Aiutamici Forum

HijackThis log, something is wrong!!!
mimmo86
Posted: Friday, March 20, 2009 3:19:38 PM
Rank: Newbie

Member since: 3/20/2009
Posts: 0
hi, could someone kindly give me a hand with HijackThis? I ran the scan and I think something is wrong. But I don't know much about this and I'd like some help so I don't mess things up. The problem I'm seeing is that the PC freezes constantly and only the Task Manager keeps working (I'm forced to reboot every time).
THANKS


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9.39.19, on 20/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Microsoft IntelliType Pro\type32.exe
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SPYWAR~2\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\a-squared Free\a2service.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\Programmi\System Protect\SysProtect_srv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Programmi\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Toolbar &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [type32] "C:\Programmi\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~2\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SystemProtect] C:\Programmi\System Protect\SysProtect_Tray.exe
O4 - HKLM\..\RunServices: [windosw.exe] mnwins.exe
O4 - HKLM\..\RunServices: [prgacpckfg] C:\WINDOWS\system32\prgacpckfg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198396857868
O17 - HKLM\System\CCS\Services\Tcpip\..\{321BC7BD-4D93-4424-953B-6732A6C70262}: NameServer = 85.37.17.11 85.38.28.69
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe
O23 - Service: System Protect Deletion Prevention Service (SP_Service) - Xacti Corporation - C:\Programmi\System Protect\SysProtect_srv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Print Spooler Service (vee3ie8yafi5towy) - Unknown owner - C:\WINDOWS\system32\prgacpckfg.exe (file missing)
O24 - Desktop Component 0: (no name) - http://wallpapers.dgreetings.com/images/christmas-wallpapers/merry-christmas/christmas-wallpaer04-t.jpg
O24 - Desktop Component 1: (no name) - http://static.blogo.it/guide/guida_sul_natale/sfondi-natalizi-per-il-desktop/big_christmaswallpaper05.jpg
O24 - Desktop Component 2: (no name) - http://static.blogo.it/guide/guida_sul_natale/sfondi-natalizi-per-il-desktop/thn_christmaswallpaper05.jpg
O24 - Desktop Component 3: (no name) - http://www.paddlingperfection.co.nz/images/gallery.jpg

--
End of file - 9738 bytes
shapiro
Posted: Friday, March 20, 2009 3:27:06 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
hi

you're infected, run a scan right away; afterwards we'll fix the keys with hjt

download Malwarebytes http://www.malwarebytes.org/mbam/program/mbam-setup.exe
1) install it
2) update it
3) run a scan, choosing full scan mode
4) for now, do NOT remove any threats it detects
5) when the scan is finished, select the log tab, open the text file and post it on the forum


mimmo86
Posted: Friday, March 20, 2009 5:11:04 PM
Rank: Newbie

Member since: 3/20/2009
Posts: 0
I've just finished the scan, here is the result:

Malwarebytes' Anti-Malware 1.34
Versione del database: 1878
Windows 5.1.2600 Service Pack 2

20/03/2009 17.07.46
mbam-log-2009-03-20 (17-07-41).txt

Tipo di scansione: Scansione completa (A:\|C:\|D:\|)
Elementi scansionati: 216471
Tempo trascorso: 1 hour(s), 0 minute(s), 28 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 1
Chiavi di registro infette: 0
Valori di registro infetti: 1
Elementi dato del registro infetti: 4
Cartelle infette: 0
File infetti: 7

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnLineGames) -> No action taken.

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Trojan.Agent) -> No action taken.

Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\WINDOWS\system32\olhrwef.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds1.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds2.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds3.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds4.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds5.dll (Spyware.OnLineGames) -> No action taken.
shapiro
Posted: Friday, March 20, 2009 10:41:53 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
restart Malwarebytes, remove everything and post a new hjt log
mimmo86
Posted: Saturday, March 21, 2009 12:47:16 PM
Rank: Newbie

Member since: 3/20/2009
Posts: 0
I did as you told me, here is everything:

Malwarebytes' Anti-Malware 1.34
Versione del database: 1878
Windows 5.1.2600 Service Pack 2

21/03/2009 11.04.37
mbam-log-2009-03-21 (11-04-33).txt

Tipo di scansione: Scansione completa (A:\|C:\|D:\|)
Elementi scansionati: 218920
Tempo trascorso: 1 hour(s), 0 minute(s), 41 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 1
Chiavi di registro infette: 0
Valori di registro infetti: 1
Elementi dato del registro infetti: 4
Cartelle infette: 0
File infetti: 8

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnLineGames) -> No action taken.

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Trojan.Agent) -> No action taken.

Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\WINDOWS\system32\olhrwef.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds1.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds2.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds3.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds4.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds5.dll (Spyware.OnLineGames) -> No action taken.
C:\WINDOWS\system32\nmdfgds6.dll (Spyware.OnLineGames) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.42.51, on 21/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Microsoft IntelliType Pro\type32.exe
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SPYWAR~2\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\a-squared Free\a2service.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\Programmi\System Protect\SysProtect_srv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Programmi\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Toolbar &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [type32] "C:\Programmi\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~2\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SystemProtect] C:\Programmi\System Protect\SysProtect_Tray.exe
O4 - HKLM\..\RunServices: [windosw.exe] mnwins.exe
O4 - HKLM\..\RunServices: [prgacpckfg] C:\WINDOWS\system32\prgacpckfg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198396857868
O17 - HKLM\System\CCS\Services\Tcpip\..\{321BC7BD-4D93-4424-953B-6732A6C70262}: NameServer = 85.37.17.11 85.38.28.69
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programmi\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe
O23 - Service: System Protect Deletion Prevention Service (SP_Service) - Xacti Corporation - C:\Programmi\System Protect\SysProtect_srv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Print Spooler Service (vee3ie8yafi5towy) - Unknown owner - C:\WINDOWS\system32\prgacpckfg.exe (file missing)
O24 - Desktop Component 0: (no name) - http://wallpapers.dgreetings.com/images/christmas-wallpapers/merry-christmas/christmas-wallpaer04-t.jpg
O24 - Desktop Component 1: (no name) - http://static.blogo.it/guide/guida_sul_natale/sfondi-natalizi-per-il-desktop/big_christmaswallpaper05.jpg
O24 - Desktop Component 2: (no name) - http://static.blogo.it/guide/guida_sul_natale/sfondi-natalizi-per-il-desktop/thn_christmaswallpaper05.jpg
O24 - Desktop Component 3: (no name) - http://www.paddlingperfection.co.nz/images/gallery.jpg

--
End of file - 9500 bytes


now what should I do? THANKS
shapiro
Posted: Saturday, March 21, 2009 1:05:14 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
restart Malwarebytes (as I already advised you) and remove everything it found

Start HijackThis and click on "do a system scan only"
Tick these entries and click on "fix checked"

O4 - HKLM\..\RunServices: [windosw.exe] mnwins.exe

O4 - HKLM\..\RunServices: [prgacpckfg] C:\WINDOWS\system32\prgacpckfg.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O23 - Service: Print Spooler Service (vee3ie8yafi5towy) - Unknown owner - C:\WINDOWS\system32\prgacpckfg.exe (file missing)


Close your security programs and download Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
1. Double-click combofix.exe
2. Type 1, press Enter and follow the instructions (don't do anything else during the scan).
3. When it finishes, a log file called C:\ComboFix.txt will be created.
4. Post the log you will find at C:\combofix.txt.
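As an added example (not a tool from this forum or from the HijackThis/Malwarebytes projects), a small Python triage script that applies the same selection rule the helper used above to HijackThis log lines: it flags entries under the legacy RunServices key, entries whose target is reported missing, and O4/O23 entries whose executable also appears in the Malwarebytes detection list. The sample lines are copied from the logs posted in this thread; the regexes, function names and reason strings are my own assumptions.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread).

Flags the kinds of entries the thread's helper told the poster to fix:
  * O4 entries under the legacy HKLM\..\RunServices key (a Windows 9x-era
    key that modern software does not use, so anything there deserves a look),
  * entries whose target is reported as "(no file)" or "(file missing)",
  * O4/O23 entries whose executable also appears in a Malwarebytes
    "File infetti" (infected files) list.
"""
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [type32] "C:\Programmi\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\RunServices: [windosw.exe] mnwins.exe
O4 - HKLM\..\RunServices: [prgacpckfg] C:\WINDOWS\system32\prgacpckfg.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Print Spooler Service (vee3ie8yafi5towy) - Unknown owner - C:\WINDOWS\system32\prgacpckfg.exe (file missing)
"""

# Constructed sample: the "File infetti" block of the Malwarebytes log posted above.
MBAM_LOG = r"""
File infetti:
C:\WINDOWS\system32\olhrwef.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnLineGames) -> No action taken.
"""

# Assumed line shapes (HijackThis v2.0.2 output as seen in this thread).
O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
MBAM_FILE_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> ', re.M)


def mbam_detected_files(mbam_text):
    """Return {lowercased path: detection name} from a Malwarebytes log."""
    return {m.group('path').lower(): m.group('family')
            for m in MBAM_FILE_RE.finditer(mbam_text)}


def _exe_path(command):
    """Extract the executable path from an O4 command string (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(' ')[0]


def triage_hjt(hjt_text, mbam_text=''):
    """Return a list of (hjt_line, reason) pairs that deserve a human's attention."""
    detected = mbam_detected_files(mbam_text)
    findings = []
    for line in hjt_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        # Dangling references: the registry entry outlived its file.
        if '(no file)' in line or '(file missing)' in line:
            reasons.append('target missing')
        m = O4_RE.match(line)
        if m:
            if m.group('key').endswith('RunServices'):
                reasons.append('legacy RunServices autorun key')
            exe = _exe_path(m.group('cmd')).lower()
            if exe in detected:
                reasons.append('executable flagged by Malwarebytes as ' + detected[exe])
        m = O23_RE.match(line)
        if m:
            path = m.group('path').replace('(file missing)', '').strip().lower()
            if path in detected:
                reasons.append('service binary flagged by Malwarebytes as ' + detected[path])
        if reasons:
            findings.append((line, '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for hjt_line, reason in triage_hjt(HJT_LOG, MBAM_LOG):
        print(reason, '<-', hjt_line)
```

On the sample above the script flags exactly the four entries the helper listed plus the cdoosoft autorun that Malwarebytes had already attributed to olhrwef.exe, and leaves the legitimate type32 and NVSvc lines alone.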




mimmo86
Posted: Saturday, March 21, 2009 3:37:21 PM
Rank: Newbie

Member since: 3/20/2009
Posts: 0
here is the combofix log:


ComboFix 09-03-19.02 - xyz 2009-03-21 15:03:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1023.560 [GMT 1:00]
Eseguito da: c:\documents and settings\xyz\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\xyz\Impostazioni locali\Dati applicazioni\doomily.dat
c:\documents and settings\xyz\Impostazioni locali\Dati applicazioni\doomily_nav.dat
c:\documents and settings\xyz\Impostazioni locali\Dati applicazioni\doomily_navps.dat
c:\documents and settings\xyz\Impostazioni locali\Dati applicazioni\iljqekgci.dat
c:\documents and settings\xyz\Impostazioni locali\Dati applicazioni\iljqekgci_nav.dat
c:\documents and settings\xyz\Impostazioni locali\Dati applicazioni\iljqekgci_navps.dat
c:\documents and settings\xyz\Impostazioni locali\Dati applicazioni\limfcya.dat
c:\documents and settings\xyz\Impostazioni locali\Dati applicazioni\limfcya_nav.dat
c:\documents and settings\xyz\Impostazioni locali\Dati applicazioni\limfcya_navps.dat
c:\programmi\QUAD Utilities
c:\programmi\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll
C:\uxkl0apt.bat
c:\windows\system32\command.pif
c:\windows\system32\ICON.ico
C:\yh.cmd

.
((((((((((((((((((((((((( Files Creati Da 2009-02-21 al 2009-03-21 )))))))))))))))))))))))))))))))))))
.

2009-03-20 15:35 . 2009-03-20 15:35 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-03-20 15:35 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 15:35 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-20 09:32 . 2009-03-20 09:32 <DIR> d-------- c:\programmi\Trend Micro
2009-03-19 19:38 . 2009-03-19 19:40 <DIR> d-------- c:\documents and settings\xyz\Dati applicazioni\Faxalo
2009-03-19 19:38 . 2007-07-25 20:53 1,382,356 --a------ c:\windows\system32\imgport.dll
2009-03-19 19:38 . 2006-03-28 19:50 376,832 --a------ c:\windows\system32\libtiff3.dll
2009-03-19 19:38 . 2005-05-15 23:08 127,488 --a------ c:\windows\system32\jpeg62.dll
2009-03-19 19:38 . 2005-07-21 03:05 75,264 --a------ c:\windows\system32\zlib1.dll
2009-03-19 19:38 . 2007-07-13 18:19 40,448 --a------ c:\windows\system32\PopFaxLocalMon.dll
2009-03-19 19:38 . 2006-03-28 19:51 36,352 --a------ c:\windows\system32\tiffcp.exe
2009-03-19 19:38 . 2007-06-27 18:38 16,896 --a------ c:\windows\system32\PopFaxLocalUI.dll
2009-03-18 19:35 . 2009-03-16 20:02 111,363 -r-hs---- C:\luk1ylq.com
2009-03-18 15:52 . 2009-03-18 21:22 <DIR> d-------- c:\programmi\SpeedFan
2009-03-18 15:52 . 2009-03-18 15:52 0 --a------ c:\windows\system32\initdebug.nfo
2009-03-18 14:54 . 2009-03-16 20:02 111,363 -r-hs---- C:\q0dhfjf.exe
2009-03-17 22:01 . 2009-03-17 22:01 3,166 --a------ c:\windows\tmp.xml
2009-03-17 19:02 . 2009-03-19 19:38 <DIR> d-------- c:\programmi\System Protect
2009-03-17 19:02 . 2009-03-17 19:02 12,288 --a------ c:\windows\system32\drivers\sp_prot.sys
2009-03-16 11:46 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-09 18:23 . 2009-03-09 18:23 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-09 18:23 . 2009-03-09 18:23 1,409 --a------ c:\windows\QTFont.for
2009-03-01 18:59 . 2009-03-01 19:11 <DIR> d--hs---- c:\documents and settings\xyz\Phone Browser

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 12:31 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-03-21 10:13 --------- d-----w c:\documents and settings\xyz\Dati applicazioni\Spyware Terminator
2009-03-20 05:54 --------- d-----w c:\programmi\WinClamAVShield
2009-03-20 05:54 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spyware Terminator
2009-03-17 21:27 --------- d-----w c:\programmi\Spyware Terminator
2009-03-17 21:26 --------- d-----w c:\programmi\eMule
2009-03-14 08:19 --------- d-----w c:\programmi\File comuni\Adobe
2009-03-08 09:32 --------- d-----w c:\documents and settings\xyz\Dati applicazioni\Nokia
2009-03-08 09:31 --------- d-----w c:\programmi\File comuni\Nokia
2009-03-08 09:30 --------- d-----w c:\programmi\Nokia
2009-02-20 14:22 --------- d-----w c:\documents and settings\xyz\Dati applicazioni\PC Suite
2009-02-20 14:21 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-02-20 14:21 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-02-20 14:15 --------- d-----w c:\programmi\PC Connectivity Solution
2009-02-20 14:15 --------- d-----w c:\programmi\File comuni\PCSuite
2009-02-20 14:13 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Installations
2009-02-20 14:04 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Nokia
2009-02-20 13:54 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\PC Suite
2009-02-20 13:53 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-20 13:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-02-20 13:50 --------- d-----w c:\documents and settings\xyz\Dati applicazioni\Nseries
2009-02-18 16:10 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\NokiaMusic
2009-02-18 16:06 --------- d-----w c:\programmi\DIFX
2009-02-18 15:54 --------- d-----w c:\programmi\Reference Assemblies
2009-02-18 15:54 --------- d-----w c:\programmi\MSBuild
2009-02-18 15:39 --------- d-----w c:\programmi\MSXML 6.0
2009-02-17 08:43 --------- d-----w c:\programmi\Messenger Plus! Live
2009-02-06 18:06 --------- d-----w c:\programmi\Dream Aquarium
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-26 10:07 113,600 -c--a-w c:\documents and settings\xyz\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-05-07 12:56 614 ----a-w c:\programmi\BorisGraffitiUI.xml
2008-03-15 19:18 14,348 ----a-w c:\documents and settings\xyz\SkyTel(2).EXE
2008-03-15 19:18 14,348 ----a-w c:\documents and settings\xyz\SkyTel .exe
2008-03-15 19:18 14,348 ----a-w c:\documents and settings\xyz\RTHDCPL(2).EXE
2008-03-15 19:18 14,348 ----a-w c:\documents and settings\xyz\RTHDCPL .exe
2008-02-05 23:44 200,704 ----a-w c:\programmi\BorisFXUI.fex
2008-01-05 13:12 22,328 ----a-w c:\documents and settings\xyz\Dati applicazioni\PnkBstrK.sys
2006-09-07 20:08 53,606,550 -c----w c:\documents and settings\xyz\Desktop.zip
2007-11-23 18:26 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"NBJ"="c:\programmi\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 1957888]
"PC Suite Tray"="c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\programmi\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\programmi\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-10-25 282624]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"SpywareTerminator"="c:\progra~1\SPYWAR~2\SpywareTerminatorShield.exe" [2008-05-08 1817600]
"SystemProtect"="c:\programmi\System Protect\SysProtect_Tray.exe" [2009-03-17 1223680]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-09-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-09 110592]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2003-01-21 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= ctwdm32.dll
"aux5"= ctwdm32.dll
"aux6"= ctwdm32.dll
"aux7"= ctwdm32.dll
"VIDC.GJPG"= GJPG.DLL
"vidc.mjpg"= pvmjpg30.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\MSN\\MSNCoreFiles\\msn6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Documents and Settings\\xyz\\Desktop\\SCARICA\\zdc\\zDCPlusPlus.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Hercules\\Classic Silver\\Station2.exe"=
"c:\\Programmi\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Programmi\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Programmi\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Programmi\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12800:TCP"= 12800:TCP:NortonAV
"14016:TCP"= 14016:TCP:NortonAV

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-16 28544]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [2005-07-19 84529]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-10-01 77056]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-04-03 141312]
R2 SP_Service;System Protect Deletion Prevention Service;c:\programmi\System Protect\SysProtect_srv.exe [2009-03-17 598528]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-03-06 29696]
R3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [2008-01-26 94208]
R3 sp_prot;System Protect Filter Driver;c:\windows\system32\drivers\sp_prot.sys [2009-03-17 12288]
S2 MtxVideo;Driver Matrox WDM capture/crossbar;c:\windows\system32\drivers\mtxvideo.sys [2004-04-09 103296]
S2 vee3ie8yafi5towy;Print Spooler Service;c:\windows\system32\prgacpckfg.exe /service --> c:\windows\system32\prgacpckfg.exe [?]
S3 Camdrv30;Philips ToUcam XS;c:\windows\system32\drivers\camdrv30.sys [2005-11-26 171264]
S3 ctlsb16;Driver Creative SB16/AWE32/AWE64 (WDM);c:\windows\system32\drivers\ctlsb16.sys [2003-11-25 96256]
S3 G200;G200;c:\windows\system32\drivers\G200m.sys [2003-11-20 320384]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\DRIVERS\pfc027.sys --> c:\windows\system32\DRIVERS\pfc027.sys [?]
S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\system32\drivers\s3sav4m.sys [2004-01-05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4629f0-b2cd-11dc-8547-0013d44e1471}]
\Shell\AutoRun\command - E:\iqe68o.bat
\Shell\explore\Command - E:\iqe68o.bat
\Shell\open\Command - E:\iqe68o.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cbcf9a0-ec5b-11dd-8b3c-001e8c14215f}]
\Shell\AutoRun\command - wx8o0bt1.com
\Shell\open\Command - wx8o0bt1.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29db8530-d702-11dc-860a-0013d44e1471}]
\Shell\AutoRun\command - E:\2fiy.bat
\Shell\open\Command - E:\2fiy.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48c439c0-5c35-11db-be9b-0013d44e1471}]
\Shell\AutoRun\command - E:\m9ma.exe
\Shell\explore\Command - E:\m9ma.exe
\Shell\open\Command - E:\m9ma.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d80c321-5112-11d9-9be5-806d6172696f}]
\Shell\AutoRun\command - e:\bin\Assetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1f2e6a0-fe97-11dd-8baf-001e8c14215f}]
\Shell\AutoRun\command - E:\gi2ky.exe
\Shell\open\Command - E:\gi2ky.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1f2e6a1-fe97-11dd-8baf-001e8c14215f}]
\Shell\AutoRun\command - G:\cv22.cmd
\Shell\open\Command - G:\cv22.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e199d690-00a8-11dc-81db-0013d44e1471}]
\Shell\AutoRun\command - I:\xdw.com
\Shell\open\Command - I:\xdw.com
.
Contenuto della cartella 'Scheduled Tasks'

2009-03-09 c:\windows\Tasks\At3.job
- c:\windows\system32\username.exe []

2009-03-07 c:\windows\Tasks\At4.job
- c:\windows\system32\expIorer.exe []

2009-03-15 c:\windows\Tasks\At5.job
- c:\windows\system32\sp2protect.exe []

2009-03-11 c:\windows\Tasks\Schedule Task Weekly.job
- c:\programmi\Registry Easy\RE.exe []

2009-03-21 c:\windows\Tasks\Symantec NetDetect.job
- c:\programmi\Symantec\LiveUpdate\NDETECT.EXE [2005-03-16 11:48]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-WebCamRT.exe - (no file)
Notify-AtiExtEvent - (no file)


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Connection Wizard,ShellNext = iexplore
IE: &eBay Search - c:\programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Crawler Search - tbr:iemenu
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {321BC7BD-4D93-4424-953B-6732A6C70262} = 85.37.17.11 85.38.28.69
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\programmi\Crawler\Toolbar\ctbr.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\xyz\Dati applicazioni\Mozilla\Firefox\Profiles\tkxqxsx4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://mystart.magentic.com/italian/
FF - prefs.js: keyword.URL - hxxp://mystart.magentic.com/?loc=FF_Magentic_AddressBar&search=
FF - component: c:\programmi\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\programmi\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10);user_pref(general.useragent.extra.zencast, .

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 15:06:31
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1275210071-746137067-854245398-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,41,84,ba,09,90,
26,96,5c,c8,28,51,af,b0,29,a3,98,cf,8e,aa,08,8e,27,36,f5,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,03,56,6e,1f,f2,
b4,df,a5,71,3b,04,66,8b,46,0d,96,8d,20,fd,91,0f,8f,c4,14,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,29,48,89,0f,f3,
15,ae,6e,25,da,ec,7e,55,20,c9,26,f9,8f,6b,80,2c,43,47,50,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,a6,e0,fe,67,aa,
9e,f7,ab,3e,1e,9e,e0,57,5a,93,61,89,dd,3a,c3,53,d4,57,77,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,a0,91,14,21,f8,
8b,ce,36,cd,44,cd,b9,a6,33,6c,cd,d3,8c,9f,72,39,1a,50,21,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f0,a7,5a,48,c6,
61,18,69,b0,18,ed,a7,3f,8d,37,a4,2a,b7,f9,86,d9,ff,72,41,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,5a,cb,e2,70,62,
4c,aa,31,31,77,e1,ba,b1,f8,68,02,d6,fb,57,8f,9c,26,0f,4d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,73,7c,d8,bc,8f,
10,ed,58,83,6c,56,8b,a0,85,96,ab,0d,26,1a,0f,50,a3,64,81,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,1b,11,06,0d,a6,
55,16,77,51,fa,6e,91,28,9e,14,cc,4f,82,aa,67,98,86,ef,55,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,37,d7,a8,c4,f3,
b0,cf,78,b1,cd,45,5a,a8,c4,f8,b9,b6,a2,65,c3,8d,16,a2,df,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,8e,84,30,7f,c2,
22,cf,7f,e3,0e,66,d5,eb,bc,2f,6b,18,e4,64,57,0f,1d,bb,ee,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6e,40,09,8f,b9,
2b,28,43,fa,ea,66,7f,d4,3b,6b,70,44,e1,e0,81,8a,2b,06,d3,6c,43,2d,1e,aa,22,\
.
Ora fine scansione: 2009-03-21 15:10:03
ComboFix-quarantined-files.txt 2009-03-21 14:08:46

Pre-Run: 50,879,012,864 byte disponibili
Post-Run: 51,819,884,544 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

shapiro
Posted: Saturday, March 21, 2009 5:39:34 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
you had some navipromo and hjt didn't flag them...hmm


you have other infections

download Avenger from here

http://swandog46.geekstogo.com/avenger.zip

install it and run it

Copy and paste into the "Input script here" window the text in red exactly as it is written:


files to delete:
C:\q0dhfjf.exe
C:\luk1ylq.com
C:\q0dhfjf.exe




Tick "Automatically disable any rootkits found"

click the "Execute" button
The PC should restart on its own; if it doesn't, restart it manually

post the avenger log that you will find in c:\



analyze here ► http://www.virustotal.com/it/

this file marked in red and post the report

c:\windows\system32\zlib1.dll

steven75
Posted: Saturday, March 21, 2009 6:13:02 PM
Rank: Member

Joined: 5/8/2006
Posts: 0
hi shapiro, sorry for butting in, but there is also a lot more to remove;

@mimmo86: so you don't have to do two procedures, do it this way;
plug in all the external devices you use, but without opening them

Now open a Notepad page and copy-paste the following;


KillAll::
file::
C:\q0dhfjf.exe
C:\luk1ylq.com
C:\q0dhfjf.exe
I:\xdw.com
G:\cv22.cmd
E:\gi2ky.exe
E:\2fiy.bat
E:\m9ma.exe
D:\autorun.exe
F:\autorun.exe
E:\iqe68o.bat
c:\windows\system32\sp2protect.exe
c:\windows\system32\expIorer.exe
c:\windows\system32\username.exe
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job

registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4629f0-b2cd-11dc-8547-0013d44e1471}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cbcf9a0-ec5b-11dd-8b3c-001e8c14215f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29db8530-d702-11dc-860a-0013d44e1471}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48c439c0-5c35-11db-be9b-0013d44e1471}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d80c321-5112-11d9-9be5-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1f2e6a0-fe97-11dd-8baf-001e8c14215f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1f2e6a1-fe97-11dd-8baf-001e8c14215f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e199d690-00a8-11dc-81db-0013d44e1471}]


save the page, naming it CFScript.txt (the name is mandatory)
then drag and drop the CFScript.txt file onto the combofix icon
let it work to the end and post its log again ...
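For readers who want to see how entries like the ones in steven75's script are picked out of a ComboFix log, here is a small triage script. It is an added example written for this page, not code from ComboFix, Avenger or any of the posters. The sample log text is a constructed subset of the log posted above; the allow-list of Windows binary names and the scoring rules (script-style extension, a relative path that resolves against the volume root, a short alphanumeric name, hijacked open/explore verbs, AtN.job tasks with no recorded file metadata, look-alike names such as expIorer.exe) are the editor's assumptions, not ComboFix's own logic.

```python
# ComboFix-log triage: flags MountPoints2 AutoRun hijacks and odd scheduled tasks.
# Example code written for this page, not ComboFix's; the heuristics are assumptions.
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4629f0-b2cd-11dc-8547-0013d44e1471}]
\Shell\AutoRun\command - E:\iqe68o.bat
\Shell\explore\Command - E:\iqe68o.bat
\Shell\open\Command - E:\iqe68o.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cbcf9a0-ec5b-11dd-8b3c-001e8c14215f}]
\Shell\AutoRun\command - wx8o0bt1.com
\Shell\open\Command - wx8o0bt1.com

2009-03-09 c:\windows\Tasks\At3.job
- c:\windows\system32\username.exe []

2009-03-07 c:\windows\Tasks\At4.job
- c:\windows\system32\expIorer.exe []
"""

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([^\]]+)\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+?)\s*$", re.I)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (.+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")
SCRIPT_EXT = {".bat", ".cmd", ".com", ".pif", ".scr"}
# Assumed allow-list of Windows binaries that malware likes to impersonate by name.
SYSTEM_BINARIES = ["explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "spoolsv.exe"]
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "0": "o", "|": "l"})

def fold(name: str) -> str:
    """Collapse characters that look alike on screen (I/l/1, O/0) before comparing."""
    return name.lower().translate(HOMOGLYPHS)

FOLDED_SYSTEM = {fold(n): n for n in SYSTEM_BINARIES}

@dataclass
class Finding:
    kind: str      # "mountpoint" or "task"
    where: str     # MountPoints2 subkey or .job path
    target: str    # what the entry launches
    reasons: List[str] = field(default_factory=list)

def judge_autorun(verbs: dict) -> List[str]:
    """One MountPoints2 key as {verb: command}; returns why it looks suspicious."""
    target = verbs.get("autorun") or next(iter(verbs.values()))
    stem, _, ext = target.rsplit("\\", 1)[-1].lower().rpartition(".")
    reasons = []
    if "." + ext in SCRIPT_EXT:
        reasons.append(f"script/COM-style extension .{ext}")
    if not re.match(r"^[a-z]:\\", target, re.I):
        reasons.append("relative path, resolved against the volume root")
    if re.fullmatch(r"[a-z0-9]{2,8}", stem) and any(c.isdigit() for c in stem):
        reasons.append("short random-looking name")
    extra = sorted(v for v in verbs if v != "autorun")
    if extra:  # double-click / right-click Open run it even with AutoPlay disabled
        reasons.append("also hijacks Explorer verbs: " + ", ".join(extra))
    return reasons

def judge_task(job: str, target: str, meta: str) -> List[str]:
    """One 'date job.job' / '- target [meta]' pair; returns why it looks suspicious."""
    name = target.rsplit("\\", 1)[-1]
    canonical = FOLDED_SYSTEM.get(fold(name))
    reasons = []
    if canonical and name.lower() != canonical:
        reasons.append(f"look-alike of {canonical}")
    if re.fullmatch(r"At\d+\.job", job.rsplit("\\", 1)[-1], re.I):
        reasons.append("AtN.job name: created with at.exe, not the Task Scheduler UI")
    if not meta.strip() and "\\system32\\" in target.lower():
        reasons.append("no date/size recorded for a system32 target")
    return reasons

def analyze(log_text: str) -> List[Finding]:
    """Single pass over the log; one Finding per entry that has at least one reason."""
    mountpoints, tasks, key, job = [], [], None, None
    for line in map(str.strip, log_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
            mountpoints.append((key, {}))
        elif (m := VERB_RE.match(line)) and key:
            mountpoints[-1][1][m.group(1).lower()] = m.group(2)
        elif m := TASK_RE.match(line):
            key, job = None, m.group(1)
        elif (m := TARGET_RE.match(line)) and job:
            tasks.append((job, m.group(1), m.group(2)))
            job = None
    findings = [Finding("mountpoint", k, v.get("autorun") or next(iter(v.values())), r)
                for k, v in mountpoints if v and (r := judge_autorun(v))]
    findings += [Finding("task", j, t, r) for j, t, meta in tasks if (r := judge_task(j, t, meta))]
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.where} -> {f.target}: " + "; ".join(f.reasons))
```

Running the module prints the four entries from those two sections that steven75 put in his script; an entry such as D:\autorun.exe or e:\bin\Assetup.exe collects no reasons and stays silent, which is why plain autorun.exe entries on optical drives still need a human look rather than blind deletion. The open/explore verbs are worth flagging on their own: once they are set in MountPoints2, double-clicking the drive in Explorer can run the command even when AutoPlay is switched off.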
mimmo86
Posted: Saturday, March 21, 2009 8:21:19 PM
Rank: Newbie

Joined: 3/20/2009
Posts: 0
To steven: first of all thanks, but I read your message after I had already started shapiro's procedure; do you advise me to carry out the other procedure as well?


To shapiro:

Avenger log:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\q0dhfjf.exe" deleted successfully.
File "C:\luk1ylq.com" deleted successfully.

Error: file "C:\q0dhfjf.exe" not found!
Deletion of file "C:\q0dhfjf.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.





virustotal report:

Antivirus Versione Ultimo aggiornamento Risultato
a-squared 4.0.0.73 2009.01.28 -
AhnLab-V3 5.0.0.2 2009.01.27 -
AntiVir 7.9.0.60 2009.01.27 -
Authentium 5.1.0.4 2009.01.27 -
Avast 4.8.1281.0 2009.01.27 -
AVG 8.0.0.229 2009.01.27 -
BitDefender 7.2 2009.01.28 -
CAT-QuickHeal 10.00 2009.01.28 -
ClamAV 0.94.1 2009.01.27 -
Comodo 948 2009.01.27 -
DrWeb 4.44.0.09170 2009.01.28 -
eSafe 7.0.17.0 2009.01.27 -
eTrust-Vet 31.6.6330 2009.01.28 -
F-Prot 4.4.4.56 2009.01.27 -
F-Secure 8.0.14470.0 2009.01.28 -
Fortinet 3.117.0.0 2009.01.28 -
GData 19 2009.01.28 -
Ikarus T3.1.1.45.0 2009.01.28 -
K7AntiVirus 7.10.607 2009.01.27 -
Kaspersky 7.0.0.125 2009.01.28 -
McAfee 5508 2009.01.27 -
McAfee+Artemis 5508 2009.01.27 -
Microsoft 1.4205 2009.01.28 -
NOD32 3805 2009.01.28 -
Norman 5.93.01 2009.01.27 -
nProtect 2009.1.8.0 2009.01.28 -
Panda 9.5.1.2 2009.01.27 -
PCTools 4.4.2.0 2009.01.27 -
Prevx1 V2 2009.01.28 -
Rising 21.13.42.00 2009.01.23 -
SecureWeb-Gateway 6.7.6 2009.01.27 -
Sophos 4.37.0 2009.01.27 -
Sunbelt 3.2.1835.2 2009.01.16 -
TheHacker 6.3.1.5.229 2009.01.26 -
TrendMicro 8.700.0.1004 2009.01.27 -
VBA32 3.12.8.11 2009.01.27 -
ViRobot 2009.1.23.1577 2009.01.26 -
VirusBuster 4.5.11.0 2009.01.27 -
Informazioni addizionali
File size: 75264 bytes
MD5...: c7d4d685a0af2a09cbc21cb474358595
SHA1..: b784599c82bb90d5267fd70aaa42acc0c614b5d2
SHA256: e96b397b499d9eaa3f52eaf496ca8941e80c0ad1544879ccadf02bf2c6a1ecfc
SHA512: fed2c126a499fae6215e0ef7d76aeec45b60417ed11c7732379d1e92c87e2735
5fe8753efed86af4f58d52ea695494ef674538192fac1e8a2a114467061a108b

ssdeep: 1536:+4nToIf2W/nkQRZHaamLQHoIOah7Vryh7IO4cZlIXw6Epb:bTBfHdRZH9mL
QHuaBVGn4FXw6E1

PEiD..: -
TrID..: File type identification
Win32 Dynamic Link Library (generic) (65.4%)
Generic Win/DOS Executable (17.2%)
DOS Executable Generic (17.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x42de7657 (Wed Jul 20 16:05:43 2005)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xfc44 0xfe00 6.67 fb3eaf5f44062b7d42dbd85cc675d83e
.data 0x11000 0x70 0x200 0.70 bd7e579b89c755c8500d95e13eab3504
.bss 0x12000 0x90 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.edata 0x13000 0x656 0x800 4.51 e26b95848ef2f8c86d11449797fd50e2
.idata 0x14000 0x348 0x400 3.76 323b2c261624a2ea56fe3c3757a9653b
.rsrc 0x15000 0x1058 0x1200 3.51 36ccbb297d53d3e054df3bafe19ed25b
.reloc 0x17000 0x348 0x400 5.54 9f7837634a6ec513794db623c0eadbe5

( 3 imports )
> KERNEL32.dll: AddAtomA, FindAtomA, GetAtomNameA
> msvcrt.dll: _fdopen
> msvcrt.dll: __dllonexit, _errno, _filelengthi64, _vsnprintf, abort, clearerr, fclose, fflush, fgetpos, fopen, fprintf, fputc, fread, free, fsetpos, fwrite, malloc, memcpy, memset, sprintf, strcat, strcpy, strerror, strlen

( 73 exports )
DllGetVersion, _dist_code, _length_code, _tr_align, _tr_flush_block, _tr_init, _tr_stored_block, _tr_tally, adler32, adler32_combine, compress, compress2, compressBound, crc32, crc32_combine, deflate, deflateBound, deflateCopy, deflateEnd, deflateInit2_, deflateInit_, deflateParams, deflatePrime, deflateReset, deflateSetDictionary, deflateSetHeader, deflateTune, deflate_copyright, get_crc_table, gzclearerr, gzclose, gzdirect, gzdopen, gzeof, gzerror, gzflush, gzgetc, gzgets, gzopen, gzprintf, gzputc, gzputs, gzread, gzrewind, gzseek, gzsetparams, gztell, gzungetc, gzwrite, inflate, inflateBack, inflateBackEnd, inflateBackInit_, inflateCopy, inflateEnd, inflateGetHeader, inflateInit2_, inflateInit_, inflatePrime, inflateReset, inflateSetDictionary, inflateSync, inflateSyncPoint, inflate_copyright, inflate_fast, inflate_table, uncompress, zError, z_errmsg, zcalloc, zcfree, zlibCompileFlags, zlibVersion

CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=c7d4d685a0af2a09cbc21cb474358595

THANKS
mimmo86
Posted: Saturday, March 21, 2009 8:29:30 PM
Rank: Newbie

Joined: 3/20/2009
Posts: 0
To steve: I forgot, sorry for my ignorance, but if I have to carry out your procedure I didn't understand what "plug in all the devices but don't open them" means. I mean, do I have to plug in all the devices like USB stick, mobile phone, mp3 player, joypad, external HDD, etc.?? In that case how do I connect them all at the same time? Thanks
shapiro
Posted: Saturday, March 21, 2009 8:35:29 PM

Rank: AiutAmico

Joined: 8/24/2008
Posts: 4,164
yes, steven 75's procedure is fine, only you will have to remove these two from the list

C:\q0dhfjf.exe

C:\luk1ylq.com


avenger deleted them


mimmo86
Posted: Saturday, March 21, 2009 8:38:39 PM
Rank: Newbie

Joined: 3/20/2009
Posts: 0
and the devices question? what exactly do I have to do?
steven75
Posted: Saturday, March 21, 2009 8:54:03 PM
Rank: Member

Joined: 5/8/2006
Posts: 0
plug in the USB stick, the MP3 player and the external disk
mimmo86
Posted: Saturday, March 21, 2009 9:41:14 PM
Rank: Newbie

Joined: 3/20/2009
Posts: 0
done as you said, here is the log:

ComboFix 09-03-19.02 - xyz 2009-03-21 21.25.44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1023.603 [GMT 1:00]
Eseguito da: c:\documents and settings\xyz\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\xyz\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

FILE ::
C:\luk1ylq.com
C:\q0dhfjf.exe
c:\windows\system32\expIorer.exe
c:\windows\system32\sp2protect.exe
c:\windows\system32\username.exe
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
D:\autorun.exe
E:\2fiy.bat
E:\gi2ky.exe
E:\iqe68o.bat
E:\m9ma.exe
F:\autorun.exe
G:\cv22.cmd
I:\xdw.com
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
E:\autorun.inf
G:\Autorun.inf
G:\h3.bat
G:\iqe68o.bat
G:\uxkl0apt.bat
F:\autorun.exe . . . . Eliminazione Fallita

.
((((((((((((((((((((((((( Files Creati Da 2009-02-21 al 2009-03-21 )))))))))))))))))))))))))))))))))))
.

2009-03-21 21:30 . 2009-03-21 21:30 227 --a------ c:\windows\system.ini
2009-03-20 15:35 . 2009-03-20 15:35 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-03-20 15:35 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 15:35 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-20 09:32 . 2009-03-20 09:32 <DIR> d-------- c:\programmi\Trend Micro
2009-03-19 19:38 . 2009-03-19 19:40 <DIR> d-------- c:\documents and settings\xyz\Dati applicazioni\Faxalo
2009-03-19 19:38 . 2007-07-25 20:53 1,382,356 --a------ c:\windows\system32\imgport.dll
2009-03-19 19:38 . 2006-03-28 19:50 376,832 --a------ c:\windows\system32\libtiff3.dll
2009-03-19 19:38 . 2005-05-15 23:08 127,488 --a------ c:\windows\system32\jpeg62.dll
2009-03-19 19:38 . 2005-07-21 03:05 75,264 --a------ c:\windows\system32\zlib1.dll
2009-03-19 19:38 . 2007-07-13 18:19 40,448 --a------ c:\windows\system32\PopFaxLocalMon.dll
2009-03-19 19:38 . 2006-03-28 19:51 36,352 --a------ c:\windows\system32\tiffcp.exe
2009-03-19 19:38 . 2007-06-27 18:38 16,896 --a------ c:\windows\system32\PopFaxLocalUI.dll
2009-03-18 15:52 . 2009-03-18 21:22 <DIR> d-------- c:\programmi\SpeedFan
2009-03-18 15:52 . 2009-03-18 15:52 0 --a------ c:\windows\system32\initdebug.nfo
2009-03-17 22:01 . 2009-03-17 22:01 3,166 --a------ c:\windows\tmp.xml
2009-03-17 19:02 . 2009-03-19 19:38 <DIR> d-------- c:\programmi\System Protect
2009-03-17 19:02 . 2009-03-17 19:02 12,288 --a------ c:\windows\system32\drivers\sp_prot.sys
2009-03-16 11:46 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-09 18:23 . 2009-03-09 18:23 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-09 18:23 . 2009-03-09 18:23 1,409 --a------ c:\windows\QTFont.for
2009-03-01 18:59 . 2009-03-01 19:11 <DIR> d--hs---- c:\documents and settings\xyz\Phone Browser

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 20:07 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-03-21 10:13 --------- d-----w c:\documents and settings\xyz\Dati applicazioni\Spyware Terminator
2009-03-20 05:54 --------- d-----w c:\programmi\WinClamAVShield
2009-03-20 05:54 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spyware Terminator
2009-03-17 21:27 --------- d-----w c:\programmi\Spyware Terminator
2009-03-17 21:26 --------- d-----w c:\programmi\eMule
2009-03-14 08:19 --------- d-----w c:\programmi\File comuni\Adobe
2009-03-08 09:32 --------- d-----w c:\documents and settings\xyz\Dati applicazioni\Nokia
2009-03-08 09:31 --------- d-----w c:\programmi\File comuni\Nokia
2009-03-08 09:30 --------- d-----w c:\programmi\Nokia
2009-02-20 14:22 --------- d-----w c:\documents and settings\xyz\Dati applicazioni\PC Suite
2009-02-20 14:21 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-02-20 14:21 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-02-20 14:15 --------- d-----w c:\programmi\PC Connectivity Solution
2009-02-20 14:15 --------- d-----w c:\programmi\File comuni\PCSuite
2009-02-20 14:13 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Installations
2009-02-20 14:04 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Nokia
2009-02-20 13:54 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\PC Suite
2009-02-20 13:53 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-20 13:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-02-20 13:50 --------- d-----w c:\documents and settings\xyz\Dati applicazioni\Nseries
2009-02-18 16:10 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\NokiaMusic
2009-02-18 16:06 --------- d-----w c:\programmi\DIFX
2009-02-18 15:54 --------- d-----w c:\programmi\Reference Assemblies
2009-02-18 15:54 --------- d-----w c:\programmi\MSBuild
2009-02-18 15:39 --------- d-----w c:\programmi\MSXML 6.0
2009-02-17 08:43 --------- d-----w c:\programmi\Messenger Plus! Live
2009-02-06 18:06 --------- d-----w c:\programmi\Dream Aquarium
2008-12-26 10:07 113,600 -c--a-w c:\documents and settings\xyz\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-05-07 12:56 614 ----a-w c:\programmi\BorisGraffitiUI.xml
2008-03-15 19:18 14,348 ----a-w c:\documents and settings\xyz\SkyTel(2).EXE
2008-03-15 19:18 14,348 ----a-w c:\documents and settings\xyz\SkyTel .exe
2008-03-15 19:18 14,348 ----a-w c:\documents and settings\xyz\RTHDCPL(2).EXE
2008-03-15 19:18 14,348 ----a-w c:\documents and settings\xyz\RTHDCPL .exe
2008-02-05 23:44 200,704 ----a-w c:\programmi\BorisFXUI.fex
2008-01-05 13:12 22,328 ----a-w c:\documents and settings\xyz\Dati applicazioni\PnkBstrK.sys
2006-09-07 20:08 53,606,550 -c----w c:\documents and settings\xyz\Desktop.zip
2007-11-23 18:26 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-21_15.07.00.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-21 11:56:23 71,444 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-21 19:47:04 71,444 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-21 11:56:23 84,552 ----a-w c:\windows\system32\perfc010.dat
+ 2009-03-21 19:47:04 84,552 ----a-w c:\windows\system32\perfc010.dat
- 2009-03-21 11:56:23 441,760 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-21 19:47:04 441,760 ----a-w c:\windows\system32\perfh009.dat
- 2009-03-21 11:56:23 489,970 ----a-w c:\windows\system32\perfh010.dat
+ 2009-03-21 19:47:04 489,970 ----a-w c:\windows\system32\perfh010.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"NBJ"="c:\programmi\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 1957888]
"PC Suite Tray"="c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\programmi\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\programmi\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-10-25 282624]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"SpywareTerminator"="c:\progra~1\SPYWAR~2\SpywareTerminatorShield.exe" [2008-05-08 1817600]
"SystemProtect"="c:\programmi\System Protect\SysProtect_Tray.exe" [2009-03-17 1223680]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-09-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-09 110592]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2003-01-21 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= ctwdm32.dll
"aux5"= ctwdm32.dll
"aux6"= ctwdm32.dll
"aux7"= ctwdm32.dll
"VIDC.GJPG"= GJPG.DLL
"vidc.mjpg"= pvmjpg30.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\MSN\\MSNCoreFiles\\msn6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Documents and Settings\\xyz\\Desktop\\SCARICA\\zdc\\zDCPlusPlus.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Hercules\\Classic Silver\\Station2.exe"=
"c:\\Programmi\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Programmi\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Programmi\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Programmi\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12800:TCP"= 12800:TCP:NortonAV
"14016:TCP"= 14016:TCP:NortonAV
"1295:UDP"= 1295:UDP:Windows Media Format SDK (iexplore.exe)
"1294:UDP"= 1294:UDP:Windows Media Format SDK (iexplore.exe)
"1302:UDP"= 1302:UDP:Windows Media Format SDK (iexplore.exe)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-16 28544]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [2005-07-19 84529]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-10-01 77056]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-04-03 141312]
R2 SP_Service;System Protect Deletion Prevention Service;c:\programmi\System Protect\SysProtect_srv.exe [2009-03-17 598528]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-03-06 29696]
R3 sp_prot;System Protect Filter Driver;c:\windows\system32\drivers\sp_prot.sys [2009-03-17 12288]
S2 MtxVideo;Driver Matrox WDM capture/crossbar;c:\windows\system32\drivers\mtxvideo.sys [2004-04-09 103296]
S2 vee3ie8yafi5towy;Print Spooler Service;c:\windows\system32\prgacpckfg.exe /service --> c:\windows\system32\prgacpckfg.exe [?]
S3 Camdrv30;Philips ToUcam XS;c:\windows\system32\drivers\camdrv30.sys [2005-11-26 171264]
S3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [2008-01-26 94208]
S3 ctlsb16;Driver Creative SB16/AWE32/AWE64 (WDM);c:\windows\system32\drivers\ctlsb16.sys [2003-11-25 96256]
S3 G200;G200;c:\windows\system32\drivers\G200m.sys [2003-11-20 320384]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\DRIVERS\pfc027.sys --> c:\windows\system32\DRIVERS\pfc027.sys [?]
S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\system32\drivers\s3sav4m.sys [2004-01-05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contenuto della cartella 'Scheduled Tasks'

2009-03-11 c:\windows\Tasks\Schedule Task Weekly.job
- c:\programmi\Registry Easy\RE.exe []

2009-03-21 c:\windows\Tasks\Symantec NetDetect.job
- c:\programmi\Symantec\LiveUpdate\NDETECT.EXE [2005-03-16 11:48]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &eBay Search - c:\programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Crawler Search - tbr:iemenu
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\programmi\Crawler\Toolbar\ctbr.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\xyz\Dati applicazioni\Mozilla\Firefox\Profiles\tkxqxsx4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://mystart.magentic.com/italian/
FF - prefs.js: keyword.URL - hxxp://mystart.magentic.com/?loc=FF_Magentic_AddressBar&search=
FF - component: c:\programmi\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\programmi\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10);user_pref(general.useragent.extra.zencast, .

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 21:29:32
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1275210071-746137067-854245398-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,41,84,ba,09,90,
26,96,5c,c8,28,51,af,b0,29,a3,98,cf,8e,aa,08,8e,27,36,f5,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,03,56,6e,1f,f2,
b4,df,a5,71,3b,04,66,8b,46,0d,96,8d,20,fd,91,0f,8f,c4,14,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,29,48,89,0f,f3,
15,ae,6e,25,da,ec,7e,55,20,c9,26,f9,8f,6b,80,2c,43,47,50,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,a6,e0,fe,67,aa,
9e,f7,ab,3e,1e,9e,e0,57,5a,93,61,89,dd,3a,c3,53,d4,57,77,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,a0,91,14,21,f8,
8b,ce,36,cd,44,cd,b9,a6,33,6c,cd,d3,8c,9f,72,39,1a,50,21,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f0,a7,5a,48,c6,
61,18,69,b0,18,ed,a7,3f,8d,37,a4,2a,b7,f9,86,d9,ff,72,41,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,5a,cb,e2,70,62,
4c,aa,31,31,77,e1,ba,b1,f8,68,02,d6,fb,57,8f,9c,26,0f,4d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,73,7c,d8,bc,8f,
10,ed,58,83,6c,56,8b,a0,85,96,ab,0d,26,1a,0f,50,a3,64,81,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,1b,11,06,0d,a6,
55,16,77,51,fa,6e,91,28,9e,14,cc,4f,82,aa,67,98,86,ef,55,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,37,d7,a8,c4,f3,
b0,cf,78,b1,cd,45,5a,a8,c4,f8,b9,b6,a2,65,c3,8d,16,a2,df,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,8e,84,30,7f,c2,
22,cf,7f,e3,0e,66,d5,eb,bc,2f,6b,18,e4,64,57,0f,1d,bb,ee,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6e,40,09,8f,b9,
2b,28,43,fa,ea,66,7f,d4,3b,6b,70,44,e1,e0,81,8a,2b,06,d3,6c,43,2d,1e,aa,22,\
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\WgaTray.exe
c:\programmi\a-squared Free\a2service.exe
c:\windows\ATKKBService.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\programmi\Spyware Terminator\sp_rsser.exe
c:\windows\system32\PAStiSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\programmi\PC Connectivity Solution\ServiceLayer.exe
c:\programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Ora fine scansione: 2009-03-21 21:34:06 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-03-21 20:33:55
ComboFix2.txt 2009-03-21 14:10:04

Pre-Run: 51.775.246.336 byte disponibili
Post-Run: 51,791,843,328 byte disponibili

321
shapiro
Posted: Sunday, March 22, 2009 10:57:27 AM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
hi steven 75

there would also be this one: wx8o0bt1.com
steven75
Posted: Sunday, March 22, 2009 11:21:46 AM
Rank: Member

Member since: 5/8/2006
Posts: 0
reopen the Notepad page, copy and paste the following and do the same procedure as before;

(insert the F:\ device)

Comment:
killall::
file::
F:\autorun.exe
c:\windows\system32\prgacpckfg.exe


at this point run a Kaspersky online scan, post its log for us and tell us how things are going

@Shapiro: that file isn't there, it was only the reference in the registry

shapiro
Posted: Sunday, March 22, 2009 12:54:47 PM

Rank: AiutAmico

Member since: 8/24/2008
Posts: 4,164
mimmo 86, to be safe check whether wx8o0bt1.com is still on your PC

use Windows ''Search''

@ steven 75

better to lose one more minute
mimmo86
Posted: Sunday, March 22, 2009 2:12:53 PM
Rank: Newbie

Member since: 3/20/2009
Posts: 0
for shapiro: luckily the file wx8o0bt1.com is no longer there...

for steven: the F:\ device should correspond to a virtual device created by the Daemon program to play Pes09.
what should I do, delete it and repeat the procedure? or go straight to the Kaspersky scan?

THANKS