

Who can help me... please

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: kadosh, Luke57

Who can help me... please

Post by dipettatony » 07/10/08 15:22

I think my computer has been "attacked" by viruses. What should I do? Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 16:16:25, on 07/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Google\Update\GoogleUpdate.exe
C:\Programmi\Dell\OpenManage\Client\Iap.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\Companion Suite LL\MFServices.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\QuickTime\QTTask.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://172.16.16.100/internet/internet.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Update Helper - {77D7E795-33C5-4323-974D-A2A49AB75517} - C:\Programmi\Google\Update\1.2.131.11\GoopdateBho.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programmi\Free Download Manager\iefdm2.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programmi\Google\Google Gears\Internet Explorer\0.4.20.0\gears.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [MFServices] "C:\Programmi\Companion Suite LL\MFServices.exe" -n
O4 - HKLM\..\Run: [MFPrintServer] "C:\Programmi\Companion Suite LL\MFPrintServer.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdS7_0_0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica i video con Free Download Manager - file://C:\Programmi\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Scarica selezionati con Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.4.20.0\gears.dll
O9 - Extra 'Tools' menuitem: &Impostazioni di Google Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.4.20.0\gears.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDCA59C7-AEFF-4A14-999E-7FD9EF90469F}: NameServer = 172.16.16.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = css.it
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = css.it
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Update Service (gupdate1c91eda38f52124) (gupdate1c91eda38f52124) - Unknown owner - C:\Programmi\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Iap - Dell Inc - C:\Programmi\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmi\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
dipettatony
Junior User

Posts: 80
Joined: 14/12/05 11:52
Location: Vasto


Re: Who can help me... please

Post by Luke57 » 07/10/08 16:28

Hi, download ComboFix to the desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
disable Spybot's TeaTimer, which conflicts with ComboFix.
Then run combofix.exe; the program starts and may take a long time (do not do anything else during the scan; if the desktop icons and the taskbar disappear, it is nothing to worry about). Once it has finished, if all went well, you should find the file combofix.txt in C:\; post the contents of the file.
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10

Re: Who can help me... please

Post by dipettatony » 08/10/08 07:35

Thanks LUKE57,
I ran COMBOFIX this morning; here is the log:

ComboFix 08-10-06.08 - CITT@DINOPIU 2008-10-08 8:19:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.230 [GMT 2:00]
Eseguito da: C:\Documents and Settings\CITT@DINOPIU\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\All Users\Dati applicazioni\imgdoc2.dll
C:\itsduel.exe
C:\njibyekk.com
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\ckvo2.dll
C:\yew.bat

.
((((((((((((((((((((((((( Files Creati Da 2008-09-08 al 2008-10-08 )))))))))))))))))))))))))))))))))))
.

2008-10-07 11:35 . 2008-10-07 11:35 22,368 --a------ C:\Documents and Settings\CITT@DINOPIU\yddoxqif.exe
2008-10-06 08:41 . 2008-10-06 08:47 325,372 --a------ C:\output.avi
2008-10-02 09:01 . 2008-10-02 09:01 <DIR> d-------- C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\NCH Software
2008-10-02 09:00 . 2008-10-02 09:01 <DIR> d-------- C:\Programmi\NCH Software
2008-10-02 09:00 . 2008-10-02 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\NCH Software
2008-09-30 16:38 . 2008-09-30 16:38 <DIR> d-------- C:\Programmi\OpenVideoConverter
2008-09-23 17:50 . 2008-09-23 17:50 <DIR> d-------- C:\Documents and Settings\CITT@DINOPIU\.drdivx2
2008-09-18 11:33 . 2008-09-18 11:33 58 --a------ C:\CompressAvi.ini
2008-09-18 11:17 . 2008-09-18 11:21 <DIR> d-------- C:\Programmi\AVICalc2
2008-09-08 10:38 . 2008-09-08 12:13 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-08 06:15 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-10-08 06:13 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-10-07 16:22 --------- d-----w C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\Free Download Manager
2008-10-07 12:52 --------- d-----w C:\Programmi\eMule
2008-10-02 08:21 --------- d-----w C:\Programmi\Eset
2008-10-01 11:18 --------- d-----w C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\U3
2008-09-30 10:04 --------- d-----w C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\dvdcss
2008-09-25 06:45 --------- d-----w C:\Programmi\Google
2008-09-23 15:50 --------- d-----w C:\Programmi\DivX
2008-09-18 10:39 --------- d-----w C:\Programmi\XVid;-)
2008-09-18 09:43 --------- d-----w C:\Programmi\AviSynth 2.5
2008-09-04 13:53 --------- d-----w C:\Documents and Settings\Adminestrator\Dati applicazioni\Watchtower
2008-09-02 08:57 --------- d-----w C:\Documents and Settings\Adminestrator\Dati applicazioni\AdobeUM
2008-08-28 10:32 --------- d-----w C:\Programmi\Gabest
2008-08-27 10:50 --------- d-----w C:\Programmi\DVDx
2008-08-27 10:09 --------- d-----w C:\Programmi\QuickTime
2008-08-27 10:09 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2008-08-27 10:07 --------- d-----w C:\Programmi\Apple Software Update
2008-08-27 10:07 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple
2008-04-11 11:00 72,088 ----a-w C:\Documents and Settings\CITT@DINOPIU\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 917,504 2006-03-30 11:53:16 C:\Programmi\Eset\bak\nod32kui.exe
----a-w 949,376 2008-07-25 06:26:46 C:\Programmi\Eset\nod32kui.exe

----a-w 32,881 2003-11-19 16:48:14 C:\Programmi\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 36,864 2002-12-17 14:39:06 C:\Programmi\Scansoft\PaperPort\bak\IndexSearch.exe

----a-w 45,108 2002-12-17 14:11:44 C:\Programmi\Scansoft\PaperPort\bak\pptd40nt.exe

----a-w 15,360 2004-08-19 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-19 11:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 118,784 2004-08-20 19:51:14 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2004-08-20 19:55:14 C:\WINDOWS\system32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [N/A]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]
"fsm"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Programmi\Winamp\winampa.exe" [2007-05-15 35328]
"MFServices"="C:\Programmi\Companion Suite LL\MFServices.exe" [2004-07-08 147456]
"MFPrintServer"="C:\Programmi\Companion Suite LL\MFPrintServer.exe" [N/A]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2008-07-25 949376]
"QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2008-05-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15360]

C:\Documents and Settings\CITT@DINOPIU\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-22 110592]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-22 110592]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Service Manager.lnk - C:\MSSQL7\Binn\sqlmangr.exe [2006-03-30 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= L3codecp.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
"C:\\Programmi\\eMule\\emule.exe"=

R1 mfxnt;mfxnt;C:\WINDOWS\system32\drivers\mfxnt.sys [2004-07-09 61288]
S2 gupdate1c91eda38f52124;Google Update Service (gupdate1c91eda38f52124);C:\Programmi\Google\Update\GoogleUpdate.exe [2008-09-25 133104]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
S3 HttpUsb;XML interface;C:\WINDOWS\system32\Drivers\HttpUsb.sys [2004-07-09 33769]
S3 UsbItf;MF F@X activities;C:\WINDOWS\system32\Drivers\UsbItf.sys [2004-07-09 10240]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{009ad61a-0146-11dd-84a1-001320358366}]
\Shell\AutoRun\command - E:\xyw9tmdj.com
\Shell\explore\Command - E:\xyw9tmdj.com
\Shell\open\Command - E:\xyw9tmdj.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1af8dd8c-06cd-11dd-84a8-001320358366}]
\Shell\AutoRun\command - E:\6l6w8.com
\Shell\explore\Command - E:\6l6w8.com
\Shell\open\Command - E:\6l6w8.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23c6662d-c4d0-11dc-8466-001320358366}]
\Shell\AutoRun\command - E:\pv6mxu.bat
\Shell\explore\Command - E:\pv6mxu.bat
\Shell\open\Command - E:\pv6mxu.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34c8a2c6-4bf0-11dd-84e3-001320358366}]
\Shell\AutoRun\command - E:\b0j6j16.bat
\Shell\explore\Command - E:\b0j6j16.bat
\Shell\open\Command - E:\b0j6j16.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{350170c7-2264-11dd-84bc-001320358366}]
\Shell\AutoRun\command - xp19.com
\Shell\explore\Command - xp19.com
\Shell\open\Command - xp19.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36278242-e80a-11db-835b-001320358366}]
\Shell\AutoRun\command - E:\22wcb21o.exe
\Shell\explore\Command - E:\22wcb21o.exe
\Shell\open\Command - E:\22wcb21o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36278246-e80a-11db-835b-001320358366}]
\Shell\AutoRun\command - E:\olb1iimw.bat
\Shell\explore\Command - E:\olb1iimw.bat
\Shell\open\Command - E:\olb1iimw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3af1eaab-fa51-11dc-849a-001320358366}]
\Shell\AutoRun\command - E:\nlblkhq.com
\Shell\explore\Command - E:\nlblkhq.com
\Shell\open\Command - E:\nlblkhq.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e51d577-c802-11dc-8468-001320358366}]
\Shell\AutoRun\command - E:\njibyekk.com
\Shell\explore\Command - E:\njibyekk.com
\Shell\open\Command - E:\njibyekk.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ef8017d-ce33-11db-8340-001320358366}]
\Shell\AutoRun\command - E:\1yl2d.bat
\Shell\explore\Command - E:\1yl2d.bat
\Shell\open\Command - E:\1yl2d.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f2c1481-ef0b-11db-8363-001320358366}]
\Shell\AutoRun\command - E:\tyktjfww.exe
\Shell\explore\Command - E:\tyktjfww.exe
\Shell\open\Command - E:\tyktjfww.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50f0d3e2-9b0a-11db-82e1-001320358366}]
\Shell\AutoRun\command - E:\6l6w8.com
\Shell\explore\Command - E:\6l6w8.com
\Shell\open\Command - E:\6l6w8.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f181c55-fc9f-11dc-849d-001320358366}]
\Shell\AutoRun\command - E:\q.com
\Shell\explore\Command - E:\q.com
\Shell\open\Command - E:\q.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ee96a18-b6a0-11db-8321-001320358366}]
\Shell\AutoRun\command - E:\81d9.exe
\Shell\explore\Command - E:\81d9.exe
\Shell\open\Command - E:\81d9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76dcd013-4738-11dd-84df-001320358366}]
\Shell\AutoRun\command - E:\1u0o8bnq.cmd
\Shell\explore\Command - E:\1u0o8bnq.cmd
\Shell\open\Command - E:\1u0o8bnq.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{798ac2ca-ac89-11dc-8450-001320358366}]
\Shell\AutoRun\command - E:\olb1iimw.bat
\Shell\explore\Command - E:\olb1iimw.bat
\Shell\open\Command - E:\olb1iimw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ca91741-b472-11dc-8457-001320358366}]
\Shell\AutoRun\command - E:\xmnm2.cmd
\Shell\explore\Command - E:\xmnm2.cmd
\Shell\open\Command - E:\xmnm2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f9f8bc1-428c-11dd-84da-001320358366}]
\Shell\Auto\command - E:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a49d918b-23ae-11dc-83a4-001320358366}]
\Shell\AutoRun\command - E:\kqnns.exe
\Shell\explore\Command - E:\kqnns.exe
\Shell\open\Command - E:\kqnns.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa4342f5-e050-11dc-8481-001320358366}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa4342f6-e050-11dc-8481-001320358366}]
\Shell\AutoRun\command - ino6.com
\Shell\explore\Command - ino6.com
\Shell\open\Command - ino6.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8a9a24-a23a-11dc-8446-001320358366}]
\Shell\AutoRun\command - E:\olb1iimw.bat
\Shell\explore\Command - E:\olb1iimw.bat
\Shell\open\Command - E:\olb1iimw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8a9a26-a23a-11dc-8446-001320358366}]
\Shell\AutoRun\command - E:\yew.bat
\Shell\explore\Command - E:\yew.bat
\Shell\open\Command - E:\yew.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{addcd1cd-2d45-11dd-84c8-001320358366}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe
.
Contenuto della cartella 'Scheduled Tasks'

2008-08-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-10-08 C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job
- C:\Programmi\Google\Update\GoogleUpdate.exe [2008-09-25 08:44]
.
- - - - ORFÃOS REMOVIDOS - - - -

ShellExecuteHooks-{C5F43BEF-CE2F-46D8-AFE6-A647BACD1F09} - C:\WINDOWS\system32\Bitkv0.dll


.
------- Supplementare di scansione -------
.
R0 -: HKCU-Main,Start Page = https://172.16.16.100/internet/internet.cgi
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
O8 -: E&sporta in Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 -: Scarica i video con Free Download Manager - file://C:\Programmi\Free Download Manager\dlfvideo.htm
O8 -: Scarica selezionati con Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 -: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O17 -: HKLM\CCS\Interface\{CDCA59C7-AEFF-4A14-999E-7FD9EF90469F}: NameServer = 172.16.16.100

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 08:25:44
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESSO: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
C:\Programmi\Dell\OpenManage\Client\Iap.exe
C:\Programmi\Eset\nod32krn.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Ora fine scansione: 2008-10-08 8:31:11 - macchina è stato riavviato
ComboFix-quarantined-files.txt 2008-10-08 06:31:07

Pre-Run: 5.709.459.456 byte disponibili
Post-Run: 6,094,200,832 byte disponibili

249 --- E O F --- 2008-09-10 12:03:16
dipettatony
Junior User

Posts: 80
Joined: 14/12/05 11:52
Location: Vasto

Re: Who can help me... please

Post by Luke57 » 08/10/08 08:12

Hi, open a text file in Windows Notepad and paste this code into it:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{009ad61a-0146-11dd-84a1-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1af8dd8c-06cd-11dd-84a8-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23c6662d-c4d0-11dc-8466-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34c8a2c6-4bf0-11dd-84e3-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36278242-e80a-11db-835b-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36278246-e80a-11db-835b-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3af1eaab-fa51-11dc-849a-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e51d577-c802-11dc-8468-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ef8017d-ce33-11db-8340-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f2c1481-ef0b-11db-8363-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50f0d3e2-9b0a-11db-82e1-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f181c55-fc9f-11dc-849d-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ee96a18-b6a0-11db-8321-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76dcd013-4738-11dd-84df-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{798ac2ca-ac89-11dc-8450-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ca91741-b472-11dc-8457-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f9f8bc1-428c-11dd-84da-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a49d918b-23ae-11dc-83a4-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa4342f6-e050-11dc-8481-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8a9a24-a23a-11dc-8446-001320358366}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8a9a26-a23a-11dc-8446-001320358366}]



save it in c:\ with the name: fix.reg
file type: all files


download Avenger
http://swandog46.geekstogo.com/avenger.zip

unzip avenger.exe to the desktop, disconnect from the internet, close applications and programs, run avenger.exe
Copy and paste into the "Input script here" window the text in bold exactly as it is written:

files to delete:
C:\Documents and Settings\CITT@DINOPIU\yddoxqif.exe

files to move:
C:\Programmi\Eset\bak\nod32kui.exe | C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Scansoft\PaperPort\bak\IndexSearch.exe | C:\Programmi\Scansoft\PaperPort\IndexSearch.exe
C:\Programmi\Scansoft\PaperPort\bak\pptd40nt.exe | C:\Programmi\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\bak\ctfmon.exe | C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\bak\hkcmd.exe | C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\bak\igfxtray.exe | C:\WINDOWS\system32\igfxtray.exe

programs to launch on reboot:
c:\fix.reg



Tick "Automatically disable any rootkits found"
click the "Execute" button
The PC should restart by itself; if it does not, restart it manually

post the Avenger log that you find in c:\
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10
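
As an added example (not the thread's own code, nor ComboFix's or Avenger's), the Python below mechanises what Luke57 does by hand in this reply: it reads the MountPoints2 and AWF sections of a ComboFix log, flags the volumes whose autorun commands launch a script or binary off the drive (the U3 launcher is treated as legitimate, an assumption), and emits both the fix.reg deletions and the Avenger "files to move" list. SAMPLE_LOG is constructed from entries shown earlier in the thread.

```python
"""Turn a ComboFix log into the two clean-up artefacts this thread builds by hand:
a fix.reg deleting the hijacked MountPoints2 keys (per-volume autorun entries left
by a USB worm) and an Avenger 'files to move' list restoring original executables
that were moved into a 'bak' folder.  Added example, not code from the thread,
ComboFix or Avenger; SAMPLE_LOG is constructed from entries shown in the thread."""
import re

MOUNTPOINTS2 = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2"
# '[HKEY_CURRENT_USER\...\mountpoints2\{GUID}]' opens one block per volume Windows has seen.
KEY_RE = re.compile(r"^\[(" + re.escape(MOUNTPOINTS2) + r"\\\{[0-9a-f-]{36}\})\]$", re.I)
# '\Shell\<verb>\command - <what runs>' (verbs in the log: AutoRun, explore, open, Open(&0)).
CMD_RE = re.compile(r"^\\shell\\[^\\]+\\command - (.+)$", re.I)
# AWF lines: '<attrs> <size> <date> <time> <path>'; only the '\bak\' copies are of interest.
AWF_RE = re.compile(r"^[-a-z]{7}\s+[\d,]+\s+\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(.+\\bak\\[^\\]+)$", re.I)

ALLOWLIST = {"launchu3.exe"}  # assumption: the U3 flash-drive launcher is legitimate here
SUSPICIOUS_EXT = (".com", ".bat", ".cmd", ".exe", ".pif", ".scr")

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{009ad61a-0146-11dd-84a1-001320358366}]
\Shell\AutoRun\command - E:\xyw9tmdj.com
\Shell\explore\Command - E:\xyw9tmdj.com
\Shell\open\Command - E:\xyw9tmdj.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa4342f5-e050-11dc-8481-001320358366}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{addcd1cd-2d45-11dd-84c8-001320358366}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

----a-w 917,504 2006-03-30 11:53:16 C:\Programmi\Eset\bak\nod32kui.exe
----a-w 949,376 2008-07-25 06:26:46 C:\Programmi\Eset\nod32kui.exe
----a-w 15,360 2004-08-19 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-19 11:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 118,784 2004-08-20 19:51:14 C:\WINDOWS\system32\bak\hkcmd.exe
"""

def parse_mountpoints2(log_text):
    """Map each MountPoints2 key in the log to the commands registered under it."""
    blocks, current = {}, None
    for line in map(str.strip, log_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            blocks[current] = []
        elif not line:
            current = None          # a blank line closes the block
        elif current is not None:
            cmd = CMD_RE.match(line)
            if cmd:
                blocks[current].append(cmd.group(1).strip())
    return blocks

def is_hijacked(commands):
    """True if any command runs a script/binary off the volume or wraps one in RunDLL32."""
    verdict = False
    for cmd in commands:
        low = cmd.lower()
        target = low.split()[0] if low.split() else ""
        if target.rsplit("\\", 1)[-1] in ALLOWLIST:
            continue
        if "shellexec_rundll" in low or target.endswith(SUSPICIOUS_EXT) or low.endswith(SUSPICIOUS_EXT):
            verdict = True
    return verdict

def hijacked_keys(log_text):
    return [k for k, cmds in parse_mountpoints2(log_text).items() if is_hijacked(cmds)]

def awf_restore_pairs(log_text):
    """(moved-aside original, path it belongs at) for every '\\bak\\' entry in the AWF section."""
    pairs = []
    for line in log_text.splitlines():
        m = AWF_RE.match(line.strip())
        if m:
            bak = m.group(1)
            pairs.append((bak, bak.replace("\\bak\\", "\\", 1)))
    return pairs

def build_fix_reg(keys):
    """regedit 5.00 file text; a leading '-' deletes the key.  Save it as UTF-16LE."""
    return "Windows Registry Editor Version 5.00\r\n\r\n" + "".join(f"[-{k}]\r\n\r\n" for k in keys)

def build_avenger_script(move_pairs, reg_on_reboot=r"c:\fix.reg"):
    """Avenger input script in the shape used in the thread: restore files, then apply fix.reg."""
    lines = ["files to move:", *(f"{src} | {dst}" for src, dst in move_pairs), ""]
    lines += ["programs to launch on reboot:", reg_on_reboot]
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_fix_reg(hijacked_keys(SAMPLE_LOG)))
    print(build_avenger_script(awf_restore_pairs(SAMPLE_LOG)))
```

Running it against the full log posted above reproduces the key list in Luke57's fix.reg, minus the {aa4342f5-...} U3 entry he also left alone.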

Re: Who can help me... please

Post by dipettatony » 08/10/08 08:43

Ok, I did as told. Here is the log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\CITT@DINOPIU\yddoxqif.exe" deleted successfully.
File move operation "C:\Programmi\Eset\bak\nod32kui.exe|C:\Programmi\Eset\nod32kui.exe" completed successfully.
File move operation "C:\Programmi\Scansoft\PaperPort\bak\IndexSearch.exe|C:\Programmi\Scansoft\PaperPort\IndexSearch.exe" completed successfully.
File move operation "C:\Programmi\Scansoft\PaperPort\bak\pptd40nt.exe|C:\Programmi\Scansoft\PaperPort\pptd40nt.exe" completed successfully.
File move operation "C:\WINDOWS\system32\bak\ctfmon.exe|C:\WINDOWS\system32\ctfmon.exe" completed successfully.
File move operation "C:\WINDOWS\system32\bak\hkcmd.exe|C:\WINDOWS\system32\hkcmd.exe" completed successfully.
File move operation "C:\WINDOWS\system32\bak\igfxtray.exe|C:\WINDOWS\system32\igfxtray.exe" completed successfully.
Program "c:\fix.reg" successfully queued to run on reboot.

Completed script processing.

*******************

Finished! Terminate.
dipettatony
Junior User

Posts: 80
Joined: 14/12/05 11:52
Location: Vasto

Re: Who can help me... please

Post by Luke57 » 08/10/08 09:02

Hi, everything went fine.
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10

Re: Who can help me... please

Post by dipettatony » 08/10/08 09:26

First of all, thank you for your helpfulness and kindness; then let me take the opportunity to ask you something:
on a pen drive I have this trojan horse: F:\e.com - Win32/PSW.OnLineGames.NMY. With NOD I cannot remove it; it tells me it is impossible to disinfect. How should I proceed? Thanks in advance
dipettatony
Junior User

Posts: 80
Joined: 14/12/05 11:52
Location: Vasto

Ckvo.exe

Post by lake07 » 23/11/08 12:26

Hi, avast caught the "virus" ckvo.exe on my machine.
Not having found a page dedicated explicitly to the subject, I decided to write in this one, since reading between the lines of the colleague above I spotted this blessed ckvo.exe process.
I have now read the first steps, so I am pasting the ComboFix log and awaiting instructions:


ComboFix 08-11-22.02 - Administrator 2008-11-23 12.09.56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.157 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\abk.bat
C:\autorun.inf
c:\windows\system32\ckvo.exe
c:\windows\system32\ckvo0.dll
c:\windows\system32\gasretyw0.dll
c:\windows\system32\kamsoft.exe
D:\0w.com
D:\abk.bat
D:\Autorun.inf
D:\xih9.cmd

.
((((((((((((((((((((((((( Files Creati Da 2008-10-23 al 2008-11-23 )))))))))))))))))))))))))))))))))))
.

2008-11-21 01:07 . 2008-11-21 01:07 <DIR> d-------- c:\programmi\RealVNC
2008-11-18 20:02 . 2008-11-18 20:02 <DIR> d-------- C:\Program Files (x86)
2008-11-15 13:50 . 2008-11-17 17:22 85,504 -r-hs---- c:\windows\system32\gasretyw1.dll
2008-11-13 10:35 . 2008-11-13 10:35 99,461 -r-hs---- C:\lky.exe
2008-11-12 18:38 . 2008-11-21 00:44 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\skypePM
2008-11-12 18:38 . 2008-11-12 18:38 48 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-11 00:16 . 2008-11-11 00:16 <DIR> d-------- c:\programmi\File comuni\Skype
2008-11-10 12:09 . 2008-11-10 12:09 <DIR> d-------- c:\programmi\File comuni\PCSuite
2008-11-10 12:06 . 2008-05-07 07:38 20,864 --a------ c:\windows\system32\drivers\ccdcmbo.sys
2008-11-10 12:06 . 2008-05-07 07:38 8,064 --a------ c:\windows\system32\drivers\usbser_lowerfltj.sys
2008-11-10 12:06 . 2008-06-06 09:24 8,064 --a------ c:\windows\system32\drivers\usbser_lowerflt.sys
2008-11-10 12:05 . 2008-05-07 07:39 1,419,232 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2008-11-10 12:05 . 2008-05-07 07:38 659,968 --a------ c:\windows\system32\nmwcdcocls.dll
2008-11-10 12:05 . 2008-05-07 07:38 17,536 --a------ c:\windows\system32\drivers\ccdcmb.sys
2008-10-29 21:52 . 2004-08-19 15:39 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-10-29 21:52 . 2001-08-30 23:07 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-10-29 21:49 . 2008-10-29 21:51 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\Nikon
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\programmi\Nikon
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\programmi\File comuni\muvee Technologies
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Ultima_T15
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Nikon
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\EnterNHelp
2008-10-29 21:48 . 2008-11-15 21:08 20 ---h----- c:\documents and settings\All Users\Dati applicazioni\PKP_DLdu.DAT
2008-10-29 21:47 . 2008-10-29 21:51 <DIR> d-------- c:\programmi\File comuni\Nikon
2008-10-28 11:44 . 2008-10-28 11:44 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2008-10-28 11:44 . 2008-10-28 11:44 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-10-28 11:44 . 2008-10-28 11:44 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2008-10-28 11:44 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-28 11:44 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-23 23:53 . 2008-10-22 08:26 105,018 -r-hs---- C:\xlk9.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 11:17 87,015,456 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-23 11:15 13,374,055 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-23 11:14 1,026,932 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-21 01:04 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Skype
2008-11-18 19:02 --------- d-----w c:\programmi\File comuni\Adobe
2008-11-12 17:23 3,252,224 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-11-12 17:22 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\uTorrent
2008-11-12 14:07 --------- d-----w c:\programmi\eMule
2008-11-10 23:16 --------- d-----w c:\programmi\Skype
2008-11-10 11:09 --------- d-----w c:\programmi\Nokia
2008-11-10 11:09 --------- d-----w c:\programmi\File comuni\Nokia
2008-11-10 10:47 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Installations
2008-10-29 20:45 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-10-29 20:45 --------- d-----w c:\programmi\ArcSoft
2008-10-19 12:30 --------- d-----w c:\programmi\ERDAS
2008-09-24 10:33 --------- d-----w c:\programmi\PC Connectivity Solution
2008-09-19 12:51 1,992,192 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-09-05 12:15 400,384 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-09-05 12:15 1,981,952 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-09-03 17:07 3,003,904 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-09-03 17:07 1,979,392 ----a-w c:\windows\Internet Logs\xDBA.tmp
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\programmi\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 919016]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^Nikon Monitor.lnk]
path=c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 10:13 267048 c:\programmi\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 c:\programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-06-17 16:00 1249280 c:\programmi\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-10-02 07:00 1124352 c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\programmi\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-09 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-09 20560]
R3 V0260VID;Live! Cam Vista IM;c:\windows\system32\DRIVERS\V0260Vid.sys [2007-10-04 178913]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f364569-2e3d-11dd-ade9-000f3dbe400d}]
\Shell\AutoRun\command - I:\xlk9.com
\Shell\explore\Command - I:\xlk9.com
\Shell\open\Command - I:\xlk9.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb5024f1-e85a-11dc-a1b5-000f3dbe400d}]
\Shell\AutoRun\command - H:\xlk9.com
\Shell\explore\Command - H:\xlk9.com
\Shell\open\Command - H:\xlk9.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f104e27d-9b5c-11dd-9eca-0040f468a2c0}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f104e282-9b5c-11dd-9eca-0040f468a2c0}]
\Shell\AutoRun\command - G:\xlk9.com
\Shell\explore\Command - G:\xlk9.com
\Shell\open\Command - G:\xlk9.com
.
Contenuto della cartella 'Scheduled Tasks'

2008-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-22 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-04-23 16:17]

2008-11-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-04-23 16:17]
.
- - - - ORFÃOS REMOVIDOS - - - -

HKU-Default-Run-Nokia.PCSync - c:\programmi\Nokia\Nokia PC Suite 6\PcSync2.exe


.
------- Supplementare di scansione -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\dl71j0o4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://black-google.blogspot.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 12:16:09
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\WgaLogon.dll

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ati2evxx.exe
c:\programmi\Alwil Software\Avast4\aswUpdSv.exe
c:\programmi\Alwil Software\Avast4\ashServ.exe
c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\sessmgr.exe
c:\windows\system32\wdfmgr.exe
c:\programmi\RealVNC\VNC4\winvnc4.exe
c:\programmi\Alwil Software\Avast4\ashMaiSv.exe
c:\programmi\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WGATray.exe
.
**************************************************************************
.
Ora fine scansione: 2008-11-23 12:19:41 - macchina è stato riavviato
ComboFix-quarantined-files.txt 2008-11-23 11:19:34

Pre-Run: 6.254.211.072 byte disponibili
Post-Run: 6,322,593,792 byte disponibili

196 --- E O F --- 2008-06-22 20:18:55
lake07
Junior Member

Posts: 27
Joined: 11/08/06 15:01

Re: Can anyone help me... please

Post by Luke57 » 23/11/08 16:21

Hi, open a text file in Windows Notepad and paste the following code into it:

Code:
File::
C:\windows\system32\gasretyw1.dll
C:\lky.exe
C:\xlk9.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f364569-2e3d-11dd-ade9-000f3dbe400d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb5024f1-e85a-11dc-a1b5-000f3dbe400d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f104e282-9b5c-11dd-9eca-0040f468a2c0}]


Save the file on the desktop, with the mandatory name CFScript.txt, in the same folder as ComboFix, and drag it onto the ComboFix icon with the mouse pointer to run a new scan. Restart the computer and post the new report, if one is produced.
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10
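
As an added example (not ComboFix's code and not from the reply above), the following Python script pulls the same kind of indicators out of a ComboFix report that the CFScript above acts on: newly created files carrying both the hidden and system attributes, and mountpoints2 keys whose AutoRun/open/explore handler launches an executable from a drive root or a .vbs through the script host. It then writes them out in the File:: / Registry:: layout of CFScript.txt. The sample log is constructed from lines of the report in this thread, and the two flagging heuristics are my own assumptions, not ComboFix logic.

```python
# Added example, not ComboFix code: parse a ComboFix report and build a CFScript.txt.
import re

# Constructed sample in the layout of the report posted above (part of a "Files
# Creati" block and two mountpoints2 blocks), not the full report.
SAMPLE_LOG = r"""
2008-11-15 13:50 . 2008-11-17 17:22 85,504 -r-hs---- c:\windows\system32\gasretyw1.dll
2008-11-13 10:35 . 2008-11-13 10:35 99,461 -r-hs---- C:\lky.exe
2008-11-12 18:38 . 2008-11-12 18:38 48 --ah----- c:\windows\system32\ezsidmv.dat
2008-10-23 23:53 . 2008-10-22 08:26 105,018 -r-hs---- C:\xlk9.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f364569-2e3d-11dd-ade9-000f3dbe400d}]
\Shell\AutoRun\command - I:\xlk9.com
\Shell\explore\Command - I:\xlk9.com
\Shell\open\Command - I:\xlk9.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f104e27d-9b5c-11dd-9eca-0040f468a2c0}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs
.
Contenuto della cartella 'Scheduled Tasks'
"""

# "Files Creati" lines: two timestamps, a size, nine attribute flags, then the path.
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+(\S{9})\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.I)
# Assumed heuristic: a handler that runs an executable sitting at a drive root, or a
# .vbs via the script host, is the per-volume AutoRun persistence seen in the report.
ROOT_EXE_RE = re.compile(r"^[A-Z]:\\[^\\\s]+\.(?:exe|com|cmd|bat|scr|pif)$", re.I)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(?:\.exe)?\b.*\.vbs", re.I)


def hidden_system_files(log):
    """Paths of created files whose attribute flags include both hidden (h) and system (s)."""
    out = []
    for line in log.splitlines():
        m = FILE_RE.match(line)
        if m and "h" in m.group(1) and "s" in m.group(1):
            out.append(m.group(2))
    return out


def parse_mountpoints(log):
    """Map each mountpoints2 registry key to its {verb: command} handlers."""
    blocks, current = {}, None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = {}
        elif current and (m := CMD_RE.match(line)):
            blocks[current][m.group(1).lower()] = m.group(2)
        elif not line.startswith("\\"):
            current = None  # any other line ends the block
    return blocks


def is_autorun_hijack(commands):
    """True if any handler matches the drive-root executable or script-host pattern."""
    return any(ROOT_EXE_RE.match(c) or SCRIPT_HOST_RE.search(c) for c in commands.values())


def suspicious_keys(log):
    return [k for k, cmds in parse_mountpoints(log).items() if is_autorun_hijack(cmds)]


def build_cfscript(files, keys):
    """Render the File:: / Registry:: layout of CFScript.txt; [-key] deletes the key."""
    return "\n".join(["File::", *files, "", "Registry::", *(f"[-{k}]" for k in keys), ""])
```

Run against the sample, the File:: section lists the three -r-hs---- files and the Registry:: section deletes both mountpoints2 keys, including the wscript one that the script in the reply above did not list.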

Re: Can anyone help me... please

Post by lake07 » 23/11/08 21:53

Great, done as you said. By mistake or by luck (I hope this thing doesn't just make a mess) I ran the new scan you told me to do with the external hard disk switched on, and Ow.exe came up, which is another little problem that shows up every now and then.
Here is the log:

ComboFix 08-11-22.02 - Administrator 2008-11-23 21.38.19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.135 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Interruttori di comando utilizzati :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
C:\lky.exe
c:\windows\system32\gasretyw1.dll
C:\xlk9.com
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\abk.bat
C:\autorun.inf
C:\lky.exe
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
C:\xlk9.com
D:\abk.bat
D:\Autorun.inf
H:\0w.com
H:\abk.bat
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Creati Da 2008-10-23 al 2008-11-23 )))))))))))))))))))))))))))))))))))
.

2008-11-21 01:07 . 2008-11-21 01:07 <DIR> d-------- c:\programmi\RealVNC
2008-11-18 20:02 . 2008-11-18 20:02 <DIR> d-------- C:\Program Files (x86)
2008-11-12 18:38 . 2008-11-21 00:44 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\skypePM
2008-11-12 18:38 . 2008-11-12 18:38 48 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-11 00:16 . 2008-11-11 00:16 <DIR> d-------- c:\programmi\File comuni\Skype
2008-11-10 12:09 . 2008-11-10 12:09 <DIR> d-------- c:\programmi\File comuni\PCSuite
2008-11-10 12:06 . 2008-05-07 07:38 20,864 --a------ c:\windows\system32\drivers\ccdcmbo.sys
2008-11-10 12:06 . 2008-05-07 07:38 8,064 --a------ c:\windows\system32\drivers\usbser_lowerfltj.sys
2008-11-10 12:06 . 2008-06-06 09:24 8,064 --a------ c:\windows\system32\drivers\usbser_lowerflt.sys
2008-11-10 12:05 . 2008-05-07 07:39 1,419,232 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2008-11-10 12:05 . 2008-05-07 07:38 659,968 --a------ c:\windows\system32\nmwcdcocls.dll
2008-11-10 12:05 . 2008-05-07 07:38 17,536 --a------ c:\windows\system32\drivers\ccdcmb.sys
2008-10-29 21:52 . 2004-08-19 15:39 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-10-29 21:52 . 2001-08-30 23:07 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-10-29 21:49 . 2008-10-29 21:51 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\Nikon
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\programmi\Nikon
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\programmi\File comuni\muvee Technologies
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Ultima_T15
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Nikon
2008-10-29 21:48 . 2008-10-29 21:48 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\EnterNHelp
2008-10-29 21:48 . 2008-11-15 21:08 20 ---h----- c:\documents and settings\All Users\Dati applicazioni\PKP_DLdu.DAT
2008-10-29 21:47 . 2008-10-29 21:51 <DIR> d-------- c:\programmi\File comuni\Nikon
2008-10-28 11:44 . 2008-10-28 11:44 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2008-10-28 11:44 . 2008-10-28 11:44 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-10-28 11:44 . 2008-10-28 11:44 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2008-10-28 11:44 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-28 11:44 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 20:42 87,283,744 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-23 11:15 13,374,055 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-23 11:14 1,026,932 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-21 01:04 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Skype
2008-11-18 19:02 --------- d-----w c:\programmi\File comuni\Adobe
2008-11-12 17:23 3,252,224 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-11-12 17:22 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\uTorrent
2008-11-12 14:07 --------- d-----w c:\programmi\eMule
2008-11-10 23:16 --------- d-----w c:\programmi\Skype
2008-11-10 11:09 --------- d-----w c:\programmi\Nokia
2008-11-10 11:09 --------- d-----w c:\programmi\File comuni\Nokia
2008-11-10 10:47 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Installations
2008-10-29 20:47 106,496 ----a-w c:\windows\system32\ATL71.DLL
2008-10-29 20:45 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-10-29 20:45 --------- d-----w c:\programmi\ArcSoft
2008-10-19 12:30 --------- d-----w c:\programmi\ERDAS
2008-09-24 10:33 --------- d-----w c:\programmi\PC Connectivity Solution
2008-09-19 12:51 1,992,192 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-09-05 12:15 400,384 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-09-05 12:15 1,981,952 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-09-03 17:07 3,003,904 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-09-03 17:07 1,979,392 ----a-w c:\windows\Internet Logs\xDBA.tmp
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\programmi\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 919016]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^Nikon Monitor.lnk]
path=c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 10:13 267048 c:\programmi\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 c:\programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-06-17 16:00 1249280 c:\programmi\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-10-02 07:00 1124352 c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\programmi\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-09 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-09 20560]
R3 V0260VID;Live! Cam Vista IM;c:\windows\system32\DRIVERS\V0260Vid.sys [2007-10-04 178913]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f104e27d-9b5c-11dd-9eca-0040f468a2c0}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs
.
Contenuto della cartella 'Scheduled Tasks'

2008-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-22 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-04-23 16:17]

2008-11-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-04-23 16:17]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 21:42:17
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\WgaLogon.dll

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
Ora fine scansione: 2008-11-23 21.43.56
ComboFix-quarantined-files.txt 2008-11-23 20:43:51
ComboFix2.txt 2008-11-23 11:19:44

Pre-Run: 6.071.603.200 byte disponibili
Post-Run: 6,052,765,696 byte disponibili

164 --- E O F --- 2008-06-22 20:18:55
lake07
Junior Member

Posts: 27
Joined: 11/08/06 15:01

Re: Can anyone help me... please

Post by MIKI68 » 24/11/08 16:42

From HijackThis, fix these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://172.16.16.100/internet/internet.cgi
O4 - HKLM\..\Run: [MFServices] "C:\Programmi\Companion Suite LL\MFServices.exe" -n
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = css.it
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = css.it
Tips and settings for a computer that always runs well http://miki68news.blogspot.com/
MIKI68
Senior Member

Posts: 1732
Joined: 17/10/08 15:26
Location: Bari