Olimpo Informatico

[bob80]

Ciao a tutti,
ho avuto un virus che mi ha impallato il sistema per diversi giorni. Si chiama Sdbot.KYZ.worm.
Avevo l'Avast che si è subito arreso (è stato disabilitato e non sono più riuscito a riabilitarlo) e comparivano strani processi che occupavano il 99% della CPU e in ogni archivio che avevo ho trovato oltre ai vecchi file anche un file.com che veniva riconosciuto come virus (lo stesso di sopra).
Per ora ho installato AVG che mi ha risolto parecchio. Non ci sono processi strani ed invasivi in esecuzione e li ho anche tolti dall'esecuzione automatica. Avevo anche fatto la scansione online con Panda, ma non aveva dato grande supporto.
Cmq ogni tanto l'antivirus trova dei "tracking cookie" e non so se sia normale e l'altro giorno quando ho riavviato mi si era disabilitata il Resident Shield cioè la protezione attiva.
Insomma non sono sicuro di aver debellato il virus completamente.
Mi attengo alla procedura e intanto posto il log di HJT.
Eccolo:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.35.12, on 02/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Programmi\D-Link\AirPlus G\AirGCFG.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Programmi\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195079059577
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195485710932
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6688 bytes

Ho disattivato tutti i programmi inutili, tranne AVG e Spybot... mi dispiace se è troppo lungo.
Attendo notizie e a presto.
Roberto.

[Sante62]

Ciao bob80

Nel log di Hijackthis non ci sono cose strane...segno che la maggior parte dei file infetti li ha già rimossi il tuo antivirus...

Scarica Virit
Aggiornalo mediante l'icona della parabola posta nella barra in alto e fagli fare la scansione completa del PC.
Fai in modo che rimuova automaticamente i file infetti trovati.
Non dimenticare di disattivare momentaneamente il tuo antivirus.
Incolla poi quì il risultato.

Fai anche la scansione con Combofix

[bob80]

Ciao Sante 62,
la scansione con Virit ha dato questo risultato:

-------------INIZIO REPORT SCANZIONE----------
VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
02/05/2008 - 19:35:42

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 88838.
Files Totali: 88838.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

--------------------------------------------------------
02/05/2008 - 20:36:58

[SCANSIONE DEL REGISTRO]
OK

[D:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

D:\System Volume Information\_restore{B8D00517-E187-46D7-B3A4-FA233CC50A87}\RP149\A0076199.exe Possibile variante da Trojan.Win32.Small.AH
D:\System Volume Information\_restore{B8D00517-E187-46D7-B3A4-FA233CC50A87}\RP149\A0076200.exe Possibile variante da Trojan.Win32.Small.AH
D:\mIRC\mirc32.exe Infetto da Backdoor.mIRC.G
* * * RIMOSSO * * *
D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\earth.exe Possibile variante da Trojan.Win32.Agent.AAQ
D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\earth_moon.exe Possibile variante da Trojan.Win32.Agent.AAQ
D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\ex_2.exe Possibile variante da Trojan.Win32.Small.GV
D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\ex_3.exe Possibile variante da Trojan.Win32.Agent.AAQ
D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\rotatingcube.exe Possibile variante da Trojan.Win32.Small.IT
D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\shapes.exe Possibile variante da Trojan.Win32.Small.IT
D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\ttest.exe Possibile variante da I-WORM.Lovsan.C
D:\Universita\Informatica grafica\IG_12 26-05-2004\earth.exe Possibile variante da Trojan.Win32.Agent.AAQ
D:\Universita\Informatica grafica\IG_12 26-05-2004\earth_moon.exe Possibile variante da Trojan.Win32.Agent.AAQ
D:\Universita\Informatica grafica\IG_12 26-05-2004\ex_2.exe Possibile variante da Trojan.Win32.Small.GV
D:\Universita\Informatica grafica\IG_12 26-05-2004\ex_3.exe Possibile variante da Trojan.Win32.Agent.AAQ
D:\Universita\Informatica grafica\IG_12 26-05-2004\rotatingcube.exe Possibile variante da Trojan.Win32.Small.IT
D:\Universita\Informatica grafica\IG_12 26-05-2004\shapes.exe Possibile variante da Trojan.Win32.Small.IT
D:\Universita\Informatica grafica\IG_12 26-05-2004\ttest.exe Possibile variante da I-WORM.Lovsan.C

Chiavi Registro infette: 0.
Files Infetti: 17.
Files Sospetti: 0.
Files Analizzati: 30214.
Files Totali: 30214.
Chiavi Registro rimosse: 0.
Virus Rimossi: 1.

--------------------------------------------------------
02/05/2008 - 20:56:43

[SCANSIONE DEL REGISTRO]
OK

[E:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 41.
Files Totali: 41.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

-------------FINE REPORT SCANZIONE----------


Per quanto riguarda combofix il risultato è questo:

-------------INIZIO REPORT COMBOFIX----------
ComboFix 08-05-01.3 - bob80 2008-05-02 21.03.23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.357 [GMT 2:00]
Eseguito da: C:\Documents and Settings\bob80\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-04-02 al 2008-05-02 )))))))))))))))))))))))))))))))))))
.

2008-05-02 20:33 . 2008-05-02 20:33 0 --a------ C:\WINDOWS\listcmd.bin
2008-05-02 19:31 . 2008-03-17 19:23 39,808 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2008-05-02 19:30 . 2008-05-02 20:47 <DIR> d-------- C:\VEXPLITE
2008-05-02 10:33 . 2008-05-02 11:04 <DIR> d-------- C:\HiJackThis
2008-04-30 19:33 . 2008-04-30 19:33 <DIR> d-------- C:\Programmi\Data Doctor Password Unmask
2008-04-28 07:31 . 2008-05-02 10:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-28 07:20 . 2008-05-01 21:08 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-28 07:20 . 2008-04-28 07:20 <DIR> d-------- C:\Programmi\AVG
2008-04-28 07:20 . 2008-04-28 07:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\avg8
2008-04-28 07:20 . 2008-04-28 07:20 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-28 07:20 . 2008-04-28 07:20 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-28 07:20 . 2008-04-28 07:20 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-28 07:17 . 2008-05-02 21:03 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\NtUser.dat.LOG
2008-04-28 07:10 . 2008-04-28 07:05 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-28 07:10 . 2008-04-28 07:10 2,549 --a------ C:\WINDOWS\unins000.dat
2008-04-27 21:29 . 2008-04-28 05:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-04-27 21:29 . 2008-04-27 21:29 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-04-27 21:29 . 2008-04-27 21:29 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-04-27 21:29 . 2008-04-27 21:29 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-04-26 14:34 . 2007-11-14 23:16 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-04-26 14:34 . 2007-11-14 23:16 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-04-26 14:34 . 2007-11-14 23:16 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-04-26 14:34 . 2007-11-14 23:22 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-04-26 14:34 . 2007-11-14 23:16 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-04-26 14:34 . 2008-05-02 21:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-04-26 14:34 . 2007-11-14 23:16 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-04-26 14:34 . 2007-11-14 23:16 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-04-26 14:34 . 2008-04-28 07:21 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-26 14:34 . 2008-05-02 21:03 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-26 13:59 . 2008-04-29 23:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 13:59 . 2008-04-26 13:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-25 22:33 . 2008-04-28 07:19 12 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-04-25 22:31 . 2008-04-28 09:41 <DIR> d-------- C:\Programmi\ESET
2008-04-23 17:35 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-04-22 18:18 . 2008-04-22 18:18 0 --a------ C:\WINDOWS\PCFriend.INI
2008-04-22 18:12 . 2008-04-22 18:13 <DIR> d-------- C:\Programmi\PCFriendly
2008-04-22 18:12 . 1996-10-15 18:01 298,496 --a------ C:\WINDOWS\uninst.exe
2008-04-22 18:12 . 1999-09-27 17:15 78,848 --a------ C:\WINDOWS\system32\INLOADER.DLL
2008-04-22 18:03 . 2008-04-22 18:03 <DIR> d-------- C:\Documents and Settings\bob80\Dati applicazioni\dvdcss
2008-04-19 09:30 . 2008-04-19 09:30 <DIR> d-------- C:\Programmi\File comuni\PCSuite
2008-04-19 09:30 . 2008-04-19 09:30 <DIR> d-------- C:\Programmi\File comuni\Nokia
2008-04-19 09:29 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-04-19 09:28 . 2008-04-19 09:29 <DIR> d-------- C:\Programmi\PC Connectivity Solution
2008-04-12 16:50 . 2008-04-24 10:51 <DIR> d-------- C:\Programmi\nLite
2008-04-04 09:46 . 2008-04-09 10:04 158 --a------ C:\WINDOWS\hpbafd.ini
2008-04-03 12:44 . 2008-04-03 12:44 <DIR> d-------- C:\Programmi\Common Files
2008-04-03 12:42 . 2008-04-03 12:42 126 --a------ C:\WINDOWS\mdm.ini
2008-04-03 12:31 . 2008-04-03 12:31 <DIR> d-------- C:\Programmi\Pubblicazione guidata
2008-04-03 12:31 . 1998-04-21 12:20 145,360 -ra------ C:\WINDOWS\system32\WEBPOST.DLL
2008-04-03 12:31 . 1998-05-28 14:26 121,472 -ra------ C:\WINDOWS\system32\CRSWPP.DLL
2008-04-03 12:31 . 1998-06-02 10:48 110,016 -ra------ C:\WINDOWS\system32\WPWIZDLL.DLL
2008-04-03 12:31 . 1998-04-21 12:20 98,960 -ra------ C:\WINDOWS\system32\FTPWPP.DLL
2008-04-03 12:31 . 1998-05-22 10:13 98,496 -ra------ C:\WINDOWS\system32\POSTWPP.DLL
2008-04-03 12:31 . 1998-05-22 10:13 92,432 -ra------ C:\WINDOWS\system32\FPWPP.DLL
2008-04-03 12:31 . 1998-04-21 12:20 50,816 -ra------ C:\WINDOWS\system32\PIPARSE.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 05:18 --------- d-----w C:\Documents and Settings\bob80\Dati applicazioni\uTorrent
2008-04-28 10:12 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-04-28 07:41 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-04-23 20:54 --------- d-----w C:\Documents and Settings\bob80\Dati applicazioni\gtk-2.0
2008-04-23 15:36 155,995 ----a-w C:\WINDOWS\java\Packages\CU7NB575.ZIP
2008-04-19 07:30 --------- d-----w C:\Programmi\Nokia
2008-04-19 07:02 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Installations
2008-04-18 22:21 --------- d-----w C:\Programmi\eMule
2008-04-14 19:46 --------- d-----w C:\Documents and Settings\bob80\Dati applicazioni\Skype
2008-04-14 19:01 --------- d-----w C:\Documents and Settings\bob80\Dati applicazioni\skypePM
2008-03-30 09:58 --------- d-----w C:\Programmi\StarUML
2008-03-26 15:51 --------- d-----w C:\Programmi\Consumer Update Firmware
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 11:21 --------- d-----w C:\Documents and Settings\bob80\Dati applicazioni\Nokia Multimedia Player
2008-03-17 11:19 --------- d-----w C:\Documents and Settings\bob80\Dati applicazioni\Nokia
2008-03-16 00:45 --------- d-----w C:\Programmi\Java
2008-03-14 11:01 --------- d-----w C:\Programmi\GPLGS
2008-03-14 10:59 --------- d-----w C:\Programmi\Acro Software
2008-03-09 10:33 --------- d-----w C:\Documents and Settings\bob80\Dati applicazioni\Apple Computer
2008-03-09 10:23 --------- d-----w C:\Programmi\QuickTime
2008-03-09 10:22 --------- d-----w C:\Programmi\Apple Software Update
2008-03-09 10:22 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2008-03-09 10:22 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple
2008-03-07 13:17 --------- d-----w C:\Programmi\AVIConverter
2008-03-07 12:15 --------- d-----w C:\Programmi\Allok AVI MPEG Converter
2008-03-07 12:06 --------- d-----w C:\Programmi\NCH Software
2008-03-07 11:52 --------- d-----w C:\Programmi\TeXnicCenter
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-11-16 16:16 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:39 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [2002-05-09 04:19 303104]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [2002-01-25 03:30 290816]
"D-Link AirPlus G"="C:\Programmi\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 16:04 1544192]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-28 07:20 1177368]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-20 00:39 160256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:39 15360]
"Nokia.PCSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^BTTray.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-20 00:39 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft OCX]
C:\WINDOWS\system32\gkwfpofzz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Programmi\Eset\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\uTorrent\\uTorrent.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
"C:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"C:\\Programmi\\AVG\\AVG8\\avgemc.exe"=

R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-03-17 19:23]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-28 07:20]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-28 07:20]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-28 07:20]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-28 07:20]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-05-02 19:32]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-06-17 20:31]
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 rockusb;Driver for rockusb Device;C:\WINDOWS\system32\DRIVERS\rockusb.sys [2006-03-22 20:57]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 07:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 08:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34e8ebb3-b9e8-11dc-a2bb-00195bd145c2}]
\Shell\Auto\command - G:\voxtdjuqc.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL voxtdjuqc.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - VIRAGTLT
.
Contenuto della cartella 'Scheduled Tasks'
"2008-04-19 07:59:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 21:08:36
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-05-02 21.11.07
ComboFix-quarantined-files.txt 2008-05-02 19:10:54

10 Directory 3,462,070,272 byte disponibili
14 Directory 4,102,119,424 byte disponibili

184

-------------FINE REPORT COMBOFIX----------

Cosa ne pensi?
Grazie,
Roberto

[Sante62]

Penso che ancora c'è dell'altro...

Scarica Norman Malware Cleaner
disattiva il ripristino di sistema e avvia il PC in modalità provvisoria
Avvia Norman Malware Cleaner.
Viene generato un log sul desktop chiamandolo NFix_2008-01-gg_hh-mm-ss.log, alla fine della scansione postalo qui.

[bob80]

Ecco il report di Norman:

Norman Malware Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/04/29 19:17:00

Norman Scanner Engine Version: 5.92.04
Nvcbin.def Version: 5.92.00, Date: 2008/04/29 19:17:00, Variants: 1600559

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600(Safe mode) Service Pack 2
Logged on user: IL_MIO_TESORO\bob80

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = "avgrsstx.dll" -> ""
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000

Scan started: 03/05/2008 13:30:52


Scanning running processes and process memory...

Number of processes/threads found: 543
Number of processes/threads scanned: 543
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 21s


Scanning file system...

Scanning: C:\*.*

Scanning: D:\*.*

D:\Universita\Ottimizzazione Combinatoria\Nuove lezioni\Zaino.rar/Zaino3.plg (Error whilst scanning file: I/O Error)

D:\Utility\Editor\Immagini\S-Spline v2.1\Crack\SSpline21_crack.exe (Infected with Dialer.AXUT)
Deleted file

Scanning: E:\*.*

Scanning: d:\System Volume Information\*.*


Running post-scan cleanup routine:

Number of files found: 198868
Number of archives unpacked: 1151
Number of files scanned: 198847
Number of files not scanned: 21
Number of files skipped due to exclude list: 0
Number of infected files found: 1
Number of infected files repaired/deleted: 1
Number of infections removed: 1
Total scanning time: 1h 32m 3s


Mi insospettiscono quei due file sospetti (scusa il gioco di parole) che Virit aveva trovato in D:\System Volume Information.
Cmq attendo istruzioni.
Saluti,
Roberto

[bob80]

P.S. come mai in modalità provvisoria mi compaiono due utenti?
bob80 e Administrator... mentre quando avvio il sistema normalmente mi compare solo bob80... è normale?

[Sante62]

Ritengo sia normale...

Scarica The Avenger (Nuova versione)
Scompattalo in una sua cartella in c:\
Avvialo e clicca su OK
all'interno del box bianco
Inserisci queste righe:

[bob80]

Eccolo.
Gli errori sono dovuti al fatto che quei file li avevo cancellati io manualmente. Per quanto riguarda la chiave di registro mi ha detto che non poteva cancellarla perchè non aveva accesso a quell'area di registro.
Come siamo messi ora?


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sat May 03 17:42:23 2008

17:42:14: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34e8ebb3-b9e8-11dc-a2bb-00195bd145c2}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\earth.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\earth.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\earth_moon.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\earth_moon.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\ex_2.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\ex_2.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\ex_3.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\ex_3.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\rotatingcube.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\rotatingcube.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\shapes.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\shapes.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\ttest.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\IG_12 26-05-2004\ttest.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\earth.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\earth.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\earth_moon.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\earth_moon.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\ex_2.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\ex_2.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\ex_3.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\ex_3.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\rotatingcube.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\rotatingcube.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\shapes.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\shapes.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "D:\Universita\Informatica grafica\IG_12 26-05-2004\ttest.exe" not found!
Deletion of file "D:\Universita\Informatica grafica\IG_12 26-05-2004\ttest.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

[bob80]

Con Kaspersky online scanner ho fatto analizzare la cartella sospetta su D:\ e ha dato questo risultato:
Infected Object Name Virus Name Last Action
D:\System Volume Information\_restore{B8D00517-E187-46D7-B3A4-FA233CC50A87}\RP150\A0078301.exe/data0005 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\System Volume Information\_restore{B8D00517-E187-46D7-B3A4-FA233CC50A87}\RP150\A0078301.exe Astrum: infected - 1 skipped


Non ho fatto una scansione completa perchè altrimenti non facevo quello che mi dicevi, però forse può tornare utile.
Attendo come sempre notizie.
Roberto

[Sante62]

[bob80]

Fatto!
E ho anche disattivato il ripristino di configurazione di sistema.
Ora dovrei essere al sicuro? Ma se cancello quei file sospetti succede qualcosa?

[Sante62]

Sono stati già rimossi con la disattivazione del ripristino di sistema;

se non hai altri problemi lo puoi riattivare facendo la procedura inversa...

[chemicalbit]

[bob80]

Quei file ci sono ancora e non ho riattivato il ripristino... cmq se li cancello manualmente o anzi cancello tutta la cartella "System Volume information" succede qualcosa di grave?
Cmq grazie mille per il tuo aiuto Sante.
Roberto

[bob80]

Faccio un piccolo up per la domanda precedente e ne aggiungo anche un'altra: tra gli antivirus gratuiti quale è il milgiore? E tra quelli a pagamento?
Mi piacerebbe avere qualche esperienza diretta più che le solite classifiche riportate su riviste specifiche che secondo me sono poco affidabili.
Fatemi sapere.

[chemicalbit]

Prova a riattivare il ripristino di configurazione di sistema e riavviare.
Poi disattiva il ripristino di configurazione di sistema e riavvia di nuovo.

A quel punto quei file ci sono ancora?



Per la domanda più generale sugli antivirus, dovrebbero esserci delle discussioni sull'argomento nel forum "sicurezza", chiedi una di quelle.
(se non ve ne fossero, aprine pure una, sempre nel forum Sicurezza)


p.s. Avast ora funziona?

[bob80]

[bob80]

Scusate, ma visto che i quasi 300 Mb di file sono ancora lì faccio un piccolo up.
Roberto

[chemicalbit]

Hai provato a ri-attivare il risprstino di configurazione di sistema,
riavviare windows,
ri-disattivare risprstino di configurazione di sistema,
riavviare di nuovo windows?

[bob80]

Si, l'ho fatto... ma sono ancora lì!