ComboFix 10-03-29.04 - Administrator 31/03/2010 14.35.47.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1033.18.1535.1181 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\My Documents\Download\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100331-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-358973153-2649386250-593993646-1001
c:\windows\system32\winlogon.bak
.
((((((((((((((((((((((((( Files Creati Da 2010-02-28 al 2010-03-31 )))))))))))))))))))))))))))))))))))
.
2010-03-31 09:22 . 2010-03-31 09:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-31 09:21 . 2010-03-29 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 09:21 . 2010-03-31 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-31 09:21 . 2010-03-29 13:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 09:21 . 2010-03-31 09:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-31 08:34 . 2010-03-31 08:34 -------- d-----w- c:\program files\Trend Micro
2010-03-30 14:03 . 2010-03-30 14:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-29 18:27 . 2010-02-03 13:56 26176 ---ha-w- c:\windows\system32\hamachi.sys
2010-03-26 20:56 . 2010-03-29 13:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon
2010-03-24 22:34 . 2010-03-24 22:34 -------- d-----w- C:\ApolloOutput
2010-03-24 11:53 . 2010-03-24 11:55 -------- d-----w- c:\program files\ConvertHelper
2010-03-24 11:44 . 2010-03-24 11:44 -------- d-----w- c:\documents and settings\Administrator\dwhelper
2010-03-23 12:15 . 2010-03-23 12:38 581 ---ha-w- C:\os057717.bin
2010-03-23 12:13 . 2010-03-23 12:13 -------- d-----w- c:\windows\Vbox
2010-03-23 12:13 . 2010-03-23 12:13 -------- d-----w- c:\program files\101ware
2010-03-15 14:47 . 2010-03-15 14:47 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5bd6e43a-n\msvcr71.dll
2010-03-15 14:47 . 2010-03-15 14:47 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5bd6e43a-n\msvcp71.dll
2010-03-15 14:47 . 2010-03-15 14:47 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-607325a8-n\decora-sse.dll
2010-03-15 14:47 . 2010-03-15 14:47 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5bd6e43a-n\jmc.dll
2010-03-15 14:47 . 2010-03-15 14:47 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-607325a8-n\decora-d3d.dll
2010-03-13 23:22 . 2010-03-13 23:22 -------- d-----w- c:\program files\JRE
2010-03-13 23:21 . 2010-03-13 23:22 -------- d-----w- c:\program files\OpenOffice.org 3
2010-03-13 23:21 . 2010-03-13 23:21 -------- d-----w- c:\program files\Common Files\Java
2010-03-13 23:21 . 2010-03-13 23:21 -------- d-----w- c:\program files\Java
2010-03-06 10:21 . 2010-03-31 12:08 -------- d-----w- c:\program files\eMule
2010-03-03 18:37 . 2010-03-03 18:37 -------- d-----w- c:\documents and settings\Administrator\.thumbnails
2010-03-03 18:36 . 2010-03-03 19:02 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6
2010-03-03 17:22 . 2010-03-03 17:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\AnvSoft
2010-03-03 17:22 . 2010-03-03 17:22 -------- d-----w- c:\program files\AnvSoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 12:15 . 2010-02-27 14:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-31 08:04 . 2010-02-27 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-31 07:59 . 2009-11-18 16:45 -------- d-----w- c:\program files\CCleaner
2010-03-30 16:58 . 2009-11-18 14:04 127584 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-28 14:03 . 2009-11-18 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-24 23:00 . 2010-02-27 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-03-24 23:00 . 2010-02-27 15:09 -------- d-----w- c:\program files\NCH Swift Sound
2010-03-24 11:57 . 2009-11-18 15:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 23:21 . 2009-11-18 16:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 22:45 . 2010-02-24 11:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\SecondLife
2010-03-07 18:02 . 2010-02-13 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2010-03-03 17:13 . 2010-02-27 17:11 -------- d-----w- c:\program files\Nokia
2010-03-03 17:13 . 2010-02-27 17:31 -------- d-----w- c:\program files\Common Files\Nokia
2010-03-03 17:09 . 2010-02-21 09:44 -------- d-----w- c:\program files\Google
2010-03-03 17:08 . 2009-11-18 16:54 53319 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2010-03-03 17:06 . 2010-01-20 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2010-03-03 17:01 . 2009-11-18 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit
2010-03-03 17:01 . 2009-11-18 16:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-27 20:04 . 2010-02-27 20:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-27 19:14 . 2010-02-27 19:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nokia
2010-02-27 19:11 . 2010-02-27 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-02-27 19:11 . 2010-02-27 19:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Suite
2010-02-27 19:06 . 2010-02-27 19:06 193184 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-27 19:03 . 2010-02-27 19:03 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-02-27 19:03 . 2010-02-27 19:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-02-27 18:09 . 2010-02-27 18:09 -------- d-----w- c:\program files\MSXML 6.0
2010-02-27 18:08 . 2010-02-27 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-02-27 17:27 . 2010-02-27 17:27 -------- d-----w- c:\program files\DIFX
2010-02-27 17:11 . 2010-02-27 17:11 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{927AA2A2-7631-4EA2-A1F9-252D27B9D0A2}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-02-27 17:11 . 2010-02-27 17:11 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{927AA2A2-7631-4EA2-A1F9-252D27B9D0A2}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-02-27 17:11 . 2010-02-27 17:11 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{927AA2A2-7631-4EA2-A1F9-252D27B9D0A2}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-02-27 17:11 . 2010-02-27 17:11 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{927AA2A2-7631-4EA2-A1F9-252D27B9D0A2}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-02-27 17:11 . 2010-02-27 17:11 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{927AA2A2-7631-4EA2-A1F9-252D27B9D0A2}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-02-27 17:11 . 2010-02-27 17:11 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{927AA2A2-7631-4EA2-A1F9-252D27B9D0A2}\Installer\CommonCustomActions\pcswpc.exe
2010-02-27 17:11 . 2010-02-27 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-02-27 17:10 . 2010-02-27 17:11 98302544 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{927AA2A2-7631-4EA2-A1F9-252D27B9D0A2}\Nokia_Ovi_Suite_11_update.exe
2010-02-27 15:20 . 2010-02-27 15:20 -------- d-----w- c:\program files\NCH Software
2010-02-27 15:09 . 2010-02-27 15:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\NCH Swift Sound
2010-02-27 15:06 . 2010-02-27 14:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2010-02-27 14:47 . 2010-02-27 14:47 -------- d-----w- c:\program files\LimeWire
2010-02-25 13:48 . 2010-02-25 13:48 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2010-02-25 13:27 . 2010-02-25 13:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-02-24 11:57 . 2010-02-24 11:57 -------- d-----w- c:\program files\SecondLife
2010-02-18 23:56 . 2010-02-18 23:56 -------- d-----w- c:\program files\VideoLAN
2010-02-18 23:50 . 2010-02-18 23:50 0 ----a-w- c:\windows\nsreg.dat
2010-02-17 19:50 . 2009-11-18 11:18 172775 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-14 13:40 . 2009-11-18 15:44 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-13 19:35 . 2010-02-13 19:35 -------- d-----w- c:\program files\Canon
2010-02-13 19:34 . 2010-02-13 19:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\ScanSoft
2010-02-13 19:34 . 2010-02-13 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SSScanWizard
2010-02-13 19:34 . 2010-02-13 19:34 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-02-13 19:34 . 2010-02-13 19:34 -------- d-----w- c:\program files\ScanSoft
2010-02-13 17:33 . 2009-11-18 12:08 74752 ----a-w- c:\windows\system32\storprop.dll
2010-02-13 17:33 . 2008-04-14 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2010-02-13 17:33 . 2008-04-14 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-02-13 17:33 . 2008-04-14 12:00 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-02-13 17:33 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-13 17:33 . 2008-04-14 12:00 24960 ----a-w- c:\windows\system32\drivers\pciidex.sys
2010-02-13 17:33 . 2008-04-14 12:00 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-02-13 17:03 . 2010-02-13 17:03 0 ----a-w- c:\windows\ativpsrm.bin
2010-02-13 16:54 . 2010-02-13 16:54 -------- d-----w- c:\program files\ATI Technologies
2010-02-13 16:51 . 2010-02-13 16:51 -------- d-----w- c:\program files\ASUS
2010-02-13 16:49 . 2010-02-13 16:49 -------- d-----w- c:\program files\Realtek AC97
2010-01-20 13:03 . 2010-01-20 13:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-20 12:50 . 2008-04-14 00:01 35840 ----a-w- c:\windows\system32\drivers\processr.sys
2010-01-20 12:50 . 2010-01-20 12:50 8832 ------w- c:\windows\system32\drivers\wmiacpi.sys
2010-01-20 12:50 . 2010-01-20 12:50 330264 ------w- c:\windows\system32\drivers\iaStor.sys
2010-01-20 12:38 . 2010-01-20 12:37 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-20 12:35 . 2009-11-18 16:29 10688 ----a-w- c:\windows\system32\drivers\mv2.sys
2010-01-20 12:35 . 2009-11-18 16:29 20672 ----a-w- c:\windows\system32\mv2.dll
2010-01-05 15:38 . 2010-01-05 15:38 5376 ------w- c:\windows\system32\drivers\viaide.sys
2010-01-05 15:20 . 2010-01-05 15:20 1956072 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-05 15:16 . 2008-04-14 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-01-01 17:20 . 2010-01-01 17:20 26024 ------w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.
------- Sigcheck -------
[-] 2010-01-05 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"RemoteControl"="c:\program files\ASUS\ASUS Remote\RemoteControlAppl.exe" [2007-02-12 65536]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregIta\Ereg.exe" [2003-07-07 729088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-2-19 503808]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [13/02/2010 18.51.20 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13/02/2010 18.51.20 20560]
R2 uvnc_service;uvnc_service;c:\windows\system32\UltraVNC\winvnc.exe [13/02/2010 18.56.29 1590216]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [26/01/2007 3.42.50 2831232]
R3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\drivers\PRISMNDS.sys [13/02/2010 19.36.14 652288]
S2 gupdate;Servizio di Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2010 11.44.17 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [18/11/2009 17.44.36 1684736]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [18/11/2009 18.29.46 10688]
S4 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\dm9usb.sys [27/10/2009 16.20.07 54272]
S4 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [13/11/2009 10.43.50 49664]
.
Contenuto della cartella 'Scheduled Tasks'
2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 09:44]
2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 09:44]
2010-03-31 c:\windows\Tasks\User_Feed_Synchronization-{F8ED5DC1-7AC3-4BCF-9CDD-0A8EA906856B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
2010-03-20 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-02-27 15:09]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://portal.galaxysystems.eu/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rmt38fb0.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-03-31 14:39
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_USERS\S-1-5-21-527237240-1844823847-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,93,63,65,f2,42,9a,47,9f,a5,bc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,93,63,65,f2,42,9a,47,9f,a5,bc,\
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
.
Ora fine scansione: 2010-03-31 14:42:01
ComboFix-quarantined-files.txt 2010-03-31 12:41
Pre-Run: 136.446.590.976 bytes free
Post-Run: 136.414.625.792 byte disponibili
- - End Of File - - 2134847C0CBE49D22105D6A85FAC8926
___________________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.45.38, on 31/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ASUS\ASUS Remote\RemoteControlAppl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\UltraVNC\WinVNC.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.galaxysystems.eu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\ASUS\ASUS Remote\RemoteControlAppl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregIta\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregIta\ereg.ini"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HotbarSA] "C:\Program Files\Hotbar\bin\11.0.120.0\HotbarSA.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Hotbar\bin\11.0.120.0\Weather.exe" -auto
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258563508968
O17 - HKLM\System\CCS\Services\Tcpip\..\{84388EC8-132D-46EF-BE53-78ACC178102B}: NameServer = 85.37.17.50 85.38.28.76
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: uvnc_service - UltraVNC - C:\WINDOWS\system32\UltraVNC\WinVNC.exe
--
End of file - 6572 bytes