza è fallito ed il file è cambiato, probabilmente a causa di un virus.

Ho tentato anche a cancellare e riscrivere la prima riga dello script di rimozione, ma il risultato è il medesimo.

Ed ora? Se disponessi di una bomba atomica da lanciare sul/sui virus, non ci penserei due volte! Twisted Evil

bdoriano

Proviamo un'altra strada... Wink

Ri-scarica Combofix (cambiagli il nome quando lo salvi).
Apri il Blocco note e crea un file di testo con le seguenti istruzioni:

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Con un po' di fatica, ma ce l'ho fatta!

Ho nuovamente scaricato Combo fix, e l'ho avviato con lo script che mi hai indicato.

Questo è il report:

ComboFix 08-07-26.1 - Administrator 2008-07-27 15:58:21.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1040.18.349 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
C:\DOCUME~1\ADMINI~1\DOCUME~1\RACLE~1\regsvr32.exe
c:\fdh.exe
C:\Programmi\File comuni\System\MSASP32.exe
C:\Programmi\File comuni\System\MSIWA32.exe
C:\Programmi\File comuni\System\MSWVR32.exe
C:\WINDOWS\BM5b6f00a1.txt
C:\WINDOWS\BM5b6f00a1.xml
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\system32\537ff743-.txt
C:\WINDOWS\system32\clkcnt.txt
C:\WINDOWS\system32\db.exe
C:\WINDOWS\system32\g32.exe
C:\WINDOWS\system32\gj.exe
C:\WINDOWS\system32\hj.exe
C:\WINDOWS\system32\ht.exe
C:\WINDOWS\system32\ig.exe
C:\WINDOWS\system32\il.exe
C:\WINDOWS\System32\irdvxc.exe
C:\WINDOWS\System32\jqoxlcvw.dll
C:\WINDOWS\System32\kburctazviurc.dll
C:\WINDOWS\system32\kq.exe
C:\WINDOWS\system32\oh.exe
C:\WINDOWS\system32\or.exe
C:\WINDOWS\system32\qcntmtdm.exe
C:\WINDOWS\system32\qy.exe
C:\WINDOWS\system32\rqwnw64p.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\tj
C:\WINDOWS\system32\vi.exe
C:\WINDOWS\system32\vo.exe
C:\WINDOWS\system32\wlqsixqxmsyp.exe
C:\WINDOWS\system32\wv.exe
C:\WINDOWS\System32\wwvmgvcv.dll
C:\WINDOWS\system32\xb.exe
C:\WINDOWS\system32\yc.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Dati applicazioni\WNSXS~1
C:\Documents and Settings\Administrator\Dati applicazioni\WNSXS~1\rundll32.exe
C:\Documents and Settings\Administrator\Dati applicazioni\WNSXS~1\W?nSxS\
C:\Documents and Settings\Administrator\Documenti\APPATC~1
C:\Documents and Settings\Administrator\Documenti\APPATC~1\?poolsv.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\Deewoo.lnk
C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\DW_Start.lnk
c:\fdh.exe
C:\h.exe
C:\Programmi\File comuni\System\MSASP32.exe
C:\Programmi\File comuni\System\MSIWA32.exe
C:\Programmi\File comuni\Yazzle1560OinAdmin.exe
C:\Programmi\File comuni\Yazzle1560OinUninstaller.exe
C:\Programmi\GetPack
C:\Programmi\GetPack\GetPack20.exe
C:\Programmi\iCheck
C:\Programmi\iCheck\iCheck.exe
C:\Programmi\iCheck\Uninstall.exe
C:\Programmi\inetget2
C:\Programmi\mjc
C:\Programmi\mjc\mjc.exe
C:\Programmi\outerinfo
C:\Programmi\outerinfo\FF\chrome.manifest
C:\Programmi\outerinfo\FF\components\FF.dll
C:\Programmi\outerinfo\FF\components\OuterinfoAds.xpt
C:\Programmi\outerinfo\FF\install.rdf
C:\Programmi\Sakora
C:\Programmi\Sakora\Sakora.exe
C:\Programmi\Temporary
C:\WINDOWS\b128.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\b157.exe
C:\WINDOWS\BM5b6f00a1.txt
C:\WINDOWS\BM5b6f00a1.xml
C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\1029.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\1029.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\1029.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\1029.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.5
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\1029.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.6
C:\WINDOWS\Downloaded Program Files\CONFLICT.7
C:\WINDOWS\Downloaded Program Files\CONFLICT.8
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\1029.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\system32\537ff743-.txt
C:\WINDOWS\system32\clkcnt.txt
C:\WINDOWS\system32\db.exe
C:\WINDOWS\system32\dlnpwjyw.dll
C:\WINDOWS\system32\duqgbihljmgohni.dll
C:\WINDOWS\system32\g32.exe
C:\WINDOWS\system32\gj.exe
C:\WINDOWS\system32\hj.exe
C:\WINDOWS\system32\ht.exe
C:\WINDOWS\system32\ig.exe
C:\WINDOWS\system32\il.exe
C:\WINDOWS\system32\kq.exe
C:\WINDOWS\system32\oh.exe
C:\WINDOWS\system32\or.exe
C:\WINDOWS\system32\qcntmtdm.exe
C:\WINDOWS\system32\qy.exe
C:\WINDOWS\system32\rqwnw64p.exe
C:\WINDOWS\system32\vi.exe
C:\WINDOWS\system32\vo.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wlqsixqxmsyp.exe
C:\WINDOWS\system32\wv.exe
C:\WINDOWS\system32\xb.exe
C:\WINDOWS\system32\yc.exe
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADVANCE_SERVICE_PROCESS
-------\Legacy_INTEGRATED_WINDOWS_AUTHENTICATION
-------\Legacy_MICROSOFT_WINDOWS_VIDEO_DRIVER
-------\Legacy_MSDISK
-------\Service_Advance Service Process
-------\Service_Integrated Windows Authentication
-------\Service_Microsoft Windows Video Driver
-------\Service_MSDisk

((((((((((((((((((((((((( Files Creati Da 2008-06-27 al 2008-07-27 )))))))))))))))))))))))))))))))))))
.

2008-07-26 19:26 . 2008-07-27 14:17 <DIR> d-------- C:\suspectfile
2008-07-26 12:54 . 2008-07-26 12:54 64,852 --a------ C:\WINDOWS\system32\ewrlxijwmj.exe
2008-07-26 12:47 . 2008-07-26 12:47 <DIR> d-------- C:\Programmi\Webtools
2008-07-23 20:59 . 2008-07-23 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\wnet
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\vdf1
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\confg
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\carH04
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\Temp\btxv15
2008-07-20 20:43 . 2008-07-20 20:43 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-20 17:58 . 2008-07-20 17:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-18 19:15 36,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-20 17:57 . 2008-07-18 19:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-20 17:43 . 2008-07-20 17:43 <DIR> d-------- C:\Programmi\Yahoo!
2008-07-20 17:43 . 2008-07-20 17:44 <DIR> d-------- C:\Programmi\CCleaner
2008-07-19 20:18 . 2008-07-19 20:18 <DIR> d-------- C:\Programmi\Lavasoft
2008-07-19 19:45 . 2008-07-21 22:15 <DIR> d-------- C:\Programmi\Antivirus
2008-07-19 19:24 . 2008-07-25 13:45 <DIR> d-------- C:\Programmi\Alwil Software
2008-07-19 19:24 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-07-19 19:17 . 2008-07-19 19:17 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 18:56 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-07-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-07-23 15:31 --------- d-----w C:\Programmi\Lx_cats
2008-07-21 06:15 --------- d-----w C:\Programmi\IrfanView
2008-07-20 19:29 --------- d-----w C:\Programmi\SymNetDrv
2008-07-20 19:21 --------- d-----w C:\Programmi\Lexmark Fax Solutions
2008-07-20 19:20 --------- d-----w C:\Programmi\Lexmark 6200 Series
2008-07-20 19:11 --------- d-----w C:\Programmi\Abbyy FineReader 6.0 Sprint
2008-05-11 12:06 24,598 ----a-w C:\sdg.exe
2008-05-07 20:40 72,708 --sh--w C:\dg.exe
2008-04-30 08:01 62,168 ----a-w C:\WINDOWS\system32\ki.exe
2008-04-29 10:30 62,168 ----a-w C:\WINDOWS\system32\qo.exe
2000-05-13 23:31 19,544 ----a-w C:\Documents and Settings\Administrator\Dati applicazioni\GDIPFONTCACHEV1.DAT
2007-11-04 20:58 61,440 --sha-w C:\WINDOWS\system32\.exe
.

------- Sigcheck -------

2001-08-31 12:00 1014784 b835b4f2d7866896de9453c3265dec32 C:\WINDOWS\explorer.exe
2004-08-20 00:39 1079296 be24795acbfa466f45ffe0049c4dac7d C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\explorer.exe
2001-08-31 12:00 1014784 f5dde51a27d20bf6e2dd5172658fc049 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-20 00:39 59904 33de6cf90d958450c13f1d1d14eb093b C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\ctfmon.exe
2007-09-30 12:27 104976 54b18323ba3c1b6e178b46c71cefc33a C:\WINDOWS\system32\ctfmon.exe
2001-08-31 12:00 24576 8bf73c30b744603d46634bdb4ddab834 C:\WINDOWS\system32\bak\ctfmon.exe
2001-08-31 12:00 90624 170726e859c6741632671e049515c1e7 C:\WINDOWS\system32\dllcache\ctfmon.exe

2004-08-20 00:39 69120 eb8b0e17de94f75cd6d84150728ff075 C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\spoolsv.exe
2001-08-31 12:00 95232 ba4f814bfaa04aec999fd7af0d25708f C:\WINDOWS\system32\spoolsv.exe
2001-08-31 12:00 62464 c1e232345a1af9a34cf0e4a61ebbcc1c C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot_2008-07-22_22.25.30.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-07-14 16:42:22 112,128 -c----w C:\WINDOWS\$NtUninstallKB824105$\spuninst\spuninst.exe
+ 2003-07-14 16:42:22 144,896 -c----w C:\WINDOWS\$NtUninstallKB824105$\spuninst\spuninst.exe
- 2003-10-14 06:50:25 152,576 -c----w C:\WINDOWS\$NtUninstallKB828035$\spuninst\spuninst.exe
+ 2003-10-14 06:50:25 185,344 -c----w C:\WINDOWS\$NtUninstallKB828035$\spuninst\spuninst.exe
- 2001-08-31 10:00:00 19,456 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
+ 2001-08-31 10:00:00 52,224 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
- 2001-08-31 10:00:00 17,920 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
+ 2001-08-31 10:00:00 50,688 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
- 2004-01-10 05:11:28 152,576 -c----w C:\WINDOWS\$NtUninstallKB828741$\spuninst\spuninst.exe
+ 2004-01-10 05:11:28 185,344 -c----w C:\WINDOWS\$NtUninstallKB828741$\spuninst\spuninst.exe
- 2004-01-10 05:11:28 141,312 -c----w C:\WINDOWS\$NtUninstallKB833987$\spuninst\spuninst.exe
+ 2004-01-10 05:11:28 152,576 -c----w C:\WINDOWS\$NtUninstallKB833987$\spuninst\spuninst.exe
- 2004-06-24 16:16:14 171,008 -c----w C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\spuninst\spuninst.exe
+ 2004-06-24 16:16:14 182,272 -c----w C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\spuninst\spuninst.exe
- 2001-08-31 10:00:00 692,224 -c----w C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe
+ 2001-08-31 10:00:00 703,488 -c--a-w C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe
- 2004-01-10 05:11:28 141,312 -c----w C:\WINDOWS\$NtUninstallKB835732$\spuninst\spuninst.exe
+ 2004-01-10 05:11:28 152,576 -c----w C:\WINDOWS\$NtUninstallKB835732$\spuninst\spuninst.exe
- 2000-08-31 06:00:00 101,792 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 06:00:00 134,560 ----a-w C:\WINDOWS\fdsv.exe
- 2000-08-31 06:00:00 140,288 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 107,520 ----a-w C:\WINDOWS\Nircmd.exe
- 2000-08-31 06:00:00 173,568 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 06:00:00 206,336 ----a-w C:\WINDOWS\swreg.exe
- 2000-08-31 06:00:00 223,744 ----a-w C:\WINDOWS\swxcacls.exe
+ 2000-08-31 06:00:00 256,512 ----a-w C:\WINDOWS\swxcacls.exe
- 2001-08-31 10:00:00 80,896 ----a-w C:\WINDOWS\system32\actmovie.exe
+ 2001-08-31 10:00:00 146,432 ----a-w C:\WINDOWS\system32\actmovie.exe
- 2008-02-02 18:30:47 138,968 ----a-w C:\WINDOWS\system32\bf.exe
+ 2008-02-02 18:30:47 171,736 ----a-w C:\WINDOWS\system32\bf.exe
- 2008-04-20 21:34:12 139,480 ----a-w C:\WINDOWS\system32\bu.exe
+ 2008-04-20 21:34:12 172,248 ----a-w C:\WINDOWS\system32\bu.exe
- 2001-08-31 10:00:00 96,256 ----a-w C:\WINDOWS\system32\cacls.exe
+ 2001-08-31 10:00:00 129,024 ----a-w C:\WINDOWS\system32\cacls.exe
- 2001-08-31 10:00:00 88,576 ----a-w C:\WINDOWS\system32\chkntfs.exe
+ 2001-08-31 10:00:00 121,344 ----a-w C:\WINDOWS\system32\chkntfs.exe
- 2008-07-22 20:16:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-27 14:01:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-22 20:16:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-07-27 14:01:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-07-26 10:49:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008072620080727\index.dat
+ 2008-07-26 10:49:31 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Dati applicazioni\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2008-07-26 17:22:11 8,790 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\CL0XGFUN\wr[1].exe
+ 2008-07-27 12:18:22 8,790 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\CL0XGFUN\wr[2].exe
- 2008-07-22 20:16:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-27 14:01:56 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-25 11:50:22 8,790 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\YJUTCP6B\unpr[1].exe
+ 2008-07-26 10:43:17 8,790 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\YJUTCP6B\unpr[2].exe
- 2008-07-21 06:22:32 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-07-27 12:26:02 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2001-08-31 10:00:00 59,392 ----a-w C:\WINDOWS\TASKMAN.EXE
+ 2001-08-31 10:00:00 92,160 ----a-w C:\WINDOWS\TASKMAN.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 54,296 2003-12-02 15:11:04 C:\Programmi\File comuni\Symantec Shared\bak\ccApp.exe

----a-w 58,392 2003-12-02 15:11:12 C:\Programmi\File comuni\Symantec Shared\bak\ccRegVfy.exe

----a-w 218,240 2004-11-02 14:59:52 C:\Programmi\File comuni\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 61,440 2008-07-20 19:21:03 C:\Programmi\Lexmark 6200 Series\bak\ezprint.exe

----a-w 196,608 2008-07-20 19:21:04 C:\Programmi\Lexmark 6200 Series\bak\lxbumon.exe

----a-w 299,008 2008-07-20 19:21:32 C:\Programmi\Lexmark Fax Solutions\bak\fm3032.exe

----a-w 95,960 2005-03-18 19:50:40 C:\Programmi\SymNetDrv\bak\SNDMon.exe

----a-w 24,576 2001-08-31 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 104,976 2007-09-30 10:27:52 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zrevh"="C:\WINDOWS\?icrosoft.NET\r?ndll.exe" [?]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2007-09-30 12:27 104976]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]
"Tors"="C:\DOCUME~1\ADMINI~1\DOCUME~1\RACLE~1\regsvr32.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [N/A]
"SSC_UserPrompt"="C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe" [N/A]
"LXBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 22:03 69632]
"lxbumon.exe"="C:\Programmi\Lexmark 6200 Series\lxbumon.exe" [N/A]
"FaxCenterServer"="C:\Programmi\Lexmark Fax Solutions\fm3032.exe" [N/A]
"EzPrint"="C:\Programmi\Lexmark 6200 Series\ezprint.exe" [N/A]
"CnxTrApp"="C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll" [2004-04-20 17:24 247296]
"BM5b6f00a1"="C:\WINDOWS\System32\wwvmgvcv.dll" [N/A]
"585c333d"="C:\WINDOWS\System32\jqoxlcvw.dll" [N/A]
"{C3-33-39-92-DW}"="c:\windows\system32\rwwnw64d.exe" [N/A]
"{fa00ba72-9678-0983-dc7b-6dd2598a5ae0}"="C:\WINDOWS\System32\kburctazviurc.dll" [N/A]
"{9d5f7f45-c682-e9d4-cd25-f5ee76e61b6e}"="C:\WINDOWS\System32\duqgbihljmgohni.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Zqo"="C:\Documents and Settings\Administrator\Documenti\A?pPatch\?poolsv.exe" [?]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2007-09-30 12:27 104976]
"Sakora"="C:\Programmi\Sakora\Sakora.exe" [N/A]
"mjc"="C:\Programmi\mjc\mjc.exe" [N/A]
"GetPack20"="C:\Programmi\GetPack\GetPack20.exe" [N/A]
"Tors"="C:\DOCUME~1\ADMINI~1\DATIAP~1\WNSXS~1\rundll32.exe" [N/A]

.
Contenuto della cartella 'Scheduled Tasks'
2005-03-18 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 16:02:27
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Ora fine scansione: 2008-07-27 16:05:37 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-07-27 14:05:30
ComboFix2.txt 2008-07-21 17:50:45

Pre-Run: 27,927,019,520 byte disponibili
Post-Run: 27,893,637,120 byte disponibili

321

Tuttavia, al riavvio del lap top il messaggio di errore in rundll.32 è riapparso, inoltre non riesco ad accedere ancora ad installa/disinstalla programmi.

E' un diavolo di virus, vero?

bdoriano

Parecchio rognoso il ragazzaccio... ma, mi sembra, lo stiamo scalfendo. Razz

Apri il Blocco note e crea un file di testo con le seguenti istruzioni:

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Ciao,

ecco il nuovo log di combofix:

ComboFix 08-07-26.1 - Administrator 2008-07-28 20:30:03.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1040.18.347 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu1001186.exe

.
((((((((((((((((((((((((( Files Creati Da 2008-06-28 al 2008-07-28 )))))))))))))))))))))))))))))))))))
.

2008-07-26 19:26 . 2008-07-27 14:17 <DIR> d-------- C:\suspectfile
2008-07-26 12:54 . 2008-07-26 12:54 64,852 --a------ C:\WINDOWS\system32\ewrlxijwmj.exe
2008-07-26 12:47 . 2008-07-26 12:47 <DIR> d-------- C:\Programmi\Webtools
2008-07-23 20:59 . 2008-07-23 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\wnet
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\vdf1
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\confg
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\carH04
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\Temp\btxv15
2008-07-20 20:43 . 2008-07-20 20:43 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-20 17:58 . 2008-07-20 17:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-18 19:15 36,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-20 17:57 . 2008-07-18 19:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-20 17:43 . 2008-07-20 17:43 <DIR> d-------- C:\Programmi\Yahoo!
2008-07-20 17:43 . 2008-07-20 17:44 <DIR> d-------- C:\Programmi\CCleaner
2008-07-19 20:18 . 2008-07-19 20:18 <DIR> d-------- C:\Programmi\Lavasoft
2008-07-19 19:45 . 2008-07-21 22:15 <DIR> d-------- C:\Programmi\Antivirus
2008-07-19 19:24 . 2008-07-25 13:45 <DIR> d-------- C:\Programmi\Alwil Software
2008-07-19 19:24 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-07-19 19:17 . 2008-07-19 19:17 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 18:56 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-07-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-07-23 15:31 --------- d-----w C:\Programmi\Lx_cats
2008-07-21 06:15 --------- d-----w C:\Programmi\IrfanView
2008-07-20 19:29 --------- d-----w C:\Programmi\SymNetDrv
2008-07-20 19:21 --------- d-----w C:\Programmi\Lexmark Fax Solutions
2008-07-20 19:20 --------- d-----w C:\Programmi\Lexmark 6200 Series
2008-07-20 19:11 --------- d-----w C:\Programmi\Abbyy FineReader 6.0 Sprint
2008-05-11 12:06 24,598 ----a-w C:\sdg.exe
2008-05-07 20:40 72,708 --sh--w C:\dg.exe
2008-04-30 08:01 62,168 ----a-w C:\WINDOWS\system32\ki.exe
2008-04-29 10:30 62,168 ----a-w C:\WINDOWS\system32\qo.exe
2000-05-13 23:31 19,544 ----a-w C:\Documents and Settings\Administrator\Dati applicazioni\GDIPFONTCACHEV1.DAT
2007-11-04 20:58 61,440 --sha-w C:\WINDOWS\system32\.exe
.

------- Sigcheck -------

2001-08-31 12:00 1014784 b835b4f2d7866896de9453c3265dec32 C:\WINDOWS\explorer.exe
2004-08-20 00:39 1079296 be24795acbfa466f45ffe0049c4dac7d C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\explorer.exe
2001-08-31 12:00 1014784 f5dde51a27d20bf6e2dd5172658fc049 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-20 00:39 59904 33de6cf90d958450c13f1d1d14eb093b C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\ctfmon.exe
2007-09-30 12:27 104976 54b18323ba3c1b6e178b46c71cefc33a C:\WINDOWS\system32\ctfmon.exe
2001-08-31 12:00 24576 8bf73c30b744603d46634bdb4ddab834 C:\WINDOWS\system32\bak\ctfmon.exe
2001-08-31 12:00 90624 170726e859c6741632671e049515c1e7 C:\WINDOWS\system32\dllcache\ctfmon.exe

2004-08-20 00:39 69120 eb8b0e17de94f75cd6d84150728ff075 C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\spoolsv.exe
2001-08-31 12:00 95232 ba4f814bfaa04aec999fd7af0d25708f C:\WINDOWS\system32\spoolsv.exe
2001-08-31 12:00 62464 c1e232345a1af9a34cf0e4a61ebbcc1c C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot_2008-07-27_16.05.12.80 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 06:00:00 107,520 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 41,984 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-07-27 14:01:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-28 18:27:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-27 14:01:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-07-28 18:27:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2008-07-27 14:01:56 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-28 18:27:30 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 54,296 2003-12-02 15:11:04 C:\Programmi\File comuni\Symantec Shared\bak\ccApp.exe

----a-w 58,392 2003-12-02 15:11:12 C:\Programmi\File comuni\Symantec Shared\bak\ccRegVfy.exe

----a-w 218,240 2004-11-02 14:59:52 C:\Programmi\File comuni\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 61,440 2008-07-20 19:21:03 C:\Programmi\Lexmark 6200 Series\bak\ezprint.exe

----a-w 196,608 2008-07-20 19:21:04 C:\Programmi\Lexmark 6200 Series\bak\lxbumon.exe

----a-w 299,008 2008-07-20 19:21:32 C:\Programmi\Lexmark Fax Solutions\bak\fm3032.exe

----a-w 95,960 2005-03-18 19:50:40 C:\Programmi\SymNetDrv\bak\SNDMon.exe

----a-w 24,576 2001-08-31 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 104,976 2007-09-30 10:27:52 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2007-09-30 12:27 104976]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 22:03 69632]
"lxbumon.exe"="C:\Programmi\Lexmark 6200 Series\lxbumon.exe" [N/A]
"FaxCenterServer"="C:\Programmi\Lexmark Fax Solutions\fm3032.exe" [N/A]
"EzPrint"="C:\Programmi\Lexmark 6200 Series\ezprint.exe" [N/A]
"CnxTrApp"="C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll" [2004-04-20 17:24 247296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2007-09-30 12:27 104976]

.
Contenuto della cartella 'Scheduled Tasks'
2005-03-18 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 20:32:19
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-07-28 20:34:11
ComboFix-quarantined-files.txt 2008-07-28 18:34:05
ComboFix2.txt 2008-07-21 17:50:45

Pre-Run: 27,744,518,144 byte disponibili
Post-Run: 27,725,291,520 byte disponibili

126

A me, come al solito, dice poco dato che non so leggerlo, ma sono sicuro che tu saprai tirarne fuori qualcosa di interessante!

bdoriano

Altro giro, altro regalo... Laughing

Apri il Blocco note e crea un file di testo con le seguenti istruzioni:

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Ciao bdoriano,

ho fatto ciò che mi hai chiesto.

Questo è il log di combofix:

ComboFix 08-07-26.1 - Administrator 2008-07-29 18:10:23.14 - NTFSx86
Eseguito da: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
C:\dg.exe
C:\sdg.exe
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\ewrlxijwmj.exe
C:\WINDOWS\system32\ki.exe
C:\WINDOWS\system32\qo.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp
.
---- Previous Run -------
.
C:\dg.exe
C:\sdg.exe
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\ewrlxijwmj.exe
C:\WINDOWS\system32\ki.exe
C:\WINDOWS\system32\qo.exe

.
((((((((((((((((((((((((( Files Creati Da 2008-06-28 al 2008-07-29 )))))))))))))))))))))))))))))))))))
.

2008-07-26 19:26 . 2008-07-27 14:17 <DIR> d-------- C:\suspectfile
2008-07-26 12:47 . 2008-07-26 12:47 <DIR> d-------- C:\Programmi\Webtools
2008-07-23 20:59 . 2008-07-23 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\wnet
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\vdf1
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\confg
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\WINDOWS\system32\carH04
2008-07-21 22:16 . 2008-07-21 22:16 <DIR> d-------- C:\Temp\btxv15
2008-07-20 20:43 . 2008-07-20 20:43 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-20 17:58 . 2008-07-20 17:58 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-07-20 17:57 . 2008-07-20 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-07-20 17:57 . 2008-07-18 19:15 36,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-20 17:57 . 2008-07-18 19:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-20 17:43 . 2008-07-20 17:43 <DIR> d-------- C:\Programmi\Yahoo!
2008-07-20 17:43 . 2008-07-20 17:44 <DIR> d-------- C:\Programmi\CCleaner
2008-07-19 20:18 . 2008-07-19 20:18 <DIR> d-------- C:\Programmi\Lavasoft
2008-07-19 19:45 . 2008-07-21 22:15 <DIR> d-------- C:\Programmi\Antivirus
2008-07-19 19:24 . 2008-07-25 13:45 <DIR> d-------- C:\Programmi\Alwil Software
2008-07-19 19:24 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-07-19 19:17 . 2008-07-19 19:17 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 18:56 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-07-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-07-23 15:31 --------- d-----w C:\Programmi\Lx_cats
2008-07-21 06:15 --------- d-----w C:\Programmi\IrfanView
2008-07-20 19:29 --------- d-----w C:\Programmi\SymNetDrv
2008-07-20 19:21 --------- d-----w C:\Programmi\Lexmark Fax Solutions
2008-07-20 19:20 --------- d-----w C:\Programmi\Lexmark 6200 Series
2008-07-20 19:11 --------- d-----w C:\Programmi\Abbyy FineReader 6.0 Sprint
2000-05-13 23:31 19,544 ----a-w C:\Documents and Settings\Administrator\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2001-08-31 12:00 1014784 b835b4f2d7866896de9453c3265dec32 C:\WINDOWS\explorer.exe
2004-08-20 00:39 1079296 be24795acbfa466f45ffe0049c4dac7d C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\explorer.exe
2001-08-31 12:00 1014784 f5dde51a27d20bf6e2dd5172658fc049 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-20 00:39 59904 33de6cf90d958450c13f1d1d14eb093b C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\ctfmon.exe
2007-09-30 12:27 104976 54b18323ba3c1b6e178b46c71cefc33a C:\WINDOWS\system32\ctfmon.exe
2001-08-31 12:00 24576 8bf73c30b744603d46634bdb4ddab834 C:\WINDOWS\system32\bak\ctfmon.exe
2001-08-31 12:00 90624 170726e859c6741632671e049515c1e7 C:\WINDOWS\system32\dllcache\ctfmon.exe

2004-08-20 00:39 69120 eb8b0e17de94f75cd6d84150728ff075 C:\WINDOWS\SoftwareDistribution\Download\5d02aa687fced580cdb60abdb77eb075\spoolsv.exe
2001-08-31 12:00 95232 ba4f814bfaa04aec999fd7af0d25708f C:\WINDOWS\system32\spoolsv.exe
2001-08-31 12:00 62464 c1e232345a1af9a34cf0e4a61ebbcc1c C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot_2008-07-27_16.05.12.80 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-31 10:00:00 52,224 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
+ 2001-08-31 10:00:00 84,992 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
- 2001-08-31 10:00:00 50,688 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
+ 2001-08-31 10:00:00 83,456 -c--a-w C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
- 2004-01-10 05:11:28 185,344 -c----w C:\WINDOWS\$NtUninstallKB828741$\spuninst\spuninst.exe
+ 2004-01-10 05:11:28 218,112 -c----w C:\WINDOWS\$NtUninstallKB828741$\spuninst\spuninst.exe
- 2004-01-10 05:11:28 152,576 -c----w C:\WINDOWS\$NtUninstallKB833987$\spuninst\spuninst.exe
+ 2004-01-10 05:11:28 185,344 -c----w C:\WINDOWS\$NtUninstallKB833987$\spuninst\spuninst.exe
- 2001-08-31 10:00:00 703,488 -c--a-w C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe
+ 2001-08-31 10:00:00 736,256 -c--a-w C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe
- 2004-01-10 05:11:28 152,576 -c----w C:\WINDOWS\$NtUninstallKB835732$\spuninst\spuninst.exe
+ 2004-01-10 05:11:28 185,344 -c----w C:\WINDOWS\$NtUninstallKB835732$\spuninst\spuninst.exe
- 2000-08-31 06:00:00 107,520 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 74,752 ----a-w C:\WINDOWS\Nircmd.exe
- 2000-08-31 06:00:00 206,336 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 06:00:00 271,872 ----a-w C:\WINDOWS\swreg.exe
- 2008-07-27 14:01:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-29 16:08:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-27 14:01:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-07-29 16:08:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2008-07-27 14:01:56 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-29 16:08:13 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 54,296 2003-12-02 15:11:04 C:\Programmi\File comuni\Symantec Shared\bak\ccApp.exe

----a-w 58,392 2003-12-02 15:11:12 C:\Programmi\File comuni\Symantec Shared\bak\ccRegVfy.exe

----a-w 218,240 2004-11-02 14:59:52 C:\Programmi\File comuni\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 61,440 2008-07-20 19:21:03 C:\Programmi\Lexmark 6200 Series\bak\ezprint.exe

----a-w 196,608 2008-07-20 19:21:04 C:\Programmi\Lexmark 6200 Series\bak\lxbumon.exe

----a-w 299,008 2008-07-20 19:21:32 C:\Programmi\Lexmark Fax Solutions\bak\fm3032.exe

----a-w 95,960 2005-03-18 19:50:40 C:\Programmi\SymNetDrv\bak\SNDMon.exe

----a-w 24,576 2001-08-31 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 104,976 2007-09-30 10:27:52 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2007-09-30 12:27 104976]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 22:03 69632]
"lxbumon.exe"="C:\Programmi\Lexmark 6200 Series\lxbumon.exe" [N/A]
"FaxCenterServer"="C:\Programmi\Lexmark Fax Solutions\fm3032.exe" [N/A]
"EzPrint"="C:\Programmi\Lexmark 6200 Series\ezprint.exe" [N/A]
"CnxTrApp"="C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll" [2004-04-20 17:24 247296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2007-09-30 12:27 104976]

.
Contenuto della cartella 'Scheduled Tasks'
2005-03-18 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 18:12:35
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-07-29 18:14:21
ComboFix-quarantined-files.txt 2008-07-29 16:14:10
ComboFix2.txt 2008-07-21 17:50:45

Pre-Run: 27,498,700,800 byte disponibili
Post-Run: 27,479,347,200 byte disponibili

150

Ho inoltre scaricato kaspersky offline scanner, ho fatto la scansione ed il risultato è stata la scoperta di più di...4.000 malwares...!!!!!GULP!!

Non sono riuscito ad usare freefile hosting, per cui ho caricato il reposrt su wikisend.

Questo è il forum link :

Kaspersky_30_luglio_2008.txt

Ho seguito le istruzioni del tool di rimozione e, secondo i casi, ho disinfettato alcuni files e ne ho rimossi altri: il numero delle infezioni è però ancora altissimo.

Tuttavia, riscontro dei miglioramenti.

Il messaggio di errore che avevo all'avvio del lap top, sembra sparito (ma ce n'è uno diverso alla chiusura della sessione), inoltre sono riuscito finalmente a riaprire il pannello di controllo e le funzioni installa / disinstalla!!

Non penso ad ogni modo, che i problemi siano risolti; che cosa mi consigli di fare ora?

P.S.

Non ho ancora rimosso Kaspersky offline scanner: devo farlo?

bdoriano

Kaspersky tienilo ancora "in caldo". Razz

nuova correzione... Wink

Pulizia dei files temporanei con ATF-Cleaner e/o CCleaner
Scarica drWeb CureIT e salvalo sul desktop
Avvia il pc in modalità provvisoria
Fai la scansione completa con drWeb CureIT
Fai questa scansione con VirIT

Irnerio · Eroe Registrato: 23/01/08 21:49 Messaggi: 44

Ehmm, credo di aver combinato un disastro... Embarassed

Ho eseguito sia ATF Cleaner sia CC Cleaner, ho scaricato Dr. Web e l'ho eseguito in modalità provvisoria, facendogli fare la scansione completa.

Quando mi ha chiesto cosa fare del malware rilevato, ho scelto di curarlo e, nei casi in cui non era possibile, di eliminarlo.

Ho salvato il rapporto in formato .xls ed ho riavviato il lap top in modalità normale, ed a questo punto la sorpresa: Shocked

compare solo lo sfondo del desktop.

Niente icone, niente barra nè menù di avvio.

Compare solo un messaggio per l'invio di una segnalazione di errore a Microsoft in userinit.exe.

Temo di aver cancellato qualche directory necessaria all'avvio, naturalmente senza accorgemene.

Di nuovo non so cosa fare.

Devo formattare tutto?