Olimpo Informatico

[Gio1983]

Risolto con il pc di casa (grazie all'aiuto di bdoriano ) adesso ho problemi con il portatile.. Come antivirus ho AVG,il quale ha rilevato presenza di Trojan Horse Downloader.Generic6.AGBZ .
Credevo di averli tolti invece sono ricomparsi.
Posto il log di Hijack.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.14.19, on 01/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Sitecom\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\CtrlSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg.exe
C:\Programmi\Sitecom\Software Bluetooth\BTTray.exe
C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\cpnptool.exe
G:\PhoneConnectorVMC.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\giorgia\Documenti\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/results.aspx?mkt=it-it&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://virgilio.alice.it/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgilio.it/free
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Tin.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PnPUI Registrator] C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg.exe -s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Sitecom WC - WL-162 (ZD1211B).lnk = C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\cpnptool.exe
O8 - Extra context menu item: Apri con Memoring - file://C:\Programmi\Memoring\psscript.js
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Sitecom\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Memoring - {69b50480-2506-11d5-ad03-0050badf8784} - file://C:\Programmi\Memoring\PsScript.js (file missing)
O9 - Extra 'Tools' menuitem: Memoring - {69b50480-2506-11d5-ad03-0050badf8784} - file://C:\Programmi\Memoring\PsScript.js (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Sitecom\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Sitecom\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Umail - {6B8F8CE8-E9F2-4677-A4E9-20484AEB4360} - http://www.umail.it (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.virgilio.it/free
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204557403128
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C6D50D1-3032-4980-8794-5CECA3F79BFF}: NameServer = 80.85.96.131 80.85.97.70
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\Sitecom\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Programmi\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Programmi\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: WZCControlingService - Unknown owner - C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\CtrlSvc.exe

--
End of file - 8121 bytes


Se qualcuno può dargli un'occhiata..
Grazie ancora per l'aiuto.

[bdoriano]

Toh! Ancora tu? Ma... non dovevamo vederci più?

Pulizie generiche:

• Disabilita il ripristino di sistema.
  
• Pulisci i files temporanei con ATF-Cleaner e/o CCleaner
  
• Scarica Norman Malware Cleaner e NOD32 Scanner.
  
• Avvia il pc in modalità provvisoria.
  
• Avvia NOD32 e fagli fare la scansione completa.
  
• Avvia Norman Malware Cleaner e fagli fare la scansione completa.
  Viene generato un log sul desktop chiamandolo NFix_2008-04-gg_hh-mm-ss.log, alla fine della scansione caricalo su FreeFileHosting come indicato qui e posta il link che ti viene assegnato.
  
• Segui le istruzioni di questo topic per postare il log di combofix.

[Gio1983]

Mi sa che sono il tuo incubo pomeriggio faccio tutte le operazioni..

[Gio1983]

Ecco il link del log di Norman Malware

http://www.freefilehosting.net/download/3ef62

Il log di Combofix :

ComboFix 08-03-30.5 - giorgia 2008-04-01 17:03:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.207 [GMT 2:00]
Eseguito da: C:\Documents and Settings\giorgia\Documenti\Programmi ANTIVIRUS\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-03-01 al 2008-04-01 )))))))))))))))))))))))))))))))))))
.

2008-04-01 15:06 . 2008-04-01 15:06 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-01 14:13 . 2008-04-01 14:13 <DIR> d-------- C:\Programmi\CCleaner
2008-04-01 14:11 . 2008-04-01 17:01 <DIR> d-------- C:\Programmi\ESET
2008-03-26 23:53 . 2008-03-26 23:53 <DIR> d-------- C:\WINDOWS\Logs
2008-03-26 23:53 . 2008-03-26 23:53 65,536 --a------ C:\WINDOWS\system32\CTRLWZRD.dll
2008-03-19 11:20 . 2008-03-19 11:20 <DIR> d-------- C:\Programmi\CambridgeSoft
2008-03-11 18:49 . 2008-03-11 18:49 <DIR> d-------- C:\Programmi\Microsoft SQL Server
2008-03-11 18:41 . 2008-03-13 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\CambridgeSoft
2008-03-11 18:39 . 2008-03-13 18:04 <DIR> d-------- C:\Python25
2008-03-11 17:43 . 2008-03-11 17:43 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-03 22:54 . 2008-03-03 22:57 <DIR> d-------- C:\Programmi\Windows Live
2008-03-03 22:54 . 2008-03-03 22:55 <DIR> d--hsc--- C:\Programmi\File comuni\WindowsLiveInstaller
2008-03-03 22:54 . 2008-03-03 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
2008-03-03 17:18 . 2007-07-30 20:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-03 17:18 . 2007-07-30 20:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-03 17:18 . 2007-07-30 20:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-03 17:18 . 2007-07-30 20:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 12:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\avg7
2008-04-01 11:18 --------- d-----w C:\Documents and Settings\giorgia\Dati applicazioni\AVG7
2008-03-26 21:53 --------- d-----w C:\Programmi\Common Files
2008-03-19 09:32 --------- d-----w C:\Programmi\OFFICE11
2008-03-13 16:01 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-03-04 11:22 --------- d-----w C:\Programmi\MSN Messenger
2008-02-20 22:34 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-02-20 22:33 --------- d-----w C:\Programmi\Lavasoft
2008-02-20 22:32 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-02-20 21:21 --------- d-----w C:\Programmi\File comuni\Sony Shared
2008-02-20 21:21 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Sony Corporation
2008-02-20 21:18 --------- d-----w C:\Programmi\sony
2008-02-20 21:11 --------- d-----w C:\Programmi\File comuni\Adobe
2008-02-12 10:20 --------- d-----w C:\Programmi\QuickTime
2008-02-12 10:20 --------- d-----w C:\Programmi\iTunes
2008-02-12 10:20 --------- d-----w C:\Programmi\Apoint
2008-02-04 16:21 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-02-04 13:02 40,960 ----a-w C:\WINDOWS\Del Piero 02.dll
2008-02-04 13:02 184,400 ----a-w C:\WINDOWS\Del Piero 02.scr
2008-02-04 13:02 1,089,745 ----a-w C:\WINDOWS\Del Piero 02.exe
2007-01-30 20:41 545,960 ----a-w C:\Programmi\sgc10_pase30_rdr80_DLM_en_US.exe
2007-01-04 18:23 41,567,632 ----a-w C:\Programmi\NIS07100IT.exe
2004-12-25 15:14 1,096,922 ----a-w C:\Programmi\VideoPlayer.exe
2004-01-15 08:43 2,893,952 ----a-w C:\Programmi\PPView97.exe
2004-01-15 08:14 1,897,672 ----a-w C:\Programmi\winzip81.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,048 2007-05-11 02:06:32 C:\Programmi\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 114,688 2003-06-13 13:52:14 C:\Programmi\Apoint\bak\Apoint.exe

----a-w 323,584 2003-04-28 19:00:00 C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 28,738 2001-09-11 13:27:10 C:\Programmi\File comuni\Microsoft Shared\Works Shared\bak\WkUFind.exe

----a-w 579,072 2008-01-17 13:45:41 C:\Programmi\Grisoft\AVG7\bak\avgcc.exe

----a-w 270,648 2007-07-10 07:18:20 C:\Programmi\iTunes\bak\iTunesHelper.exe

----a-w 36,975 2005-11-10 12:03:52 C:\Programmi\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 286,720 2007-06-29 04:24:52 C:\Programmi\QuickTime\bak\qttask.exe

----a-w 81,920 2003-04-01 08:00:00 C:\Programmi\sony\HotKey Utility\bak\HKserv.exe

----a-w 40,960 2002-08-20 08:29:26 C:\WINDOWS\system32\bak\ezSP_Px.exe
----a-w 40,960 2002-08-20 08:29:26 C:\WINDOWS\system32\ezSP_Px.exe

----a-w 74,752 2002-07-01 03:05:00 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S10IC2.EXE

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PnPUI Registrator"="C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg.exe" [2004-11-23 01:04 163840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 17:17 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - C:\Programmi\Sitecom\Software Bluetooth\BTTray.exe [2003-12-01 16:28:00 499779]
Sitecom WC - WL-162 (ZD1211B).lnk - C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\cpnptool.exe [2008-03-26 23:54:27 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
--a------ 2003-08-05 17:53 4608 C:\WINDOWS\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 10:29 40960 C:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2002-03-14 16:46 45056 C:\WINDOWS\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Programmi\\Vodafone\\Vodafone Mobile Connect\\NettGain1200_C.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=

R2 Wcproto;Wireless Configurator NDIS Protocol Driver for WXP/2000;C:\WINDOWS\system32\DRIVERS\wcproto.sys [2008-03-26 23:54]
R2 WZCControlingService;WZCControlingService;C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\CtrlSvc.exe [2008-03-26 23:54]
S3 G3GRSC;G3G R Smart Card;C:\WINDOWS\system32\DRIVERS\g3grsc.sys [2005-10-03 18:56]
S3 G3GRUMDM;G3G R USB Modem;C:\WINDOWS\system32\DRIVERS\g3grumdm.sys [2005-10-03 18:56]
S3 G3GRUSER;G3G R USB Serial;C:\WINDOWS\system32\DRIVERS\g3gruser.sys [2005-10-03 18:56]
S3 SKYNETU;B2C2 Broadband Receiver USB Adapter;C:\WINDOWS\system32\DRIVERS\SkyNETU.SYS [2002-06-04 19:11]
S3 TSClient;Tatara Protocol Driver;C:\WINDOWS\system32\drivers\tsclient.sys [2005-10-04 17:43]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2008-03-26 23:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05e6f731-af19-11dc-8fcf-001060a749cf}]
\Shell\AutoRun\command - G:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05e6f732-af19-11dc-8fcf-001060a749cf}]
\Shell\AutoRun\command - G:\VMC_PBStarter.exe

.
Contenuto della cartella 'Scheduled Tasks'
"2008-03-19 21:42:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 17:06:06
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\nod32drv]
"ImagePath"="\SystemRoot\system32\drivers\nod32drv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NOD32krn]
"ImagePath"="\"C:\Programmi\Eset\nod32krn.exe\""
.
Ora fine scansione: 2008-04-01 17:08:49
ComboFix-quarantined-files.txt 2008-04-01 15:08:47
14 Directory 9,621,831,680 byte disponibili
18 Directory 9,609,687,040 byte disponibili


Il log di HiJack..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.10.41, on 01/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Sitecom\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\CtrlSvc.exe
C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg.exe
C:\Programmi\Sitecom\Software Bluetooth\BTTray.exe
C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\cpnptool.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\giorgia\Documenti\Programmi ANTIVIRUS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://virgilio.alice.it/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [PnPUI Registrator] C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg.exe -s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Sitecom WC - WL-162 (ZD1211B).lnk = C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\cpnptool.exe
O8 - Extra context menu item: Apri con Memoring - file://C:\Programmi\Memoring\psscript.js
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Sitecom\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Memoring - {69b50480-2506-11d5-ad03-0050badf8784} - file://C:\Programmi\Memoring\PsScript.js (file missing)
O9 - Extra 'Tools' menuitem: Memoring - {69b50480-2506-11d5-ad03-0050badf8784} - file://C:\Programmi\Memoring\PsScript.js (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Sitecom\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Sitecom\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Umail - {6B8F8CE8-E9F2-4677-A4E9-20484AEB4360} - http://www.umail.it (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.virgilio.it/free
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204557403128
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\Sitecom\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Programmi\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Programmi\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: WZCControlingService - Unknown owner - C:\Programmi\Common Files\Sitecom Shared\PnP Universal Installer\CtrlSvc.exe

--
End of file - 7063 bytes


Questo é tutto..

[Gio1983]

Qualcuno può dare un'occhiata?

[Sante62]

Ciao Gio1983

Nel frattempo, avvia Hijackthis, seleziona queste righe e clicca fix Checked:
(quelle in rosso sono sospette, quindi se le conosci non eliminarle)

[Gio1983]

Ciao sante dunque non ho selezionato le righe del Sitecom perché ho un bluetooth e un USB adapter-wireless network della sitecom e vista la mia incompetenza in materia non vorrei combinare disastri...
adesso sto facendo la scansione con GMER Rootkit intanto ti posto il link del log di GMER Autostart..

http://www.freefilehosting.net/download/3ejij

Appena finisce l'altro,ti posto l'altro link.

Grazie mille!!

[Gio1983]

Ecco il link del log di GMER Rootkit..

http://www.freefilehosting.net/download/3ejj0


Aspetto notizie

[bdoriano]

Ciao Gio1983, rieccomi qui...

Nei logs di gmer e combofix non mi sembra di vedere oggetti pericolosi.
AVG riscontra ancora il virus che dicevi?

[Gio1983]

AVG ha trovato Trojan Horse Downloader Generic6 AGBZ in Adobe Reader_sl.exe,in Apoint.exe,in ATI Control Panel/atiptaxx.exe e in system32\spool\drivers\w32x86\3\E_S10lC2.EXE.
Qualche giorno fa ho disinstallato AVG e quando l'ho re-installato me li sono ritrovati in quarantena.

Idee?

[bdoriano]

Andiamo sul pesante...
Fai questa scansione con SystemScan e posta il log su FreeFileHosting come indicato qui.

[Gio1983]

Ecco fatto !!

http://www.freefilehosting.net/download/3ek3c

[Gio1983]

Ho notato che su AVG i file infetti che sono ricomparsi nella quarantena quando ho re-installato AVG hanno come data la prima data di comparsa(lo scorso 12 febbraio)..é normale?

[bdoriano]

Ciao Gio1983,

ho dato un'occhiata veloce al log e mi sembra pulito.
Hai provato a svuotare la quarantena di AVG? (Empty Virus Vault).

[Gio1983]

Risvuoto la quarantena e faccio una nuova scansione con AVG..Vediamo che succede..
Ti faccio sapere.

Grazie.

[Gio1983]

Finita la scansione di AVG, e non ha trovato nulla!!
Speriamo che non ricompaiono più!!
Grazie per l'aiuto a sante e a bdoriano!!

[Gio1983]

Questa mattina facendo una scansione completa con AVG ha trovato i file kernel32.dll , user32.dll , shell32.dll e ntoskrnl.exe (tutti in system32) come "result/infection change".
Una volta finita la scansione non compaiono da nessuna parte..nel senso né come virus né in quarantena.
Quindi deve essere un risultato modificato visto che virus non ne trova. Giusto?
Ma che significa?

[bdoriano]

Hai scaricato qualche aggiornamento di Windows?

Altri programmi che possono provocare una reazione simile, sono i rootkit... ma dai logs precedenti non ne ho visto traccia.

[Gio1983]

Ho scaricato un aggiornamento di Windows giovedì scorso..però il problema,(se di problema si tratta),é comparso solo oggi..Ho provato a rifare la scansione ma é sempre la stessa storia..compaiono quei file durante la scansione ma alla fine,il risultato della scansione é comunque a posto..non risultano né errori né virus.