Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Bandoo.exe

Bandoo.exe Opzioni
Topic Precedente · Topic Sucessivo
tegwane
Inviato: Tuesday, October 19, 2010 12:27:04 PM

Rank: AiutAmico

Iscritto dal : 12/20/2003
Posts: 128
Aprendo il TaskManager ho trovato questo processo " Bandoo.exe"
Vi allego il log di HijackThis per un'analisi.
Grazie


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.19.57, on 19/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Programmi\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Programmi\PeerBlock\peerblock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Winamp\winamp.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe
C:\PROGRA~1\Fun4IM\Bandoo.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\Prog.EXE\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll
O2 - BHO: Searchqu Toolbar - {7FF99715-3016-4381-84CE-E4E4C9673020} - C:\PROGRA~1\WI9130~1\ToolBar\SearchquDx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Bandoo IE Plugin - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Programmi\Fun4IM\Plugins\IE\ieplugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Searchqu Toolbar - {7FF99715-3016-4381-84CE-E4E4C9673020} - C:\PROGRA~1\WI9130~1\ToolBar\SearchquDx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WI9130~1\Datamngr\DATAMN~1.EXE
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Programmi\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [PeerBlock] C:\Programmi\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Aggiungi ad Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255620173140
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AFE048C-3849-47C3-9BC3-C4347FBF6872}: NameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8940818-C9A6-4742-B933-741BF954173C}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{1AFE048C-3849-47C3-9BC3-C4347FBF6872}: NameServer = 192.168.1.254
O17 - HKLM\System\CS3\Services\Tcpip\..\{1AFE048C-3849-47C3-9BC3-C4347FBF6872}: NameServer = 192.168.1.254
O20 - AppInit_DLLs: c:\progra~1\wi9130~1\datamngr\datamngr.dll c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll c:\progra~1\kasper~1\kasper~1\kloehk.dll c:\progra~1\fun4im\bndhook.dll
O23 - Service: Servizio Kaspersky Anti-Virus (AVP) - Kaspersky Lab ZAO - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
O23 - Service: Fun4IM Coordinator - Discordia Limited - C:\PROGRA~1\Fun4IM\Bandoo.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Programmi\Macrium\Reflect\ReflectService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe

--
End of file - 7570 bytes
Torna in alto
 
Sponsor
Inviato: Tuesday, October 19, 2010 12:27:04 PM

 
Torna in alto
 
shapiro
Inviato: Tuesday, October 19, 2010 12:40:08 PM

Rank: AiutAmico

Iscritto dal : 8/24/2008
Posts: 4,164
ciao

controlla sul sito virus total quel Bandoo.exe prevx lo segnala ancora in fase di revisione

http://www.prevx.com/filenames/1110987863578740106-X1/BANDOO.EXE.html

fai anche una scansione con malwarebytes per verificare le altre minacce, ci sono un paio di processi che non mi convincono

1) lo installi
2) lo aggiorni
3) fai una scansione scegliendo la modalità completa
4) NON eliminare per ora le ventuali minacce che rileva
5) finita la scansione seleziona il tabellino log, apri il file di testo e postalo sul forum
Torna in alto
 
tegwane
Inviato: Tuesday, October 19, 2010 12:53:16 PM

Rank: AiutAmico

Iscritto dal : 12/20/2003
Posts: 128
ok
sto facendo la scansione
Torna in alto
 
maopapof
Inviato: Tuesday, October 19, 2010 1:18:02 PM

Rank: AiutAmico

Iscritto dal : 10/31/2004
Posts: 7,185
per shapiro

O23 - Service: Fun4IM Coordinator - Discordia Limited - C:\PROGRA~1\Fun4IM\Bandoo.exe

= ----> esegui ... mscofig ... e togli la spunta al bandoo .... e dopo fare scansione con malwarebytes
Torna in alto
 
shapiro
Inviato: Tuesday, October 19, 2010 1:24:33 PM

Rank: AiutAmico

Iscritto dal : 8/24/2008
Posts: 4,164
Commenta:
O23 - Service: Fun4IM Coordinator - Discordia Limited - C:\PROGRA~1\Fun4IM\Bandoo.exe

= ----> esegui ... mscofig ... e togli la spunta al bandoo .... e dopo fare scansione con malwarebytes


maopapof voglio prima vedere cosa risulta dal sito virus total, bandoo e' un sito dove si possono prelevare emotion

http://www.bandoo.com/
Torna in alto
 
tegwane
Inviato: Tuesday, October 19, 2010 5:07:46 PM

Rank: AiutAmico

Iscritto dal : 12/20/2003
Posts: 128
la scansione è è pulita

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versione database: 4879

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/10/2010 13.32.14
mbam-log-2010-10-19 (13-32-14).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi esaminati: 223206
Tempo trascorso: 50 minuti, 19 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 0

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
(Non sono stati rilevati elementi nocivi)
Torna in alto
 
shapiro
Inviato: Tuesday, October 19, 2010 5:12:13 PM

Rank: AiutAmico

Iscritto dal : 8/24/2008
Posts: 4,164
per sicurezza hai controllato Bandoo.exe su virus total? sarebbe interessante conoscere anche cosa dicono i 40 antivirus
Torna in alto
 
tegwane
Inviato: Tuesday, October 19, 2010 5:27:20 PM

Rank: AiutAmico

Iscritto dal : 12/20/2003
Posts: 128
Per analizzare il file ero il 3423° in coda e siccome mi diceva che questo file era già stato analizzato ho aperto un log del 30 settembre. Tutti gli antivir lo danno negativo ad eccezzione di Symantec che lo classifica " WS.Reputation 1."
Torna in alto
 
shapiro
Inviato: Tuesday, October 19, 2010 5:30:12 PM

Rank: AiutAmico

Iscritto dal : 8/24/2008
Posts: 4,164
fammi questa scansione

scarica combofix sul desktop

quando ti chiedera' se vuoi installare la Recovery consolle clicca su NO


- esegui ComboFix.exe
- segui le instruzioni
- finita la scansione portati in C:\ e copia/incolla, nella tua prossima risposta, il contenuto del file di testo Combofix.txt
Torna in alto
 
tegwane
Inviato: Tuesday, October 19, 2010 6:05:02 PM

Rank: AiutAmico

Iscritto dal : 12/20/2003
Posts: 128
ComboFix 10-10-18.06 - Administrator 19/10/2010 17.52.56.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1581 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Dati applicazioni\chrtmp
c:\windows\system32\vbzlib1.dll

.
((((((((((((((((((((((((( Files Creati Da 2010-09-19 al 2010-10-19 )))))))))))))))))))))))))))))))))))
.

2010-10-19 10:13 . 2010-10-19 10:13 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Bandoo
2010-10-19 10:12 . 2010-10-19 10:12 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Bandoo
2010-10-19 10:11 . 2010-10-19 10:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Fun4IM
2010-10-19 10:11 . 2010-10-19 10:12 -------- d-----w- c:\programmi\Fun4IM
2010-10-19 10:09 . 2010-10-19 10:09 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Thinstall
2010-10-17 08:33 . 2010-10-19 09:08 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\MoneyManagerEx
2010-10-17 08:32 . 2010-10-17 08:32 -------- d-----w- c:\programmi\MoneyManagerEx
2010-10-17 07:25 . 2010-07-27 11:40 2078208 ----a-w- c:\windows\system32\QuickPDFAX0721.dll
2010-10-17 07:25 . 2003-05-28 13:33 647939 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2010-10-17 07:25 . 1998-06-24 08:00 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2010-10-17 07:25 . 1998-06-24 08:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2010-10-16 17:08 . 2010-10-17 09:44 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\vlc
2010-10-16 16:57 . 2009-12-15 16:25 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-10-16 16:57 . 2009-12-15 16:25 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-10-16 16:57 . 2010-10-17 06:31 -------- d-----w- c:\programmi\SureThing CD Labeler 5
2010-10-14 12:41 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 12:41 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 12:40 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-06 14:24 . 2010-10-06 14:24 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\BVRP Software
2010-10-06 14:23 . 2010-10-06 14:26 -------- d-----w- c:\programmi\Avanquest update
2010-10-06 14:22 . 2010-10-06 14:31 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\BVRP Software
2010-10-06 14:22 . 2010-10-06 14:30 -------- d-----w- c:\programmi\Motorola Phone Tools
2010-10-06 14:22 . 2004-10-22 00:18 749568 ----a-w- c:\programmi\File comuni\InstallShield\Professional\RunTime\10\50\Intel32\iKernel.dll
2010-10-06 14:22 . 2004-10-22 00:17 69715 ----a-w- c:\programmi\File comuni\InstallShield\Professional\RunTime\10\50\Intel32\ctor.dll
2010-10-06 14:22 . 2004-10-22 00:17 274432 ----a-w- c:\programmi\File comuni\InstallShield\Professional\RunTime\10\50\Intel32\iscript.dll
2010-10-06 14:22 . 2004-10-22 00:16 180224 ----a-w- c:\programmi\File comuni\InstallShield\Professional\RunTime\10\50\Intel32\iuser.dll
2010-10-06 14:22 . 2004-10-22 00:16 5632 ----a-w- c:\programmi\File comuni\InstallShield\Professional\RunTime\10\50\Intel32\DotNetInstaller.exe
2010-10-06 14:22 . 2010-10-06 14:22 323716 ----a-w- c:\programmi\File comuni\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll
2010-10-06 14:22 . 2010-10-06 14:22 192644 ----a-w- c:\programmi\File comuni\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll
2010-10-06 13:29 . 2010-10-06 13:29 -------- d-----w- C:\Program Files
2010-10-01 21:22 . 2010-10-15 16:50 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\dvdcss
2010-09-29 09:23 . 2010-09-29 09:23 -------- d-----w- c:\programmi\CPUID
2010-09-29 09:23 . 2010-07-09 11:18 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2009-12-21 . 07D26189C25F030F7828B7F669170FD6 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}]
2010-08-23 02:22 2195456 ----a-w- c:\programmi\Fun4IM\Plugins\IE\ieplugin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadwin PrintScreen"="c:\programmi\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"PeerBlock"="c:\programmi\PeerBlock\peerblock.exe" [2009-09-28 1524824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-09-14 352976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^Stardock ObjectDock.lnk]
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^STasks 1.9.lnk]
backup=c:\windows\pss\STasks 1.9.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NeroFilterCheck"=c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Easy-PrintToolBox"=c:\programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
"UpdatePPShortCut"="c:\programmi\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "c:\programmi\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Programmi\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Programmi\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Programmi\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Programmi\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [20/05/2008 9.32.40 15328]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [17/05/2010 11.14.08 15172]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [09/06/2010 17.43.52 11352]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [25/11/2009 17.46.11 116560]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [25/11/2009 17.43.52 41424]
R2 Fun4IM Coordinator;Fun4IM Coordinator;c:\progra~1\Fun4IM\Bandoo.exe [19/10/2010 12.11.48 1938880]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [07/05/2010 12.06.26 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/11/2009 20.27.24 19472]
R3 pbfilter;pbfilter;c:\programmi\PeerBlock\pbfilter.sys [16/03/2010 16.25.16 14424]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [09/09/2009 1.02.27 1086208]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [13/05/2010 11.14.06 136176]
S3 esihdrv;esihdrv; [x]
S3 Nbdrv;NetBalancer Service;c:\windows\system32\DRIVERS\nbdrv.sys --> c:\windows\system32\DRIVERS\nbdrv.sys [?]
S3 ReflectService;Macrium Reflect Image Mounting Service;c:\programmi\Macrium\Reflect\ReflectService.exe [17/11/2009 13.49.51 220128]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14/10/2009 12.16.34 721904]
.
Contenuto della cartella 'Scheduled Tasks'

2010-10-18 c:\windows\Tasks\CCleaner.job
- c:\programmi\CCleaner\CCleaner.exe [2010-09-24 17:54]

2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-05-13 09:13]

2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-05-13 09:13]

2010-10-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Scansione supplementare -------
.
uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
uStart Page = hxxp://www.google.it/
mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
IE: Aggiungi ad Anti-Banner - c:\programmi\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
IE: Aggiungi all'elenco di stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Anteprima Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Stampa ad alta velocità Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {1AFE048C-3849-47C3-9BC3-C4347FBF6872} = 192.168.1.254
TCP: {D8940818-C9A6-4742-B933-741BF954173C} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\myrnmj77.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ATU3&o=15380&locale=it_IT&q=
FF - component: c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\myrnmj77.default\extensions\firefox@bandoo.com\components\FFPlugin.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru\components\abhelperxpcom.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\documents and settings\Administrator\Dati applicazioni\Mozilla\plugins\np-mswmp.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Java\jre6\bin\npjpi160_20.dll
FF - plugin: c:\programmi\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\programmi\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

AddRemove-HijackThis - c:\documents and settings\Administrator\Desktop\Prog.EXE\Nuova cartella\HijackThis.exe
AddRemove-{76E41F43-59D2-4F30-BA42-9A762EE1E8DE} - c:\programmi\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe


.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-790525478-1383384898-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,28,44,4e,5d,c7,41,48,bb,9e,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,10,72,1b,20,bb,f7,44,85,9b,fb,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,28,44,4e,5d,c7,41,48,bb,9e,fe,\

[HKEY_USERS\S-1-5-21-790525478-1383384898-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:7d,eb,2a,8d,20,48,4a,6f,2a,78,27,b1,3e,35,b7,a0,93,f6,21,b9,41,
cc,01,ac,fa,8f,47,22,81,ec,69,85,cc,ee,bf,27,e7,ad,38,25,1c,c3,83,72,da,4b,\
"rkeysecu"=hex:e4,cb,0e,54,88,4a,98,e0,a2,fb,c0,f3,06,3a,06,5e
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Ora fine scansione: 2010-10-19 18:02:51 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-10-19 16:02

Pre-Run: 90.594.406.400 byte disponibili
Post-Run: 90.619.936.768 byte disponibili

- - End Of File - - 162986298723F017420283CBEA9A71E5
Torna in alto
 
Utenti presenti in questo topic
Guest

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Bandoo.exe


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.