Valutazione 4.87/ 5 (100.00%) 5838 voti

Condividi:        

log di hijack parecchio sospetto

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: kadosh, Luke57

log di hijack parecchio sospetto

Postdi cassathecaptain » 18/01/08 14:06

Ciao ragazzi aiutatemi a eliminare i file dannosi di questo log!! L'icona del disco C è diventata una X!! Aiuto

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13.54.41, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Lexmark 1200 Series\lxczbmgr.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Lexmark 1200 Series\lxczbmon.exe
C:\Programmi\D-Tools\daemon.exe
C:\VEXPLITE\MONLITE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\MSN Messenger\livecall.exe
C:\Documents and Settings\Filippo\Documenti\File ricevuti\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tgsoft.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\Programmi\vmntoolbar\vmntoolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {96D43120-26BC-4AAA-95D0-39EDAAAC5B6B} - C:\WINDOWS\system32\ssqrq.dll
O2 - BHO: (no name) - {9B4868E3-767E-4A1C-A792-3CC451BA8CAC} - C:\WINDOWS\system32\fccbxvu.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\haxynvri.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O2 - BHO: {b5ad268d-ce10-f5ba-0704-9ff4d78a2aeb} - {bea2a87d-4ff9-4070-ab5f-01ecd862da5b} - C:\WINDOWS\system32\yqehkoko.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\Programmi\vmntoolbar\vmntoolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Programmi\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] Virtua Tennis 3
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P ] NHL Live 2007
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [0c7b55f1] rundll32.exe "C:\WINDOWS\system32\whqvdged.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: exomgg.exe
O4 - Startup: udflxro.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/230?850d536cf43044f6a2d88a5fd9a336c1
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/229?850d536cf43044f6a2d88a5fd9a336c1
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: fccbxvu - fccbxvu.dll (file missing)
O20 - Winlogon Notify: haxynvri - haxynvri.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\yhgjsckw.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas http://www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

--
End of file - 8245 bytes
cassathecaptain
Utente Junior
 
Post: 31
Iscritto il: 16/01/07 19:34

Sponsor
 

Re: log di hijack parecchio sospetto

Postdi Luke57 » 18/01/08 15:41

Ciao, scarica questi 2 files sul desktop
ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
VundoFix
http://www.atribune.org/ccount/click.php?id=4

Disconettiti da internet
disattiva l'antivirus

Apri hijackthis, premi "do a system scan only", cerca e spunta le voci seguenti:
O2 - BHO: (no name) - {96D43120-26BC-4AAA-95D0-39EDAAAC5B6B} - C:\WINDOWS\system32\ssqrq.dll
O2 - BHO: (no name) - {9B4868E3-767E-4A1C-A792-3CC451BA8CAC} - C:\WINDOWS\system32\fccbxvu.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\haxynvri.dll (file missing)
O2 - BHO: {b5ad268d-ce10-f5ba-0704-9ff4d78a2aeb} - {bea2a87d-4ff9-4070-ab5f-01ecd862da5b} - C:\WINDOWS\system32\yqehkoko.dll
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
O4 - HKLM\..\Run: [0c7b55f1] rundll32.exe "C:\WINDOWS\system32\whqvdged.dll",b
O4 - Startup: exomgg.exe
O4 - Startup: udflxro.exe
O20 - Winlogon Notify: fccbxvu - fccbxvu.dll (file missing)
O20 - Winlogon Notify: haxynvri - haxynvri.dll (file missing)

premi fix checked.


Esegui vundofix
VundoFix si chiuderà e si riaprirà da solo, una volta riaperto, clicca sul pulsante "Scan for Vundo" quando la scansione è finita, clicca sul pulsante "Remove Vundo" a questo punto ti chiederà se vuoi eliminare i files, rispondi Yes una volta cliccato su Yes, non preoccuparti se il desktop scompare, è normale dato che è iniziata la procedura di eliminazione, finito la rimozione ti chiederà se vuoi riavviare, rispondi Yes e si riavvierà il pc.
E' possibile che vundofix non riesca ad eliminare alcuni files, in questo caso, vedrai vundofix apparire al riavvio basta che premi il pulsante Remove vundo per continuare la rimoazione.
Finito tutto, riavvia il pc

Avvia il file ComboFix.exe
Digita 1 per avviare il tool (non fare altre manovre durante la scansione)
Segui le instruzioni e alla fine verrà generato un log.

Riavvia il pc, collegati e posta questi 2 logs
C:\vundofix.txt
C:\combofix.txt
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: log di hijack parecchio sospetto

Postdi cassathecaptain » 29/01/08 18:15

ComboFix 08-01-29.3 - Filippo 2008-01-29 17.58.29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.511 [GMT 0:00]
Eseguito da: C:\Documents and Settings\Filippo\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Filippo\Dati applicazioni\addon.dat
C:\WINDOWS\system32\adsliicx.ini
C:\WINDOWS\system32\ajqytbot.ini
C:\WINDOWS\system32\axdvorpi.ini
C:\WINDOWS\system32\bgfypbee.ini
C:\WINDOWS\system32\bonoiqxk.ini
C:\WINDOWS\system32\bvjellgp.dll
C:\WINDOWS\system32\ccfuqfhd.ini
C:\WINDOWS\system32\cctloudy.ini
C:\WINDOWS\system32\dadohcdm.ini
C:\WINDOWS\system32\degdvqhw.ini
C:\WINDOWS\system32\domcdicg.ini
C:\WINDOWS\system32\dqkxwfhk.ini
C:\WINDOWS\system32\duoikeje.ini
C:\WINDOWS\system32\fjukfeql.dll
C:\WINDOWS\system32\flrxmhoe.ini
C:\WINDOWS\system32\fwoycrti.ini
C:\WINDOWS\system32\gqdgwlpc.ini
C:\WINDOWS\system32\gquqklfa.ini
C:\WINDOWS\system32\hbrysatf.ini
C:\WINDOWS\system32\hfmhkibq.dll
C:\WINDOWS\system32\igqynttb.ini
C:\WINDOWS\system32\jvynrhgn.ini
C:\WINDOWS\system32\kqiocmwx.ini
C:\WINDOWS\system32\kxhfrjho.ini
C:\WINDOWS\system32\lqwqoksw.ini
C:\WINDOWS\system32\lsvvwlhd.ini
C:\WINDOWS\system32\lvqloopr.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhnmtbje.ini
C:\WINDOWS\system32\mivxlequ.ini
C:\WINDOWS\system32\mngidaec.ini
C:\WINDOWS\system32\mnicvysq.ini
C:\WINDOWS\system32\mugjmqbx.ini
C:\WINDOWS\system32\nsbwvoru.ini
C:\WINDOWS\system32\pdvqritj.dll
C:\WINDOWS\system32\pnbggjku.ini
C:\WINDOWS\system32\pnugkbcy.dll
C:\WINDOWS\system32\prldqguh.ini
C:\WINDOWS\system32\quxoigux.ini
C:\WINDOWS\system32\rhtlsclp.ini
C:\WINDOWS\system32\tlulhfpv.ini
C:\WINDOWS\system32\vyovmnas.ini
C:\WINDOWS\system32\walsvypd.ini
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wkbeqcbo.ini
C:\WINDOWS\system32\wmgplnlr.dll
C:\WINDOWS\system32\wmotjrvx.ini
C:\WINDOWS\system32\wqdmvbqw.ini
C:\WINDOWS\system32\xgglvpvi.ini
C:\WINDOWS\system32\xrvsfqir.dll
C:\WINDOWS\system32\xyccpqir.dll
C:\WINDOWS\system32\yfwhfjlx.ini
C:\WINDOWS\system32\yvpgntmc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Creati Da 2007-12-28 al 2008-01-29 )))))))))))))))))))))))))))))))))))
.

2008-01-29 17:23 . 2008-01-29 17:53 <DIR> d-------- C:\VundoFix Backups
2008-01-29 16:54 . 2008-01-29 16:54 53,312 --a------ C:\WINDOWS\system32\rdudjodl.exe
2008-01-29 16:08 . 2008-01-29 16:08 53,312 --a------ C:\WINDOWS\system32\lllrwiic.exe
2008-01-29 09:58 . 2008-01-29 09:58 53,312 --a------ C:\WINDOWS\system32\lfoocroi.exe
2008-01-28 18:42 . 2008-01-28 18:42 53,312 --a------ C:\WINDOWS\system32\dsgvripp.exe
2008-01-28 08:40 . 2008-01-28 08:40 53,312 --a------ C:\WINDOWS\system32\ylqwonhd.exe
2008-01-27 09:34 . 2008-01-27 09:34 53,312 --a------ C:\WINDOWS\system32\hctfptvt.exe
2008-01-26 12:53 . 2008-01-26 12:53 53,312 --a------ C:\WINDOWS\system32\fqmfjajt.exe
2008-01-26 09:49 . 2008-01-26 09:49 53,312 --a------ C:\WINDOWS\system32\xcuhhibi.exe
2008-01-25 18:52 . 2008-01-25 18:52 53,312 --a------ C:\WINDOWS\system32\ymkagnay.exe
2008-01-25 09:04 . 2008-01-25 09:04 53,312 --a------ C:\WINDOWS\system32\vtphmqyb.exe
2008-01-24 09:02 . 2008-01-24 09:02 53,312 --a------ C:\WINDOWS\system32\csfxvgld.exe
2008-01-23 19:49 . 2008-01-23 19:49 53,312 --a------ C:\WINDOWS\system32\uqttgbwa.exe
2008-01-23 12:52 . 2008-01-23 12:52 53,312 --a------ C:\WINDOWS\system32\dmtpilri.exe
2008-01-22 21:33 . 2008-01-22 21:33 53,312 --a------ C:\WINDOWS\system32\vltpphht.exe
2008-01-18 19:58 . 2008-01-18 19:58 1,076,330 ---hs---- C:\WINDOWS\system32\degdvqhw.tmp
2008-01-18 12:59 . 2008-01-18 12:59 <DIR> d-------- C:\Programmi\Windows Live Safety Center
2008-01-12 14:00 . 2008-01-12 14:58 <DIR> d-------- C:\QUARANTENA_VIRIT
2008-01-12 13:17 . 2008-01-27 10:08 <DIR> d-------- C:\VEXPLITE
2008-01-12 13:17 . 2008-01-23 13:19 36,480 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 17:49 --------- d-----w C:\Documents and Settings\Filippo\Dati applicazioni\vmntoolbar
2008-01-28 20:20 --------- d-----w C:\Programmi\AdunanzA
2008-01-09 20:41 --------- d-----w C:\Programmi\EA SPORTS
2007-12-23 20:00 20,816 ----a-w C:\Documents and Settings\Filippo\tezuaxea.exe
2007-12-21 20:00 48,884 ----a-w C:\Programmi\update.zip
2007-12-15 14:34 --------- d-----w C:\Programmi\Polar
2007-12-02 14:00 32,764 ----a-w C:\WINDOWS\17PHolmes2000351.exe
2007-12-01 11:10 --------- d-----w C:\Programmi\GUILD WARS
2007-11-29 13:53 --------- d-----w C:\Programmi\THQ
2007-02-09 16:43 386,630 --sha-r C:\Programmi\wunauclt.zip
2007-02-09 16:43 386,630 --sha-r C:\Programmi\wunauclt.tbe
2006-08-27 13:38 1,015,973 --sha-r C:\Programmi\serial.zip
2006-08-27 13:38 1,015,973 --sha-r C:\Programmi\serial.tde
2006-08-27 13:19 56,239 ----a-w C:\Programmi\svchosts.tbe
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2005-09-28 08:56 185,856 ----a-w C:\Programmi\7za.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F82CB68-7BFE-477C-B6E8-769D30597B00}]
C:\WINDOWS\system32\ssqrq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:39 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 09:12 139264]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 19:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2006-05-01 10:07 843776]
"SoundMAX"="C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 07:19 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 08:45 385024]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 15:41 45056]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 18:24 32768]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2006-10-14 10:03 921600]
"NeroFilterCheck"="C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"Lexmark 1200 Series"="C:\Programmi\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 07:20 57344]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"DAEMON Tools-1033"="C:\Programmi\D-Tools\daemon.exe" [2004-08-22 16:05 81920]
"I downloaded pirated Software from P2P"="Virtua Tennis 3" []
"I downloaded pirated Software from P2P "="NHL Live 2007" []
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-01-26 13:23 245760]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-19 13:39 160256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:39 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)

R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-01-23 13:19]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-01-26 13:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49491f1f-5b6b-11db-b658-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C5CD9787-54F4-6B5A-7054-5E50F28A8F48}]
C:\WINDOWS\crack\crack.exe s
.
Contenuto della cartella 'Scheduled Tasks'
"2007-12-02 14:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\wunauclt.exe
"2008-01-29 17:38:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Programmi\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 18:07:58
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Programmi\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Lexmark 1200 Series\lxczbmgr.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Lexmark 1200 Series\lxczbmon.exe
C:\Programmi\D-Tools\daemon.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Eset\nod32.exe
C:\VEXPLITE\VIRITEXP.EXE
.
**************************************************************************
.
Ora fine scansione: 2008-01-29 18:10:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 18:10:28






VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 17.23.56 29/01/2008

Listing files found while scanning....

C:\WINDOWS\system32\dafymbxg.dll
C:\WINDOWS\system32\fjukfeql.dll
C:\WINDOWS\system32\fxqlsblv.dll
C:\WINDOWS\system32\gelnryjw.dll
C:\WINDOWS\system32\gqyposgj.dll
C:\windows\system32\haxynvri.dllbox
C:\WINDOWS\system32\hboqcdcl.dll
C:\WINDOWS\system32\hphewyhu.dll
C:\WINDOWS\system32\jtatqcvo.dll
C:\WINDOWS\system32\kpuncnmi.dll
C:\WINDOWS\system32\lqefkujf.ini
C:\WINDOWS\system32\nxryxaxv.dll
C:\WINDOWS\system32\obsajuwv.dll
C:\WINDOWS\system32\oenquejc.dll
C:\WINDOWS\system32\pbjobodc.dll
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.bak2
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.tmp
C:\WINDOWS\system32\qslqfsbh.dll
C:\WINDOWS\system32\rjlwvyiy.dll
C:\WINDOWS\system32\sefvchar.dll
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\tdamsrhx.dll
C:\WINDOWS\system32\tgfkxcap.dll
C:\WINDOWS\system32\thtsnuxp.dll
C:\WINDOWS\system32\tpwiutxa.dll
C:\WINDOWS\system32\udheinhq.dll
C:\WINDOWS\system32\uokquylv.dll
C:\WINDOWS\system32\xgucylam.dll
C:\WINDOWS\system32\xixkhble.dll
C:\WINDOWS\system32\xljfhwfy.dll
C:\WINDOWS\system32\xyccpqir.dll
C:\WINDOWS\system32\yvpgntmc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dafymbxg.dll
C:\WINDOWS\system32\dafymbxg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fjukfeql.dll
C:\WINDOWS\system32\fjukfeql.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\fxqlsblv.dll
C:\WINDOWS\system32\fxqlsblv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gelnryjw.dll
C:\WINDOWS\system32\gelnryjw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gqyposgj.dll
C:\WINDOWS\system32\gqyposgj.dll Has been deleted!

Attempting to delete C:\windows\system32\haxynvri.dllbox
C:\windows\system32\haxynvri.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\hboqcdcl.dll
C:\WINDOWS\system32\hboqcdcl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hphewyhu.dll
C:\WINDOWS\system32\hphewyhu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jtatqcvo.dll
C:\WINDOWS\system32\jtatqcvo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kpuncnmi.dll
C:\WINDOWS\system32\kpuncnmi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lqefkujf.ini
C:\WINDOWS\system32\lqefkujf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nxryxaxv.dll
C:\WINDOWS\system32\nxryxaxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\obsajuwv.dll
C:\WINDOWS\system32\obsajuwv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oenquejc.dll
C:\WINDOWS\system32\oenquejc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pbjobodc.dll
C:\WINDOWS\system32\pbjobodc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.bak2
C:\WINDOWS\system32\qrqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\qrqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.tmp
C:\WINDOWS\system32\qrqss.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\qslqfsbh.dll
C:\WINDOWS\system32\qslqfsbh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rjlwvyiy.dll
C:\WINDOWS\system32\rjlwvyiy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sefvchar.dll
C:\WINDOWS\system32\sefvchar.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tdamsrhx.dll
C:\WINDOWS\system32\tdamsrhx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tgfkxcap.dll
C:\WINDOWS\system32\tgfkxcap.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\thtsnuxp.dll
C:\WINDOWS\system32\thtsnuxp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tpwiutxa.dll
C:\WINDOWS\system32\tpwiutxa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\udheinhq.dll
C:\WINDOWS\system32\udheinhq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uokquylv.dll
C:\WINDOWS\system32\uokquylv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xgucylam.dll
C:\WINDOWS\system32\xgucylam.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xixkhble.dll
C:\WINDOWS\system32\xixkhble.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...



Aspetto notizie!!! Scusate il rita ;) rdo!!
cassathecaptain
Utente Junior
 
Post: 31
Iscritto il: 16/01/07 19:34

Re: log di hijack parecchio sospetto

Postdi Luke57 » 29/01/08 19:32

Ciao, sì, ma come va adesso?
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: log di hijack parecchio sospetto

Postdi cassathecaptain » 30/01/08 12:59

Allora la X sul disco locale è rimasta però almeno le sue sotto cartelle sono ritornate, nod mi ha torvato qualce virus con la scansione e li ho quarantenati!! Però ora la barra degli strumenti è disposta in modo strano senza che io abbia fatto niente!! Volete un altro log di hijack??
cassathecaptain
Utente Junior
 
Post: 31
Iscritto il: 16/01/07 19:34

Re: log di hijack parecchio sospetto

Postdi Luke57 » 30/01/08 13:06

Ciao, fai una nuova scansione con combofix e posta il suo report.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: log di hijack parecchio sospetto

Postdi cassathecaptain » 30/01/08 14:05

ComboFix 08-01-29.3 - Filippo 2008-01-30 13.52.29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.480 [GMT 0:00]
Eseguito da: C:\Documents and Settings\Filippo\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2007-12-28 al 2008-01-30 )))))))))))))))))))))))))))))))))))
.

2008-01-29 21:52 . 2008-01-29 22:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-29 17:23 . 2008-01-30 09:20 <DIR> d-------- C:\VundoFix Backups
2008-01-29 16:54 . 2008-01-29 16:54 53,312 --a------ C:\WINDOWS\system32\rdudjodl.exe
2008-01-29 16:08 . 2008-01-29 16:08 53,312 --a------ C:\WINDOWS\system32\lllrwiic.exe
2008-01-29 09:58 . 2008-01-29 09:58 53,312 --a------ C:\WINDOWS\system32\lfoocroi.exe
2008-01-28 18:42 . 2008-01-28 18:42 53,312 --a------ C:\WINDOWS\system32\dsgvripp.exe
2008-01-28 08:40 . 2008-01-28 08:40 53,312 --a------ C:\WINDOWS\system32\ylqwonhd.exe
2008-01-27 09:34 . 2008-01-27 09:34 53,312 --a------ C:\WINDOWS\system32\hctfptvt.exe
2008-01-26 12:53 . 2008-01-26 12:53 53,312 --a------ C:\WINDOWS\system32\fqmfjajt.exe
2008-01-26 09:49 . 2008-01-26 09:49 53,312 --a------ C:\WINDOWS\system32\xcuhhibi.exe
2008-01-25 18:52 . 2008-01-25 18:52 53,312 --a------ C:\WINDOWS\system32\ymkagnay.exe
2008-01-25 09:04 . 2008-01-25 09:04 53,312 --a------ C:\WINDOWS\system32\vtphmqyb.exe
2008-01-24 09:02 . 2008-01-24 09:02 53,312 --a------ C:\WINDOWS\system32\csfxvgld.exe
2008-01-23 19:49 . 2008-01-23 19:49 53,312 --a------ C:\WINDOWS\system32\uqttgbwa.exe
2008-01-23 12:52 . 2008-01-23 12:52 53,312 --a------ C:\WINDOWS\system32\dmtpilri.exe
2008-01-22 21:33 . 2008-01-22 21:33 53,312 --a------ C:\WINDOWS\system32\vltpphht.exe
2008-01-18 19:58 . 2008-01-18 19:58 1,076,330 ---hs---- C:\WINDOWS\system32\degdvqhw.tmp
2008-01-18 12:59 . 2008-01-18 12:59 <DIR> d-------- C:\Programmi\Windows Live Safety Center
2008-01-12 14:00 . 2008-01-12 14:58 <DIR> d-------- C:\QUARANTENA_VIRIT
2008-01-12 13:17 . 2008-01-30 09:20 <DIR> d-------- C:\VEXPLITE
2008-01-12 13:17 . 2008-01-26 13:23 36,480 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2007-12-25 08:53 . 2007-12-25 08:53 1,010,326 ---hs---- C:\WINDOWS\system32\mhnmtbje.tmp
2007-12-23 20:00 . 2007-12-23 20:00 20,816 --a------ C:\Documents and Settings\Filippo\tezuaxea.exe
2007-12-07 20:26 . 2007-12-15 14:34 <DIR> d-------- C:\Programmi\Polar
2007-12-02 14:00 . 2007-12-02 14:00 32,764 --a------ C:\WINDOWS\17PHolmes2000351.exe
2007-12-01 11:10 . 2007-12-01 11:10 <DIR> d-------- C:\Programmi\GUILD WARS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 21:51 --------- d-----w C:\Documents and Settings\Filippo\Dati applicazioni\vmntoolbar
2008-01-28 20:20 --------- d-----w C:\Programmi\AdunanzA
2008-01-09 20:41 --------- d-----w C:\Programmi\EA SPORTS
2007-12-21 20:00 48,884 ----a-w C:\Programmi\update.zip
2007-11-29 13:53 --------- d-----w C:\Programmi\THQ
2007-10-21 08:36 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-02-09 16:43 386,630 --sha-r C:\Programmi\wunauclt.zip
2007-02-09 16:43 386,630 --sha-r C:\Programmi\wunauclt.tbe
2006-08-27 13:38 1,015,973 --sha-r C:\Programmi\serial.zip
2006-08-27 13:38 1,015,973 --sha-r C:\Programmi\serial.tde
2006-08-27 13:19 56,239 ----a-w C:\Programmi\svchosts.tbe
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2005-09-28 08:56 185,856 ----a-w C:\Programmi\7za.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F82CB68-7BFE-477C-B6E8-769D30597B00}]
C:\WINDOWS\system32\ssqrq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:39 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 09:12 139264]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 19:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2006-05-01 10:07 843776]
"SoundMAX"="C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 07:19 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 08:45 385024]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 15:41 45056]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 18:24 32768]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2006-10-14 10:03 921600]
"NeroFilterCheck"="C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"Lexmark 1200 Series"="C:\Programmi\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 07:20 57344]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"DAEMON Tools-1033"="C:\Programmi\D-Tools\daemon.exe" [2004-08-22 16:05 81920]
"I downloaded pirated Software from P2P"="Virtua Tennis 3" []
"I downloaded pirated Software from P2P "="NHL Live 2007" []
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-01-29 21:38 245760]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-19 13:39 160256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:39 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)

R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-01-26 13:23]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-01-29 21:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49491f1f-5b6b-11db-b658-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C5CD9787-54F4-6B5A-7054-5E50F28A8F48}]
C:\WINDOWS\crack\crack.exe s
.
Contenuto della cartella 'Scheduled Tasks'
"2007-12-02 14:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\wunauclt.exe
"2008-01-30 13:38:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Programmi\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 13:54:14
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-01-30 13.54.30
ComboFix-quarantined-files.txt 2008-01-30 13:54:27
ComboFix2.txt 2008-01-29 18:10:32
.
2008-01-29 22:03:35 --- E O F ---
cassathecaptain
Utente Junior
 
Post: 31
Iscritto il: 16/01/07 19:34

Re: log di hijack parecchio sospetto

Postdi Luke57 » 30/01/08 15:53

Ciao, copia questo codice:

File::
C:\WINDOWS\system32\rdudjodl.exe
C:\WINDOWS\system32\lllrwiic.exe
C:\WINDOWS\system32\lfoocroi.exe
C:\WINDOWS\system32\dsgvripp.exe
C:\WINDOWS\system32\ylqwonhd.exe
C:\WINDOWS\system32\hctfptvt.exe
C:\WINDOWS\system32\fqmfjajt.exe
C:\WINDOWS\system32\xcuhhibi.exe
C:\WINDOWS\system32\ymkagnay.exe
C:\WINDOWS\system32\vtphmqyb.exe
C:\WINDOWS\system32\csfxvgld.exe
C:\WINDOWS\system32\uqttgbwa.exe
C:\WINDOWS\system32\dmtpilri.exe
C:\WINDOWS\system32\vltpphht.exe
C:\WINDOWS\system32\degdvqhw.tmp
C:\WINDOWS\system32\mhnmtbje.tmp
C:\Documents and Settings\Filippo\tezuaxea.exe
C:\Programmi\svchosts.tbe
C:\WINDOWS\system32\ssqrq.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F82CB68-7BFE-477C-B6E8-769D30597B00}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C5CD9787-54F4-6B5A-7054-5E50F28A8F48}]


Apri un file di testo (start>esegui>notepad.exe>Ok
ci incolli il codice e salvi il file di testo obbligatoriamente con il nome CFScript.txt.

Poi con il puntatore del mouse lo trascini sull'icona di combofix, attendi una nuova scansione ed eventuale riavvio.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: log di hijack parecchio sospetto

Postdi cassathecaptain » 31/01/08 14:19

Ecco il Log della scansione dopo il procedimento che mi hai detto:


ComboFix 08-01-29.3 - Filippo 2008-01-31 14.11.37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.481 [GMT 0:00]
Eseguito da: C:\Documents and Settings\Filippo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Filippo\Desktop\CFScript.txt..txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Filippo\tezuaxea.exe
C:\Programmi\svchosts.tbe
C:\WINDOWS\system32\csfxvgld.exe
C:\WINDOWS\system32\degdvqhw.tmp
C:\WINDOWS\system32\dmtpilri.exe
C:\WINDOWS\system32\dsgvripp.exe
C:\WINDOWS\system32\fqmfjajt.exe
C:\WINDOWS\system32\hctfptvt.exe
C:\WINDOWS\system32\lfoocroi.exe
C:\WINDOWS\system32\lllrwiic.exe
C:\WINDOWS\system32\mhnmtbje.tmp
C:\WINDOWS\system32\rdudjodl.exe
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\uqttgbwa.exe
C:\WINDOWS\system32\vltpphht.exe
C:\WINDOWS\system32\vtphmqyb.exe
C:\WINDOWS\system32\xcuhhibi.exe
C:\WINDOWS\system32\ylqwonhd.exe
C:\WINDOWS\system32\ymkagnay.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Filippo\tezuaxea.exe
C:\Programmi\svchosts.tbe
C:\WINDOWS\system32\csfxvgld.exe
C:\WINDOWS\system32\degdvqhw.tmp
C:\WINDOWS\system32\dmtpilri.exe
C:\WINDOWS\system32\dsgvripp.exe
C:\WINDOWS\system32\fqmfjajt.exe
C:\WINDOWS\system32\hctfptvt.exe
C:\WINDOWS\system32\lfoocroi.exe
C:\WINDOWS\system32\lllrwiic.exe
C:\WINDOWS\system32\mhnmtbje.tmp
C:\WINDOWS\system32\rdudjodl.exe
C:\WINDOWS\system32\uqttgbwa.exe
C:\WINDOWS\system32\vltpphht.exe
C:\WINDOWS\system32\vtphmqyb.exe
C:\WINDOWS\system32\xcuhhibi.exe
C:\WINDOWS\system32\ylqwonhd.exe
C:\WINDOWS\system32\ymkagnay.exe

----- BITS: Possible infected sites -----

hxxp://au.download.windowsuõj+|Cü¤Ì›v÷+È@™JŸ:®½‰NêGD_©½ºD˜QÄ{¶ÀzÎtç Ò»ÌHžG†.XóÆœ+Žóí˜HÑušéсWU Client Download S-1-5-18`€HT4?? 6ÚVwoQZC¬¬D¢HÿóM6ÚVwoQZC¬¬D¢HÿóM°uŒ÷sxIcȲ+
.
((((((((((((((((((((((((( Files Creati Da 2007-12-28 al 2008-01-31 )))))))))))))))))))))))))))))))))))
.

2008-01-31 14:02 . 2008-01-31 14:02 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-30 14:05 . 2008-01-30 14:05 <DIR> d-------- C:\Programmi\MSXML 4.0
2008-01-29 21:52 . 2008-01-30 14:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-29 17:23 . 2008-01-30 09:20 <DIR> d-------- C:\VundoFix Backups
2008-01-18 12:59 . 2008-01-31 14:02 <DIR> d-------- C:\Programmi\Windows Live Safety Center
2008-01-12 14:00 . 2008-01-12 14:58 <DIR> d-------- C:\QUARANTENA_VIRIT
2008-01-12 13:17 . 2008-01-30 09:20 <DIR> d-------- C:\VEXPLITE
2008-01-12 13:17 . 2008-01-26 13:23 36,480 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2007-12-07 20:26 . 2007-12-15 14:34 <DIR> d-------- C:\Programmi\Polar
2007-12-02 14:00 . 2007-12-02 14:00 32,764 --a------ C:\WINDOWS\17PHolmes2000351.exe
2007-12-01 11:10 . 2007-12-01 11:10 <DIR> d-------- C:\Programmi\GUILD WARS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 13:56 --------- d-----w C:\Documents and Settings\Filippo\Dati applicazioni\vmntoolbar
2008-01-28 20:20 --------- d-----w C:\Programmi\AdunanzA
2008-01-09 20:41 --------- d-----w C:\Programmi\EA SPORTS
2007-12-21 20:00 48,884 ----a-w C:\Programmi\update.zip
2007-11-29 13:53 --------- d-----w C:\Programmi\THQ
2007-10-21 08:36 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-02-09 16:43 386,630 --sha-r C:\Programmi\wunauclt.zip
2007-02-09 16:43 386,630 --sha-r C:\Programmi\wunauclt.tbe
2006-08-27 13:38 1,015,973 --sha-r C:\Programmi\serial.zip
2006-08-27 13:38 1,015,973 --sha-r C:\Programmi\serial.tde
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2005-09-28 08:56 185,856 ----a-w C:\Programmi\7za.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:39 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 09:12 139264]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 19:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2006-05-01 10:07 843776]
"SoundMAX"="C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 07:19 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 08:45 385024]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 15:41 45056]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 18:24 32768]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2006-10-14 10:03 921600]
"NeroFilterCheck"="C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"Lexmark 1200 Series"="C:\Programmi\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 07:20 57344]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"DAEMON Tools-1033"="C:\Programmi\D-Tools\daemon.exe" [2004-08-22 16:05 81920]
"I downloaded pirated Software from P2P"="Virtua Tennis 3" []
"I downloaded pirated Software from P2P "="NHL Live 2007" []
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-01-29 21:38 245760]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-19 13:39 160256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:39 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)

R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-01-26 13:23]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-01-29 21:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49491f1f-5b6b-11db-b658-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe

.
Contenuto della cartella 'Scheduled Tasks'
"2007-12-02 14:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\wunauclt.exe
"2008-01-31 13:38:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Programmi\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 14:13:35
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-01-31 14.13.57
ComboFix-quarantined-files.txt 2008-01-31 14:13:50
ComboFix2.txt 2008-01-30 13:54:30
ComboFix3.txt 2008-01-29 18:10:32
.
2008-01-30 14:43:24 --- E O F ---
cassathecaptain
Utente Junior
 
Post: 31
Iscritto il: 16/01/07 19:34


Torna a Sicurezza e Privacy


Topic correlati a "log di hijack parecchio sospetto":

controllo Hijack
Autore: dayfreeman
Forum: Sicurezza e Privacy
Risposte: 1

Chi c’è in linea

Visitano il forum: Nessuno e 6 ospiti