"iexplorer" parte e inizia a rubare Mb di ram???

[CuoreSportivo]

Ciao Ragazzi!
...di nuovo per chiedervi una mano...forse avete già risp a qualcuno su questa cosa...sul computer della mia fidanzata aprendo explorer , parte un processo "iexplorer.exe" ...do l'ok al firewall (zoneallarm) e parte la navigazione...sento pero' che il pc "gratta-gratta" cioè lavora in continuo...poi guardo sul task manager e vedo che sto processo occupa man mano piu' memoria ram...è normale? o si nasconde qualcosa di losco?...comunque potrebbe avere anche altri problemi visto che questo pc è stato un po' trascurato...poteti darci un'occhiata?
Grazie in anticipo e Auguri a tutti!

Vi posto il log di hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.58.04, on 24/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\D-Link\AirPlus G\AirGCFG.exe
C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\gearsec.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UpdateManager] "c:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Programmi\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://www.browserupdate.co.uk/cabs/cus ... 3-2389.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://it.errorsafe.com/pages/scanner_i ... tallIT.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Provvedere al Servizio Sicurezza (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8983 bytes

[shel]

ciao

il processo iexplorer.exe e' riportato qui, ma per ora aspetta a terminarlo e comunque ih hijackthis non compare nulla a parte queste voci



http://www.processlibrary.com/it/direct ... iexplorer/

Lancia HiJackThis -> Clicca Do a scan only -> Metti la spunta a fianco delle righe che ti segnalo qui sotto -> Clicca su Fix Checked

Codice: Seleziona tutto

 O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

Scarica http://www.malwarebytes.org/mbam/program/mbam-setup.exe
Aggiornalo
Esegui una scansione completa
Posta il risultato senza rimuovere niente

[CuoreSportivo]

Ciao Ragazzi,
grazie per la risposta.
Vi posto il log di Malwarebytes, anche se mi sa che ho fatto una cavolata, mi son scordato e ho cliccato "rimuovi" quando me l'ha chiesto ho fatto un danno??
Grazie ancora!
Saluto!

Malwarebytes' Anti-Malware 1.42
Versione del database: 3423
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

26/12/2009 22.45.29
mbam-log-2009-12-26 (22-45-24).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi scansionati: 325584
Tempo trascorso: 2 hour(s), 19 minute(s), 38 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 2
Valori di registro infetti: 1
Elementi dato del registro infetti: 2
Cartelle infette: 4
File infetti: 3

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\winantivirus pro 2006 (Rogue.WinAntiVirus) -> No action taken.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\bootstera (Rogue.WinAntiVirus) -> No action taken.

Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Cartelle infette:
C:\Documents and Settings\All Users\Dati applicazioni\WinAntiVirus Pro 2006 (Rogue.WinAntiVirus) -> No action taken.
C:\Documents and Settings\Proprietario\Dati applicazioni\WinAntiVirus Pro 2006 (Rogue.WinAntiVirus) -> No action taken.
C:\Documents and Settings\Proprietario\Dati applicazioni\WinAntiVirus Pro 2006\Logs (Rogue.WinAntiVirus) -> No action taken.
C:\Programmi\File comuni\WinAntiVirus Pro 2006 (Rogue.WinAntiVirus) -> No action taken.

File infetti:
C:\Documents and Settings\Proprietario\Dati applicazioni\WinAntiVirus Pro 2006\PGE.dat (Rogue.WinAntiVirus) -> No action taken.
C:\Documents and Settings\Proprietario\Dati applicazioni\WinAntiVirus Pro 2006\Logs\update.log (Rogue.WinAntiVirus) -> No action taken.
C:\WINDOWS\system32\stera.job (Rogue.WinAntiVirus) -> No action taken.

[shel]

no non hai fatto male ad eliminarle, ma la prossima volta attendi la conferma

WinAntiVirus Pro 2006 e' un rogue che si installa e crea problemi abbastanza gravi nel pc, come tanti altri finti antivirus


per maggior sicurezza fai una scansione anche con combofix- Scarica ComboFix da qui http://download.bleepingcomputer.com/sUBs/ComboFix.exe , avvialo e quindi premi 1 per avviare la scansione. Alla fine della scansione ti verrà rilasciato un file chiamato combofix.txt nella cartella c:\combofix, allegami tale file nel prossimo messaggio.

[shel]

edit

non sono stati eliminati- per farlo devi riavviare il programma e premere su ''rimuovi selezionati''

[fandango2031]

Virus o meglio un finto antivirus guarda qui http://www.411-spyware.com/remove-winantivirus-pro-2006...non ho potuto testare l'integrita del tool remover dunque ti consiglio la rimozione manuale.


Ciao

[shel]

.non ho potuto testare l'integrita del tool remover dunque ti consiglio la rimozione manuale.

grazie fandango, ma e' gia' stata data una procedura, non confondiamo l'utente

semmai dopo si passa a quella manuale (se ne avra' bisogno)

[fandango2031]

Quando ho risposto non avevi ancora postato,non volevo procurare casini...

[CuoreSportivo]

Grazie Shel,
ho fatto girare Combofix, non so se si puo' allegare direttamente il file, ma provo a copiartelo qui:
Ri-grazie in anticipo,
saluti!

ComboFix 09-12-26.01 - Proprietario 27/12/2009 0.00.29.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1023.589 [GMT 1:00]
Eseguito da: c:\documents and settings\Proprietario\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
c:\programmi\Need2Find
c:\programmi\Need2Find\bar\History\search
c:\windows\system32\ps2.bat
c:\windows\system32\stera.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Legacy_VSPF
-------\Legacy_VSPF_HK


((((((((((((((((((((((((( Files Creati Da 2009-11-26 al 2009-12-26 )))))))))))))))))))))))))))))))))))
.

2009-12-26 10:49 . 2009-12-26 10:49 0 ----a-w- c:\windows\nsreg.dat
2009-12-26 10:49 . 2009-12-26 10:49 -------- d-----w- c:\documents and settings\Proprietario\Impostazioni locali\Dati applicazioni\Mozilla
2009-12-24 14:12 . 2009-12-24 14:12 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\Malwarebytes
2009-12-24 14:11 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 14:11 . 2009-12-24 14:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-12-24 14:11 . 2009-12-24 14:12 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-12-24 14:11 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 00:35 . 2009-12-22 00:35 -------- d-----w- c:\programmi\Microsoft CAPICOM 2.1.0.2
2009-12-21 23:58 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-21 23:58 . 2009-03-06 14:19 286208 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-12-21 23:58 . 2009-02-09 11:22 111104 -c----w- c:\windows\system32\dllcache\services.exe
2009-12-21 23:58 . 2009-02-09 10:51 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-12-21 23:58 . 2009-02-09 10:51 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-12-21 23:58 . 2009-02-09 10:51 683520 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-12-21 23:58 . 2009-02-09 10:51 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-21 23:58 . 2009-02-09 10:51 736256 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-12-21 23:58 . 2009-06-21 21:47 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-21 23:57 . 2008-04-21 21:14 219136 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-12-05 17:33 . 2009-07-10 13:26 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-03 23:55 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-03 23:55 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 23:22 . 2009-02-07 14:03 6719520 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-26 23:16 . 2009-02-07 14:03 79508 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-26 23:16 . 2009-01-25 20:33 12 ----a-w- c:\windows\bthservsdp.dat
2009-12-24 11:53 . 2004-01-01 16:21 64872 ----a-w- c:\windows\system32\perfc010.dat
2009-12-24 11:53 . 2004-01-01 16:21 429538 ----a-w- c:\windows\system32\perfh010.dat
2009-12-24 11:00 . 2009-02-07 10:33 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg8
2009-12-22 08:34 . 2009-02-02 22:06 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\gtk-2.0
2009-12-15 19:05 . 2009-11-25 23:23 2065688 ----a-w- c:\documents and settings\All Users\Dati applicazioni\avg8\update\backup\avgcorex.dll
2009-12-12 13:46 . 2008-12-10 10:41 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\U3
2009-12-04 22:08 . 2006-02-17 13:10 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\Nokia
2009-11-24 21:44 . 2009-01-13 22:34 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\Skype
2009-11-24 21:44 . 2009-01-13 23:06 -------- d-----w- c:\documents and settings\Proprietario\Dati applicazioni\skypePM
2009-10-29 07:42 . 2005-10-21 15:50 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:42 . 2004-08-19 22:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:42 . 2004-01-02 00:32 17408 ------w- c:\windows\system32\corpol.dll
2009-10-22 17:48 . 2009-02-07 10:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-22 17:48 . 2009-02-07 10:33 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-22 17:48 . 2009-02-07 10:33 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-22 17:48 . 2009-02-07 10:33 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-21 05:38 . 2004-08-19 22:39 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-19 22:39 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:33 . 2004-01-02 00:34 271360 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-01-02 00:34 150016 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-01-02 00:34 79872 ----a-w- c:\windows\system32\raschap.dll
2006-07-13 16:04 . 2006-07-13 16:01 10990104 ----a-w- c:\programmi\setupita.exe
2006-06-06 15:28 . 2006-06-06 15:28 243512 ----a-w- c:\programmi\jre-1_5_0_06-windows-i586-p-iftw.exe
2006-01-26 10:01 . 2006-06-20 12:44 1082742 ----a-w- c:\programmi\wrar351it.exe
2004-09-22 09:49 . 2006-03-05 16:52 121 ----a-w- c:\programmi\matlab13-crk.txt
2004-10-24 16:39 . 2004-10-24 16:39 0 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2004-01-27 229376]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-26 344064]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 50176]
"UpdateManager"="c:\programmi\File comuni\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DataLayer"="c:\programmi\File comuni\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 819712]
"MessengerPlus3"="c:\programmi\MessengerPlus! 3\MsgPlus.exe" [2006-05-17 190024]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2006-05-29 180269]
"D-Link AirPlus G"="c:\programmi\D-Link\AirPlus G\AirGCFG.exe" [2006-11-17 1552384]
"ANIWZCS2Service"="c:\programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-29 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-15 2043160]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Speed Launch.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-22 17:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\MsgPlusLoader.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0A\0?\0stera

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Controllo del Calendario di Ulead Photo Express]
2004-01-12 18:40 69632 ----a-w- c:\programmi\Ulead Systems\Ulead Photo Express 5 SE\CalCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2005-06-29 14:29 176128 ----a-w- c:\programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
2003-11-19 11:03 45056 ------w- c:\programmi\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"matlabserver"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\ANSYS Inc\\v100\\AISOL\\CommonFiles\\intel\\AnsysWBU.exe"=
"c:\\Programmi\\ANSYS Inc\\v100\\AISOL\\CAD Integration\\intel\\ActivePIMgrU.exe"=
"c:\\Programmi\\ANSYS Inc\\v100\\AISOL\\CAD Integration\\intel\\ReaderHostU.exe"=
"c:\\Programmi\\ANSYS Inc\\v100\\AISOL\\CE\\intel\\CEExeServerU.exe"=
"c:\\Programmi\\ANSYS Inc\\v100\\CommonFiles\\TCL\\bin\\intel\\tclsh.exe"=
"c:\\Programmi\\ANSYS Inc\\v100\\CommonFiles\\TCL\\bin\\intel\\wish.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [02/10/2003 3.16.48 119552]
R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [27/09/2003 14.37.16 5504]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/02/2009 11.33.32 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/02/2009 11.33.38 108552]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [01/06/2006 14.19.45 909312]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/10/2009 18.48.07 297752]
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.yahoo.it/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1230CB21-C88D-11CF-0000-000000000000} - hxxp://www.browserupdate.co.uk/cabs/cus ... 3-2389.cab
FF - ProfilePath - c:\documents and settings\Proprietario\Dati applicazioni\Mozilla\Firefox\Profiles\gviret6f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - plugin: c:\programmi\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\programmi\Java\jre1.5.0_06\bin\NPOJI610.dll
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-VTTimer - VTTimer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 00:21
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86C10780]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75bef28
\Driver\ACPI -> ACPI.sys @ 0xf7531cb8
\Driver\atapi -> 0x86c10780
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2420)
c:\windows\system32\WININET.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\rundll32.exe
c:\windows\System32\gearsec.exe
c:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\programmi\iPod\bin\iPodService.exe
.
**************************************************************************
.
Ora fine scansione: 2009-12-27 00:28:21 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-12-26 23:28

Pre-Run: 85.656.952.832 byte disponibili
Post-Run: 86.316.232.704 byte disponibili

- - End Of File - - 85DC3A193DE25061D6F40E887FF3AAE1

[shel]

Scarica MBR:EXE direttamente nella Directory C:\
http://www2.gmer.net/mbr/mbr.exe


Entra in Modalità Provvisoria.

Start - Esegui - digita C:\mbr.exe -f e clicca su OK ( Per non sbagliare a digitare il comando, fai copia-incolla.)
Posta il log prodotto per il controllo e salvalo come MBR2

[CuoreSportivo]

Ok,
ho scaricato MBR, l'ho lanciato, c'ha messo pochissimo...non so se il risultato va bene, comunque ti posto il log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[shel]

si l'MBR e' a posto

fai queste due scansioni da modalita' provvisoria

la prima con virit

http://www.tgsoft.it/italy/download.htm lo aggiorni (cliccando sulla parabola in alto)

Posta anche il log. (lo trovi sull'icona in alto, con raffigurato un block notes ,con una penna)

poi scarica Norman

http://normanasa.vo.llnwd.net/o29/publi ... leaner.exe

Finita la scansione, rimuovi i files infetti trovati e posta il log che viene generato sul desktop.

[CuoreSportivo]

Ok, ecco il log di Virit fatto in modalità provvisoria, ha trovato due file infetti (boh, sembrano file di un programma "normale") , ho chiuso e sembra non abbia cancellato niente...
...ora scarico anche Norman...

VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
27/12/2009 - 12:16:03

[SCANSIONE DEL REGISTRO]
OK

[A:]
BOOT SECTOR: OK


[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Programmi\Easy CD-DA Extractor 7\burn.exe Possibile variante da Trojan.Win32.Agent.IU
C:\Programmi\Easy CD-DA Extractor 7\convert.exe Possibile variante da Trojan.Win32.Agent.IU

[D:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


[E:]


[F:]


[G:]


Chiavi Registro infette: 0.
Files Infetti: 2.
Files Sospetti: 0.
Files Analizzati: 178477.
Files Totali: 178477.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

[CuoreSportivo]

Ciao,

ho scaricato Norman, ma purtroppo lanciandolo dalla modalità provvisoria non mi fa fare la scansione, mi compare la scritta:

"unable to load nsak.sys.error (0x00000001)"

...i tasti per la partenza della scansione sono in grigio e non cliccabili, che faccio? faccio la scansione dalla modalità "normale" ? (li funziona).
Grazie

[shel]

ciao


lascia stare norman, ci sono dei problemi con il programma

virit ha riconosciuto delle infezioni e proprio nel programma Easy CD-DA Extractor....vuoi tenerlo nel pc?

semmai dopo lo reinstalli pulito


scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio

Avvia il file avenger.exe

Copi e incolli nella finestra: "Imput script here" il SEGUENTE testo COSI' come l'ho scritto CON la dicitura files to delete:


files to delete:
C:\Programmi\Easy CD-DA Extractor 7\burn.exe
C:\Programmi\Easy CD-DA Extractor 7\convert.exe

Togli il segno di spunta dalla voce Scan for Rootkits
Premi il pulsante Execute
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

[CuoreSportivo]

Ok, ma prima disinstallo il programma cd extractor?

[shel]

certo che devi disinstallarlo- dopo la procedura con avenger comunque sara' inutile tenerlo nel pc

[CuoreSportivo]

OK,
ho disinstallato cd extractor, fatto partire Avenger. Ti posto il log sotto:
(ma iil problema con iexplorer.exe pteva essere causato da cd extractor?)


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Error: could not open file "C:\Programmi\Easy CD-DA Extractor 7\burn.exe"
Deletion of file "C:\Programmi\Easy CD-DA Extractor 7\burn.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\Programmi\Easy CD-DA Extractor 7\convert.exe"
Deletion of file "C:\Programmi\Easy CD-DA Extractor 7\convert.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.

[shel]

non ha funzionato

dovevo prima farti eseguire avenger.....


prova a fare una scansione con malwarebytes (completa) dopo averlo aggiornato

[CuoreSportivo]

Ok, ma se avenger non ha trovato i files, (perchè io li ho disinstallati) non dovrebbero esserci piu'? no? (scusa in anticipo l'ignoranza...)
Rilancio malwarebyte allora...