Aiutamici Forum
Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Virus Cancellano file di sistema??

Virus Cancellano file di sistema?? Opzioni
Topic Precedente · Topic Sucessivo
sodomino
Inviato: Friday, January 30, 2009 9:07:25 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
Ragazzi mi è successa una cosa molto strana mi sa ke un virus mi ha eliminato dei file del system 32 vi posto il log di hijackthis sperando di riuscire a risolvere qst ennesimo problema

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21.00.40, on 30/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\system32\SSLEmptyCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Programmi\DAEMON Tools Lite\daemon.exe
C:\documents and settings\_mirko_\impostazioni locali\dati applicazioni\ssoocik.exe
C:\Programmi\OpenOffice.org 2.2\program\soffice.exe
C:\Programmi\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/results.aspx?mkt=it-it&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bit4id store register] RUNDLL32.EXE "C:\WINDOWS\system32\bit4cnsp.dll",RegisterMyPhysicalStore
O4 - HKLM\..\Run: [SSLEmptyCache] C:\WINDOWS\system32\SSLEmptyCache.exe
O4 - HKLM\..\Run: [7cc0734a] rundll32.exe "C:\WINDOWS\system32\hdehqcgi.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programmi\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ssoocik] "c:\documents and settings\_mirko_\impostazioni locali\dati applicazioni\ssoocik.exe" ssoocik
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Programmi\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Programmi\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {15D151C8-5180-43C1-9360-4D794663BD6E} (Posto di Lavoro del Cittadino - Attestazione) - http://www.crs.regione.lombardia.it/components/OcsKitCittadino.cab
O16 - DPF: {3263F297-5CB9-4D8C-A2DB-CDFB8C69CB6D} (Posto di Lavoro del Cittadino - Autenticazione utente) - http://www.crs.regione.lombardia.it/components/OcxCertUpdate.cab
O16 - DPF: {4384AA75-43AB-4095-84F9-C5B35EC62B5D} (Posto di Lavoro del Cittadino - Interprete dati) - http://www.crs.regione.lombardia.it/components/OcxCrsInfo.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://joint7sftrama.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82F3EAFF-8B20-44B9-B713-72A202044A77}: NameServer = 193.12.150.2 212.247.152.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ozcist.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programmi\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 9835 bytes

Mi si apre una finestra con questo errore:

RUNDLL
errore durante il caricamento di C:\WINDOWS\system32\hdehqcgi.dll
impossibile trovare il modulo specificato

e poi avira mi dice ke ha trovato un virus mi controllate il log e magari me lo ripulite da skifezze e virus??
grazie in anticipo spero ke sappiate aiutarmi
Torna in alto
 
Sponsor
Inviato: Friday, January 30, 2009 9:07:25 PM

 
Torna in alto
 
monsee
Inviato: Friday, January 30, 2009 9:14:48 PM
Rank: AiutAmico

Iscritto dal : 4/5/2005
Posts: 22,971
La DLL che citi, proprio NON ESISTE.
Significa che ti sei beccato proprio un grosso fetecchione...
Torna in alto
 
sodomino
Inviato: Friday, January 30, 2009 9:22:40 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
e quindi come posso risolvere??? c sarà un modo??
Torna in alto
 
monsee
Inviato: Friday, January 30, 2009 9:25:52 PM
Rank: AiutAmico

Iscritto dal : 4/5/2005
Posts: 22,971
Non son -credo- all'altezza di affrontare il problema che t'affligge. Ma ci son degli altri, qui, che sono -in questo campo- assai meglio di me (r16, Pidue, shapiro, etc..)
Attendi con fiducia.
Torna in alto
 
sodomino
Inviato: Friday, January 30, 2009 9:27:03 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
eh ragazzic'è qualkuno ke può aiutarmi su un problema del genere????x fav help me
Torna in alto
 
sodomino
Inviato: Friday, January 30, 2009 9:46:50 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
aiutooooo
Torna in alto
 
r16
Inviato: Friday, January 30, 2009 9:51:12 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Ciao.
Scarica ed installa MalwareBytes:
clicca qui per il download : http://www.malwarebytes.org/
Prima di fare la scansione AGGIORNALO.
Esegui una scansione completa del sistema e, una volta terminata la scansione,assicurati che tutti i files evidenziati, siano selezionati, e clicca Rimuovi Selezionati
Posta il log.
*********************************************************************************************************
Importante: Disabilita il tuo antivirus e chiudi TUTTI i programmi aperti,e dopo aver scaricato COMBOFIX, chiudi la connessione.

Scarica Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Salvalo sul desktop.
Doppio click su combofix.exe (comparirà una videata.)
Se ti verrà chiesto se vuoi Installare LA CONSOLE DI RIPRISTINO DI EMERGENZA, clicca NO.
Digita 1 premi Invio e segui le indicazioni.
Al termine, verrà creato un file log chiamato C:\ComboFix.txt. Postalo qui.
Durante l'operazione di scansione è importante non usare il PC (neanche il mouse) e attendere pazientemente la fine delle operazioni.

Disinstalla combofix in questo modo: (dopo che avrò visto il log)
Start
Esegui
nella finestra di dialogo, digita (oppure, copia ed incolla) questo comando: Combofix /u e premi invio poi cancella le cartelle in "C" di combofix (qoobox)
Poi Posta un nuovo log di HJT.
Torna in alto
 
sodomino
Inviato: Friday, January 30, 2009 10:08:59 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
r16 allora mo faccio tutto e domani posto tutti i log ma così risolvo sia quello del virus ke mi trova avira sia quello della dll?? se si se mi puoi pulire anke il log di hijakthis te ne sarei eternamente grato ;)
Torna in alto
 
sodomino
Inviato: Friday, January 30, 2009 10:15:07 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
a r16 un'altra cosa io sull'altro pc ho 2 problemi ke ho già esposto qui ma nn mi hanno sauto aiutare quando clikko su esegui e poi cerco di avviare il regedit non me lo avvia mi dice ke nn lo trova e poi non mi apre più il task manager cm posso risolvere??
Torna in alto
 
r16
Inviato: Friday, January 30, 2009 10:15:17 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Ciao.
Tu posta i log richiesti, li controllo, e poi sarò più preciso.
Torna in alto
 
sodomino
Inviato: Friday, January 30, 2009 10:18:22 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
Tu sai aiutarmi x l'altro problema?? poi domani sera posto tutti i log
Torna in alto
 
r16
Inviato: Saturday, January 31, 2009 10:41:16 AM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Ripeto: prima pensiamo a risolvere questo problema.
Poi proviamo a risolvere l'altro.
Uno alla volta.
Torna in alto
 
sodomino
Inviato: Sunday, February 01, 2009 1:11:20 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
Ecco finalmente i log:

malware-bytes:

Malwarebytes' Anti-Malware 1.33
Versione del database: 1712
Windows 5.1.2600 Service Pack 3

01/02/2009 12.52.10
mbam-log-2009-02-01 (12-52-10).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 141154
Tempo trascorso: 36 minute(s), 34 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 2
Chiavi di registro infette: 19
Valori di registro infetti: 4
Elementi dato del registro infetti: 2
Cartelle infette: 0
File infetti: 51

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
C:\WINDOWS\system32\ozcist.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\geBuUnoo.dll (Trojan.Vundo) -> Delete on reboot.

Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2a11db33-0283-443c-a7f5-df30225c8c9a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2a11db33-0283-443c-a7f5-df30225c8c9a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebuunoo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2a11db33-0283-443c-a7f5-df30225c8c9a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54a3f8b7-228e-4ed8-895b-de832b2c3959} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{52d660de-1481-4cd9-91cd-92f62f67abd8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{52d660de-1481-4cd9-91cd-92f62f67abd8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cc0734a (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.

Elementi dato del registro infetti:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\\windows\\system32\\cbxnfvwm -> Quarantined and deleted successfully.

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\WINDOWS\system32\ozcist.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\geBuUnoo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vtUlLFyX.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\XyFLlUtv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oexqyitw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\GiGi\Impostazioni locali\Temporary Internet Files\Content.IE5\4ZOVIZMP\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\GiGi\Impostazioni locali\Temporary Internet Files\Content.IE5\4ZOVIZMP\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\GiGi\Impostazioni locali\Temporary Internet Files\Content.IE5\89YH4Z2V\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\GiGi\Impostazioni locali\Temporary Internet Files\Content.IE5\E5MRCHWT\CA6FUNAX (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\GiGi\Impostazioni locali\Temporary Internet Files\Content.IE5\QXMPQD41\CA6VOL2V (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\GiGi\Impostazioni locali\Temporary Internet Files\Content.IE5\QXMPQD41\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Documenti\programmi\win.pro\WS - win xp fix\Windows XP Keygen.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Impostazioni locali\Temporary Internet Files\Content.IE5\0P8F8DKH\index[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Impostazioni locali\Temporary Internet Files\Content.IE5\0P8F8DKH\tGnhAsPp[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Impostazioni locali\Temporary Internet Files\Content.IE5\0VARC5UZ\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Impostazioni locali\Temporary Internet Files\Content.IE5\0VARC5UZ\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Impostazioni locali\Temporary Internet Files\Content.IE5\K9M7456B\CAJ6Q9F3 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Impostazioni locali\Temporary Internet Files\Content.IE5\K9M7456B\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Impostazioni locali\Temporary Internet Files\Content.IE5\Q1MLA72L\InstallAVg_770522170082[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Impostazioni locali\Temporary Internet Files\Content.IE5\Q1MLA72L\CAQ3WP23 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\_Mirko_\Impostazioni locali\Temporary Internet Files\Content.IE5\Q1MLA72L\CAYN052F (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP532\A0087521.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP534\A0087610.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP535\A0087668.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP536\A0087725.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP536\A0088725.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP539\A0088835.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP540\A0088868.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP540\A0088869.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0088952.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0088953.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0088954.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0088963.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0089952.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0090972.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0092991.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0092993.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0092994.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0092995.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0092996.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0092997.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0093000.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A441743D-4D31-47DB-806E-8C5B88711702}\RP541\A0093001.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXNFvWM.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vrhuga.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wjmpaokl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enayik.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ppymor.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urofiici.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mseloqld.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xawhnnsv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Combofix:

ComboFix 09-01-31.02 - _Mirko_ 2009-02-01 13.02.14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.895.532 [GMT 1:00]
Eseguito da: c:\documents and settings\_Mirko_\Desktop\ComboFix.exe
FW: ActiveArmor Firewall *disabled*
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\_Mirko_\Impostazioni locali\Dati applicazioni\ssoocik.dat
c:\documents and settings\_Mirko_\Impostazioni locali\Dati applicazioni\ssoocik.exe
c:\documents and settings\_Mirko_\Impostazioni locali\Dati applicazioni\ssoocik_nav.dat
c:\documents and settings\_Mirko_\Impostazioni locali\Dati applicazioni\ssoocik_navps.dat
c:\documents and settings\_Mirko_\Menu Avvio\Programmi\Videos.url
c:\documents and settings\_Mirko_\Preferiti\Videos.url
c:\windows\system32\aascqvim.ini
c:\windows\system32\asruak.dll
c:\windows\system32\fkqefrgr.ini
c:\windows\system32\gcefxmri.ini
c:\windows\system32\geiivlqv.ini
c:\windows\system32\gvkteopc.ini
c:\windows\system32\gygldhbc.ini
c:\windows\system32\hspivmms.ini
c:\windows\system32\hydfabmo.ini
c:\windows\system32\igcqhedh.ini
c:\windows\system32\kbybrwts.ini
c:\windows\system32\kekolwup.ini
c:\windows\system32\ltbafxbn.ini
c:\windows\system32\lygtxrxw.ini
c:\windows\system32\mkemwjxn.ini
c:\windows\system32\mwkrfvxs.dll
c:\windows\system32\MWvFNXbc.ini
c:\windows\system32\MWvFNXbc.ini2
c:\windows\system32\orkhgtut.ini
c:\windows\system32\rwnblplu.ini
c:\windows\system32\sscflmla.ini
c:\windows\system32\tjgrihsr.ini
c:\windows\system32\tvohtjdl.ini
c:\windows\system32\umktuhuc.ini
c:\windows\system32\vuqjav.dll
c:\windows\system32\wbtlxrsh.dll
c:\windows\system32\xpcodslw.ini
c:\windows\Tasks\lxbkrjdh.job

.
((((((((((((((((((((((((( Files Creati Da 2009-01-01 al 2009-02-01 )))))))))))))))))))))))))))))))))))
.

2009-01-31 19:57 . 2009-01-31 19:57 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-01-31 19:57 . 2009-01-31 19:57 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-01-31 19:57 . 2009-01-31 19:57 <DIR> d-------- c:\documents and settings\_Mirko_\Dati applicazioni\Malwarebytes
2009-01-31 19:57 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 19:57 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-30 21:00 . 2009-01-30 21:00 <DIR> d-------- c:\programmi\Trend Micro
2009-01-22 13:21 . 2009-01-22 13:21 1,474,003 --ahs---- c:\windows\system32\gygldhbc.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 11:55 --------- d-----w c:\documents and settings\_Mirko_\Dati applicazioni\OpenOffice.org2
2009-02-01 11:03 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Skype
2009-02-01 10:58 --------- d-----w c:\programmi\CRS Manager
2009-01-31 18:47 --------- d-----w c:\documents and settings\GiGi\Dati applicazioni\OpenOffice.org2
2009-01-30 18:57 --------- d-----w c:\programmi\eMule
2009-01-19 13:08 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Nero
2009-01-19 13:08 --------- d-----w c:\documents and settings\_Mirko_\Dati applicazioni\Nero
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-27 22:04 57,696 ----a-w c:\windows\system32\bit4cnsp-uninst.exe
2007-07-30 17:38 24,192 ----a-w c:\documents and settings\_Mirko_\usbsermptxp.sys
2007-07-30 17:38 22,768 ----a-w c:\documents and settings\_Mirko_\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RocketDock"="c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 630784]
"Nero PhotoShow Media Manager"="c:\progra~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe" [2007-04-27 312848]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-16 86016]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2008-05-19 185896]
"DSLSTATEXE"="c:\program files\D-Link\DSL-200\dslstat.exe" [2005-12-12 344064]
"DSLAGENTEXE"="c:\program files\D-Link\DSL-200\dslagent.exe" [2005-08-25 65536]
"NeroFilterCheck"="c:\programmi\File comuni\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-05-27 413696]
"bit4id store register"="c:\windows\system32\bit4cnsp.dll" [2008-05-16 155648]
"SSLEmptyCache"="c:\windows\system32\SSLEmptyCache.exe" [2008-05-21 57344]
"nwiz"="nwiz.exe" [2006-08-16 c:\windows\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\documents and settings\_Mirko_\Documenti\programmi\nokia pc suit\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\GiGi\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 2.2.lnk - c:\programmi\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]

c:\documents and settings\_Mirko_\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 2.2.lnk - c:\programmi\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
Thoosje Vista Sidebar.lnk - c:\programmi\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe [2007-10-22 524288]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-08 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ozcist.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Pro_wIRC\\mirc.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Programmi\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=

R3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.SYS [2007-05-14 508288]
S3 ACSSCR;ACR38 Smart Card Reader;c:\windows\system32\drivers\a38usbxp.sys [2008-11-24 24832]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programmi\MAGIX\Common\Database\bin\fbserver.exe [2008-02-17 1527900]
S3 UPnPService;UPnPService;c:\programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe [2008-02-17 544768]
.
Contenuto della cartella 'Scheduled Tasks'

2009-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

BHO-{58BCEB7B-7633-423E-A8CA-F57460E66A4D} - c:\windows\system32\cbXNFvWM.dll
BHO-{DB35C569-5624-4CFC-8043-E5139F55A073} - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-ssoocik - c:\documents and settings\_mirko_\impostazioni locali\dati applicazioni\ssoocik.exe


.
------- Scansione supplementare -------
.
mStart Page = hxxp://it.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {15D151C8-5180-43C1-9360-4D794663BD6E} - hxxp://www.crs.regione.lombardia.it/components/OcsKitCittadino.cab
DPF: {3263F297-5CB9-4D8C-A2DB-CDFB8C69CB6D} - hxxp://www.crs.regione.lombardia.it/components/OcxCertUpdate.cab
DPF: {4384AA75-43AB-4095-84F9-C5B35EC62B5D} - hxxp://www.crs.regione.lombardia.it/components/OcxCrsInfo.cab
FF - ProfilePath - c:\documents and settings\_Mirko_\Dati applicazioni\Mozilla\Firefox\Profiles\71m60qh7.default\
FF - prefs.js: browser.startup.homepage - hxxp://it.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=it-it&FORM=MICI05&q=
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 13:05:43
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2009-02-01 13.07.07
ComboFix-quarantined-files.txt 2009-02-01 12:06:49

Pre-Run: 203.059.064.832 byte disponibili
Post-Run: 204,779,806,720 byte disponibili

167 --- E O F --- 2009-01-14 13:03:06

Nuovo log di Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.07.34, on 01/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Programmi\DAEMON Tools Lite\daemon.exe
C:\Programmi\OpenOffice.org 2.2\program\soffice.exe
C:\Programmi\OpenOffice.org 2.2\program\soffice.BIN
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bit4id store register] RUNDLL32.EXE "C:\WINDOWS\system32\bit4cnsp.dll",RegisterMyPhysicalStore
O4 - HKLM\..\Run: [SSLEmptyCache] C:\WINDOWS\system32\SSLEmptyCache.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programmi\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Documents and Settings\_Mirko_\Documenti\programmi\nokia pc suit\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Programmi\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Programmi\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {15D151C8-5180-43C1-9360-4D794663BD6E} (Posto di Lavoro del Cittadino - Attestazione) - http://www.crs.regione.lombardia.it/components/OcsKitCittadino.cab
O16 - DPF: {3263F297-5CB9-4D8C-A2DB-CDFB8C69CB6D} (Posto di Lavoro del Cittadino - Autenticazione utente) - http://www.crs.regione.lombardia.it/components/OcxCertUpdate.cab
O16 - DPF: {4384AA75-43AB-4095-84F9-C5B35EC62B5D} (Posto di Lavoro del Cittadino - Interprete dati) - http://www.crs.regione.lombardia.it/components/OcxCrsInfo.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://joint7sftrama.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: ozcist.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programmi\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 9238 bytes

r16 damme una mano ;) grazie in anticipo
Torna in alto
 
r16
Inviato: Sunday, February 01, 2009 1:36:34 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Ciao.
Non occorrono commenti, basta guardare i log....
Disattiva il ripristino configurazione di sistema, e tienilo disattivato, fino alla soluzione del problema http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80121
Avvia in modalità provvisoria http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80122
Avvia hijackthis, metti la spunta alle voci che andrò ad elencarti e con tutte le applicazioni chiuse e disconnesso da Internet,premi su fix checked
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [bit4id store register] RUNDLL32.EXE "C:\WINDOWS\system32\bit4cnsp.dll",RegisterMyPhysicalStore
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {15D151C8-5180-43C1-9360-4D794663BD6E} (Posto di Lavoro del Cittadino - Attestazione) - http://www.crs.regione.lombardia.it/components/OcsKitCittadino.cab
O16 - DPF: {3263F297-5CB9-4D8C-A2DB-CDFB8C69CB6D} (Posto di Lavoro del Cittadino - Autenticazione utente) - http://www.crs.regione.lombardia.it/components/OcxCertUpdate.cab
O16 - DPF: {4384AA75-43AB-4095-84F9-C5B35EC62B5D} (Posto di Lavoro del Cittadino - Interprete dati) - http://www.crs.regione.lombardia.it/components/OcxCrsInfo.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://joint7sftrama.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: ozcist.dll

Scarica VIRIT :
http://www.tgsoft.it/italy/download.htm lo aggiorni (cliccando sulla parabola in alto) e fai la scansione in Modalità Provvisoria (è molto importante).
Posta anche il log. (lo trovi sull'icona in alto, con raffigurato un block notes ,con una penna)
Scarica Spy-Bot da qui http://www.aiutaamici.com/software?ID=10831 e fai una scansione sempre in Modalità Provvisoria.

Dai una pulita (registro compreso)con CCleaner http://www.aiutaamici.com/software?ID=11223
Riavvia il computer.
*********************************************************************************************************
Scarica questo:Avenger, scompatta Avenger all'interno di una apposita cartella.
http://swandog46.geekstogo.com/avenger.zip

Avvia AVENGER
Clicca Ok
Inserisci queste righe (fai copia-incolla) nel riquadro bianco: (quelle in neretto)

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Clicca su Execute e aspetta...
Il pc dovrebbe riavviarsi, se così non fosse, riavvialo tu.
Al termine dell'operazione, posta qui il risultato di Avenger con un log aggiornato di hijackthis.
Torna in alto
 
sodomino
Inviato: Sunday, February 01, 2009 1:38:14 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
ok grazie r16 sei sempre il migliore ;) e x l'altro problema di cui t avevo parlato ke mi dici??
Torna in alto
 
r16
Inviato: Sunday, February 01, 2009 1:45:25 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
Leggi bene il post precedente che ho aggiunto delle operazioni.
sodomino , risolviamo questo problema........Non preoccuparti dell'altro, per quello che posso, ti darò una mano, anche a risolverlo.
Torna in alto
 
sodomino
Inviato: Sunday, February 01, 2009 1:48:11 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
ok t farò saxe stasera cm va xkè ora devo andare a lavoro grazie in anticipo ;)
Torna in alto
 
sodomino
Inviato: Sunday, February 01, 2009 1:58:56 PM
Rank: AiutAmico

Iscritto dal : 7/17/2008
Posts: 96
ma devo mandarti qualkosa??? qualke log??
Torna in alto
 
r16
Inviato: Sunday, February 01, 2009 2:20:30 PM
Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016
sodomino ha scritto:
ma devo mandarti qualkosa??? qualke log??


sodomino , sei distratto.....Think
Come richiesto:
Il log di Virit.
Il log di Avenger.
Per ultimo il log di HJT.
Torna in alto
 
Utenti presenti in questo topic
Guest

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Virus Cancellano file di sistema??


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.