...I was only able to carry out what was suggested to me today; below are the .log files from ComboFix and HijackThis
ComboFix 08-12-09.02 - Dera 2008-12-10 10.23.41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.80 [GMT 1:00]
Running from: c:\documents and settings\Dera\Desktop\percorso salvataggio\04_COMBOFIX\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Dera\Dati applicazioni\addons.dat
c:\windows\system32\crviewer.dll
E:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://bmt2.info
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.
2008-12-09 15:02 . 2008-12-09 15:02 <DIR> d-------- c:\programmi\IESurfBar
2008-12-07 21:46 . 2008-12-07 21:47 69 --a------ c:\windows\NeroDigital.ini
2008-12-04 17:03 . 2008-12-05 15:34 0 --a------ c:\windows\system32\luna.jss
2008-12-04 15:55 . 2008-12-04 15:55 <DIR> d-------- c:\windows\system32\URTTEMP
2008-12-04 15:52 . 2008-12-04 15:53 <DIR> d-------- c:\programmi\MapInfo MapX
2008-12-04 15:52 . 2001-02-03 01:26 663,609 --a------ c:\windows\system32\exlate32.dll
2008-12-04 15:51 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-04 15:51 . 2002-12-17 16:23 33,340 --a------ c:\windows\system32\dbmsqlgc.dll
2008-12-04 15:51 . 2002-10-20 14:05 24,576 --a------ c:\windows\system32\dbmsgnet.dll
2008-12-04 15:50 . 2008-12-04 15:50 <DIR> d-------- c:\programmi\Microsoft SQL Server
2008-12-04 15:49 . 2008-12-04 15:53 <DIR> d-------- c:\programmi\Seagate Software
2008-12-04 15:48 . 2008-12-05 14:46 <DIR> d-------- c:\windows\Crystal
2008-12-04 15:48 . 2008-12-04 15:49 <DIR> d-------- c:\programmi\File comuni\Software FX Shared
2008-12-04 15:48 . 2008-12-04 15:48 <DIR> d-------- c:\programmi\File comuni\DBS
2008-12-04 15:48 . 2008-12-04 15:48 <DIR> d-------- c:\programmi\File comuni\Data Dynamics
2008-12-01 15:44 . 2004-03-22 05:17 24,816 --a------ c:\windows\system32\mdimon.dll
2008-12-01 15:44 . 2008-12-01 15:44 424 --a------ c:\windows\ODBC.INI
2008-12-01 15:37 . 2008-12-01 15:41 <DIR> d-------- c:\windows\SHELLNEW
2008-12-01 15:37 . 2008-12-01 15:37 <DIR> d-------- c:\programmi\Microsoft.NET
2008-12-01 13:42 . 2008-12-01 13:42 <DIR> d-------- c:\documents and settings\Dera\Dati applicazioni\Ahead
2008-12-01 13:39 . 2006-03-02 13:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-01 13:27 . 2008-12-01 13:27 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Ahead
2008-12-01 13:22 . 2008-12-01 13:22 <DIR> d-------- c:\programmi\Nero
2008-12-01 13:22 . 2008-12-01 13:25 <DIR> d-------- c:\programmi\File comuni\Ahead
2008-12-01 13:22 . 2008-12-01 13:22 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Nero
2008-12-01 12:21 . 2008-12-01 12:21 <DIR> d-------- c:\windows\ASYM
2008-12-01 12:21 . 2008-12-01 12:21 185,680 --a------ c:\windows\_9847960.TTF
2008-12-01 12:21 . 2008-12-01 12:21 60,012 --a------ c:\windows\_1C57E67.TTF
2008-12-01 12:21 . 2008-12-01 12:21 54,032 --a------ c:\windows\_BB6627C.TTF
2008-12-01 12:20 . 2008-12-01 12:21 141 --a------ c:\windows\asym.ini
2008-11-30 21:42 . 2008-11-30 21:42 <DIR> d-------- c:\programmi\PowerISO
2008-11-30 21:42 . 2008-12-01 12:54 1,291 --ah----- c:\windows\system32\drivers\logg.dat
2008-11-28 10:41 . 2008-11-28 10:41 13,030 --a------ C:\PDOXUSRS.NET
2008-11-28 09:45 . 2008-11-28 09:45 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2008-11-28 09:27 . 2008-11-28 09:27 <DIR> d-------- c:\programmi\Bonjour
2008-11-28 09:07 . 2008-11-28 09:07 <DIR> d-------- c:\programmi\File comuni\Macrovision Shared
2008-11-28 08:32 . 2008-11-28 08:42 <DIR> d-------- C:\ACCA
2008-11-28 08:32 . 1999-11-12 04:11 183,808 --a------ c:\windows\system32\bdeadmin.cpl
2008-11-28 08:32 . 1997-05-30 00:00 21,824 --a------ c:\windows\system32\drivers\CPWNT.SYS
2008-11-28 08:32 . 2002-05-21 00:05 16,948 --a------ c:\windows\system32\CPWIN32.DLL
2008-11-19 22:13 . 2008-11-19 22:13 543 --a------ c:\windows\EvvivaRG.ini
2008-11-19 22:13 . 2008-11-19 22:13 502 --a------ c:\windows\NEXTRG.INI
2008-11-19 22:11 . 2008-11-19 22:11 <DIR> d-------- c:\programmi\Finson Live Update
2008-11-19 22:11 . 2004-12-16 17:14 717,824 --a------ c:\windows\system32\NextRG.exe
2008-11-19 22:11 . 2005-04-13 11:07 79,360 --a------ c:\windows\system32\FinsonLU.dll
2008-11-19 22:11 . 2001-08-31 12:00 26,647 --a------ c:\windows\system32\hh.exe
2008-11-19 22:08 . 2000-10-02 00:00 122,128 --a------ c:\windows\system32\Vb6it.dll
2008-11-19 22:08 . 1999-06-02 23:00 101,888 --a------ c:\windows\system32\Vb6stkit.dll
2008-11-19 22:08 . 2008-11-19 22:09 61 --a------ c:\windows\FINSON.INI
2008-11-10 16:33 . 2008-11-10 16:33 <DIR> d-------- c:\programmi\Alwil Software
2008-11-10 16:28 . 2008-12-09 15:18 <DIR> d-------- c:\programmi\Spyware Terminator
2008-11-10 16:28 . 2008-12-09 15:04 <DIR> d-------- c:\documents and settings\Dera\Dati applicazioni\Spyware Terminator
2008-11-10 16:28 . 2008-12-09 15:18 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Spyware Terminator
2008-11-10 16:28 . 2008-11-10 16:28 141,312 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 09:10 --------- d-----w c:\documents and settings\Dera\Dati applicazioni\BitTorrent
2008-12-10 07:20 --------- d-----w c:\programmi\eMule
2008-12-07 20:47 --------- d-----w c:\documents and settings\Dera\Dati applicazioni\dvdcss
2008-12-05 15:22 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-12-04 14:46 --------- d-----w c:\programmi\File comuni\InstallShield
2008-11-28 08:27 --------- d-----w c:\programmi\File comuni\Adobe
2008-11-10 15:28 --------- d-----w c:\programmi\Crawler
2008-11-09 13:50 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-11-07 10:04 --------- d-----w c:\documents and settings\Dera\Dati applicazioni\vlc
2008-11-07 09:56 --------- d-----w c:\programmi\VideoLAN
2008-11-02 09:37 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2008-11-02 09:30 --------- d-----w c:\programmi\CCleaner
2008-10-31 15:52 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-31 15:52 --------- d-----w c:\programmi\Java
2008-10-29 16:26 --------- d-----w c:\documents and settings\Dera\Dati applicazioni\DNA
2008-10-17 16:47 --------- d-----w c:\documents and settings\Dera\Dati applicazioni\ZipGenius
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="c:\programmi\Spyware Terminator\SpywareTerminatorShield.exe" [2008-11-10 1783808]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"SENTINEL"= snti386.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\DNA\\btdna.exe"=
"c:\\Programmi\\BitTorrent\\bittorrent.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:bittorrent TCP
"3587:TCP"= 3587:TCP:Gruppi peer-to-peer Windows
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-10 111184]
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-11-10 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-10 20560]
R2 cpwnt;cpwnt;c:\windows\system32\drivers\cpwnt.sys [2008-11-28 21824]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;"c:\programmi\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe" [2008-01-30 106496]
R3 banshee;banshee;c:\windows\system32\DRIVERS\banshee.sys [2008-07-06 36128]
S3 MSSQL$SQLINFOTEL;MSSQL$SQLINFOTEL;c:\programmi\Microsoft SQL Server\MSSQL$SQLINFOTEL\Binn\sqlservr.exe -sSQLINFOTEL []
S3 SQLAgent$SQLINFOTEL;SQLAgent$SQLINFOTEL;c:\programmi\Microsoft SQL Server\MSSQL$SQLINFOTEL\Binn\sqlagent.EXE -i SQLINFOTEL []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
*Newly Created Service* - CATCHME
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{74233E61-EF19-25AF-B35C-83DCA1391BA5}]
c:\windows\system32\drivers\smss.exe s
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 10:28:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-10 10.30.20
ComboFix-quarantined-files.txt 2008-12-10 09:30:16
ComboFix2.txt 2008-10-31 15:41:02
ComboFix3.txt 2008-10-30 11:41:31
Pre-Run: 3.997.605.888 byte disponibili
Post-Run: 4,001,595,392 byte disponibili
150
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.39.23, on 10/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\Programmi\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dera\Desktop\percorso salvataggio\03_HIJACKTHIS\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Toolbar &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Programmi\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
--
End of file - 5627 bytes