Olimpo Informatico

pino

ciao a tutti

all'avvio del pc mi si apre una finestra

kxvo.exe errore di applicazione
L'istruzione a "0x10011edf" ha fatto riferimento alla memoria a "0x000000ff". L memoria non poteva essere read

da una ricerca su google mi ha mandato a fare una scansione con prevx csi che mi ha dato il seguente risultato:

E.DLL TROJAN.PACKED.7
KDK.DLL Packed
KKD7.DLL TROJAN.PACKED.7
RFA.DLL TROJAN.PACKED.7
T89TYM.DLL KAVKOP:Payload-A
TRU1.TMP Email-Worm.Win32.Banwarum.a
FOOL1.DLL KAVKOP:Payload-A
KXVO.EXE KAVKOP:Trojan-A
GVSQIKES.CMD Gammima:Worm-ag
KSO6.BAT PSW.OnlineGames.AQ

come posso ripulire la macchina? posto di seguito anche un log di hjt

un grazie anticipato per l'aiuto

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21.50.22, on 20/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\PrevxCSI\PrevxCSI.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\PrevxCSI\PrevxCSI.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programmi\File comuni\LogiShrd\LComMgr\LVComSX.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programmi\Logitech\SetPoint\SetPoint.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programmi\File comuni\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ZoneLabs\UpdClient.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijaackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [\TINY\EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\DOCUME~1\tiny\IMPOST~1\Temp\E_S6F.tmp" /EF "HKLM"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Aggiungi a PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197808572375
O17 - HKLM\System\CCS\Services\Tcpip\..\{75456062-E80C-4C1A-BC71-A361117C458A}: NameServer = 151.99.125.2,151.99.250.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8461F9C1-41B4-4950-87F0-E69F6C9E6AED}: NameServer = 151.99.125.2,151.99.250.2
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programmi\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Programmi\PrevxCSI\\PrevxCSI.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9370 bytes

Sante62 · Inviato: 20 Apr 2008 22:30 Oggetto:

Ciao pino

disattiva il ripristino di sistema e avvia il PC in modalità provvisoria;

Avvia Hijackthis, seleziona questa riga e clicca su fix Checked:

pino · Inviato: 21 Apr 2008 12:08 Oggetto:

ciao Sante e grazie per la tua risposta.

fatto tutto questi i report

combofix

ComboFix 08-04-20.2 - tiny 2008-04-21 13.00.12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1334 [GMT 2:00]
Eseguito da: C:\Documents and Settings\tiny\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Creati Da 2008-03-21 al 2008-04-21 )))))))))))))))))))))))))))))))))))
.

2008-04-21 11:45 . 2008-04-21 12:15 <DIR> d-------- C:\VEXPLITE
2008-04-21 11:45 . 2007-10-10 09:00 36,096 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2008-04-20 22:14 . 2008-04-20 22:14 <DIR> d-------- C:\Programmi\CCleaner
2008-04-20 21:42 . 2008-04-21 11:21 <DIR> d-------- C:\hijaackthis
2008-04-20 21:19 . 2008-04-20 21:35 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-04-11 15:51 . 2008-04-14 13:17 157,006 -r-hs---- C:\w2ngo.com
2008-04-09 21:42 . 2008-04-09 21:42 155,578 -r-hs---- C:\gvsqikes.cmd
2008-04-09 21:42 . 2008-04-20 19:12 88,064 -r-hs---- C:\WINDOWS\system32\fool1.dll
2008-04-09 21:41 . 2008-04-03 08:31 158,261 -r-hs---- C:\kso6.bat
2008-04-09 21:41 . 2008-04-14 13:17 157,006 -r-hs---- C:\WINDOWS\system32\kxvo.exe
2008-04-09 21:41 . 2008-04-21 11:10 88,064 -r-hs---- C:\WINDOWS\system32\fool0.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 01:12 85,076 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-20 01:12 6,989,856 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-12 14:07 --------- d-----w C:\Programmi\AutoCAD Architecture 2008
2008-04-07 19:35 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-20 11:45 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\ALM
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-28 17:58 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-02-28 17:57 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-02-28 17:53 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:01 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-02 20:58 1,543,680 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-09-08 12:06 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"ZoneAlarm Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 22:54 919016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-16 23:21 8466432]
"nwiz"="nwiz.exe" [2007-11-16 23:21 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-16 23:21 81920]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"LogitechCommunicationsManager"="C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 04:09 488984]
"LVCOMSX"="C:\Programmi\File comuni\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 04:12 244512]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"ISUSPM Startup"="C:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"ISUSScheduler"="C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"Acrobat Assistant 8.0"="C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 00:24 620152]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-04-09 15:49 1423360]
"\TINY\EPSON Stylus D78 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.exe" [2006-02-23 06:00 131072]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-04-21 11:47 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Synchronizer.lnk - C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]
Avvio veloce di Adobe Acrobat.lnk - C:\WINDOWS\Installer\{AC76BA86-1040-7D00-7760-000000000003}\_SC_Acrobat.exe [2007-12-18 00:12:36 295606]
Logitech Desktop Messenger.lnk - C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-17 11:22:55 67128]
Logitech SetPoint.lnk - C:\Programmi\Logitech\SetPoint\SetPoint.exe [2008-01-18 00:46:15 692224]
WinZip Quick Pick.lnk - C:\Programmi\WinZip\WZQKPICK.EXE [2007-12-17 15:24:14 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\Programmi\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"=

R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2007-10-10 09:00]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-04-21 11:47]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 16:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0154afe6-abb4-11dc-bde7-f2226133be0e}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a740b50-b549-11dc-a033-001e8c26914b}]
\Shell\AutoRun\command - J:\w2ngo.com
\Shell\explore\Command - J:\w2ngo.com
\Shell\open\Command - J:\w2ngo.com

*Newly Created Service* - CATCHME
*Newly Created Service* - VIRAGTLT
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 13:02:54
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\TINY\\EPSON Stylus D78 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIBGE.EXE /FU \"C:\\DOCUME~1\\tiny\\IMPOST~1\\Temp\\E_S6F.tmp\" /EF \"HKLM\""
.
Ora fine scansione: 2008-04-21 13.03.47
ComboFix-quarantined-files.txt 2008-04-21 11:03:44

9 Directory 236,588,412,928 byte disponibili
12 Directory 237,057,114,112 byte disponibili

118 --- E O F --- 2008-04-12 22:52:04

hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.07.02, on 21/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\VEXPLITE\viritsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programmi\File comuni\LogiShrd\LComMgr\LVComSX.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE
C:\VEXPLITE\MONLITE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programmi\Logitech\SetPoint\SetPoint.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\File comuni\Logitech\KhalShared\KHALMNPR.EXE
C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\hijaackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [\TINY\EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\DOCUME~1\tiny\IMPOST~1\Temp\E_S6F.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Aggiungi a PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197808572375
O17 - HKLM\System\CCS\Services\Tcpip\..\{75456062-E80C-4C1A-BC71-A361117C458A}: NameServer = 151.99.125.2,151.99.250.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8461F9C1-41B4-4950-87F0-E69F6C9E6AED}: NameServer = 151.99.125.2,151.99.250.2
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programmi\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9671 bytes

Sante62 · Inviato: 21 Apr 2008 14:44 Oggetto:

Cortesemente, posta anche il log di Virit...

Combofix ha eliminato qualcosa, ma credo ci sia dell'altro...

Se è presente elimina manualmente questo file indicato in grassetto:

pino · Inviato: 21 Apr 2008 15:08 Oggetto:

appena riesco vedo di recuperare il log di virit e lo posto, poi aspetto la tua risposta o posso iniziare a fare le altre operazioni?

ciao

pino · Inviato: 21 Apr 2008 15:19 Oggetto:

recuperato il log di virit

VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
21/04/2008 - 11:50:35

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
21/04/2008 - 11:52:43

[SCANSIONE DEL REGISTRO]
{CE7C3CF0-4B15-11D1-ABED-709549C10000} Infetto da BHO.Agent.HX
* * * RIMOSSO * * *

[A:]
BOOT SECTOR: OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Documents and Settings\tiny\Impostazioni locali\Temp\Rar$EX01.625\Patch.exe Infetto da CrackTool.Revenge.A
* * * RIMOSSO * * *
C:\Patch.exe Infetto da CrackTool.Revenge.A
* * * RIMOSSO * * *

[D:]

[E:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

E:\copie pc vecchio\D\posta\IM\Identities\{6A8C432E-18CC-4930-B818-B3F9BF85C54D}\Message Store\Attachments\{E8B2F1F9-9A76-4BD8-B285-C4161496CFEA}\Sballo!!!.exe Infetto da Joke.Setup
* * * RIMOSSO * * *
E:\copie pc vecchio\D\posta\IM\Identities\{6A8C432E-18CC-4930-B818-B3F9BF85C54D}\Message Store\Attachments\{F7247B5B-AD41-4355-847C-96EB02A2ADEE}\Sballo!!!.exe Infetto da Joke.Setup
* * * RIMOSSO * * *
E:\copie pc vecchio\D\Programmi\WinRAR\Uninstall.Exe Infetto da Backdoor.PoeBot.D
* * * RIMOSSO * * *

[F:]
BOOT SECTOR: OK

[G:]
BOOT SECTOR: OK

[H:]
BOOT SECTOR: OK

[I:]
BOOT SECTOR: OK

[J:]
BOOT SECTOR: OK

Chiavi Registro infette: 1.
Files Infetti: 5.
Files Sospetti: 0.
Files Analizzati: 207589.
Files Totali: 207589.
Chiavi Registro rimosse: 1.
Virus Rimossi: 5.

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
21/04/2008 - 13:15:41

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 80103.
Files Totali: 80103.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

[SCANSIONE DELLA MEMORIA]
OK

pino · Inviato: 21 Apr 2008 15:22 Oggetto:

C:\WINDOWS\system32\kxvo.exe non è presente

invece è presente C:\WINDOWS\prefetch\KXVO.EXE-00D5F4A6.pf

pino · Inviato: 21 Apr 2008 19:22 Oggetto:

ecco il log

Norman Malware Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/04/14 19:07:00

Norman Scanner Engine Version: 5.92.04
Nvcbin.def Version: 5.92.00, Date: 2008/04/14 19:07:00, Variants: 1516167

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 2
Logged on user: VALE\tiny

Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000

Scan started: 21/04/2008 17:46:04

Scanning running processes and process memory...

Number of processes/threads found: 578
Number of processes/threads scanned: 578
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 11s

Scanning file system...

Scanning: C:\*.*

C:\gvsqikes.cmd (Infected with W32/NSAnti.HZU)
Deleted file

C:\kso6.bat (Infected with W32/NSAnti.HYL)
Deleted file

C:\QooBox\Quarantine\C\autorun.inf.vir (Infected with BAT/AutoRun.AE)
Deleted file

C:\QooBox\Quarantine\E\autorun.inf.vir (Infected with BAT/AutoRun.AE)
Deleted file

Scanning: E:\*.*

E:\gvsqikes.cmd (Infected with W32/NSAnti.HZU)
Deleted file

E:\kso6.bat (Infected with W32/NSAnti.HYL)
Deleted file

Scanning: c:\System Volume Information\*.*

Scanning: e:\System Volume Information\*.*

Running post-scan cleanup routine:

Number of files found: 281038
Number of archives unpacked: 1966
Number of files scanned: 281003
Number of files not scanned: 35
Number of files skipped due to exclude list: 0
Number of infected files found: 6
Number of infected files repaired/deleted: 6
Number of infections removed: 19
Total scanning time: 1h 24m 38s

log di systemscan

link

Sante62 · Inviato: 21 Apr 2008 22:01 Oggetto:

Dal log di sistemscan non risultano altre cose strane...

però risulta presente ancora il file

pino · Inviato: 22 Apr 2008 14:33 Oggetto:

ho cancellato C:\WINDOWS\system32\kxvo.exe

non viene portata a termine la scansione online di Kaspersky, l'ho lanciata più volte, si blocca sempre al 14%......

Sante62 · Inviato: 22 Apr 2008 16:10 Oggetto:

Prova a vedere
questa discussione;

e quest'altra

pino · Inviato: 22 Apr 2008 18:37 Oggetto:

ho letto le due discussioni, fanno riferimento a mancata partenza della scansione

il mio caso è diverso, immaginando che avrebbe chiesto di installare dei controlli activex, ho usato subito explorer, dopo le prime videate ha scaricato ed installato i controlli activex, ho disattivato l'antivirus e il firewall, la scansione parte, e dopo un pò si blocca, sempre al 14%, sempre sullo stesso file c:\system volume information\tracking.log

ho provato ad aspettare anche quasi 1 ora per vedere se poi si sbloccava..... senza esito

pino · Inviato: 22 Apr 2008 19:17 Oggetto:

ho fatto un riavvio in modalità provvisoria con connessioni di rete

lanciato la scansione online, adesso ha passato il punto critico ed ha superato il 15%

pino · Inviato: 22 Apr 2008 20:27 Oggetto:

ho portato a termine la scansione con kaspersky, qui sotto riporto il log

dopo la scansione, al riavvio in modalità normale, si è ripresentata la finestra :
kxvo.exe errore di applicazione
L'istruzione a "0x10011edf" ha fatto riferimento alla memoria a "0x000000ff". L memoria non poteva essere read

il filew kxvo.exe non c'è ma si è ripresentato il file KXVO.EXE-00D5F4A6.pf

ultima cosa, la partizione J è una chiave USB che era rimasta collegata, i files riportati nel log di kaspersky non li vedo.....

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 22, 2008 9:12:31 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/04/2008
Kaspersky Anti-Virus database records: 721742
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 205728
Number of viruses found: 8
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 01:00:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\tiny\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\tiny\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tiny\Impostazioni locali\Cronologia\History.IE5\MSHist012008042220080423\index.dat Object is locked skipped
C:\Documents and Settings\tiny\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\tiny\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\tiny\Impostazioni locali\Temp\rfa.dll Infected: Trojan-PSW.Win32.OnLineGames.aaqb skipped
C:\Documents and Settings\tiny\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tiny\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\tiny\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\tiny\UserData\index.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\w2ngo.com Infected: Worm.Win32.AutoRun.dit skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\fool0.dll Infected: Trojan-PSW.Win32.OnLineGames.aapy skipped
C:\WINDOWS\system32\fool1.dll Infected: Trojan-PSW.Win32.OnLineGames.aapy skipped
C:\WINDOWS\system32\ieso0.dll Infected: Trojan-PSW.Win32.OnLineGames.aapz skipped
C:\WINDOWS\system32\kxvo.exe Infected: Worm.Win32.AutoRun.dit skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\fgf095.zip/setup.exe/WISE0070.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\fgf095.zip/setup.exe/WISE0071.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\fgf095.zip/setup.exe/WISE0072.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\fgf095.zip/setup.exe/WISE0073.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\fgf095.zip/setup.exe/WISE0074.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\fgf095.zip/setup.exe Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\fgf095.zip ZIP: infected - 6 skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\setup.exe/WISE0070.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\setup.exe/WISE0071.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\setup.exe/WISE0072.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\setup.exe/WISE0073.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\setup.exe/WISE0074.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\setup.exe WiseSFX: infected - 5 skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\tombola\msof0104.zip/MSOFPASS.EXE Infected: not-a-virus:PSWTool.Win32.MSOfPass.a skipped
E:\file da babbuz\copie pc vecchio\F\copia dati CD download\tombola\msof0104.zip ZIP: infected - 1 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\w2ngo.com Infected: Worm.Win32.AutoRun.dit skipped
J:\w2ngo.com Infected: Worm.Win32.AutoRun.dit skipped
J:\32.com Infected: Worm.Win32.AutoRun.cib skipped
J:\kso6.bat Infected: Trojan.Win32.Vaklik.yl skipped

Scan process completed.

Sante62 · Inviato: 22 Apr 2008 22:27 Oggetto:

Ora si capisce perchè ti reinfettavi sempre;

sicuramente è la chiavetta USB che ti ha infettato il PC;

quei file non li vedi perchè il virus li tiene nascosti;

adesso avvia Systemscan;

clicca su Removal Script;

nel box inserisci questo script;

pino · Inviato: 22 Apr 2008 22:39 Oggetto:

fatto

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lnminrus

*******************

Script file located at: \??\C:\Documents and Settings\hoolrhwv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\tiny\Impostazioni locali\Temp\rfa.dll deleted successfully.
File C:\WINDOWS\system32\fool0.dll deleted successfully.
File C:\WINDOWS\system32\fool1.dll deleted successfully.
File C:\WINDOWS\system32\ieso0.dll deleted successfully.
File C:\WINDOWS\system32\kxvo.exe deleted successfully.
File E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\fgf095.zip deleted successfully.
File E:\file da babbuz\copie pc vecchio\F\copia dati CD download\DWLD PROGRAMMI\FlashGet\setup.exe deleted successfully.
File E:\file da babbuz\copie pc vecchio\F\copia dati CD download\tombola\msof0104.zip deleted successfully.
File E:\w2ngo.com deleted successfully.

Could not open file J:\w2ngo.com for deletion
Deletion of file J:\w2ngo.com failed!

Could not process line:
J:\w2ngo.com
Status: 0xc000003a

Could not open file J:\32.com for deletion
Deletion of file J:\32.com failed!

Could not process line:
J:\32.com
Status: 0xc000003a

Could not open file J:\kso6.bat for deletion
Deletion of file J:\kso6.bat failed!

Could not process line:
J:\kso6.bat
Status: 0xc000003a

Program C:\Documents and Settings\tiny\Desktop\A kit per virus\sys87544.exe successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

pino · Inviato: 22 Apr 2008 22:40 Oggetto:

la chiave USB è sempre al suo posto, non è mai stata tolta

Sante62 · Inviato: 22 Apr 2008 23:10 Oggetto:

A questo punto, ti consiglierei di formattare subito la chiavetta USB, prima che ti reifetti di nuovo...

pino · Inviato: 23 Apr 2008 09:13 Oggetto:

grazie Sante

ho formattato la chiavetta

al riavvio, suspectfile mi ha chiesto di fare una scansione, qui ho nesso il report link

pino · Inviato: 23 Apr 2008 10:19 Oggetto:

ma è normale che ad ogni riavvio, prima di caricare Windows, si apra la finestra di suspectfile e fino a quando non la chiudo il caricamento non procede?

per una verifica ho lanciato una nuova scansione con Kansperski, ha trovato ancora dei virus ,
Non ho il report perchè la scansione si blocca ancora come ieri al 14% sempre sullo stesso file......

adesso sto facendo una scansione in modalità provvisoria, poi posto il risultato