rubix (Devoted Mortal)
Registered: 16/01/08 13:02  Posts: 7
Posted: 16 Jan 2008 13:13  Subject: Virus infection
Hi. I'm trying to remove some viruses from a computer...
I installed nod32, which detected and quarantined the following viruses:
WIN32/AGbot trojan
WIN32/Qhost trojan
WIN32/Adware.virtumonde
Then with Spybot I fixed 10 registry errors.
Then I ran an analysis with HijackThis
Code:
Logfile of HijackThis v1.99.1
Scan saved at 23.55.46, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\ESET\ESET Smart Security\ekrn.exe
C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\WINDOWS\system32\flvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {784077AE-467C-47E6-A8D3-82B567F25B59} - C:\WINDOWS\System32\gebyv.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Programmi\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [pronto] flvx.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [pronto] flvx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Internet Connection Sharing Firewall Service (AccessSharing) - Unknown owner - C:\WINDOWS\system\wcntfysvc.exe (file missing)
O23 - Service: Advance Service Process - Unknown owner - C:\Programmi\File comuni\System\MSASP32.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programmi\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET Smart Security\ekrn.exe
O23 - Service: hs7d2t9 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
and I removed the following entries:
O2 - BHO: (no name) - {784077AE-467C-47E6-A8D3-82B567F25B59} - C:\WINDOWS\System32\gebyv.dll (file missing)
O23 - Service: hs7d2t9 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O4 - HKLM\..\RunServices: [pronto] flvx.exe
O4 - HKLM\..\Run: [pronto] flvx.exe
O23 - Service: Advance Service Process - Unknown owner - C:\Programmi\File comuni\System\MSASP32.exe (file missing)
O23 - Service: Internet Connection Sharing Firewall Service (AccessSharing) - Unknown owner - C:\WINDOWS\system\wcntfysvc.exe (file missing)
I then saw that some of the (file missing) entries are files belonging to other kinds of viruses...
Anyway, having done that, I thought I was all set... Although I would delete the quarantined files myself.... But to be safe I'm asking you.
I'm attaching an image of the quarantined files.
Another thing: I can't delete the AVG folder (the antivirus that was there before).... the software has been uninstalled (or should be) but there were still active processes.... I removed them (with HijackThis) and took them out of autostart with Spybot too... but I can't delete the directory... :/
Another thing, the reason I'm writing here, is that IE doesn't work properly... that is, if I try to go to www.kaspersky.com it doesn't work, a different page from the original comes up (it can't be the hosts file, that one is in quarantine, and there is no hosts file on the system now...) but with Firefox there's no problem.... I can see the site fine (but to run the scan I need IE).
I hope you have a solution
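As an added example (not code from the thread, from HijackThis or from any of the tools named in it), here is a small Python triage script that reads HijackThis log lines like the ones posted above and flags the entries a helper would look at first. The rules it applies (orphaned "(file missing)" references, a BHO with no name, "Unknown owner" services, random-looking service names, a value name written under more than one Run-type key) are heuristics chosen for this illustration, and the sample log is an excerpt of the first log in the thread.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis v1.99.1 log posted in the thread (constructed sample for this example).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {784077AE-467C-47E6-A8D3-82B567F25B59} - C:\WINDOWS\System32\gebyv.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pronto] flvx.exe
O4 - HKLM\..\RunServices: [pronto] flvx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Internet Connection Sharing Firewall Service (AccessSharing) - Unknown owner - C:\WINDOWS\system\wcntfysvc.exe (file missing)
O23 - Service: Advance Service Process - Unknown owner - C:\Programmi\File comuni\System\MSASP32.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hs7d2t9 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
"""

# Line shapes HijackThis 1.99 uses for the three sections this script inspects.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Heuristic: a short lowercase alphanumeric name that mixes in digits (e.g. "hs7d2t9") looks machine-generated.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,10}$")


def service_short_name(display):
    """Return the service key name in trailing parentheses, or the display name if there is none."""
    m = re.search(r"\(([^()]+)\)$", display)
    return m.group(1) if m else display


def triage_hijackthis(log_text):
    """Return [(line, [reasons])] for every log line that deserves a closer look."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    # First pass: which Run-type keys carry each O4 value name (malware often writes all of them).
    keys_by_name = defaultdict(set)
    for ln in lines:
        m = O4_RE.match(ln)
        if m:
            keys_by_name[m["name"]].add(m["key"])
    findings = []
    for ln in lines:
        reasons = []
        if ln.endswith("(file missing)"):
            reasons.append("orphaned entry: the referenced file no longer exists")
        m = O2_RE.match(ln)
        if m and m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
        m = O4_RE.match(ln)
        if m:
            if m["key"] == "RunServices":
                reasons.append("RunServices is a Windows 9x autostart key that NT-based Windows ignores; rarely written by legitimate software")
            if len(keys_by_name[m["name"]]) > 1:
                reasons.append("same value name present under several Run-type keys: " + ", ".join(sorted(keys_by_name[m["name"]])))
        m = O23_RE.match(ln)
        if m:
            if m["owner"] == "Unknown owner":
                reasons.append("service binary carries no vendor information")
            if RANDOM_NAME_RE.match(service_short_name(m["display"])):
                reasons.append("random-looking service name")
        if reasons:
            findings.append((ln, reasons))
    return findings


def flagged_count(log_text):
    """Number of log lines the triage flagged."""
    return len(triage_hijackthis(log_text))


if __name__ == "__main__":
    for line, reasons in triage_hijackthis(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

On the excerpt the script flags exactly the six lines the poster chose to delete plus nothing else; a "(file missing)" hit alone (as with the leftover AVG service later in the thread) is a stale registration rather than proof of infection, so the reasons are listed rather than collapsed into a verdict.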
bdoriano (Administrator)
Registered: 02/04/07 12:05  Posts: 14391  Location: 3rd planet of the solar system...
Posted: 16 Jan 2008 13:23
Hi rubix,
there's some cleaning to do...
- Download VundoFix and VirtumundoBegone and save them to the desktop.
- Disable your antivirus
- Run VundoFix
Select Scan for Vundo and, when the scan finishes, choose Remove Vundo.
Click Yes and when asked to reboot the PC answer Ok.
On reboot Notepad should open with the log inside; copy the contents and post them on the forum.
- Now boot into safe mode
Run VirtumundoBeGone and follow the on-screen instructions.
Reboot the PC in normal mode and post the log.
- Follow the instructions in this topic to post the ComboFix log.
- Also make a new HijackThis log (use the updated version) and put it here.
rubix (Devoted Mortal)
Registered: 16/01/08 13:02  Posts: 7
Posted: 16 Jan 2008 13:35
ok
anyway.. I was about to add some info. From searches I've done I read that the file gebyv.dll belongs to the Vundo virus.. but the other files belonging to that virus aren't on the system... maybe it was removed by the previous antivirus (AVG)...
anyway, now I'll follow the instructions, it was just a clarification
rubix (Devoted Mortal)
Registered: 16/01/08 13:02  Posts: 7
Posted: 16 Jan 2008 14:02
VundoFix found no infected files. What do I do, continue with VirtumundoBegone?
bdoriano (Administrator)
Registered: 02/04/07 12:05  Posts: 14391  Location: 3rd planet of the solar system...
Posted: 16 Jan 2008 14:07
Yes, do all the steps even if they find nothing.
rubix (Devoted Mortal)
Registered: 16/01/08 13:02  Posts: 7
Posted: 16 Jan 2008 14:09
ok. Now I'm running combofix.exe but it doesn't work... I get
ComboFix.exe non è una applicazione di Win32 valida
bdoriano (Administrator)
Registered: 02/04/07 12:05  Posts: 14391  Location: 3rd planet of the solar system...
Posted: 16 Jan 2008 14:11
Download it from the second site.
rubix (Devoted Mortal)
Registered: 16/01/08 13:02  Posts: 7
Posted: 16 Jan 2008 14:48
ok, so... here are some logs
ComboFix
Code:
ComboFix 08-01-09.2 - User 2008-01-16 13:34:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.74 [GMT 1:00]
Eseguito da: C:\Documents and Settings\User\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\in.exe
C:\WINDOWS\system32\uk.exe
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\yxnxpdhtm.exe
.
((((((((((((((((((((((((( Files Creati Da 2007-12-16 al 2008-01-16 )))))))))))))))))))))))))))))))))))
.
2008-01-16 13:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 12:40 . 2008-01-16 12:40 <DIR> d-------- C:\VundoFix Backups
2008-01-16 01:33 . 2008-01-16 01:33 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-16 01:33 . 2005-02-25 04:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-16 01:27 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-16 01:27 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-16 01:27 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-16 01:27 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-16 01:27 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-16 01:25 . 2008-01-16 01:25 <DIR> d---s---- C:\Documents and Settings\User\UserData
2008-01-15 20:25 . 2008-01-15 20:25 <DIR> d-------- C:\Programmi\Lavasoft
2008-01-15 20:25 . 2008-01-15 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-01-15 20:24 . 2008-01-15 20:24 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-01-15 17:25 . 2007-12-24 11:49 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-01-15 17:25 . 2007-12-24 11:49 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-01-15 17:25 . 2007-12-24 11:49 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-01-15 17:25 . 2008-01-11 22:01 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-01-15 17:25 . 2007-12-24 11:49 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-01-15 17:25 . 2007-12-24 11:49 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-01-15 17:25 . 2007-12-24 11:49 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-01-15 17:25 . 2007-12-24 11:49 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-01-15 17:18 . 2008-01-15 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-01-15 16:43 . 2001-08-30 20:41 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-15 16:43 . 2001-08-30 20:41 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-15 16:43 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-15 16:43 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-15 16:35 . 2008-01-07 14:29 352 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-01-15 16:33 . 2008-01-15 16:33 <DIR> d-------- C:\Documents and Settings\User\Dati applicazioni\ESET
2008-01-15 16:31 . 2008-01-15 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\ESET
2008-01-15 16:10 . 2008-01-15 16:10 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-15 15:56 . 2008-01-16 13:17 <DIR> d-------- C:\hijackthis
2008-01-15 15:54 . 2008-01-15 15:54 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-11 23:02 . 2008-01-11 23:02 <DIR> d-------- C:\WINDOWS\system32\InsFiles
2008-01-11 23:01 . 2003-01-30 12:02 167,936 --a------ C:\WINDOWS\system32\stmcfg32.dll
2008-01-11 23:01 . 2003-01-22 12:01 151,552 --a------ C:\WINDOWS\system32\stmctrl.dll
2008-01-11 23:00 . 2008-01-11 23:00 <DIR> d-------- C:\Programmi\Telecom Italia
2008-01-11 22:52 . 2008-01-11 22:52 <DIR> d-------- C:\WINDOWS\Provisioning
2008-01-11 22:52 . 2008-01-11 22:58 <DIR> d-------- C:\WINDOWS\PeerNet
2008-01-11 22:52 . 2008-01-11 22:58 <DIR> d-------- C:\WINDOWS\ehome
2008-01-11 22:39 . 2008-01-11 22:39 <DIR> d-------- C:\Documents and Settings\NetworkService\Dati applicazioni\AVG7
2008-01-11 22:20 . 2004-08-03 22:31 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-01-11 22:19 . 2001-08-31 12:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-11 22:18 . 2001-08-31 12:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-11 22:17 . 2001-08-31 12:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-11 22:16 . 2004-08-19 15:39 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-11 22:15 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-11 22:12 . 2008-01-11 22:12 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-11 22:10 . 2004-08-03 23:01 124,800 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2008-01-11 22:10 . 2004-08-03 23:01 124,800 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-11 22:10 . 2004-08-03 22:21 81,920 --a--c--- C:\WINDOWS\system32\dllcache\msado27.tlb
2008-01-11 22:10 . 2004-08-19 15:39 22,528 --a------ C:\WINDOWS\system32\fltMc.exe
2008-01-11 22:10 . 2004-08-19 15:39 22,528 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-11 22:10 . 2004-08-19 15:39 18,432 --a--c--- C:\WINDOWS\system32\dllcache\iedw.exe
2008-01-11 22:10 . 2004-08-19 15:39 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2008-01-11 22:10 . 2004-08-19 15:39 16,896 --a--c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-11 22:07 . 2004-08-19 15:39 368,640 --a--c--- C:\WINDOWS\system32\dllcache\wmic.exe
2008-01-11 22:07 . 2004-08-19 15:39 92,672 --a--c--- C:\WINDOWS\system32\dllcache\policman.dll
2008-01-11 22:02 . 2001-08-31 12:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-01-11 22:02 . 2001-08-31 12:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-01-11 22:02 . 2001-08-31 12:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-01-11 22:02 . 2001-08-31 12:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-01-11 08:30 . 2008-01-11 08:30 256,560 --a------ C:\WINDOWS\system32\setup_it.exe
2008-01-10 21:13 . 2008-01-10 21:13 <DIR> dr------- C:\Documents and Settings\LocalService\Preferiti
2008-01-10 21:06 . 2008-01-11 18:40 7,552 --a------ C:\WINDOWS\system\delnew.exe
2008-01-10 21:06 . 2008-01-11 18:40 3,080 --a------ C:\msets.exe
2008-01-09 16:45 . 2001-11-06 16:29 94,208 --a------ C:\WINDOWS\system32\getpntid.exe
2008-01-09 16:45 . 2003-01-10 21:52 13,997 --a------ C:\WINDOWS\system32\Ssgb3mon.dll
2008-01-09 16:45 . 2001-03-20 16:10 3,262 --a------ C:\WINDOWS\reinstall.ico
2008-01-09 13:11 . 2008-01-09 13:11 <DIR> d-------- C:\Programmi\Samsung ML-1510_700 Series
2008-01-09 13:11 . 2001-03-20 14:52 766 --a------ C:\WINDOWS\Uninstall.ico
2008-01-09 08:49 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-07 12:35 . 2008-01-07 12:35 <DIR> d-------- C:\Programmi\XP Codec Pack
2008-01-07 12:33 . 2008-01-07 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Ahead
2008-01-07 12:30 . 2008-01-07 12:30 <DIR> d-------- C:\Programmi\Nero
2008-01-07 12:30 . 2008-01-07 12:32 <DIR> d-------- C:\Programmi\File comuni\Ahead
2008-01-07 12:30 . 2008-01-07 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Nero
2008-01-07 12:29 . 2008-01-11 22:14 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-01-07 12:26 . 2004-08-19 15:39 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-01-07 12:26 . 2004-08-19 15:39 91,136 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-01-07 12:26 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2008-01-07 12:26 . 2004-08-19 15:39 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-01-07 12:26 . 2004-08-03 23:10 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2008-01-07 12:26 . 2004-08-19 15:39 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-01-07 12:26 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2008-01-07 12:26 . 2004-08-03 23:10 17,024 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2008-01-07 12:26 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2008-01-07 12:26 . 2004-08-19 15:39 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-01-07 12:24 . 2008-01-07 12:24 <DIR> d--h-c--- C:\WINDOWS\$MSI30UninstallMSI30-KB884016$
2008-01-07 11:43 . 2008-01-11 21:06 <DIR> d-------- C:\Documents and Settings\User\Dati applicazioni\AVG7
2008-01-07 11:43 . 2008-01-11 08:00 <DIR> d-------- C:\Documents and Settings\LocalService\Dati applicazioni\AVG7
2008-01-07 11:43 . 2008-01-07 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Grisoft
2008-01-07 11:43 . 2008-01-15 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Avg7
2008-01-07 11:43 . 2008-01-07 11:43 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-07 11:43 . 2008-01-07 11:43 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-07 11:40 . 2005-07-11 21:12 524,850 -ra------ C:\WINDOWS\system32\drivers\ativcaxx.cpa
2008-01-07 11:40 . 2005-08-04 07:07 307,200 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2008-01-07 11:40 . 2005-06-10 21:59 95,617 -ra------ C:\WINDOWS\system32\atiicdxx.dat
2008-01-07 11:40 . 2005-06-08 20:45 58,560 -ra------ C:\WINDOWS\system32\drivers\ativckxx.vp
2008-01-07 11:40 . 2005-08-04 07:20 21,712 -ra------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2008-01-07 11:40 . 2005-06-07 08:25 5,496 -ra------ C:\WINDOWS\system32\atifglpf.xml
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 19:28 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-01-15 19:28 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-01-15 19:28 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-11 22:00 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-12-27 09:26 --------- d-----w C:\Programmi\File comuni\InstallShield
2007-12-24 14:19 --------- d-----w C:\Programmi\microsoft frontpage
2007-12-24 10:58 --------- d-----w C:\Programmi\Servizi in linea
2007-12-24 10:57 --------- d-----w C:\Programmi\File comuni\MSSoap
2007-12-24 10:49 --------- d-----w C:\Programmi\File comuni\SpeechEngines
2007-12-24 10:49 --------- d-----w C:\Programmi\File comuni\ODBC
2007-12-24 10:23 --------- d-----w C:\Programmi\Realtek Sound Manager
2007-12-24 10:23 --------- d-----w C:\Programmi\Realtek AC97
2007-12-24 10:23 --------- d-----w C:\Programmi\AvRack
2007-12-24 10:21 --------- d-----w C:\Programmi\C-Media 3D Audio
2003-04-08 12:00 182,272 --sha-r C:\WINDOWS\system32\flvx.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{784077AE-467C-47E6-A8D3-82B567F25B59}]
C:\WINDOWS\System32\gebyv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-08-19 15:51 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"SoundMan"="SOUNDMAN.EXE" [2006-05-17 07:06 81920 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="C:\Programmi\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 15:55 1628208]
"Samsung LBP SM"="C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" [2003-01-14 00:57 69632]
"AdslTaskBar"="stmctrl.dll" [2003-01-22 12:01 151552 C:\WINDOWS\system32\stmctrl.dll]
"egui"="C:\Programmi\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:39 15360]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.exe.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-24 15:34:38]
Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-24 15:34:38]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Programmi\Nero\Nero 7\InCD\InCD.exe
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2002-09-25 07:37]
S2 AccessSharing;Internet Connection Sharing Firewall Service;"C:\WINDOWS\system\wcntfysvc.exe" []
S2 Advance Service Process;Advance Service Process;"C:\Programmi\File comuni\System\MSASP32.exe" []
S3 TaurusUsb;ADSL Modem USB Service 1.09a;C:\WINDOWS\system32\DRIVERS\torususb.sys [2003-01-09 15:21]
S4 hs7d2t9;hs7d2t9;"C:\WINDOWS\system32\svshost.exe" []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 13:38:55
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-16 13:41:26 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-01-16 12:41:08
VundoFix
Code:
VundoFix V6.7.7
Checking Java version...
Sun Java not detected
Scan started at 12.40.26 16/01/2008
Listing files found while scanning....
No infected files were found.
Beginning removal...
VirtumundoBeGone
Code:
[01/16/2008, 13:14:11] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\User\Desktop\VirtumundoBeGone.exe" )
[01/16/2008, 13:14:23] - Detected System Information:
[01/16/2008, 13:14:23] - Windows Version: 5.1.2600, Service Pack 2
[01/16/2008, 13:14:23] - Current Username: Administrator (Admin)
[01/16/2008, 13:14:23] - Windows is in SAFE mode with Networking.
[01/16/2008, 13:14:23] - Searching for Browser Helper Objects:
[01/16/2008, 13:14:23] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/16/2008, 13:14:23] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/16/2008, 13:14:23] - BHO 3: {784077AE-467C-47E6-A8D3-82B567F25B59} ()
[01/16/2008, 13:14:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/16/2008, 13:14:23] - Checking for HKLM\...\Winlogon\Notify\gebyv
[01/16/2008, 13:14:23] - Key not found: HKLM\...\Winlogon\Notify\gebyv, continuing.
[01/16/2008, 13:14:23] - Finished Searching Browser Helper Objects
[01/16/2008, 13:14:23] - Finishing up...
[01/16/2008, 13:14:23] - Nothing found! Exiting...
EDIT: I noticed that a new directory QooBox was created... is that normal? Should I keep it?
rubix (Devoted Mortal)
Registered: 16/01/08 13:02  Posts: 7
Posted: 16 Jan 2008 16:29
I ran a scan with HijackThis...
here's the log
Code:
Logfile of HijackThis v1.99.1
Scan saved at 15.24.57, on 16/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\ESET\ESET Smart Security\ekrn.exe
C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Programmi\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200443204913
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Internet Connection Sharing Firewall Service (AccessSharing) - Unknown owner - C:\WINDOWS\system\wcntfysvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programmi\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
but some items I fixed with HijackThis reappear on reboot... that is, they don't get removed....
the entries I'm referring to are these:
Code:
O23 - Service: Internet Connection Sharing Firewall Service (AccessSharing) - Unknown owner - C:\WINDOWS\system\wcntfysvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Also, regarding AVG... I can't delete its directory... and it should already be uninstalled...
rubix (Devoted Mortal)
Registered: 16/01/08 13:02  Posts: 7
Posted: 16 Jan 2008 17:09
sorry for posting again... but in the meantime I ran an online scan with Kaspersky.
I'm attaching the post-scan report
Code:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 16, 2008 4:06:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/01/2008
Kaspersky Anti-Virus database records: 512843
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\User\IMPOST~1\Temp\
Scan Statistics:
Total number of scanned objects: 10575
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:15:54
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\setup_it.exe Infected: not-a-virus:Downloader.Win32.WinFixer.bq skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Do I delete the files in question? I was thinking of using a Linux live CD and then deleting the files from there (including AVG), since Windows won't let me delete them
bdoriano (Administrator)
Registered: 02/04/07 12:05  Posts: 14391  Location: 3rd planet of the solar system...
Posted: 17 Jan 2008 12:21
rubix wrote: EDIT: I noticed that a new directory QooBox was created... is that normal? Should I keep it?
No, you can delete it once the operations are finished (it's ComboFix's backup folder).
ComboFix removed something and highlighted other entries to remove.
Kaspersky also highlighted a few entries (few, to be honest).
Redo the scan, but a full one (on all the disks of the infected PC).