Aiutamici Forum

Can you check my log for me (for a.rosselli, alfonso, pidue and r16)
ciccillo
Posted: Thursday, March 19, 2009 2:43:27 PM
Rank: Member

Joined: 1/25/2009
Posts: 17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.42.21, on 19/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\Packard Bell Data Secure\PBDataSecure.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\fxsteller.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\eMule\eMule.exe
c:\pht.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\ARCC20\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66022
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66022
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: MyPlayCity Toolbar - {4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC} - C:\Programmi\MyPlayCity\tbMyPl.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Programmi\MyPlayCity\tbMyPl.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Programmi\jZip\WebmailPlugin.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Programmi\MyPlayCity\tbMyPl.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Lbululaqocubalep] rundll32.exe "C:\WINDOWS\Xmima.dll",e
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Packard Bell Data Secure] C:\Programmi\Packard Bell Data Secure\PBDataSecure.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Utilità controllo supporti di Picture Motion Browser.lnk = C:\Programmi\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica i video con Free Download Manager - file://C:\Programmi\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Scarica selezionati con Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208884194531
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe

--
End of file - 8203 bytes
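Two things in the log above stand out before any signature matching: a process listed under a `\?\globalroot\` device-namespace path, and HKLM Run values that either name a bare file (`fxsteller.exe`) or pull a DLL from the root of the Windows directory through rundll32. The script below, an added example that is not part of the thread and not HijackThis code, turns those structural observations into heuristics over the "Running processes" and O4 lines of a HijackThis 2.x log. The sample log is a constructed excerpt of the one posted; the allowlist of files that legitimately sit directly under C:\WINDOWS and the heuristics themselves are assumptions of the example, and every hit is a lead to verify, not a verdict.

```python
"""Structural triage of a HijackThis 2.x log.

Added example for this thread; it is not code from HijackThis or from the
forum. SAMPLE_LOG is a constructed excerpt of the log posted above, and the
WINDIR_ROOT_OK allowlist is an assumption, not a reference list.
"""
import re

# Constructed excerpt of the posted log: a few process lines and O4 Run values.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\fxsteller.exe
c:\pht.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Lbululaqocubalep] rundll32.exe "C:\WINDOWS\Xmima.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

WINDIR = r"c:\windows"
# Files that legitimately live directly under C:\WINDOWS on XP (assumed allowlist).
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}
# Loaders that legitimately appear as bare names; their argument is inspected instead.
LOADERS = {"rundll32.exe", "regsvr32.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")


def split_cmd(cmd):
    """Return (first token, remainder) of a Run value, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")


def location_flags(path):
    """Reasons a file location is abnormal for a stock XP install."""
    p = path.lower().replace("/", "\\")
    flags = []
    if "globalroot\\" in p:
        flags.append("device-namespace (globalroot) path in the process list")
        p = p.split("globalroot\\", 1)[1]          # check the underlying path as well
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        flags.append("executable in a drive root")
    parent, _, name = p.rpartition("\\")
    if parent == WINDIR and name not in WINDIR_ROOT_OK:
        flags.append("file directly under the Windows directory, not in system32")
    return flags


def check_run_value(cmd):
    """Reasons an O4 Run value deserves a look (leads to verify, not verdicts)."""
    exe, rest = split_cmd(cmd)
    base = exe.lower().rpartition("\\")[2]
    reasons = []
    if "\\" not in exe and base not in LOADERS:
        reasons.append("bare filename resolved by PATH search instead of a full path")
    reasons.extend(location_flags(exe))
    if base in LOADERS:
        tok, more = split_cmd(rest)
        while tok.startswith("/"):               # skip switches such as regsvr32 /s
            tok, more = split_cmd(more)
        dll = tok.split(",")[0]                  # rundll32 "x.dll",Entry -> x.dll
        if dll and not dll.lower().startswith(WINDIR + "\\system32\\"):
            reasons.append("loader pulls %s from outside system32" % dll)
        reasons.extend(location_flags(dll))
    return reasons


def triage(log_text):
    """Return [(log line, reason), ...] for process and O4 lines worth checking."""
    findings, in_procs = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if ENTRY_RE.match(line):                 # first R0/O2/O4... line ends the process list
            in_procs = False
        m = O4_RE.match(line)
        if m:
            findings += [(line, r) for r in check_run_value(m.group("cmd"))]
        elif in_procs:
            findings += [(line, r) for r in location_flags(line)]
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%-70s %s" % (line[:70], reason))
```

On the excerpt this reports six leads: the three odd process paths, the bare `fxsteller.exe` value, and two for the rundll32 entry (DLL outside system32, DLL directly under C:\WINDOWS). A bare filename on its own is weak evidence, since some hardware vendors' Run values are written that way, which is why the reasons are printed beside the line rather than summed into a score.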
r16
Posted: Thursday, March 19, 2009 5:15:19 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
Hi ciccillo.
Run these 2 scans:
Download and install MalwareBytes:
click here for the download: http://www.aiutamici.com/software?id=80346
Before running the scan, UPDATE IT. (this is important)
Run a full system scan
Post the log.
*********************************************************************************************************
Important: disable your antivirus and close ALL open programs, and after downloading COMBOFIX, disconnect from the internet.

Download Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to the desktop.
Double-click combofix.exe (a window will appear).
If you are asked whether you want to install THE RECOVERY CONSOLE, click NO.
Type 1, press Enter and follow the instructions.
When it finishes, a log file called C:\ComboFix.txt will be created. Post it here.
During the scan it is important not to use the PC (not even the mouse) and to wait patiently for it to finish.
Then post a new HJT log and we'll see what's left.
ciccillo
Posted: Thursday, March 19, 2009 10:33:34 PM
Rank: Member

Joined: 1/25/2009
Posts: 17
Here's the Malwarebytes log, please help me, thanks, it keeps getting worse!!!
Meanwhile I'm running the ComboFix scan!


Malwarebytes' Anti-Malware 1.34
Versione del database: 1872
Windows 5.1.2600 Service Pack 2

19/03/2009 22.29.11
mbam-log-2009-03-19 (22-29-07).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 155731
Time elapsed: 35 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 8
Registry Values Infected: 8
Registry Data Items Infected: 12
Folders Infected: 1
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\vemeteta.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\yiyizesa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fimijole.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kipipasu.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf11aaef-9c1d-49d4-ac36-8eb36c4d7356} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{bf11aaef-9c1d-49d4-ac36-8eb36c4d7356} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf11aaef-9c1d-49d4-ac36-8eb36c4d7356} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\IGB (Rogue.Residue) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f4e7c634 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fidiwafuje (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf7d4f5a8 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbululaqocubalep (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fimijole.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fimijole.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kipipasu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kipipasu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kipipasu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Programmi\NetPumper (Adware.NetPumper) -> No action taken.

Files Infected:
C:\WINDOWS\system32\vemeteta.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\atetemev.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\popuvoso.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\fimijole.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\yiyizesa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kipipasu.dll (Trojan.Vundo.H) -> No action taken.
C:\gtb.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Administrator\Impostazioni locali\temp\INFE359.tmp (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Administrator\Impostazioni locali\temp\ovfsthbnemujnwkb.tmp (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\FUBJWPJ6\gur[1].jpg (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\FUBJWPJ6\gur[2].jpg (Backdoor.Bot) -> No action taken.
C:\RECYCLER\S-1-5-21-746137067-1202660629-725345543-500\Dc187.EXE (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\ovfsthkidgwkpnnjwqiwqilbsjxaubjgfmojqa.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\ovfsthoccleounroeppdevduihrkcpwwnawaqe.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\ovfsthbubturngpmtbolxeynuhnihkaqgpgbpd.sys (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Xmima.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\temp\ntdll64.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\temp\mousehook.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ovfsthctvmrnsirxombcwupeaqyyfrdqonrshy.dll (Trojan.Agent) -> No action taken.
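The Malwarebytes log above is a list of detections with no action taken yet, and its registry sections mix real load points (AppInit_DLLs, the LSA notification package, Winlogon Userinit, SSODL, Run values) with side effects of the infection (Security Center notifications silenced, desktop policies locked). The script below, an added example that is not Malwarebytes' code or anything posted in the thread, parses the log format shown and labels each registry hit with the mechanism that loads it, so what still has to be removed can be read off per mechanism rather than per file name. The sample is a constructed excerpt of the posted log with English section labels, and the mechanism descriptions are the example's own notes.

```python
"""Map Malwarebytes' Anti-Malware 1.x log hits to the load mechanism they abuse.

Added example for this thread; not code from Malwarebytes or from the forum.
MBAM_SAMPLE is a constructed excerpt of the log posted above (English section
labels), and the MECHANISMS descriptions are the example's own notes.
"""
import re
from collections import Counter

MBAM_SAMPLE = r"""
Memory Modules Infected:
C:\WINDOWS\system32\fimijole.dll (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fidiwafuje (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fimijole.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kipipasu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\drivers\ovfsthbubturngpmtbolxeynuhnihkaqgpgbpd.sys (Trojan.TDSS) -> No action taken.
"""

# One MBAM 1.x hit: "<object> (<family>) [-> <detail>] -> <action>."
HIT_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> (?P<detail>.+?))?"
    r" -> (?P<action>[^>]+)\.$"
)

# Case-insensitive substring of the registry path -> what loads the object (first match wins).
MECHANISMS = [
    ("appinit_dlls", "AppInit_DLLs: DLL loaded into every process that loads user32.dll"),
    ("\\winlogon\\userinit", "Winlogon Userinit: run at every interactive logon, before the shell"),
    ("\\lsa\\notification packages", "LSA notification package: DLL loaded into lsass.exe"),
    ("shellserviceobjectdelayload", "SSODL: COM object loaded by explorer.exe at shell start"),
    ("sharedtaskscheduler", "SharedTaskScheduler: COM object loaded by explorer.exe at shell start"),
    ("browser helper objects", "BHO: DLL loaded into every Internet Explorer process"),
    ("\\currentversion\\runonce\\", "RunOnce: started once at the next logon"),
    ("\\currentversion\\run\\", "Run: started at every logon"),
    ("\\security center\\", "Security Center notifications silenced (defence tampering, not persistence)"),
    ("\\policies\\", "Explorer/desktop policy lockdown (symptom, not persistence)"),
]


def classify(path):
    """Name the load mechanism behind a registry path, or None if unknown."""
    p = path.lower()
    for needle, meaning in MECHANISMS:
        if needle in p:
            return meaning
    return None


def parse(text):
    """Turn the log into dicts with section, path, family, detail, action, mechanism."""
    records, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(":"):                   # "Registry Values Infected:" and friends
            section = line[:-1]
            continue
        m = HIT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["section"] = section
        # Only registry sections describe a load point; files and modules are the payload.
        rec["mechanism"] = classify(rec["path"]) if (section or "").startswith("Registry") else None
        records.append(rec)
    return records


def summarize(records):
    """Per-mechanism and per-family counts plus how many hits are still untreated."""
    return {
        "by_mechanism": Counter(r["mechanism"] for r in records if r["mechanism"]),
        "by_family": Counter(r["family"] for r in records),
        "pending": sum(1 for r in records if r["action"] == "No action taken"),
    }


if __name__ == "__main__":
    recs = parse(MBAM_SAMPLE)
    s = summarize(recs)
    for mech, n in s["by_mechanism"].most_common():
        print("%2d  %s" % (n, mech))
    print("%d of %d hits still untreated" % (s["pending"], len(recs)))
```

One thing the per-mechanism view makes visible: the Winlogon Userinit hit carries the default data `c:\windows\system32\userinit.exe`, so the registry value itself is not what is wrong. The ComboFix Sigcheck section later in the thread lists system32\userinit.exe and its dllcache copy with the same hash and a 2009-03-19 timestamp, both different from the copy under SoftwareDistribution\Download; that file comparison, not the registry value, is what decides whether the Userinit finding is a false positive.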
r16
Posted: Thursday, March 19, 2009 10:38:25 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
Delete everything Malwarebytes found and reboot the PC.
Run another scan to check whether it still finds traces of Vundo.
Do a clean-up (registry included) with CCleaner http://www.aiutaamici.com/software?ID=11223
Then the Combofix scan (and post its log).
And after that an HJT log.
ciccillo
Posted: Friday, March 20, 2009 9:40:44 AM
Rank: Member

Joined: 1/25/2009
Posts: 17
Here's the Malwarebytes log, because I can't tell whether there are traces of Vundo; meanwhile I'm carrying on with what you told me (clean-up with CCleaner and ComboFix scan).
In the meantime the desktop icons have disappeared (I'm forced to work through the Task Manager); do you know how to get them back?



Malwarebytes' Anti-Malware 1.34
Versione del database: 1872
Windows 5.1.2600 Service Pack 2

20/03/2009 9.35.05
mbam-log-2009-03-20 (09-34-59).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 147749
Time elapsed: 31 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.
r16
Posted: Friday, March 20, 2009 11:52:02 AM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
Hi.
Delete what Malwarebytes found.
For the icons:
Right-click on the desktop -> Arrange Icons By -> Show Desktop Icons.
If that doesn't work:
Open the Task Manager (ctrl + alt + del).
From File -> New Task, type: explorer.exe or just explorer and click OK.
The icons should reappear.
ciccillo
Posted: Friday, March 20, 2009 2:08:30 PM
Rank: Member

Joined: 1/25/2009
Posts: 17
This is the HJT log; I can't give you the ComboFix one because once the analysis finishes the PC reboots automatically



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:05, on 2009-03-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\IZArc\IZArc.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\ARC1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66022
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66022
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: MyPlayCity Toolbar - {4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC} - C:\Programmi\MyPlayCity\tbMyPl.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Programmi\MyPlayCity\tbMyPl.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Programmi\jZip\WebmailPlugin.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Programmi\MyPlayCity\tbMyPl.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF20444.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF20444.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Packard Bell Data Secure] C:\Programmi\Packard Bell Data Secure\PBDataSecure.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Utilità controllo supporti di Picture Motion Browser.lnk = C:\Programmi\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica i video con Free Download Manager - file://C:\Programmi\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Scarica selezionati con Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208884194531
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe

--
End of file - 7184 bytes
ciccillo
Posted: Friday, March 20, 2009 2:22:05 PM
Rank: Member

Joined: 1/25/2009
Posts: 17
After restoring the desktop icons I managed to get the ComboFix log, here it is:


ComboFix 09-03-19.01 - Administrator 2009-03-20 14:10:49.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1014.544 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Sistema Antivirus NOD32 2.70 *On-access scanning disabled* (Updated)

WARNING - THIS PC DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win32hlp.cnf
c:\windows\system32\drivers\str.sys . . . . Deletion failed
.
---- Previous run -------
.
c:\windows\system32\win32hlp.cnf
c:\windows\system32\drivers\str.sys . . . . Deletion failed

.
((((((((((((((((((((((((( Files Created From 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))))))
.

2009-03-19 23:15 . 2009-03-19 23:15 <DIR> d-------- c:\programmi\Nuova cartella
2009-03-19 15:45 . 2009-03-19 15:45 2,745 ---hs---- c:\windows\system32\tifakapu.dll
2009-03-19 15:12 . 2009-03-19 22:21 110,592 --a------ C:\bla.exe
2009-03-19 14:03 . 2009-03-19 14:03 40,960 --a------ c:\windows\system32\kuzDeccode.exe
2009-03-19 08:40 . 2009-03-19 08:40 45,056 --a------ C:\pht.exe
2009-03-18 23:57 . 2009-03-18 23:57 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-03-18 23:57 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 23:57 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-18 21:49 . 2009-03-18 21:49 1,516 --a------ C:\br.exe
2009-03-15 00:40 . 2009-03-15 00:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-15 00:39 . 2009-03-15 00:39 <DIR> d-------- c:\programmi\Java
2009-03-13 22:28 . 2009-03-13 22:28 <DIR> d-------- c:\programmi\892Client
2009-03-13 22:28 . 2005-10-13 20:58 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-03-07 21:53 . 2009-03-07 21:53 <DIR> d-------- c:\programmi\Microsoft Silverlight
2009-03-05 22:36 . 2009-03-05 22:39 <DIR> d-------- c:\programmi\eToro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 13:16 --------- d-----w c:\programmi\Packard Bell Data Secure
2009-03-19 22:23 --------- d-----w c:\programmi\ESET
2009-03-19 00:20 --------- d-----w c:\programmi\eMule
2009-03-16 21:34 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\dvdcss
2009-03-05 13:25 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Any Video Converter
2009-03-05 13:15 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Nokia Multimedia Player
2009-02-25 13:40 --------- d-----w c:\programmi\SUPERAntiSpyware
2009-02-07 23:29 --------- d-----w c:\programmi\eMule2
2009-01-29 20:59 --------- d-----w c:\programmi\Spybot - Search & Destroy
2009-01-29 20:59 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-01-29 20:58 --------- d-----w c:\programmi\Panda Security
2009-01-26 21:51 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-01-26 21:51 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-01-26 21:19 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\vlc
2009-01-25 16:00 --------- d-----w c:\programmi\CCleaner
2009-01-25 12:11 --------- d-----w c:\programmi\ABBYY FineReader 6.0 Sprint
2009-01-25 12:10 --------- d-----w c:\programmi\Realtek
2009-01-25 12:10 --------- d-----w c:\programmi\MyPlayCity
2009-01-25 12:10 --------- d-----w c:\programmi\jZip
2009-01-25 12:10 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\InstallShield
2009-01-25 12:00 --------- d-----w c:\programmi\Conduit
2009-01-25 02:07 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-01-25 02:07 --------- d-----w c:\programmi\epson
2009-01-25 01:56 --------- d-----w c:\programmi\MyPlayCity.com
2009-01-25 01:54 --------- d-----w c:\programmi\CONEXANT
2009-01-25 00:45 --------- d-----w c:\programmi\Trend Micro
2009-01-20 23:02 --------- d-----w c:\programmi\Any Video Converter
2009-01-20 22:44 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-01-20 20:36 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-01-20 20:35 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\SUPERAntiSpyware.com
2009-01-20 20:15 --------- d-----w c:\programmi\File comuni\Wise Installation Wizard
2009-01-20 00:13 --------- d-----w c:\programmi\Winamp Remote
2009-01-20 00:13 --------- d-----w c:\programmi\Winamp
2009-01-20 00:13 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\OrbNetworks
2009-01-20 00:13 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Winamp
2009-01-20 00:12 --------- d-----w c:\programmi\SoftInform
2009-01-20 00:12 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\SoftInform
2009-01-20 00:11 --------- d-----w c:\programmi\Spyware Terminator
2009-01-20 00:11 --------- d-----w c:\programmi\IZArc
2009-01-20 00:11 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Spyware Terminator
.

------- Sigcheck -------

2008-04-14 03:14 26624 df69726907357c3add243f48902b0331 c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\userinit.exe
2009-03-19 21:53 104960 5fe2f75f7cd9c7cac0f0c2e711a51004 c:\windows\system32\userinit.exe
2009-03-19 21:53 104960 5fe2f75f7cd9c7cac0f0c2e711a51004 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2009-01-27_23.32.46,29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-20 13:13:35 32,768 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-20 13:13:35 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2009-03-19 21:08:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012009031920090320\index.dat
+ 2009-03-19 21:09:03 78,924 ----a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
+ 2009-03-20 13:13:35 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-21 22:46:30 410,984 ----a-w c:\windows\system32\deploytk.dll
+ 2009-03-14 23:39:49 410,984 ----a-w c:\windows\system32\deploytk.dll
- 2009-01-21 22:46:30 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-03-14 23:39:49 144,792 ----a-w c:\windows\system32\java.exe
- 2009-01-21 22:46:30 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-14 23:39:49 144,792 ----a-w c:\windows\system32\javaw.exe
- 2009-01-21 22:46:30 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-14 23:39:49 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-20 13:13:37 16,384 ----atw c:\windows\temp\Perflib_Perfdata_298.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\programmi\MyPlayCity\tbMyPl.dll" [2008-03-04 1470488]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2008-03-04 12:44 1470488 --a------ c:\programmi\MyPlayCity\tbMyPl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\programmi\MyPlayCity\tbMyPl.dll" [2008-03-04 1470488]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\programmi\MyPlayCity\tbMyPl.dll" [2008-03-04 1470488]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"Packard Bell Data Secure"="c:\programmi\Packard Bell Data Secure\PBDataSecure.exe" [2006-06-20 2361856]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"PcSync"="c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2004-08-19 1667584]
"SUPERAntiSpyware"="c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-25 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2008-04-11 949376]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-03-15 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Utilit… controllo supporti di Picture Motion Browser.lnk - c:\programmi\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-09-27 344064]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\pht.exe"=
"c:\\Programmi\\File comuni\\Nokia\\MPAPI\\MPAPI3s.exe"=
"c:\\Programmi\\File comuni\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"34509:TCP"= 34509:TCP:ww
"35307:UDP"= 35307:UDP:udp

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-11 15424]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8aaefc8-0d52-11de-a5c1-0016d38e2f41}]
\Shell\AutoRun\command - G:\setup-totopc2004_privati.exe
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Scarica con Free Download Manager - file://c:\programmi\Free Download Manager\dllink.htm
IE: Scarica i video con Free Download Manager - file://c:\programmi\Free Download Manager\dlfvideo.htm
IE: Scarica selezionati con Free Download Manager - file://c:\programmi\Free Download Manager\dlselected.htm
IE: Scarica tutto con Free Download Manager - file://c:\programmi\Free Download Manager\dlall.htm
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\th3nhdpo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 14:16:02
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


c:\windows\system32\drivers\sjmqj.sys 31104 bytes executable
c:\windows\system32\drivers\str.sys 0 bytes

Scansione completata con successo
Files nascosti: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jvxii]
"ImagePath"="\??\c:\windows\system32\drivers\sjmqj.sys"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\File comuni\EPSON\EBAPI\SAgent2.exe
c:\documents and settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programmi\ESET\nod32krn.exe
c:\programmi\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\File comuni\PCSuite\Services\ServiceLayer.exe
c:\programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
c:\progra~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
c:\programmi\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Ora fine scansione: 2009-03-20 14:18:58 - Il pc è stato riavviato [Administrator]
ComboFix-quarantined-files.txt 2009-03-20 13:18:54
ComboFix2.txt 2009-03-19 22:29:19
ComboFix3.txt 2009-01-28 14:41:51
ComboFix4.txt 2009-01-27 22:33:41
ComboFix5.txt 2009-03-20 08:44:14

Pre-Run: 41,513,484,288 byte disponibili
Post-Run: 41,503,264,768 byte disponibili

r16
Posted: Friday, March 20, 2009 5:02:47 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi.
Make sure you have access to hidden files and folders
(Control Panel -> Folder Options -> View)
1) Tick: Show hidden files and folders
2) Untick: Hide protected operating system files (recommended)


Start HijackThis, tick the entries I am going to list and, with all applications closed and disconnected from the Internet, click Fix checked

R3 - URLSearchHook: MyPlayCity Toolbar - {4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC} - C:\Programmi\MyPlayCity\tbMyPl.dll
O2 - BHO: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Programmi\MyPlayCity\tbMyPl.dll
O3 - Toolbar: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Programmi\MyPlayCity\tbMyPl.dll
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF20444.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF20444.exe /c C:\ComboFix\Combobatch.bat

Find and delete the files in red:
C:\Programmi\MyPlayCity\tbMyPl.dll (it is a folder)
Go to "Add or Remove Programs" and remove the "MyPlayCity Toolbar"
Run a clean-up (registry included) with CCleaner http://www.aiutaamici.com/software?ID=11223
Restart the computer.
*********************************************************************************************************

Open a text file on the Desktop (Start\Run\type: notepad.exe\ OK)
Paste the code you see below into it, and save the text file under the name CFScript.txt, exactly that name

killall::
file::
C:\bla.exe
C:\pht.exe
C:\br.exe
c:\windows\system32\kuzDeccode.exe
c:\windows\system32\tifakapu.dll
c:\windows\system32\drivers\sjmqj.sys
c:\windows\system32\drivers\str.sys

registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jvxii]

Driver::
c:\windows\system32\drivers\sjmqj.sys
c:\windows\system32\drivers\str.sys



and drag it onto the ComboFix icon.
Wait for it to finish, without touching the keyboard, mouse or anything else.
Post the updated ComboFix log
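Everything r16's CFScript targets is visible in the ComboFix log posted earlier in the thread: catchme reports two hidden drivers, a dumped service key (jvxii) loads one of them, and the Sigcheck section lists userinit.exe with a size and MD5 that differ from the copy under SoftwareDistribution. The following is an added example, not code from the thread, from ComboFix or from any helper here: a Python triage parser that pulls those three kinds of indicator out of a ComboFix log. SAMPLE_LOG is a constructed excerpt assembled from the log above, and the regular expressions assume ComboFix's line formats exactly as printed there.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix log posted in this thread; the line formats
# are the ones ComboFix printed there (Sigcheck, catchme hidden files, service key).
SAMPLE_LOG = r"""
------- Sigcheck -------

2008-04-14 03:14 26624 df69726907357c3add243f48902b0331 c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\userinit.exe
2009-03-19 21:53 104960 5fe2f75f7cd9c7cac0f0c2e711a51004 c:\windows\system32\userinit.exe
2009-03-19 21:53 104960 5fe2f75f7cd9c7cac0f0c2e711a51004 c:\windows\system32\dllcache\userinit.exe
.
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 14:16:02

Scansione files nascosti ...

c:\windows\system32\drivers\sjmqj.sys 31104 bytes executable
c:\windows\system32\drivers\str.sys 0 bytes

Scansione completata con successo
Files nascosti: 2

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jvxii]
"ImagePath"="\??\c:\windows\system32\drivers\sjmqj.sys"
"""

# "date time size md5 path" lines of the Sigcheck section
SIGCHECK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) ([0-9a-f]{32}) (.+)$")
# "path size bytes [executable]" lines of the catchme hidden-files section
HIDDEN_RE = re.compile(r"^([a-z]:\\.+?) (\d+) bytes( executable)?$", re.IGNORECASE)
SERVICE_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\[^\]]+)\]$", re.IGNORECASE)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.+)"$')


def parse_sigcheck(text):
    """Return (size, md5, path) tuples for every Sigcheck line."""
    out = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out


def sigcheck_conflicts(entries):
    """Basenames that Sigcheck lists with more than one (size, md5) pair, i.e. a copy
    of a system binary that does not match the other copy on the same machine."""
    by_name = defaultdict(set)
    for size, md5, path in entries:
        by_name[path.rsplit("\\", 1)[-1].lower()].add((size, md5))
    return {n: sorted(v) for n, v in by_name.items() if len(v) > 1}


def parse_hidden_files(text):
    """Return (path, size, is_executable) for each file catchme reports as hidden."""
    out = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3) is not None))
    return out


def parse_service_image_paths(text):
    """Map each dumped Services key to its ImagePath value."""
    paths, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = SERVICE_KEY_RE.match(line)
        if k:
            current = k.group(1)
            continue
        p = IMAGEPATH_RE.match(line)
        if p and current:
            paths[current] = p.group(1)
            current = None
    return paths


def hidden_files_backed_by_services(text):
    """Hidden files that a service key loads: the driver and the key that starts it
    have to be removed together, which is why the CFScript lists both."""
    hidden = {path.lower() for path, _, _ in parse_hidden_files(text)}
    hits = {}
    for key, image in parse_service_image_paths(text).items():
        norm = image.lower()
        if norm.startswith("\\??\\"):   # NT object-manager prefix used in ImagePath
            norm = norm[4:]
        if norm in hidden:
            hits[key] = norm
    return hits


def triage(text):
    """One-shot summary of the indicators a helper needs before writing a removal script."""
    return {
        "sigcheck_conflicts": sigcheck_conflicts(parse_sigcheck(text)),
        "hidden_files": parse_hidden_files(text),
        "services_for_hidden_files": hidden_files_backed_by_services(text),
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE_LOG).items():
        print(section, value)
```

Run on the constructed excerpt, `triage` reports userinit.exe with two different size/hash pairs, the two hidden drivers (one executable, one zero-byte), and the jvxii service as the loader of sjmqj.sys. The same functions work on a full ComboFix log read from disk; a zero-byte hidden file and an orphaned service key are worth listing even when nothing loads them, which is why the parsers are kept separate from the cross-check.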
steven75
Posted: Friday, March 20, 2009 8:40:42 PM
Rank: Member

Member since: 5/8/2006
Posts: 0
These should be deleted as well:

c:\windows\system32\win32hlp.cnf

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"


ciccillo
Posted: Friday, March 20, 2009 9:40:49 PM
Rank: Member

Member since: 1/25/2009
Posts: 17
Do I also need to delete the files Steven75 mentioned?
It won't let me save the text file on the desktop with the name "notepad.exe\ Ok", but it does let me save it as "notepad.exe"!
r16
Posted: Friday, March 20, 2009 10:06:35 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi ciccillo.
Those keys are related to the HJT entries I told you to remove.
Let's see whether they are still there after you have followed the instructions I gave you.
As for the text file, open Notepad and save it with the name CFScript.txt

ciccillo
Posted: Friday, March 20, 2009 10:29:59 PM
Rank: Member

Member since: 1/25/2009
Posts: 17
Here is the ComboFix report.
Every time the PC restarts the desktop icons disappear, and to get them back I follow the method you described earlier (explorer), but how do I make these settings permanent?




ComboFix 09-03-19.02 - Administrator 2009-03-20 22.23.58.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1014.617 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Administrator\Desktop\CFScript.txt.txt
AV: Sistema Antivirus NOD32 2.70 *On-access scanning disabled* (Updated)
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
C:\bla.exe
C:\br.exe
C:\pht.exe
c:\windows\system32\drivers\sjmqj.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\kuzDeccode.exe
c:\windows\system32\tifakapu.dll
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win32hlp.cnf
.
---- Esecuzione precedente -------
.
C:\bla.exe
C:\br.exe
C:\pht.exe
c:\windows\system32\drivers\sjmqj.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\kuzDeccode.exe
c:\windows\system32\tifakapu.dll
c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((( Files Creati Da 2009-02-20 al 2009-03-20 )))))))))))))))))))))))))))))))))))
.

2009-03-19 23:15 . 2009-03-19 23:15 <DIR> d-------- c:\programmi\Nuova cartella
2009-03-18 23:57 . 2009-03-18 23:57 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-03-18 23:57 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 23:57 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-15 00:40 . 2009-03-15 00:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-15 00:39 . 2009-03-15 00:39 <DIR> d-------- c:\programmi\Java
2009-03-13 22:28 . 2009-03-13 22:28 <DIR> d-------- c:\programmi\892Client
2009-03-13 22:28 . 2005-10-13 20:58 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-03-07 21:53 . 2009-03-07 21:53 <DIR> d-------- c:\programmi\Microsoft Silverlight
2009-03-05 22:36 . 2009-03-05 22:39 <DIR> d-------- c:\programmi\eToro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 21:21 --------- d-----w c:\programmi\Packard Bell Data Secure
2009-03-20 19:59 --------- d-----w c:\programmi\MyPlayCity
2009-03-19 22:23 --------- d-----w c:\programmi\ESET
2009-03-19 20:53 104,960 ----a-w c:\windows\system32\userinit.exe
2009-03-19 20:53 104,960 ----a-w c:\windows\system32\dllcache\userinit.exe
2009-03-19 00:20 --------- d-----w c:\programmi\eMule
2009-03-16 21:34 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\dvdcss
2009-03-14 23:39 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 13:25 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Any Video Converter
2009-03-05 13:15 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Nokia Multimedia Player
2009-02-25 13:40 --------- d-----w c:\programmi\SUPERAntiSpyware
2009-02-07 23:29 --------- d-----w c:\programmi\eMule2
2009-01-29 20:59 --------- d-----w c:\programmi\Spybot - Search & Destroy
2009-01-29 20:59 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-01-29 20:58 --------- d-----w c:\programmi\Panda Security
2009-01-26 21:51 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-01-26 21:51 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-01-26 21:19 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\vlc
2009-01-25 16:00 --------- d-----w c:\programmi\CCleaner
2009-01-25 12:11 --------- d-----w c:\programmi\ABBYY FineReader 6.0 Sprint
2009-01-25 12:10 --------- d-----w c:\programmi\Realtek
2009-01-25 12:10 --------- d-----w c:\programmi\jZip
2009-01-25 12:10 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\InstallShield
2009-01-25 12:00 --------- d-----w c:\programmi\Conduit
2009-01-25 02:07 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-01-25 02:07 --------- d-----w c:\programmi\epson
2009-01-25 01:56 --------- d-----w c:\programmi\MyPlayCity.com
2009-01-25 01:54 --------- d-----w c:\programmi\CONEXANT
2009-01-25 00:45 --------- d-----w c:\programmi\Trend Micro
2009-01-20 23:02 --------- d-----w c:\programmi\Any Video Converter
2009-01-20 22:44 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-01-20 20:36 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-01-20 20:35 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\SUPERAntiSpyware.com
2009-01-20 20:15 --------- d-----w c:\programmi\File comuni\Wise Installation Wizard
2009-01-20 00:13 --------- d-----w c:\programmi\Winamp Remote
2009-01-20 00:13 --------- d-----w c:\programmi\Winamp
2009-01-20 00:13 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\OrbNetworks
2009-01-20 00:13 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Winamp
2009-01-20 00:12 --------- d-----w c:\programmi\SoftInform
2009-01-20 00:12 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\SoftInform
2009-01-20 00:11 --------- d-----w c:\programmi\Spyware Terminator
2009-01-20 00:11 --------- d-----w c:\programmi\IZArc
2009-01-20 00:11 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Spyware Terminator
.

------- Sigcheck -------

2008-04-14 03:14 26624 df69726907357c3add243f48902b0331 c:\windows\SoftwareDistribution\Download\fc8deab818fa7e7ffabfc43e34347907\userinit.exe
2009-03-19 21:53 104960 5fe2f75f7cd9c7cac0f0c2e711a51004 c:\windows\system32\userinit.exe
2009-03-19 21:53 104960 5fe2f75f7cd9c7cac0f0c2e711a51004 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2009-01-27_23.32.46,29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-20 20:24:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-20 20:24:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2009-03-19 21:08:54 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012009031920090320\index.dat
+ 2009-03-19 21:09:03 78,924 ----a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
- 2009-01-21 22:46:30 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-03-14 23:39:49 144,792 ----a-w c:\windows\system32\java.exe
- 2009-01-21 22:46:30 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-14 23:39:49 144,792 ----a-w c:\windows\system32\javaw.exe
- 2009-01-21 22:46:30 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-14 23:39:49 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-20 21:17:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2a8.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"Packard Bell Data Secure"="c:\programmi\Packard Bell Data Secure\PBDataSecure.exe" [2006-06-20 2361856]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"PcSync"="c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2004-08-19 1667584]
"SUPERAntiSpyware"="c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-25 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2008-04-11 949376]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-03-15 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Utilit… controllo supporti di Picture Motion Browser.lnk - c:\programmi\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-09-27 344064]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\File comuni\\Nokia\\MPAPI\\MPAPI3s.exe"=
"c:\\Programmi\\File comuni\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Programmi\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"34509:TCP"= 34509:TCP:ww
"35307:UDP"= 35307:UDP:udp

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-11 15424]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8aaefc8-0d52-11de-a5c1-0016d38e2f41}]
\Shell\AutoRun\command - G:\setup-totopc2004_privati.exe
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

WebBrowser-{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC} - (no file)


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Scarica con Free Download Manager - file://c:\programmi\Free Download Manager\dllink.htm
IE: Scarica i video con Free Download Manager - file://c:\programmi\Free Download Manager\dlfvideo.htm
IE: Scarica selezionati con Free Download Manager - file://c:\programmi\Free Download Manager\dlselected.htm
IE: Scarica tutto con Free Download Manager - file://c:\programmi\Free Download Manager\dlall.htm
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\th3nhdpo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 22:25:25
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
.
Ora fine scansione: 2009-03-20 22.26.35
ComboFix-quarantined-files.txt 2009-03-20 21:26:23
ComboFix2.txt 2009-03-20 13:18:59
ComboFix3.txt 2009-03-19 22:29:19
ComboFix4.txt 2009-01-28 14:41:51
ComboFix5.txt 2009-03-20 21:14:35

Pre-Run: 41.492.516.864 byte disponibili
Post-Run: 41,483,792,384 byte disponibili

r16
Posted: Friday, March 20, 2009 10:36:29 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
OK.
Run a clean-up (registry included) with CCleaner.
Run a scan with Malwarebytes (update it first).
Post the log.
What problems are you experiencing?
ciccillo
Posted: Saturday, March 21, 2009 8:15:46 AM
Rank: Member

Member since: 1/25/2009
Posts: 17
I did everything you asked, but I still have 2 anomalies: when I restart the PC I have to type explorer to make the icons appear, and Malwarebytes always finds 2 viruses (produced by trojan agent, in the registry data category) which I delete, but if I run the scan again they always come back.
ciccillo
Posted: Saturday, March 21, 2009 8:16:55 AM
Rank: Member

Member since: 1/25/2009
Posts: 17
Here is the Malwarebytes log:



Malwarebytes' Anti-Malware 1.34
Versione del database: 1879
Windows 5.1.2600 Service Pack 2

21/03/2009 8.16.10
mbam-log-2009-03-21 (08-16-10).txt

Tipo di scansione: Scansione completa (C:\|D:\|E:\|F:\|)
Elementi scansionati: 149256
Tempo trascorso: 28 minute(s), 40 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 2
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)
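The two "registry data" items in the Malwarebytes log above are both the Winlogon Userinit value, and the data it reports (c:\windows\system32\userinit.exe and the relative form system32\userinit.exe) is the normal location of that program. What follows is an added example, not code from the thread or from Malwarebytes: a defender-side check of the Winlogon Userinit and Shell strings against the Windows XP defaults. It goes slightly beyond the log by also checking Shell, because a desktop that only appears after explorer is started by hand is one symptom a wrong Shell value produces. Assumptions, all labelled in the code: SystemRoot is C:\WINDOWS, the default Userinit is C:\WINDOWS\system32\userinit.exe followed by a comma, the default Shell is Explorer.exe, and the values are passed in as strings rather than read from the registry, so the check runs anywhere; every input is constructed.

```python
import re

# Assumed Windows XP defaults; in real use read SystemRoot and the Winlogon
# values from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
SYSTEM_ROOT = r"C:\WINDOWS"
EXPECTED = {
    # Userinit must be exactly one entry: <SystemRoot>\system32\userinit.exe
    "Userinit": {SYSTEM_ROOT.lower() + r"\system32\userinit.exe"},
    # Shell is normally the bare name (resolved via the path) or the full path
    "Shell": {"explorer.exe", SYSTEM_ROOT.lower() + r"\explorer.exe"},
}


def split_entries(value):
    """Winlogon stores several programs as a comma-separated list (a trailing comma is normal)."""
    return [e.strip() for e in value.split(",") if e.strip()]


def normalize(entry, name):
    """Lower-case, drop quotes, expand %SystemRoot%, and root a relative path under SystemRoot."""
    e = entry.strip().strip('"').lower().replace("%systemroot%", SYSTEM_ROOT.lower())
    if name == "Shell" and "\\" not in e:
        return e                              # bare 'explorer.exe' is the default form
    if not re.match(r"^[a-z]:\\", e):
        e = SYSTEM_ROOT.lower() + "\\" + e    # e.g. 'system32\userinit.exe' as in the MBAM log
    return e


def check_winlogon_value(name, value):
    """Return findings for one Winlogon value; an empty list means it matches the default."""
    entries = split_entries(value)
    if not entries:
        return [f"{name} is empty"]
    findings = [f"unexpected {name} entry: {raw}" for raw in entries
                if normalize(raw, name) not in EXPECTED[name]]
    if len(entries) > 1:
        findings.append(f"{name} has {len(entries)} entries where 1 is expected")
    return findings


def check_winlogon(values):
    """Check a dict of Winlogon values and return only the ones that have findings."""
    return {n: f for n, v in values.items() if (f := check_winlogon_value(n, v))}


if __name__ == "__main__":
    # Constructed inputs: the two data strings from the Malwarebytes log above, and a
    # constructed tampered pair whose extra program path is only a placeholder.
    print(check_winlogon({"Userinit": r"c:\windows\system32\userinit.exe", "Shell": "Explorer.exe"}))
    print(check_winlogon({"Userinit": r"system32\userinit.exe", "Shell": "Explorer.exe"}))
    print(check_winlogon({"Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\example\placeholder.exe",
                          "Shell": r"Explorer.exe,C:\example\placeholder.exe"}))
```

Both strings from the log pass this check, which is the point of the caveat: a Userinit value that names the right file says nothing about the file itself. The Sigcheck section of the ComboFix log lists c:\windows\system32\userinit.exe with a size and MD5 that differ from the copy under SoftwareDistribution, and that is something only a hash or signature comparison of the binary can see, not a registry string check.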
r16
Posted: Saturday, March 21, 2009 10:35:36 AM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi ciccillo.
The two problems you are seeing are linked to each other.
Open Task Manager and tell me how many explorer processes there are.
Be careful not to confuse them with iexplore.exe.
Let's run a scan with SystemScan:

download it to the desktop
http://www.suspectfile.com/systemscan
open it and make sure all the options are ticked, click "Scan Now"; when the scan finishes two files will be produced (on the desktop, inside the suspectfile folder).
Go to http://www.freefilehosting.net, upload the file with the .zip extension and, in your next reply, write the URL to download it.
Upload the file on Direct Link.
Remember to run the scan without an active connection and with the antivirus disabled, then re-enable it once the scan has finished.

NB:
the scan can take a long time; it may even look as if the program is not working, don't worry, it is.

SystemScan is wrongly flagged as infected by some antivirus programs.
ciccillo
Posted: Saturday, March 21, 2009 2:35:01 PM
Rank: Member

Member since: 1/25/2009
Posts: 17
There is only one process named explorer in Task Manager.
Now I'll do the rest of the things you told me to do and let you know.
ciccillo
Posted: Saturday, March 21, 2009 3:22:33 PM
Rank: Member

Member since: 1/25/2009
Posts: 17

I uploaded the file to freefilehosting and its URL is http://freefilehosting.net/download/466ia
I couldn't tell whether I had to do anything else afterwards (besides the scan done earlier)