Olimpo Informatico

tempestasolare · Mortale devoto Registrato: 03/06/06 22:47 Messaggi: 12

Sono scoraggiato, provo a rispostare .....
Ho un problema che non riesco a risolvere!
mi compare in trusted zone un dominio "fasullo" *.whataboutadog.com e compare un file in C:\WINDOWS\Temp un file che cambia di volta in volta, ora trovo RUCEDB.exe (lo cancello in modalità provvisoria ma ricompare con altro nome). Il file cambia nome ma cmq è sempre formato da sei caratteri alfanumerici e maiuscoli.
Ho fatto girare un pò di "cose" ma non risolvo il problema....
ccleaner
spybot
trend micro antispyware
AD aware se
trend nicro office scan
ewido online
e
altro
allego log hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 15.16.44, on 26/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Officescan NT\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Officescan NT\tmlisten.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Officescan NT\OfcPfwSvc.exe
C:\WINDOWS\TEMP\RUCEDB.EXE
C:\WINDOWS\Explorer.EXE
C:\Officescan NT\pccntmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Officescan NT\Pop3Trap.exe
C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Free\a2free.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
E:\antivir\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://noiportal.telecomitalia.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://noiportal.telecomitalia.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Telecom Italia s.p.a.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Officescan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [PDUiP6220DMon] C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
O4 - HKLM\..\Run: [RUN_PWR_SETTINGS] %windir%\system32\RunUnset.vbs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://noiportal.telecomitalia.it
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: http://organigramma.griffon.local
O15 - Trusted Zone: *.griffon.local
O15 - Trusted Zone: http://atomwfe1.telecomitalia.it
O15 - Trusted Zone: http://atomwfe2.telecomitalia.it
O15 - Trusted Zone: http://griffon.ittelecom.open.telecomitalia.it
O15 - Trusted Zone: http://griffon.open.telecomitalia.it
O15 - Trusted Zone: http://hr.open.telecomitalia.it
O15 - Trusted Zone: http://mpa.dg.telecomitalia.it
O15 - Trusted Zone: http://paperless.open.telecomitalia.it
O15 - Trusted Zone: http://tils.open.telecomitalia.it
O15 - Trusted Zone: http://dwh-o2c.telecomitalia.local
O15 - Trusted Zone: http://soa404.telecomitalia.local
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: http://organigramma.griffon.local (HKLM)
O15 - Trusted Zone: *.griffon.local (HKLM)
O15 - Trusted Zone: http://atomwfe1.telecomitalia.it (HKLM)
O15 - Trusted Zone: http://atomwfe2.telecomitalia.it (HKLM)
O15 - Trusted Zone: http://griffon.ittelecom.open.telecomitalia.it (HKLM)
O15 - Trusted Zone: http://griffon.open.telecomitalia.it (HKLM)
O15 - Trusted Zone: http://hr.open.telecomitalia.it (HKLM)
O15 - Trusted Zone: http://paperless.open.telecomitalia.it (HKLM)
O15 - Trusted Zone: http://tils.open.telecomitalia.it (HKLM)
O15 - Trusted Zone: http://dwh-o2c.telecomitalia.local (HKLM)
O15 - Trusted Zone: http://soa404.telecomitalia.local (HKLM)
O15 - Trusted IP range: 10.74.27.45
O15 - Trusted IP range: http://10.173.215.15
O15 - Trusted IP range: 10.74.27.45 (HKLM)
O15 - Trusted IP range: http://10.173.215.15 (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telecomitalia.local
O17 - HKLM\Software\..\Telephony: DomainName = telecomitalia.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{04B7E05C-ECA4-4393-BC1B-FC1B635BA7C4}: NameServer = 156.54.205.68,156.54.17.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9FA1FB0-D522-4225-95FD-95A29CD25D01}: NameServer = 85.37.17.16 85.38.28.68
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telecomitalia.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = telecomitalia.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{04B7E05C-ECA4-4393-BC1B-FC1B635BA7C4}: NameServer = 156.54.205.68,156.54.17.166
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = telecomitalia.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Officescan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Officescan NT\OfcPfwSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Officescan NT\tmlisten.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

Sante62 · Dio maturo Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia

Ciao tempestasolare Smile

Guardando il log penso che la maggior parte dei siti delle righe 015 li hai aggiunti tu, tranne ovviamente quelle che hai citato.
Dai una passata con Virit
Aggiornalo mediante l'icona della parabola posta nella barra in alto e fagli fare la scansione completa del PC.
Fai in modo che rimuova automaticamente i file infetti trovati.
Non dimenticare di disattivare momentaneamente il tuo antivirus.
Fai questi passaggi:
Scansione con FindAWF
Scansione con GMER
Ricorda che i log di GMER sono due: Autostart e Rootkit

Incolla poi quì il risultato di Virit insieme ad un nuovo log di HJT, scaricandoti però la versione aggiornata

tempestasolare · Mortale devoto Registrato: 03/06/06 22:47 Messaggi: 12

ecco i log
awf
http://www.freefilehosting.net/download/39gd7

gmer
autostart
http://www.freefilehosting.net/download/39gd5
rootkit
http://www.freefilehosting.net/download/39gd6

bdoriano

Manca il log autostart di gmer. Rolling Eyes

tempestasolare · Mortale devoto Registrato: 03/06/06 22:47 Messaggi: 12

sorry
gmer autostart
http://www.freefilehosting.net/download/39gdi

Sante62 · Dio maturo Registrato: 27/06/07 17:55 Messaggi: 3477 Residenza: Floridia

Dai log di FindAWF e GMER non si vedono cose strane. Avvia HJT e seleziona a sinistra queste righe (quelle in rosso se le conosci non selezionarle):