Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Aiuto ROGUE!

6 pages: [1] 2 3 4 5 6
Aiuto ROGUE! Opzioni
Topic Precedente · Topic Sucessivo
nckx83
Inviato: Tuesday, May 04, 2010 11:51:38 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258
Salve, mio fratello navigando su internet si è "beccato" un rogue: antimalware doctor.
Gli ho fatto fare una scansione con MBAM, il quale ha trovato numerosi files infetti, e una scansione con hijackthis, delle quali allego un log.
Chiedo cortesemente un aiuto per eliminare il problema.
Grazie.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versione database: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/05/2010 23.36.52
mbam-log-2010-05-04 (23-36-52).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi esaminati: 182576
Tempo trascorso: 1 ore, 29 minuti, 11 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 24
Valori di registro infetti: 2
Voci infette nei dati di registro: 0
Cartelle infette: 8
File infetti: 12

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{131dfcad-732a-428a-a7de-a2a4c305b21b} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{131dfcad-732a-428a-a7de-a2a4c305b21b} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{131dfcad-732a-428a-a7de-a2a4c305b21b} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{131dfcad-732a-428a-a7de-a2a4c305b21b} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a9722a0d-365f-47d2-b70b-37d046316d99} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ezLife (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adhlpr.adhlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adhlpr.adhlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66c13876-cd3e-29cf-8881-67113c6539a6} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{66c13876-cd3e-29cf-8881-67113c6539a6} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{753c5d33-888a-4e67-9710-1d548b38261b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{753c5d33-888a-4e67-9710-1d548b38261b} (Trojan.BHO) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ezlife (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vxrhraumuujne (Trojan.Agent) -> Quarantined and deleted successfully.

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
C:\Programmi\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Programmi\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Programmi\Smart-Ads-Solutions\SmartAds\1.5.5.0 (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Programmi\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Programmi\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Programmi\ezLife\ezLife\1.5.5.0 (Adware.EzLife) -> Quarantined and deleted successfully.

File infetti:
C:\WINDOWS\system32\abnooafg.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Impostazioni locali\temp\4F.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Impostazioni locali\temp\amneswcoxr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Impostazioni locali\temp\oxeasnrmwc.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\50.tmp (Rootkit.Dropper) -> Delete on reboot.
C:\Programmi\Smart-Ads-Solutions\SmartAds\1.5.5.0\uninstall.exe (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Programmi\ezLife\ezLife\1.5.5.0\uninstall.exe (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Menu Avvio\Programmi\Esecuzione automatica\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Dati applicazioni\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Proprietario\Menu Avvio\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kstuqspgbjtfxrun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zskxcvzn.dll (Trojan.BHO) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 0.02.12, on 05/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\McAfee\SiteAdvisor\McSACore.exe
C:\Programmi\File comuni\McAfee\McSvcHost\McSvHost.exe
C:\Programmi\File comuni\McAfee\SystemCore\mfevtps.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programmi\File comuni\McAfee\SystemCore\mcshield.exe
C:\Programmi\File comuni\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\McAfee\VirusScan\mcods.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Programmi\Sitecom\Common\RaUI.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\internet explorer\iexplore.exe
C:\DOCUME~1\PROPRI~1\IMPOST~1\Temp\Google Toolbar\gtb7C.tmp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programmi\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programmi\File comuni\McAfee\SystemCore\ScriptSn.20100429001723.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mcui_exe] "C:\Programmi\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [gotnewupdate000.exe] C:\Documents and Settings\Proprietario\Dati applicazioni\54F6EE91CA45E9D3AB4BC330652836F1\gotnewupdate000.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Sitecom Wireless Utility.lnk = C:\Programmi\Sitecom\Common\RaUI.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: PokerStars.it - {C4046502-6524-4d87-896C-878F57D1FF07} - C:\Programmi\PokerStars.IT\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Programmi\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Programmi\File comuni\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Programmi\File comuni\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Programmi\File comuni\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Programmi\File comuni\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Programmi\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Programmi\File comuni\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Programmi\File comuni\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Programmi\File comuni\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Programmi\File comuni\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Programmi\File comuni\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8524 bytes
Torna in alto
 
Sponsor
Inviato: Tuesday, May 04, 2010 11:51:38 PM

 
Torna in alto
 
paolopa
Inviato: Wednesday, May 05, 2010 7:51:36 AM

Rank: AiutAmico

Iscritto dal : 10/14/2008
Posts: 2,777
vediamo cosa elimina combo intanto:
Scarica Combofix

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Salvalo sul desktop.

Importante: dopo aver scaricato COMBOFIX chiudi la connessione disabilita il tuo antivirus e
chiudi TUTTI i programmi aperti,(Firewall compreso) e

Doppio click su combofix.exe (comparirà una videata.)

E' probabile che ti siano inviati messaggi dall'antivirus,(o dallo stesso Combofix)
tu ignorali.

Se ti verrà chiesto se vuoi Installare LA CONSOLE DI RIPRISTINO DI EMERGENZA, clicca NO.

Durante l'operazione di scansione è importante non usare il PC (neanche il mouse)
e attendere pazientemente la fine delle operazioni.
Al termine, verrà creato un file log sul Desktop, chiamato C:\ComboFix.txt. Postalo qui.
Torna in alto
 
nckx83
Inviato: Wednesday, May 05, 2010 4:43:45 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258
Salve.
Vi scrivo dal mio pc poichè da quello di mio fratello, dopo aver fatto la scansione con combofix, non mi fà postare il log, mi appare la pagina web come se non ci fosse connessione.
Come mai accade ciò? inoltre dopo aver disattivato il ripristino configurazione, prima della scansione, si è riattivato da solo ma non so come.
Torna in alto
 
paolopa
Inviato: Wednesday, May 05, 2010 5:08:07 PM

Rank: AiutAmico

Iscritto dal : 10/14/2008
Posts: 2,777
prova a riaccendere il pc,la connessione dovrebbe tornare.perchè hai disattivato il ripristino configurazione?credo che l abbia riattivato combo per creare un punto di ripristino.vedi se riesci a postare il log.
Torna in alto
 
nckx83
Inviato: Wednesday, May 05, 2010 5:13:10 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258
Forse mi sono spiegato male, il pc sembra funzionare bene, anche la connessione funziona, ma quando provo a postare il log di combofix qui l'operazione non riesce, infatti, quando clicco su invia mi appare la pagina web che si ha quando non c'è la connessione ad internet.
Torna in alto
 
paolopa
Inviato: Wednesday, May 05, 2010 5:18:50 PM

Rank: AiutAmico

Iscritto dal : 10/14/2008
Posts: 2,777
non capisco:la connessione c è,ma quando fai il copia incolla e dai l invio ti appare la pagina come se mancasse la connessione?secondo me sei senza connessione,se no non si spiega.spegni e riaccendi il pc e riprova.
Torna in alto
 
nckx83
Inviato: Wednesday, May 05, 2010 5:20:53 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258
Neanche io capisco perchè fà così.
Ho provato a disconnettermi e riconnettermi, riavviare il pc, la connessione c'è tanto che riesco a navigare senza problemi a parte a il fatto che non riesca a postare niete su questo forum.
Torna in alto
 
paolopa
Inviato: Wednesday, May 05, 2010 5:22:35 PM

Rank: AiutAmico

Iscritto dal : 10/14/2008
Posts: 2,777
riesci a trasferirlo sul tuo pc con una pendrive e postarlo?
Torna in alto
 
nckx83
Inviato: Wednesday, May 05, 2010 5:24:56 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258
Ho pensato di postare il log tramite il mio pc, ma non vorrei correre il rischio di infettarlo tramite la chiavetta usb...
Torna in alto
 
paolopa
Inviato: Wednesday, May 05, 2010 5:30:27 PM

Rank: AiutAmico

Iscritto dal : 10/14/2008
Posts: 2,777
puoi fare cosi:usa questo programma,e poi scansiona la chiavetta col tuo antivirus e malwarebytes
http://www.aiutamici.com/software?ID=11519
tanto è una cosa che serve sempre
Torna in alto
 
nckx83
Inviato: Wednesday, May 05, 2010 5:33:51 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258

Mi è venuta un'idea, me lo mando tramite hot mail, nel senso che entro nell'è-mail sul web dal pc di mio fratello, salvo in bozze il log, vi riaccedo tramite il mio, copio e incollo e lo posto qui.
Torna in alto
 
paolopa
Inviato: Wednesday, May 05, 2010 5:41:30 PM

Rank: AiutAmico

Iscritto dal : 10/14/2008
Posts: 2,777
va bene,prova
Torna in alto
 
nckx83
Inviato: Wednesday, May 05, 2010 5:54:17 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258
Ci dev'essere qualcosa di strano, non posso usare l'e-mail dal pc di mio fratello, ci posso entrare ma non posso inviare e-mail nè salvare in bozze il testo, mi appare una scritta breve in rosso che dice: errore generico...etc.
Ora provo con la pendrive usando il programma che mi hai indicato.
Torna in alto
 
nckx83
Inviato: Wednesday, May 05, 2010 6:06:02 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258
Prima di usare il programma voglio essere sicuro di aver capito il funzionamento.
Allora, scarico e installo il programma sul MIO pc, clicco su vaccinate computer, mi appare la scritta verde computer vaccinated, inserisco la penna nel MIO pc vado sul log copio,incollo e posto qua. giusto?
Torna in alto
 
paolopa
Inviato: Wednesday, May 05, 2010 6:10:07 PM

Rank: AiutAmico

Iscritto dal : 10/14/2008
Posts: 2,777
vaccinando il pc disabiliti l autoplay per le pendrive o l hd esterno,di modo che quando le inserisci puopi scansionarle col tuo antivirus e malwarebytes(clic col dx sulla periferica e scegli "scansiona con",se vaccini la pendrive invece le inserisci un autorun.inf innocuo che pero' impedisce l installazione di autorun.inf malefici.
Torna in alto
 
nckx83
Inviato: Wednesday, May 05, 2010 6:14:47 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258
Fatto, l'antivirus non ha rilevato infezioni, ma ho comunque vaccinato la pendrive.

Ecco il log di combofix


ComboFix 10-05-04.06 - Proprietario 05/05/2010 15.50.03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.511.182 [GMT 2:00]
Eseguito da: c:\documents and settings\Proprietario\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Proprietario\Dati applicazioni\54F6EE91CA45E9D3AB4BC330652836F1
c:\documents and settings\Proprietario\Dati applicazioni\54F6EE91CA45E9D3AB4BC330652836F1\enemies-names.txt
c:\documents and settings\Proprietario\Dati applicazioni\54F6EE91CA45E9D3AB4BC330652836F1\gotnewupdate000.exe
c:\documents and settings\Proprietario\Dati applicazioni\54F6EE91CA45E9D3AB4BC330652836F1\hookdll.dll
c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\MSASCui.exe
c:\programmi\WindowsUpdate
c:\windows\system32\mpmctasasuwno.exe

La copia infetta di c:\windows\system32\drivers\acpiec.sys è stata trovata e disinfettata
ipristinata copia da - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Creati Da 2010-04-05 al 2010-05-05 )))))))))))))))))))))))))))))))))))
.

2010-05-04 22:09 . 2010-05-04 22:09 -------- d-----w- c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\Temp
2010-05-04 22:09 . 2010-05-04 22:09 -------- d-----w- c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\Google
2010-05-04 22:07 . 2010-05-04 22:08 -------- d-----w- c:\programmi\CCleaner
2010-05-04 22:04 . 2010-05-04 22:04 -------- d-----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\Google
2010-05-04 22:00 . 2010-05-04 22:00 388096 ----a-r- c:\documents and settings\Proprietario\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-03 20:55 . 2010-05-04 22:04 -------- d-----w- c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\Google
2010-05-03 20:52 . 2010-05-04 22:04 -------- d-----w- c:\programmi\Google
2010-04-28 00:09 . 2010-04-28 00:09 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\OpenOffice.org
2010-04-22 00:13 . 2010-04-14 10:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-22 00:13 . 2010-04-14 10:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-22 00:13 . 2010-04-14 10:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-22 00:13 . 2010-04-14 10:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-22 00:13 . 2010-04-14 10:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-22 00:13 . 2010-04-14 10:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-22 00:13 . 2010-04-14 10:29 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-22 00:13 . 2010-04-14 10:29 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-22 00:13 . 2010-04-14 10:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-22 00:13 . 2010-04-14 10:29 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 02:20 . 2001-08-31 15:00 79406 ----a-w- c:\windows\system32\perfc010.dat
2010-05-05 02:20 . 2001-08-31 15:00 479166 ----a-w- c:\windows\system32\perfh010.dat
2010-05-02 15:06 . 2009-03-15 18:34 -------- d-----w- c:\programmi\PokerStars.IT
2010-04-30 17:07 . 2009-11-16 18:29 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-04-30 17:07 . 2009-12-14 16:33 6153352 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-29 13:39 . 2009-11-16 18:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-11-16 18:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 19:06 . 2009-03-09 19:28 -------- d-----w- c:\programmi\McAfee.com
2010-04-22 00:25 . 2009-03-09 19:28 -------- d-----w- c:\programmi\McAfee
2010-04-22 00:24 . 2009-03-09 19:15 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\McAfee
2010-04-22 00:24 . 2009-03-09 19:28 -------- d-----w- c:\programmi\File comuni\McAfee
2010-03-10 06:15 . 2004-08-19 13:39 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:16 . 2004-08-19 13:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-03 21:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 19:05 . 2004-08-19 13:34 2149888 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:05 . 2004-08-19 15:34 2028032 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-06 22:12 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-19 13:39 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-03 21:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-03 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"SoundMan"="SOUNDMAN.EXE" [2009-02-16 67584]
"SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 110592]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 610304]
"mcui_exe"="c:\programmi\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Sitecom Wireless Utility.lnk - c:\programmi\Sitecom\Common\RaUI.exe [2009-3-9 1527808]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\File comuni\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [22/04/2010 2.13.20 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\programmi\McAfee\SiteAdvisor\McSACore.exe [09/03/2009 21.32.45 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\programmi\File comuni\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [22/04/2010 2.13.00 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\programmi\File comuni\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [22/04/2010 2.13.00 271480]
R2 mfefire;McAfee Firewall Core Service;c:\programmi\File comuni\McAfee\SystemCore\mfefire.exe [22/04/2010 2.13.54 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\programmi\File comuni\McAfee\SystemCore\mfevtps.exe [22/04/2010 2.13.23 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [22/04/2010 2.13.19 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [22/04/2010 2.13.19 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [22/04/2010 2.13.20 88480]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [05/05/2010 0.04.44 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [22/04/2010 2.13.20 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [22/04/2010 2.13.20 83496]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - mfeavfk01
.
Contenuto della cartella 'Scheduled Tasks'

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-05-04 22:04]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-05-04 22:04]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://google.it/
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{C4046502-6524-4d87-896C-878F57D1FF07} - c:\programmi\PokerStars.IT\PokerStarsUpdate.exe
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-gotnewupdate000.exe - c:\documents and settings\Proprietario\Dati applicazioni\54F6EE91CA45E9D3AB4BC330652836F1\gotnewupdate000.exe
AddRemove-mpmctasasuwno - c:\windows\system32\mpmctasasuwno.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 16:04
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82EC5EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf869af28
\Driver\ACPI -> ACPI.sys @ 0xf85edcb8
\Driver\atapi -> atapi.sys @ 0xf8561852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\WININET.dll
.
Ora fine scansione: 2010-05-05 16:09:26
ComboFix-quarantined-files.txt 2010-05-05 14:09

Pre-Run: 37.954.023.424 byte disponibili
Post-Run: 38.301.970.432 byte disponibili

- - End Of File - - EF23E7A39D966639CF17858753CE88CE
Torna in alto
 
paolopa
Inviato: Wednesday, May 05, 2010 6:19:46 PM

Rank: AiutAmico

Iscritto dal : 10/14/2008
Posts: 2,777
Scarica MBR:EXE direttamente nella Directory C:\ (Devi scaricarlo obligatoriamente in C: )
http://www2.gmer.net/mbr/mbr.exe
Entra in Modalità provvisoria.
da Start - Esegui - digita C:\mbr.exe -f (fai il copia-incolla)e clicca su OK
La scansione dura pochi secondi.
Posta il log prodotto per il controllo. (lo trovi in C )
Torna in alto
 
nckx83
Inviato: Wednesday, May 05, 2010 6:26:48 PM

Rank: AiutAmico

Iscritto dal : 10/1/2009
Posts: 258
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Torna in alto
 
paolopa
Inviato: Wednesday, May 05, 2010 6:27:39 PM

Rank: AiutAmico

Iscritto dal : 10/14/2008
Posts: 2,777
ok,posta un log di hijack aggiornato.
Torna in alto
 
Utenti presenti in questo topic
Guest

6 pages: [1] 2 3 4 5 6

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Aiuto ROGUE!


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.