Aiutamici Forum

Trojan-Dropper.SEH
gape
Posted: Thursday, January 15, 2009 4:34:56 PM
Rank: AiutAmico

Member since: 2/8/2003
Posts: 68
Hello everyone. I have a big problem: my Vista OS is infected with Trojan-Dropper.SEH, an infection detected several times and deleted with Spyware Doctor. However, it keeps regenerating, and it also seems to block the full scan I try to run with Malwarebytes. Is there a program (preferably free) that gets rid of this trojan for good? Thanks to everyone who can give me some good advice.
dario-vr
Posted: Thursday, January 15, 2009 4:48:51 PM

Rank: AiutAmico

Member since: 3/28/2007
Posts: 633
gape wrote:
Hello everyone. I have a big problem: my Vista OS is infected with Trojan-Dropper.SEH, an infection detected several times and deleted with Spyware Doctor. However, it keeps regenerating, and it also seems to block the full scan I try to run with Malwarebytes. Is there a program (preferably free) that gets rid of this trojan for good? Thanks to everyone who can give me some good advice.

Spyware Doctor should get rid of the problem.
Obviously you first have to turn off System Restore.
Have you done that?
shapiro
Posted: Thursday, January 15, 2009 4:50:44 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
hi

try running a scan with HijackThis

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php#

Remember to put HIJACKTHIS in a folder of its own (in Program Files or Documents); the important thing is that it is not on the desktop or in a temporary folder, which matters if you want to keep the backups

Open HijackThis and click "Do a system scan and save a logfile"

Post the result here on the forum
gape
Posted: Thursday, January 15, 2009 5:09:49 PM
Rank: AiutAmico

Member since: 2/8/2003
Posts: 68
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.05.51, on 15/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\RFA Platinum\rfagent.exe
C:\Windows\AuthManagerV3.exe
C:\Windows\OcsCertSynchronizer.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Users\gaetano\AppData\Local\csyuico.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Presence 1.0.2\Presence.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\OCSCryptolib_Server.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\conime.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=it_it&c=84&bd=Presario&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://virgilio.alice.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=it_it&c=84&bd=Presario&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=it_it&c=84&bd=Presario&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Hewlett-Packard\HP Software UI\Easy Internet Signup\Common\templates\general\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Hewlett-Packard\HP Software UI\Easy Internet Signup\Common\templates\general\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA Platinum\rfagent.exe"
O4 - HKLM\..\Run: [AuthentIC Manager] C:\Windows\AuthManagerV3.exe
O4 - HKLM\..\Run: [Certificate Synchronizer] C:\Windows\OcsCertSynchronizer.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [csyuico] "c:\users\gaetano\appdata\local\csyuico.exe" csyuico
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Presence.lnk = C:\Program Files\Presence 1.0.2\Presence.exe
O8 - Extra context menu item: Compila Modulo - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Personalizza - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RF Barra strumenti - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Salva Moduli - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Compila - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Compila Modulo - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Salva - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Salva Moduli - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Barra strumenti - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O13 - Gopher Prefix:
O23 - Service: Utilità di pianificazione di LiveUpdate automatico (Automatic LiveUpdate Scheduler) - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Oberthur Cryptolib Service (OCSCryptolibService) - Oberthur Card Systems - C:\Windows\OCSCryptolib_Server.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13277 bytes
shapiro
Posted: Thursday, January 15, 2009 5:48:47 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
Download http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe and install it.
Restart the computer in Safe Mode: when the PC starts, before Windows begins loading, press F8 repeatedly. The Windows Advanced Options menu will appear
=> choose Safe Mode (use the arrow key ^).

Run Navilog1 and choose option 4, enter the name csyuico and confirm it by typing it again when asked

At this point it will clean the infected files off the PC.
When it finishes, restart the PC in normal mode

From normal mode, empty C:\WINDOWS\Prefetch

Clean temporary files and cookies with CCleaner (run it twice).

http://www.filehippo.com/download_ccleaner/

Open HJT and fix these entries

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Hewlett-Packard\HP Software UI\Easy Internet Signup\Common\templates\general\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Hewlett-Packard\HP Software UI\Easy Internet Signup\Common\templates\general\blank.htm

O4 - HKLM\..\Run: [AuthentIC Manager] C:\Windows\AuthManagerV3.exe

O4 - HKCU\..\Run: [csyuico] "c:\users\gaetano\appdata\local\csyuico.exe" csyuico

Analyze the file shown in red on VirusTotal

C:\Windows\AuthManagerV3.exe

Download Malwarebytes

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

1) install it
2) update it
3) run a scan, choosing full scan mode
4) do NOT remove any threats it detects
5) when the scan finishes, select the log tab, open the text file and post it on the forum
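As an added example (not part of this thread, and not code from HijackThis or any of the other tools named here), the Python script below automates the kind of triage shapiro does by hand on the log above: it parses the O4 autorun and O23 service entries and flags the ones a reviewer should look at first. The sample log lines are a constructed subset in the entry formats seen in the thread, the environment-variable defaults are assumed values, and the two path heuristics (an autostart binary inside a user profile or temp directory; a loose executable directly in the Windows folder rather than a subfolder) yield candidates for a hash lookup on a service such as VirusTotal, not verdicts, since legitimate software occasionally trips both. It goes slightly beyond the thread by also flagging services with no recorded publisher.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in HijackThis 2.0 log format, mirroring the O4 (autorun) and
# O23 (service) entry types seen in the thread. A hand-picked subset, not the full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AuthentIC Manager] C:\Windows\AuthManagerV3.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [csyuico] "c:\users\gaetano\appdata\local\csyuico.exe" csyuico
O4 - Global Startup: Presence.lnk = C:\Program Files\Presence 1.0.2\Presence.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

# Assumed defaults for the environment variables HijackThis leaves unexpanded;
# adjust them to the host being triaged (64-bit installs have two Program Files trees).
ENV_DEFAULTS = {
    "%programfiles%": r"C:\Program Files",
    "%windir%": r"C:\Windows",
    "%systemroot%": r"C:\Windows",
}

O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories an unprivileged user can write to: a persistence entry pointing here
# deserves a closer look (csyuico.exe in the thread is the textbook case).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|windows\\temp\\|temp\\)"
)
# A loose executable directly in the Windows directory (not in a subfolder such as system32).
WINDOWS_ROOT_FILE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:exe|dll|scr|com)$")


def expand_env(path: str) -> str:
    """Replace known %VAR% tokens with their assumed default values, case-insensitively."""
    lowered = path.lower()
    for var, value in ENV_DEFAULTS.items():
        idx = lowered.find(var)
        if idx >= 0:
            path = path[:idx] + value + path[idx + len(var):]
            lowered = path.lower()
    return path


def executable_of(command: str) -> str:
    """Pull the launched binary out of an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 1:
            return command[1:end]
    # Bare form: take everything up to the first executable-looking extension.
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|cmd|bat))(?=[\s,]|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def classify_path(path: str) -> Optional[str]:
    """Return a triage reason for a binary path, or None if nothing stands out."""
    norm = expand_env(path).lower()
    if USER_WRITABLE.search(norm):
        return "autostart binary in a user-writable profile/temp directory"
    if WINDOWS_ROOT_FILE.search(norm):
        return "binary placed directly in the Windows directory (not a subfolder)"
    return None


def triage(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Scan HijackThis O4/O23 lines; return (kind, name, path, reason) for flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            reason = classify_path(exe)
            if reason:
                findings.append(("O4", m.group("name"), exe, reason))
            continue
        m = O23_SERVICE.match(line)
        if m:
            path = m.group("path").strip()
            reason = classify_path(path)
            if m.group("owner").strip().lower() == "unknown owner":
                reason = "service with no publisher recorded ('Unknown owner')" + (
                    f"; {reason}" if reason else ""
                )
            if reason:
                findings.append(("O23", m.group("name"), path, reason))
    return findings


if __name__ == "__main__":
    for kind, name, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:4} {name:20} {path}\n     -> {reason}")
```

Run it with `python3 hjt_triage.py`; on the sample it flags AuthManagerV3.exe (Windows root), csyuico.exe (user-writable AppData) and the NMSAccessU service (no publisher), and nothing else. Feeding it a full log only requires replacing SAMPLE_LOG with the file contents; the Windows-root hits are exactly the ones worth hashing and looking up before fixing the entry, as shapiro asks for AuthManagerV3.exe.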
gape
Posted: Friday, January 16, 2009 11:06:26 AM
Rank: AiutAmico

Member since: 2/8/2003
Posts: 68
I went through the whole procedure up to the scan with Malwarebytes, which I was unable to complete because it freezes after scanning about 56000 items, getting stuck at the following point:
C:\Program Files\Hewlett Packard\HP Software UI\FrameworkFrontEnd\cs\consumer\compag\all_screens.xml.
This freeze locks up the display and the computer so badly that to shut it down I have to cut the power. A scan with Spyware Doctor reports a suspected HeurEngine.Packed.FSG infection. Everything else seems to work normally. Awaiting further instructions, thanks for everything.
maopapof
Posted: Friday, January 16, 2009 11:45:42 AM

Rank: AiutAmico

Member since: 10/31/2004
Posts: 7,185
excuse me ..... but isn't Spybot enough .... updated, of course!

.......... the computer so badly that to shut it down I have to cut the power ... always Ctrl+Alt+Del .... so that when you restart you can see what was blocking you ....
( start by running a scandisk )

shapiro
Posted: Friday, January 16, 2009 11:51:36 AM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
run the scan from Safe Mode, and follow maopapof's advice too
gape
Posted: Friday, January 16, 2009 1:44:34 PM
Rank: AiutAmico

Member since: 2/8/2003
Posts: 68
@ maopapof

Maybe you missed, inadvertently of course, the part where I say the computer freezes, so I have no option other than cutting the power. Anyway, thanks for your reply and suggestion.

gape
Posted: Friday, January 16, 2009 2:33:16 PM
Rank: AiutAmico

Member since: 2/8/2003
Posts: 68
I ran the scan in Safe Mode and the result is as follows:

Malwarebytes' Anti-Malware 1.33
Versione del database: 1656
Windows 6.0.6001 Service Pack 1

16/01/2009 14.17.27
mbam-log-2009-01-16 (14-17-27).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 168491
Tempo trascorso: 20 minute(s), 26 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)

The only remaining issue is that I can't run the full scan under normal conditions. Thanks
shapiro
Posted: Friday, January 16, 2009 4:27:58 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
So......the problem you described at the start of this thread was precisely that you couldn't run a full scan with Malwarebytes, but, as you've seen, we got past that obstacle by scanning in Safe Mode, even though, as you can see, it found nothing. No argument there....now we need to understand why this virus keeps regenerating....right?

let's have it searched for by the one who has by now become the ''symbol'' of searching

let me introduce Mr ComboFix

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your antivirus and anti-spyware programs
Disconnect the PC from the internet

If you have program shortcuts on the desktop, create a dedicated folder and copy them into it

Double-click combofix.exe and follow the step-by-step instructions

When it has finished it will create the log C:\combofix.txt; save it and post it like the other reports.

Note: during the scan some files will be created on the desktop and the icons will disappear; some program may ask you what to do about removing drivers, in which case agree, they are probably infected drivers.

The program will create the folder C:\QooBox, inside which it will place a backup of the removed files and a backup of the Windows registry called Hiv-backup.

DO NOT TOUCH THE MOUSE OR KEYBOARD during the scan.
gape
Posted: Friday, January 16, 2009 5:27:35 PM
Rank: AiutAmico

Member since: 2/8/2003
Posts: 68
ComboFix 09-01-15.01 - gaetano 2009-01-16 17.04.41.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1040.18.1918.983 [GMT 1:00]
Eseguito da: c:\users\gaetano\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\gaetano\AppData\Roaming\.#
c:\windows\system32\CNCFLdAR.DLL
c:\windows\system32\CNCFLdCN.DLL
c:\windows\system32\CNCFLdCZ.DLL
c:\windows\system32\CNCFLdDE.DLL
c:\windows\system32\CNCFLdDK.DLL
c:\windows\system32\CNCFLdES.DLL
c:\windows\system32\CNCFLdFI.DLL
c:\windows\system32\CNCFLdFR.DLL
c:\windows\system32\CNCFLdGR.DLL
c:\windows\system32\CNCFLdHU.DLL
c:\windows\system32\CNCFLdID.DLL
c:\windows\system32\CNCFLdIT.DLL
c:\windows\system32\CNCFLdKR.DLL
c:\windows\system32\CNCFLdNL.DLL
c:\windows\system32\CNCFLdNO.DLL
c:\windows\system32\CNCFLdPL.DLL
c:\windows\system32\CNCFLdPT.DLL
c:\windows\system32\CNCFLdRU.DLL
c:\windows\system32\CNCFLdSE.DLL
c:\windows\system32\CNCFLdTH.DLL
c:\windows\system32\CNCFLdTR.DLL
c:\windows\system32\CNCFLdTW.DLL
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\hpgt35.dll
c:\windows\system32\hpxp3500.dll

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT
-------\Service_RkHit


((((((((((((((((((((((((( Files Creati Da 2008-12-16 al 2009-01-16 )))))))))))))))))))))))))))))))))))
.

2009-01-16 17:01 . 2009-01-16 17:01 <DIR> d-------- C:\32788R22FWJFW
2009-01-16 17:01 . 2009-01-16 17:01 6,736 --a------ c:\windows\System32\drivers\PROCEXP90.SYS
2009-01-15 22:07 . 2009-01-15 22:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 22:07 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-15 22:07 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-15 18:59 . 2009-01-16 12:01 <DIR> d-------- c:\program files\Navilog1
2009-01-15 17:05 . 2009-01-15 17:05 <DIR> d-------- c:\program files\Trend Micro
2009-01-15 15:05 . 2009-01-15 15:05 <DIR> d-------- C:\!KillBox
2009-01-14 20:23 . 2008-12-16 03:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-13 14:56 . 2009-01-13 14:56 <DIR> d-------- c:\users\gaetano\AppData\Roaming\PC Tools
2009-01-13 14:56 . 2009-01-16 17:13 <DIR> d-a------ c:\users\All Users\TEMP
2009-01-13 14:56 . 2009-01-16 17:13 <DIR> d-a------ c:\programdata\TEMP
2009-01-13 14:56 . 2009-01-16 09:57 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-13 14:56 . 2009-01-13 15:06 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2009-01-13 14:56 . 2009-01-13 15:06 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2009-01-13 14:56 . 2009-01-13 15:06 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2009-01-13 14:56 . 2008-06-02 15:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2009-01-09 17:19 . 2009-01-09 17:20 <DIR> d-------- c:\program files\eMule
2009-01-09 17:02 . 2009-01-09 17:02 <DIR> d-------- c:\users\All Users\eMule
2009-01-09 17:02 . 2009-01-09 17:02 <DIR> d-------- c:\programdata\eMule
2009-01-09 13:05 . 2009-01-09 13:05 <DIR> d-------- c:\users\gaetano\AppData\Roaming\Template
2009-01-03 14:20 . 2009-01-03 14:24 <DIR> d-------- c:\users\gaetano\AppData\Roaming\Uniblue
2009-01-03 13:54 . 2009-01-03 13:54 <DIR> d-------- c:\program files\Tacmi
2009-01-03 13:49 . 2009-01-03 14:11 <DIR> d-------- c:\users\All Users\PrevxCSI
2009-01-03 13:49 . 2009-01-03 14:11 <DIR> d-------- c:\programdata\PrevxCSI
2009-01-03 13:38 . 2009-01-03 13:39 <DIR> d-------- c:\windows\Internet Logs
2009-01-02 13:51 . 2009-01-02 13:51 <DIR> d-------- c:\users\Public\CyberLink
2009-01-02 13:51 . 2009-01-02 13:51 <DIR> d-------- c:\users\gaetano\AppData\Roaming\CyberLink
2009-01-02 13:51 . 2009-01-02 13:51 <DIR> d-------- c:\users\All Users\CyberLink
2009-01-02 13:51 . 2009-01-02 13:51 <DIR> d-------- c:\programdata\CyberLink
2009-01-02 10:14 . 2009-01-02 10:14 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-31 21:24 . 2008-12-31 21:24 <DIR> d-------- c:\users\gaetano\AppData\Roaming\NewSoft
2008-12-31 21:23 . 2008-12-31 21:23 <DIR> d-------- c:\program files\Common Files\NewSoft
2008-12-31 21:23 . 1997-10-14 05:19 11,776 --a------ c:\windows\System32\pmsbfn32.dll
2008-12-31 21:23 . 2005-06-01 00:28 9,606 --a------ c:\windows\System32\NEWSOFT
2008-12-31 21:23 . 2008-12-31 21:23 264 --a------ c:\windows\setup.iss
2008-12-31 21:22 . 2008-12-31 21:22 <DIR> d-------- c:\windows\System32\Color
2008-12-31 21:22 . 2008-12-31 21:22 <DIR> d-------- c:\program files\NewSoft
2008-12-31 21:22 . 2008-12-31 21:22 <DIR> d-------- c:\program files\Common Files\PDFView
2008-12-31 21:21 . 2008-12-31 21:21 <DIR> d-------- c:\users\gaetano\AppData\Roaming\ScanSoft
2008-12-31 21:21 . 2008-12-31 21:21 <DIR> d-------- c:\users\All Users\ScanSoft
2008-12-31 21:21 . 2008-12-31 21:21 <DIR> d-------- c:\users\All Users\InstallShield
2008-12-31 21:21 . 2008-12-31 21:21 <DIR> d-------- c:\programdata\ScanSoft
2008-12-31 21:21 . 2008-12-31 21:21 <DIR> d-------- c:\programdata\InstallShield
2008-12-31 21:21 . 2008-12-31 21:21 <DIR> d-------- c:\program files\Common Files\ScanSoft Shared
2008-12-31 21:21 . 2008-12-31 21:21 412 --a------ c:\windows\MAXLINK.INI
2008-12-31 21:20 . 2008-12-31 21:20 <DIR> d-------- c:\program files\ScanSoft
2008-12-31 18:06 . 2009-01-02 15:44 <DIR> d-------- c:\users\gaetano\AppData\Roaming\Canon
2008-12-31 16:59 . 2008-12-31 16:59 <DIR> d-------- c:\users\All Users\CanonIJPLM
2008-12-31 16:59 . 2008-12-31 16:59 <DIR> d-------- c:\programdata\CanonIJPLM
2008-12-31 16:53 . 2008-12-31 16:53 <DIR> d-------- c:\program files\Common Files\CANON
2008-12-31 16:50 . 2008-12-31 16:50 <DIR> d--h----- c:\users\All Users\CanonBJ
2008-12-31 16:50 . 2008-12-31 16:50 <DIR> d--h----- c:\programdata\CanonBJ
2008-12-31 16:49 . 2008-12-31 16:49 <DIR> d--h----- c:\windows\System32\CanonIJ Uninstaller Information
2008-12-31 16:48 . 2008-12-31 16:48 <DIR> d-------- c:\users\gaetano\{42f783aa-fb51-4134-bc1e-f445c58e65bf}
2008-12-31 16:47 . 2007-03-23 08:30 1,400,832 --a------ c:\windows\System32\CNC310C.DLL
2008-12-31 16:47 . 2007-04-15 21:00 215,040 --a------ c:\windows\System32\CNMLM8Z.DLL
2008-12-31 16:47 . 2007-03-19 02:39 200,704 --a------ c:\windows\System32\CNC310L.DLL
2008-12-31 16:47 . 2007-03-15 06:12 188,416 --a------ c:\windows\System32\CNC310O.DLL
2008-12-31 16:47 . 2007-04-25 11:02 106,496 --a------ c:\windows\System32\CNCFMSd.EXE
2008-12-31 16:47 . 2007-03-23 08:29 98,304 --a------ c:\windows\System32\CNC310I.DLL
2008-12-31 16:47 . 2007-04-25 11:06 3,584 --a------ c:\windows\System32\CNCFLdUS.DLL
2008-12-31 16:47 . 2007-04-25 11:06 3,072 --a------ c:\windows\System32\CNCFLdJP.DLL
2008-12-31 16:46 . 2008-12-31 16:46 <DIR> d--h----- c:\program files\CanonBJ
2008-12-31 16:46 . 2007-04-25 11:09 151,552 --a------ c:\windows\System32\CNCF2Ld.DLL
2008-12-31 16:45 . 2008-12-31 16:59 <DIR> d-------- c:\program files\Canon
2008-12-30 13:46 . 2008-12-30 13:46 1,409 --a------ c:\windows\System32\tmpEC6DD.FOT
2008-12-30 13:46 . 2008-12-30 13:46 1,409 --a------ c:\windows\System32\tmpE59DD.FOT
2008-12-30 13:46 . 2008-12-30 13:46 1,409 --a------ c:\windows\System32\tmpBC9DD.FOT
2008-12-30 13:46 . 2008-12-30 13:46 1,409 --a------ c:\windows\System32\tmpA67DD.FOT
2008-12-30 13:46 . 2008-12-30 13:46 1,409 --a------ c:\windows\System32\tmp628DD.FOT
2008-12-30 13:46 . 2008-12-30 13:46 1,409 --a------ c:\windows\System32\tmp2C8DD.FOT
2008-12-30 13:08 . 2008-12-30 13:08 1,409 --a------ c:\windows\System32\tmpE9D87.FOT
2008-12-30 13:08 . 2008-12-30 13:08 1,409 --a------ c:\windows\System32\tmpD4B87.FOT
2008-12-30 13:08 . 2008-12-30 13:08 1,409 --a------ c:\windows\System32\tmpACB87.FOT
2008-12-30 13:08 . 2008-12-30 13:08 1,409 --a------ c:\windows\System32\tmp66C87.FOT
2008-12-30 13:08 . 2008-12-30 13:08 1,409 --a------ c:\windows\System32\tmp4CC87.FOT
2008-12-30 13:08 . 2008-12-30 13:08 1,409 --a------ c:\windows\System32\tmp13D87.FOT
2008-12-30 13:06 . 2008-12-30 13:06 <DIR> d----c--- c:\windows\System32\DRVSTORE
2008-12-30 13:06 . 2008-12-30 13:06 <DIR> d-------- c:\program files\DIFX
2008-12-27 16:06 . 2005-06-14 11:05 104,576 --a------ c:\windows\System32\drivers\wceusbsh.sys
2008-12-27 13:16 . 2008-12-27 13:16 <DIR> d-------- c:\program files\Foxit Software
2008-12-27 10:35 . 2008-12-27 10:35 <DIR> d-------- c:\program files\Presence 1.0.2
2008-12-26 18:25 . 2009-01-07 15:38 <DIR> d-------- c:\users\gaetano\Posta elettronica
2008-12-26 13:06 . 2008-12-26 13:06 1,409 --a------ c:\windows\System32\tmpE4B8B.FOT
2008-12-26 13:06 . 2008-12-26 13:06 1,409 --a------ c:\windows\System32\tmpBCB8B.FOT
2008-12-26 13:06 . 2008-12-26 13:06 1,409 --a------ c:\windows\System32\tmp83C8B.FOT
2008-12-26 13:06 . 2008-12-26 13:06 1,409 --a------ c:\windows\System32\tmp5AC8B.FOT
2008-12-26 13:06 . 2008-12-26 13:06 1,409 --a------ c:\windows\System32\tmp46A8B.FOT
2008-12-26 13:06 . 2008-12-26 13:06 1,409 --a------ c:\windows\System32\tmp2CA8B.FOT
2008-12-26 12:14 . 2008-12-26 12:14 1,409 --a------ c:\windows\System32\tmpF6940.FOT
2008-12-26 12:14 . 2008-12-26 12:14 1,409 --a------ c:\windows\System32\tmpCE940.FOT
2008-12-26 12:14 . 2008-12-26 12:14 1,409 --a------ c:\windows\System32\tmp9D740.FOT
2008-12-26 12:14 . 2008-12-26 12:14 1,409 --a------ c:\windows\System32\tmp95A40.FOT
2008-12-26 12:14 . 2008-12-26 12:14 1,409 --a------ c:\windows\System32\tmp6DA40.FOT
2008-12-26 12:14 . 2008-12-26 12:14 1,409 --a------ c:\windows\System32\tmp58840.FOT
2008-12-26 12:11 . 2008-12-26 12:11 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-12-26 12:10 . 2008-12-26 12:10 <DIR> d-------- C:\col3927
2008-12-26 10:57 . 2008-12-26 10:57 1,409 --a------ c:\windows\System32\tmpFCAA8.FOT
2008-12-26 10:57 . 2008-12-26 10:57 1,409 --a------ c:\windows\System32\tmpE78A8.FOT
2008-12-26 10:57 . 2008-12-26 10:57 1,409 --a------ c:\windows\System32\tmpC4BA8.FOT
2008-12-26 10:57 . 2008-12-26 10:57 1,409 --a------ c:\windows\System32\tmpA29A8.FOT
2008-12-26 10:57 . 2008-12-26 10:57 1,409 --a------ c:\windows\System32\tmp5D9A8.FOT
2008-12-26 10:57 . 2008-12-26 10:57 1,409 --a------ c:\windows\System32\tmp25AA8.FOT
2008-12-26 10:35 . 2008-12-26 10:35 <DIR> d-------- c:\users\gaetano\AppData\Roaming\Cartella di caricamento Share-to-Web
2008-12-26 10:27 . 2008-12-26 10:27 1,409 --a------ c:\windows\System32\tmpF9B69.FOT
2008-12-26 10:27 . 2008-12-26 10:27 1,409 --a------ c:\windows\System32\tmpC0C69.FOT
2008-12-26 10:27 . 2008-12-26 10:27 1,409 --a------ c:\windows\System32\tmpA6C69.FOT
2008-12-26 10:27 . 2008-12-26 10:27 1,409 --a------ c:\windows\System32\tmp83A69.FOT
2008-12-26 10:27 . 2008-12-26 10:27 1,409 --a------ c:\windows\System32\tmp7DC69.FOT
2008-12-26 10:27 . 2008-12-26 10:27 1,409 --a------ c:\windows\System32\tmp4CA69.FOT
2008-12-26 10:23 . 2008-12-26 10:23 1,375 --a------ c:\windows\wininit.ini
2008-12-26 10:23 . 2008-12-26 10:23 726 --a------ c:\windows\reg.prm
2008-12-26 10:22 . 2001-05-15 20:04 114,765 --a------ c:\windows\System32\hpzlnt03.dll
2008-12-26 10:22 . 2008-12-26 10:22 376 --a------ c:\windows\mozregistry.dat
2008-12-26 10:13 . 2007-01-17 01:23 438,272 --a------ c:\windows\System32\hp3500co.dll
2008-12-24 18:01 . 2008-12-24 18:01 <DIR> d-------- c:\users\gaetano\AppData\Roaming\OpenOffice.org
2008-12-24 17:59 . 2009-01-09 20:31 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-12-24 12:21 . 2008-12-24 12:21 8 --a------ c:\windows\mex.tdv
2008-12-23 15:04 . 2008-12-23 15:04 <DIR> d-------- c:\program files\CNS Manager
2008-12-23 13:59 . 2009-01-16 14:46 <DIR> d-------- c:\users\All Users\RFA_Backups
2008-12-23 13:59 . 2009-01-16 14:46 <DIR> d-------- c:\programdata\RFA_Backups
2008-12-23 13:59 . 2008-12-23 13:59 <DIR> d-------- c:\program files\RFA Platinum
2008-12-23 12:18 . 2009-01-14 15:49 <DIR> d-------- c:\users\All Users\Google
2008-12-23 12:16 . 2009-01-14 15:49 <DIR> d-------- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 08:28 --------- d-----w c:\program files\Windows Mail
2009-01-09 11:56 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 11:56 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 11:56 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 11:56 --------- d-----w c:\program files\Symantec
2009-01-03 12:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 10:05 --------- d-----w c:\program files\Hewlett-Packard
2008-12-31 20:21 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-24 16:58 --------- d-----w c:\program files\Java
2008-12-23 21:02 --------- d-----w c:\programdata\Symantec
2008-12-21 12:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-21 09:08 --------- d-----w c:\program files\Windows Sidebar
2008-12-21 09:07 --------- d-sh--w c:\programdata\Preferiti
2008-12-21 09:07 --------- d-sh--w c:\programdata\Modelli
2008-12-21 09:07 --------- d-sh--w c:\programdata\Menu Avvio
2008-12-21 09:07 --------- d-sh--w c:\programdata\Documenti
2008-12-21 09:07 --------- d-sh--w c:\programdata\Dati applicazioni
2008-12-21 09:07 --------- d-sh--w c:\program files\File comuni
2008-12-21 09:02 --------- d-----w c:\programdata\Hewlett-Packard
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-22 01:22 2,048 ----a-w c:\windows\System32\tzres.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-07-03 972080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-12-21 160592]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [1999-08-04 122944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15360]
"rfagent"="c:\program files\RFA Platinum\rfagent.exe" [2007-06-12 617088]
"Certificate Synchronizer"="c:\windows\OcsCertSynchronizer.exe" [2006-06-07 24576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-01-13 1168264]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Presence.lnk - c:\program files\Presence 1.0.2\Presence.exe [2008-12-27 1519104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{073F96F4-E78F-452B-BE18-9CC29BAD7A8D}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{67FFD49D-8D64-4203-848A-7A851DE4DA30}"= UDP:c:\program files\deepinvent\MailStore Home\MailStoreLocal.exe:MailStore Home
"{C4B8ED0F-657A-438D-BA0D-D78B356839F2}"= TCP:c:\program files\deepinvent\MailStore Home\MailStoreLocal.exe:MailStore Home

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090113.002\IDSvix86.sys [2009-01-15 270384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-21 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
R4 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-01-21 21504]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-06 149352]
R4 OCSCryptolibService;Oberthur Cryptolib Service;c:\windows\OCSCryptolib_Server.exe [2008-12-23 139264]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-13 356920]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - COMHOST
*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contenuto della cartella 'Scheduled Tasks'

2008-12-21 c:\windows\Tasks\HPCeeScheduleForgaetano.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-12-17 19:03]

2008-12-22 c:\windows\Tasks\Norton Internet Security - Scansione completa sistema - gaetano.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 01:05]

2009-01-13 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe []

2009-01-14 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2009-01-03 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2009-01-16 c:\windows\Tasks\User_Feed_Synchronization-{99597633-B38F-475C-8F91-18CB504975A7}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 03:24]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://virgilio.alice.it/
uLocal Page = c:\program files\Hewlett-Packard\HP Software UI\Easy Internet Signup\Common\templates\general\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=it_it&c=84&bd=Presario&pf=cndt
mLocal Page = c:\program files\Hewlett-Packard\HP Software UI\Easy Internet Signup\Common\templates\general\blank.htm
IE: Compila Modulo - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Personalizza - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: RF Barra strumenti - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Salva Moduli - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 17:12:26
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwClose

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


**************************************************************************
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Canon\IJPLM\ijplmsvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\conime.exe
c:\windows\System32\rundll32.exe
c:\combofix\hidec.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\spool\drivers\w32x86\3\WrtProc.exe
c:\windows\System32\WerFault.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Ora fine scansione: 2009-01-16 17:17:31 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-01-16 16:15:56

Pre-Run: 232.937.676.800 byte disponibili
Post-Run: 232,993,472,512 byte disponibili

338 --- E O F --- 2009-01-15 08:28:22
shapiro
Posted: Friday, January 16, 2009 7:49:31 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
While you post me a new HJT log, run a scan with your Spyware Doctor and see if it still detects that trojan.

Before running it, reboot the system.

Run the scan from safe mode.
gape
Posted: Saturday, January 17, 2009 3:44:26 PM
Rank: AiutAmico

Joined: 2/8/2003
Posts: 68
The scan with Spyware Doctor from safe mode gives the following picture:
- NirCmd application: 32 infections
- Trojan generic: 1 infection

I tried a scan with Malwarebytes from safe mode: no infections.

A Malwarebytes scan from normal mode freezes, and the computer no longer responds to any command, at the following point: C:\Program Files\Window Sidebar\Gadget\PicturePuzzle..Gadget\Images\settings_left_rest.png.

The new HJT log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.03.26, on 17/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\RFA Platinum\rfagent.exe
C:\Windows\OcsCertSynchronizer.exe
C:\Windows\WindowsMobile\wmdc.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Presence 1.0.2\Presence.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Users\gaetano\Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://virgilio.alice.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=it_it&c=84&bd=Presario&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=it_it&c=84&bd=Presario&pf=cndt
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Hewlett-Packard\HP Software UI\Easy Internet Signup\Common\templates\general\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Hewlett-Packard\HP Software UI\Easy Internet Signup\Common\templates\general\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA Platinum\rfagent.exe"
O4 - HKLM\..\Run: [Certificate Synchronizer] C:\Windows\OcsCertSynchronizer.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Presence.lnk = C:\Program Files\Presence 1.0.2\Presence.exe
O8 - Extra context menu item: Compila Modulo - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Personalizza - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RF Barra strumenti - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Salva Moduli - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Compila - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Compila Modulo - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Salva - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Salva Moduli - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Barra strumenti - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O13 - Gopher Prefix:
O23 - Service: Utilità di pianificazione di LiveUpdate automatico (Automatic LiveUpdate Scheduler) - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Oberthur Cryptolib Service (OCSCryptolibService) - Oberthur Card Systems - C:\Windows\OCSCryptolib_Server.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10648 bytes

THANK YOU FOR YOUR PATIENCE AND THE TIME YOU ARE GIVING ME
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10648 bytes

THANKS FOR THE PATIENCE AND THE TIME YOU ARE DEVOTING TO ME
shapiro
Posted: Saturday, January 17, 2009 4:21:07 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
Quote:
The scan with Spyware Doctor from Safe Mode shows the following picture:
-NirCmd application: 32 infections
-Generic Trojan: 1 infection


did you delete it?
gape
Posted: Saturday, January 17, 2009 5:07:54 PM
Rank: AiutAmico

Member since: 2/8/2003
Posts: 68
NO. I haven't carried out any operation. Thanks
shapiro
Posted: Saturday, January 17, 2009 7:21:46 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
You have to delete the NirCmd application
gape
Posted: Sunday, January 18, 2009 1:08:00 PM
Rank: AiutAmico

Member since: 2/8/2003
Posts: 68
NirCmd application deleted. At this point, may I ask whether I need to uninstall the Qoobox and ComboFix folders from Windows, and finally a piece of advice: what do I do with Malwarebytes? Do I keep it only for quick scans, since the full ones cause the computer to freeze, or do I uninstall it completely? Thanks
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.