Infezione Rouge Residue - Sicurezza VIRUS

Benvenuto Ospite

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Infezione Rouge Residue

Infezione Rouge Residue

Opzioni

Topic Precedente · Topic Sucessivo

Umberto19870

Inviato: Saturday, April 18, 2009 2:55:46 PM

Rank: AiutAmico

Iscritto dal : 12/22/2005
Posts: 165

La scansione con Malwarebytes' Anti-Malware 1.36 mi ha riportato il seguente file infetto:

Chiavi di registro infette:
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> No action taken.

Il log di HiJackThis è il seguente:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.49.59, on 18/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\documents and settings\nannarino\impostazioni locali\dati applicazioni\gkcscgi.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Sandboxie\SbieSvc.exe
C:\Programmi\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programmi\Spyware Doctor\pctsSvc.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Windows Live\Toolbar\wltuser.exe
C:\Programmi\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Nannarino\Documenti\File ricevuti\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60076
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60076
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60076
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60076
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programmi\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programmi\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programmi\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] "C:\Programmi\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [gkcscgi] "c:\documents and settings\nannarino\impostazioni locali\dati applicazioni\gkcscgi.exe" gkcscgi
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1235084186859&h=4cf64d080558fd732a1d1a7f4f92eb6d/&filename=jinstall-6u12-windows-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programmi\Sandboxie\SbieSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe

--
End of file - 10003 bytes

Torna in alto

Sponsor

Inviato: Saturday, April 18, 2009 2:55:46 PM

Torna in alto

r16

Inviato: Saturday, April 18, 2009 3:01:17 PM

Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016

Ciao.
Hai ancora un'infezione:
Importante: Disabilita il tuo antivirus e chiudi TUTTI i programmi aperti,e dopo aver scaricato COMBOFIX, chiudi la connessione.

Scarica Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Salvalo sul desktop.
Doppio click su combofix.exe (comparirà una videata.)
Se ti verrà chiesto se vuoi Installare LA CONSOLE DI RIPRISTINO DI EMERGENZA, clicca NO.
E' probabile che ti siano inviati messaggi dall'antivirus, tu ignorali.
Durante l'operazione di scansione è importante non usare il PC (neanche il mouse) e attendere pazientemente la fine delle operazioni.
Al termine, verrà creato un file log sul Desktop, chiamato C:\ComboFix.txt. Postalo qui.
Posta anche un nuovo log di HJT.

Torna in alto

bazzurlone

Inviato: Saturday, April 18, 2009 4:16:15 PM

Rank: AiutAmico

Iscritto dal : 1/20/2005
Posts: 1,537

Ciao r16 dopo che stupidamente ,per curiosita',ho seguito il consiglio di un fesso e ho installato Live Player infognandomi, mi ritrovo il rogue.
ti posto il log di combofix,grazie
ComboFix 09-04-18.05 - Manlio & Paola 18/04/09 16.01.30.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.2046.1460 [GMT 2:00]
Eseguito da: c:\documents and settings\Manlio & Paola\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
Error: Cfolders.dat

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Manlio & Paola\Impostazioni locali\Dati applicazioni\oucuu.dat
c:\documents and settings\Manlio & Paola\Impostazioni locali\Dati applicazioni\oucuu.exe
c:\documents and settings\Manlio & Paola\Impostazioni locali\Dati applicazioni\oucuu_nav.dat
c:\documents and settings\Manlio & Paola\Impostazioni locali\Dati applicazioni\oucuu_navps.dat
c:\windows\system32\_000228_.tmp.dll

.
((((((((((((((((((((((((( Files Creati Da 2009-03-18 al 2009-04-18 )))))))))))))))))))))))))))))))))))
.

2009-04-17 14:38 . 2009-04-17 14:38 -------- d-----w c:\documents and settings\Manlio & Paola\Dati applicazioni\live-player
2009-04-15 16:42 . 2009-04-15 16:43 1374 ----a-w c:\windows\imsins.BAK
2009-04-15 16:08 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:08 . 2009-03-06 14:19 286208 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:08 . 2009-02-09 11:22 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 16:08 . 2009-02-09 10:51 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:08 . 2009-02-09 10:51 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:07 . 2008-04-21 21:14 219136 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 07:44 . 2009-04-13 07:47 -------- d-----w c:\documents and settings\Manlio & Paola\Impostazioni locali\Dati applicazioni\Ashampoo
2009-04-10 14:23 . 2008-09-25 13:20 483328 ----a-w c:\windows\system32\actskn45.ocx
2009-04-08 17:25 . 2009-04-08 17:25 1048576 ---h--w c:\windows\cache.dmx
2009-04-06 17:40 . 2008-07-09 09:05 421888 ----a-w c:\windows\system32\ac3filter.acm
2009-04-06 17:16 . 2009-04-06 17:16 1048576 ---h--w C:\cache.dmx
2009-04-04 17:44 . 2005-08-25 20:10 9804 ----a-w c:\windows\system\temp.000
2009-04-04 17:44 . 2005-08-25 20:09 7244 ----a-w c:\windows\system\temp.001
2009-04-04 15:27 . 2005-08-25 20:10 9804 ----a-w c:\windows\system\vdremote.dll
2009-04-04 15:27 . 2005-08-25 20:09 7244 ----a-w c:\windows\system\vdsvrlnk.dll
2009-04-04 15:00 . 2006-08-01 18:06 12952 ----a-w c:\windows\system32\drivers\DLACDBHM.SYS
2009-04-04 15:00 . 2006-08-01 17:46 51800 ----a-w c:\windows\system32\drivers\DRVNDDM.SYS
2009-04-04 15:00 . 2009-04-04 15:08 -------- d-----w c:\windows\system32\DLA
2009-04-04 15:00 . 2006-08-08 07:18 56056 ----a-w c:\windows\system32\DLAAPI_W.DLL
2009-04-04 15:00 . 2006-08-08 07:18 92920 ----a-w c:\windows\DLA.EXE
2009-04-04 15:00 . 2006-08-01 18:06 28216 ----a-w c:\windows\system32\drivers\DLARTL_M.SYS
2009-03-31 17:35 . 2009-03-31 17:35 142592 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-03-20 13:20 . 2009-03-20 13:20 -------- d-----w c:\documents and settings\Manlio & Paola\Dati applicazioni\OpenOffice.org
2009-03-19 17:50 . 2009-03-19 17:50 -------- d-sh--w c:\documents and settings\Manlio & Paola\IECompatCache
2009-03-19 17:48 . 2009-03-19 17:48 -------- d-sh--w c:\documents and settings\Manlio & Paola\PrivacIE
2009-03-19 17:47 . 2009-03-19 17:47 -------- d-sh--w c:\documents and settings\Manlio & Paola\IETldCache
2009-03-19 17:40 . 2009-02-20 17:08 78336 -c--a-w c:\windows\system32\dllcache\ieencode.dll
2009-03-19 17:40 . 2009-02-20 17:08 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-19 17:38 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 14:08 . 2009-01-23 17:51 33046560 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-18 13:58 . 2009-01-07 19:19 -------- d-----w c:\documents and settings\Manlio & Paola\Dati applicazioni\Spamihilator
2009-04-18 13:50 . 2008-04-18 17:02 -------- d-----w c:\programmi\EMCO Malware Destroyer
2009-04-17 20:30 . 2009-01-23 17:51 385928 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-17 20:29 . 2009-04-18 06:39 2251264 ----a-w c:\windows\Internet Logs\xDB17.tmp
2009-04-17 20:29 . 2009-04-18 06:39 21504 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-17 18:49 . 2009-04-17 20:09 161792 ----a-w c:\windows\Internet Logs\xDB16.tmp
2009-04-16 17:38 . 2009-04-16 17:38 -------- d-----w c:\programmi\Lphant Applications
2009-04-16 17:38 . 2009-04-10 14:17 -------- d-----w c:\programmi\Lphant
2009-04-14 17:20 . 2008-03-08 08:57 -------- d-----w c:\documents and settings\Manlio & Paola\Dati applicazioni\Roxio
2009-04-11 13:22 . 2009-04-11 17:52 166912 ----a-w c:\windows\Internet Logs\xDB18.tmp
2009-04-11 13:09 . 2008-10-24 17:18 -------- d-----w c:\programmi\Download Express
2009-04-11 07:25 . 2008-03-08 14:00 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-04-11 07:21 . 2008-03-08 14:00 -------- d-----w c:\programmi\Spybot - Search & Destroy
2009-04-08 18:36 . 2009-02-09 17:25 -------- d-----w c:\programmi\Malwarebytes' Anti-Malware
2009-04-08 17:24 . 2009-04-08 17:23 -------- d-----w c:\programmi\InterActual
2009-04-07 08:38 . 2009-01-02 14:39 -------- d-----w c:\programmi\LimeWire
2009-04-07 07:30 . 2009-04-04 14:52 -------- d-----w c:\programmi\Roxio
2009-04-06 19:21 . 2009-04-06 19:21 -------- d-----w c:\programmi\Smart Projects
2009-04-06 19:12 . 2008-03-08 08:49 -------- d-----w c:\programmi\File comuni\Sonic Shared
2009-04-06 17:40 . 2009-04-06 17:40 -------- d-----w c:\programmi\XP Codec Pack
2009-04-06 13:32 . 2009-02-09 17:25 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 . 2009-02-09 17:25 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 13:07 . 2008-03-07 18:46 65928 ----a-w c:\documents and settings\Manlio & Paola\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-04-05 18:42 . 2009-04-05 19:09 25600 ----a-w c:\windows\Internet Logs\xDB1F.tmp
2009-04-05 18:42 . 2009-04-05 19:09 2148352 ----a-w c:\windows\Internet Logs\xDB23.tmp
2009-04-05 15:38 . 2009-04-05 17:56 2147840 ----a-w c:\windows\Internet Logs\xDB22.tmp
2009-04-05 15:38 . 2009-04-05 17:56 182784 ----a-w c:\windows\Internet Logs\xDB20.tmp
2009-04-05 13:55 . 2009-01-25 13:52 -------- d-----w c:\documents and settings\Manlio & Paola\Dati applicazioni\Free Download Manager
2009-04-04 14:58 . 2009-04-04 14:58 -------- d-----w c:\programmi\File comuni\SureThing Shared
2009-04-04 14:56 . 2008-03-08 08:49 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Roxio
2009-04-04 14:55 . 2008-03-08 08:48 -------- d-----w c:\programmi\File comuni\Roxio Shared
2009-04-04 14:50 . 2008-03-08 08:47 -------- d-----w c:\programmi\DivX
2009-04-02 18:24 . 2008-03-07 18:23 -------- d-----w c:\programmi\Java
2009-04-02 18:23 . 2004-08-19 12:00 86014 ----a-w c:\windows\system32\perfc010.dat
2009-04-02 18:23 . 2004-08-19 12:00 472868 ----a-w c:\windows\system32\perfh010.dat
2009-03-31 18:40 . 2009-03-31 18:42 183808 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-24 18:02 . 2009-03-24 18:02 -------- d-----w c:\programmi\JRE
2009-03-24 18:02 . 2009-01-22 20:33 -------- d-----w c:\programmi\OpenOffice.org 3
2009-03-18 17:26 . 2009-03-09 16:37 -------- d-----w c:\programmi\iDC++
2009-03-09 03:19 . 2008-11-23 19:08 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-03-06 14:19 . 2004-08-19 12:00 286208 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:03 . 2004-08-19 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 14:28 . 2009-01-02 14:40 -------- d-----w c:\documents and settings\Manlio & Paola\Dati applicazioni\LimeWire
2009-03-01 08:47 . 2009-03-01 08:38 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\iolo
2009-03-01 08:47 . 2009-03-01 08:47 74703 ----a-w c:\windows\system32\mfc45.dll
2009-02-09 14:04 . 2004-08-19 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:23 . 2004-08-19 15:34 2027520 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:22 . 2004-08-19 12:00 2148864 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:22 . 2004-08-19 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:51 . 2004-08-19 12:00 734720 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:51 . 2004-08-19 12:00 683520 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:51 . 2004-08-19 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:51 . 2004-08-19 12:00 736256 ----a-w c:\windows\system32\ntdll.dll
2009-02-07 15:32 . 2009-02-07 15:32 76875 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-06 10:39 . 2004-08-19 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:57 . 2004-08-19 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-26 19:31 . 2008-09-02 17:00 737280 -c--a-w c:\windows\iun6002.exe
2009-01-23 17:49 . 2009-01-23 17:47 4212 ---h--w c:\windows\system32\zllictbl.dat
2008-03-07 18:11 . 2008-03-07 18:11 143 -c--a-w c:\documents and settings\Manlio & Paola\Impostazioni locali\Dati applicazioni\fusioncache.dat
2008-05-06 19:24 . 2008-05-06 19:24 32768 -csha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008050620080507\index.dat
.

------- Sigcheck -------

[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2009-01-11 08:33 360320 3C966F647BAB332093CB0F92692B5CB8 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-19 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2004-08-19 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2009-02-07 14:21 361344 68F06FE0021B01E670AF37B8C5964FDF c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2009-02-07 14:21 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\dllcache\tcpip.sys
[-] 2009-02-07 14:21 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IncrediMail"="c:\programmi\IncrediMail\bin\IncMail.exe" [2009-02-02 251264]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="c:\programmi\Spamihilator\spamihilator.exe" [2008-12-23 1321984]
"StartupDelayer"="c:\programmi\r2 Studios\Startup Delayer\Startup Launcher.exe" [2008-11-29 73728]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2008-09-24 1447168]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-19 44544]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\e:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programmi\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Programmi\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Programmi\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Magentic\\bin\\MgImp.exe"=
"c:\\Programmi\\Magentic\\bin\\Magentic.exe"=
"c:\\Programmi\\Magentic\\bin\\MgApp.exe"=
"c:\\Programmi\\PhotoJoy\\Bin\\PjApp.exe"=
"c:\\Programmi\\PhotoJoy\\Bin\\PjImp.exe"=
"c:\\Programmi\\PhotoJoy\\Bin\\PhotoJoy.exe"=
"c:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=

R2 MalwareDefenderService;Malware Defender Service; [x]
R3 MODRC;WinFast DTV Dongle Infrared receiver driver;c:\windows\system32\DRIVERS\wfdbmodr.sys [2005-09-20 8320]
R3 wfdbbda;WinFast DTV Dongle BDA Driver;c:\windows\system32\Drivers\wfdbbda.sys [2005-10-27 29952]
R3 WFDBLOAD;WinFast DTV Dongle Firmware Loader;c:\windows\system32\DRIVERS\wfdbload.sys [2005-09-20 18560]
R3 WFIOCTL;WFIOCTL;c:\programmi\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 9446]
S1 c2scsi;c2scsi; [x]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-09-24 34312]
S1 hhlleimo;hhlleimo;c:\windows\system32\drivers\hhlleimo.sys [2009-02-13 231424]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-03-31 142592]
S2 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-09-24 468224]
S2 NwSapAgent;Agente SAP;c:\windows\system32\svchost.exe [2008-04-14 14336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1980412c-185d-11dd-b38d-00c09fde9baf}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dff428bc-dfb7-11dd-b224-00c09fde9baf}]
\Shell\AutoRun\command - G:\StartPortableApps.exe
.
Contenuto della cartella 'Scheduled Tasks'

2009-02-21 c:\windows\Tasks\SmartDefrag.job
- c:\programmi\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-21 17:15]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-oucuu - c:\documents and settings\manlio & paola\impostazioni locali\dati applicazioni\oucuu.exe
Notify-WgaLogon - (no file)

.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.fastweb.it/portale/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
IE: Scarica con Download &Express - c:\programmi\Download Express\Add_Url.htm
IE: Scarica con Free Download Manager - file://c:\programmi\Free Download Manager\dllink.htm
IE: Scarica i video con Free Download Manager - file://c:\programmi\Free Download Manager\dlfvideo.htm
IE: Scarica selezionati con Free Download Manager - file://c:\programmi\Free Download Manager\dlselected.htm
IE: Scarica tutto con Free Download Manager - file://c:\programmi\Free Download Manager\dlall.htm
TCP: {7E4B9424-2CD5-4AA7-B3B0-3597804C49D6} = 29.253.128.10,1.253.128.39
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
FF - ProfilePath - c:\documents and settings\Manlio & Paola\Dati applicazioni\Mozilla\Firefox\Profiles\p4h90lxx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - MyStart Cerca
FF - prefs.js: browser.startup.homepage - hxxp://www.fastweb.it/portale/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - component: c:\documents and settings\Manlio & Paola\Dati applicazioni\Mozilla\Firefox\Profiles\p4h90lxx.default\extensions\{D249FD00-4DF9-11D9-9FDC-0080481ADA61}\components\mpint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 16:08
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UnlockerDriver5]
"ImagePath"="\??\c:\programmi\Unlocker\UnlockerDriver5.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\MANLIO~1\IMPOST~1\Temp\ASFWHide"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
.
Ora fine scansione: 2009-04-18 16.10.35
ComboFix-quarantined-files.txt 2009-04-18 14:10

Pre-Run: 61.837.971.456 byte disponibili
Post-Run: 62.000.979.968 byte disponibili

235

Torna in alto

enigmista63

Inviato: Saturday, April 18, 2009 4:34:15 PM

Rank: AiutAmico

Iscritto dal : 4/28/2007
Posts: 1,976

Ciao mi spiace che sia troppo tardi,ma non scarivare nulla che ti chiede di installare questi 2 software,non vengono rilevati ancora dalla maggiorranza degli antivirus.

Torna in alto

r16

Inviato: Saturday, April 18, 2009 6:17:41 PM

Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016

Ciao bazzurlone .
Apri un topic tutto tuo, che ti seguo meglio. Drool

Fai una scansione con Malwarebytes,e posti il log, mi posti il log di Combofix, e anche uno di HJT.
Malwarebytes, è in grado di eliminare quel rogue.
Comunque segui il percorso ed elimina la voce in rosso:
c:\documents and settings\Manlio & Paola\Dati applicazioni\live-player

Torna in alto

bazzurlone

Inviato: Saturday, April 18, 2009 7:42:08 PM

Rank: AiutAmico

Iscritto dal : 1/20/2005
Posts: 1,537

Per enigmista:questo è il post incriminato dove mi son lasciato convincere (da vero stupidone) http://forum.aiutamici.com/yaf_postst59534_latvgratis.aspx
Per r16 :Malawarebytes l'aveva gia' eliminato ma al riavvio me lo ritrovava,per questo ho approfittato del vostro topic.dopo il giro con combofix non dovrei piu' avere schifezze,comunque ti apro un nuovo post per non intralciare il tuo lavoro con umberto
Grazie a tutt'e due

Torna in alto

Umberto19870

Inviato: Saturday, April 18, 2009 7:51:11 PM

Rank: AiutAmico

Iscritto dal : 12/22/2005
Posts: 165

Ho fatto scaricare il programma Combofix a mio fratello ed è sorto il seguente problema (gli ho fatto disabilitare l'antivirus e l'antispyware); ha avviato il programma e dopo un po' (sono apparse delle scritte con un numero sequenziale) e dopo è arrivato un avvisio di riavvio del PC. Quando si è riavvito il pc si sono riattivati i software di sicurezza e non è riuscito a fare la scansione con combofix. Dove ha sbagliato? Come posso aiutarlo?

Torna in alto

r16

Inviato: Saturday, April 18, 2009 8:14:19 PM

Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016

Fà niente Umberto19870 , lo leviamo a mano quel navipromo.
Assicurati di avere accesso a file e cartelle nascosti
(Pannello di controllo-> Opzioni Cartella-> Visualizzazione)
1) Metti la spunta su: Visualizza file e cartelle nascoste
2) Togli la spunta: nascondi file protetti di sistema (consigliato)
Disattiva il ripristino configurazione di sistema, e tienilo disattivato, fino alla soluzione del problema http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80121
Se non sai "fixare"le voci,segui questa guida dettagliata: http://www.aiutaamici.com/software?ID=11175
Avvia hijackthis, metti la spunta alle voci che andrò ad elencarti e con tutte le applicazioni chiuse e disconnesso da Internet,premi su fix checked:

O4 - HKCU\..\Run: [gkcscgi] "c:\documents and settings\nannarino\impostazioni locali\dati applicazioni\gkcscgi.exe" gkcscgi

Trova e cancella i file in rosso:
C:\documents and settings\nannarino\impostazioni locali\dati applicazioni\gkcscgi.exe

Dai una pulita (registro compreso)con CCleaner http://www.aiutaamici.com/software?ID=11223

Riavvia il pc.
Riprova Combofix.

Torna in alto

Umberto19870

Inviato: Saturday, April 18, 2009 8:30:43 PM

Rank: AiutAmico

Iscritto dal : 12/22/2005
Posts: 165

Grazie r16 in settimana vado a casa da mio fratello e seguiro' la guida che mi hai indicato così ti posterò nuovamente il log. Recentemente gli avevo installato Acronis True Image e gli avevo consigliato di acquistare un hard disk esterno dove effettuare un'immagine del PC che in caso di problema ripristinava il tutto (parliamo di circa 1 mese fa). Non mi ha dato ascolto e ogni volta si ritrova a dover combatter con qualche virus & C. menomale che ci siete voi.

Torna in alto

r16

Inviato: Saturday, April 18, 2009 8:33:42 PM

Rank: AiutAmico

Iscritto dal : 8/7/2007
Posts: 11,016

Tranquillo Umberto19870 , non è un'infezione grave, ma bisognerebbe toglierla subito.
Infezioni, portano altre infezioni, se si trascurano per troppo tempo.
Ciao.

Torna in alto

Utenti presenti in questo topic

Guest

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Infezione Rouge Residue

Salta al Forum

Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Invia topic via Email

RSS Feed

Watch this topic

Stampa topic

Normale

Threaded