lpt7.exe - cavallo di troia (Win32/Agent.NDG)

[Luke57]

Con hijackthis, premi "do a system scan oly", cerchi e spunti le seguenti voci:
O4 - HKLM\..\Run: [prpj1.exe] C:\WINDOWS\TEMP\prpj1.exe
O23 - Service: SecWnd - Unknown owner - \\?\C:\Programmi\File comuni\Services\lpt7.exe (file missing)
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe (file missing)

premi fix checked

Elimina questo file:
C:\WINDOWS\TEMP\prpj1.exe
insieme a tutti i file temp e tmp di windows.

Del linkoptmizer ci si può anche reinfettare

Per cui, esegui questo tool:
http://www.prevx.com/gromozon.asp
disattivi l'antivirus, con i programmi e le applicazioni chiusi, esegui il tool. Al riavvio del computer, il programma terminerà la scanione nelle altre cartelle di windows. Al termine della scansione, sarà rilasciato un report in C:\Gromozon_Removal.log.

Copialo e incollalo in un post.

[marcosesto]

Ciao sono marcosesto,ho cancellato tutto, mi rimane una cartella su C: avenger con dentro lpt5 come l'elimino?

[andorra24]

Ciao sono marcosesto,ho cancellato tutto, mi rimane una cartella su C: avenger con dentro lpt5 come l'elimino?

Prova cosi:

start>esegui>cmd>OK
Aperto il prompt dei comandi. digita letteralmente:
del \\.\c:\avenger\lpt5.exe ------ >Invio

[marcosesto]

Fatto, mi dice "impossibile trovare il file specificato"

[andorra24]

Fatto, mi dice "impossibile trovare il file specificato"

Ma non riesci ad eliminare manualmente quella cartella?

[lucas/s]

Ciao,puoi provare in questo modo
Scarica questo file
http://downloads.andymanchesta.com/Tools/IceSword1.zip
decomprimi l'archivio,avvia il file icesword.exe,sotto clicca sul pulsante "File" adesso clicca su "Loca disk" dovresti visualizzare la cartella Avenger,selezionala,destro del mouse e scegli "Delete"

Ciao

[marcosesto]

sei un grande, è sparito. Grazie.

[lucas/s]

sei un grande, è sparito. Grazie.

Grazie
Contento che hai risolto

[aprile]

non ho trovato il file prpj1.exe (neanche con "mostra file nascosti").
ho fatto il tool che mi consigliavi. Ecco il log:

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Trojan.Gromozon does not exist - your system is clean.


Spy-bot NON lo rileva più.

L'antivirus mi dice: C:\Windows\File comuni\services\lpt7.exe errore durante l'apertura del file
...perchè ho disabilitato AUTOEXEC.NT?

mentre kb890830 lo vede ancora e me ne dà segnale.

ciao e grazie ancora per tutta la pazienza....

[marcosesto]

Un ultima cosa, perchè il mio nod32 non ha bloccato il lpt5, ancora grazie, marcosesto.

[marco.rm3]

Ciao a tutti,
ho problema con un trojan.horse

a parte che il mio windows (autentico!) non è mai riuscito ad accedere agli aggiornamenti automatici, adesso NOD32 ha rilevato il virus Win32/Agent.NDG nel file C:\Programmi\File comuni\System\wxWk.exe

ho utilizzato GMER per fare lo scan da Rootkit e Autostart, vi allego di seguito il log
(ho già scaricato Avenger, "TT456C8.exe" e "HiJackThis_v2.exe" ma ancora non li ho usati, aspetto vostre indicazioni, grazie)

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2008-04-22 12:40:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwClose
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver
SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSection
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetInformationFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetValueKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwWriteFile

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A6096C8A

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{72AADD08-687F-4C38-883F-631F658CFC38}
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log
File E:\System Volume Information\_restore{72AADD08-687F-4C38-883F-631F658CFC38}

---- EOF - GMER 1.0.10 ----


----------------------------------------------------------------------------

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2008-04-22 12:40:59
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
KPF4 /*Sunbelt Kerio Personal Firewall 4*/@ = "C:\Programmi\Sunbelt Software\Personal Firewall 4\kpf4ss.exe"
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
MSIServer /*Windows Installer*/@ = C:\WINDOWS\system32\msiexec.exe /V
Nero BackItUp Scheduler 3 /*Nero BackItUp Scheduler 3*/@ = C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
NOD32krn /*NOD32 Kernel Service*/@ = C:\Programmi\Eset\nod32krn.exe
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SysXfa /*SysXfa*/@ = "C:\Programmi\File comuni\System\wxWk.exe"
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
Viewpoint Manager Service /*Viewpoint Manager Service*/@ = "C:\Programmi\Viewpoint\Common\ViewpointService.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@nod32kuiC:\Programmi\Eset\nod32kui.exe /WAITSERVICE = C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
@nwiznwiz.exe /install = nwiz.exe /install
@Acrobat Assistant 7.0"C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" = "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
@ /*file not found*/ = /*file not found*/
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@rydg1.exeC:\WINDOWS\TEMP\rydg1.exe /*file not found*/ = C:\WINDOWS\TEMP\rydg1.exe /*file not found*/
@SunJavaUpdateSched"C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" = "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@NBKeyScan"C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" = "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
@Microsoft©C:\WINDOWS\system32\dllcache\iexplore.exe = C:\WINDOWS\system32\dllcache\iexplore.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MsnMsgr"C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background = "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@PlaxoUpdateC:\Programmi\Plaxo\2.13.1.3\PlaxoHelper.exe -a = C:\Programmi\Plaxo\2.13.1.3\PlaxoHelper.exe -a
@swgC:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe = C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
@IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 = "C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
@Microsoft©C:\WINDOWS\system32\dllcache\iexplore.exe = C:\WINDOWS\system32\dllcache\iexplore.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll =


Ciao,
Marco

[Luke57]

Ciao, Scarica ATF-Cleaner sul desktop(lo userai dopo) o deve ti rimane più comodo
http://www.atribune.org/ccount/click.php?id=1

Scarica questi 2 removal tool sul desktop
1°
http://www.prevx.com/gromozon.asp (Clicca sul bottone verde "Download gromozon removal tool")
2°
http://securityresponse.symantec.com/av ... inkopt.exe

Esegui il primo tool, ti chiederà di riavviare, tu riavvia, una volta riavviato il pc partirà la scansione, attendi la fine della scansione e riavvia il pc in modalità provvisoria, una volta dentro esegui il secondo removal tool, attendi la fine della scansione, finita la scansione,
Avvia ATF-Cleaner
Esegui il programma(non necessita di installazione)
Spunta le voci sotto elencate, in grasetto, presenti nel tag "Main"
Windows Temp
Current User Temp
Cookies
Temporary Internet Files
Java Cache
Clicca sul pulsante [b]Empy Selected

Se hai firefox vedrai il tag "Firefox" in grasetto e selezioni le voci
Firefox cache
Firefox cookies
Clicca sul pulsante Empy Selected

Se hai opera vedrai il tag "Opera" in grasetto e selezioni le voci
Opera cache
Opera cookies
Clicca sul pulsante Empy Selected

Riavvia il pc normalmente

Incolla in un post poi questi logs:
1-C:\gromozon_removal.txt
2-FixLinkopt.log

[marco.rm3]

Grazie mille,
ho fatto ma i due tool non mi rilevano nulla. Anzi il tool prevx mi si è bloccato per un "violazione alla memoria 0x0... ecc.".
Ora Windows mi da un errore iexplorer.exe: istruzione a "0x0746cc7d6" riferita alla memoria "0x00000042" che non può essere "read".

Ho installato PREVX 2.0 (trial) e mi trova due virus
1) PATCH.EXE
This executable program has a file size of 244,224 bytes, it is called PATCH.EXE and is located in the %desktop%\ folder.
This file is considered unsafe and is part of the malware group, Generic9.ADHX. It was first seen on Saturday, Jun 2 2007. It has been seen frequently by 18 users in this section of the community.
PATCH.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process

2) AUTORUN.EXE
This executable program has a file size of 708,608 bytes, it is most frequently called AUTORUN.EXE and is most frequently located in the ?:\run\ folder.
The file header contains the following information:
Vendor : OTAN
Version: 1.0

This file is considered unsafe and is part of the malware group, VCS. It was first seen on Thursday, Jan 10 2008. It has been seen frequently by 7 users in this section of the community. The file has only been seen in ITALY.
AUTORUN.EXE has been seen to perform the following behaviors:
- The Process is packed and/or encrypted using a software packing process
- Executes a Process
- Enables an In Process Object/Server - Common with DLL Injections
- Writes to another Process's Virtual Memory (Process Hijacking)
- Terminates Processes
- This Process Deletes Other Processes From Disk
- Adds a Registry Key (RUN) to auto start Programs on system start up
- This Process Creates Other Processes On Disk
- Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
- This Process uses Anti Dissasembly Tricks
- The Process is polymorphic and can change its structure
- This Process Contains User Mode Rootkit Functionality
- Enables a COM Object/Server on the Local Machine
AUTORUN.EXE has been the subject of the following behaviors:
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Created as a process on disk
- Deleted as a process from disk
- Added as a Registry auto start to load Program on Boot up

Riporto sotto il log di "HijackThis"

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17.45.24, on 22/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dllcache\iexplore.exe
C:\WINDOWS\system32\dllcache\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\PrevxCSI\PrevxCSI.exe
C:\Programmi\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Programmi\PrevxCSI\PrevxCSI.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Viewpoint\Common\ViewpointService.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Prevx2\PXConsole.exe
C:\Programmi\Prevx2\PXAgent.exe
C:\Programmi\Outlook Express\msimn.exe
C:\HJT\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ig?hl=it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Class - {7A44F348-C00D-91B6-1D18-8BDD2AD5A4D3} - C:\WINDOWS\abotd1.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [rydg1.exe] C:\WINDOWS\TEMP\rydg1.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Microsoft©] C:\WINDOWS\system32\dllcache\iexplore.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Programmi\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Programmi\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Microsoft©] C:\WINDOWS\system32\dllcache\iexplore.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ilariab81.spaces.live.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 1522684953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1522666921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A335EC30-2007-4F57-A0D1-4FDFCCA18B91} - http://td8eau9td.com/1524c5f9/50310/1/xp/FreeAccess.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MediaBar) - http://sib1.pvw.od2.com/common/musicman ... Plugin.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6915354F-CC90-419E-8921-673E0884EE56}: NameServer = 151.100.4.2,151.100.4.13
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Programmi\PrevxCSI\\PrevxCSI.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmi\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PREVXAgent - Prevx - C:\Programmi\Prevx2\PXAgent.exe
O23 - Service: SysXfa - Unknown owner - C:\Programmi\File comuni\System\wxWk.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programmi\Viewpoint\Common\ViewpointService.exe

--
End of file - 11013 bytes

Grazie ancora,
Marco

[marco.rm3]

Ciao, Scarica ATF-Cleaner sul desktop(lo userai dopo) o deve ti rimane più comodo
http://www.atribune.org/ccount/click.php?id=1

Scarica questi 2 removal tool sul desktop
1°
http://www.prevx.com/gromozon.asp (Clicca sul bottone verde "Download gromozon removal tool")
2°
http://securityresponse.symantec.com/av ... inkopt.exe

Esegui il primo tool, ti chiederà di riavviare, tu riavvia, una volta riavviato il pc partirà la scansione, attendi la fine della scansione e riavvia il pc in modalità provvisoria, una volta dentro esegui il secondo removal tool, attendi la fine della scansione, finita la scansione,
Avvia ATF-Cleaner
Esegui il programma(non necessita di installazione)
Spunta le voci sotto elencate, in grasetto, presenti nel tag "Main"
Windows Temp
Current User Temp
Cookies
Temporary Internet Files
Java Cache
Clicca sul pulsante [b]Empy Selected

Se hai firefox vedrai il tag "Firefox" in grasetto e selezioni le voci
Firefox cache
Firefox cookies
Clicca sul pulsante Empy Selected

Se hai opera vedrai il tag "Opera" in grasetto e selezioni le voci
Opera cache
Opera cookies
Clicca sul pulsante Empy Selected

Riavvia il pc normalmente

Incolla in un post poi questi logs:
1-C:\gromozon_removal.txt
2-FixLinkopt.log

Ho rifatto lo scan e inserisco i log che ho:

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

---------------------------------------

Symantec Trojan.Linkoptimizer Removal Tool 1.0.8
Restored SeDebugPrivilege to Administrators group

Trojan.Linkoptimizer has not been found on your computer.

------------------------------------------------------------------

C:\WINDOWS\system32\dllcache\iexplorer.exe
Hidden Key: S-1-5-21-2052111302-73586283-839522115-1003\Software\Microsoft\Windows\Run - Malicious Software


Please, help me

Marco

[Luke57]

Ciao, apri hijackthis, disconnesso da internet e con le applicazioni chiuse, premi "do a system scan only", cerca e spunta le voci seguenti:
O2 - BHO: Class - {7A44F348-C00D-91B6-1D18-8BDD2AD5A4D3} - C:\WINDOWS\abotd1.dll (file missing)O4 - HKLM\..\Run: [rydg1.exe] C:\WINDOWS\TEMP\rydg1.exe
O4 - HKLM\..\Run: [Microsoft©] C:\WINDOWS\system32\dllcache\iexplore.exe
O23 - Service: SysXfa - Unknown owner - C:\Programmi\File comuni\System\wxWk.exe (file missing)

premi fix checked


Riavvia in modalità provvisoria, cerca ed elimina il seguente file:
C:\WINDOWS\system32\dllcache\iexplorer.exe
avvia Atf cleaner e utilizzalo con la procedura suggerita

riavvia e posta nuovo log di hijackthis

[marco.rm3]

Ciao, apri hijackthis, disconnesso da internet e con le applicazioni chiuse, premi "do a system scan only", cerca e spunta le voci seguenti:
O2 - BHO: Class - {7A44F348-C00D-91B6-1D18-8BDD2AD5A4D3} - C:\WINDOWS\abotd1.dll (file missing)O4 - HKLM\..\Run: [rydg1.exe] C:\WINDOWS\TEMP\rydg1.exe
O4 - HKLM\..\Run: [Microsoft©] C:\WINDOWS\system32\dllcache\iexplore.exe
O23 - Service: SysXfa - Unknown owner - C:\Programmi\File comuni\System\wxWk.exe (file missing)

premi fix checked


Riavvia in modalità provvisoria, cerca ed elimina il seguente file:
C:\WINDOWS\system32\dllcache\iexplorer.exe
avvia Atf cleaner e utilizzalo con la procedura suggerita

riavvia e posta nuovo log di hijackthis

Grazie Luke,
ho rimosso il file in modalità provvisoria (internet scollegato) ho avviato ATF-cleaner e poi ho riavviato normalmente (con internet collegato) ed ho eseguito lo scan con hijackthis. Ti posto il nuovo log (cmq Prevx mi segnala ancora "iexplorer.exe" come riportato nel precedente post.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13.33.41, on 23/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\PrevxCSI\PrevxCSI.exe
C:\Programmi\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Programmi\PrevxCSI\PrevxCSI.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programmi\Prevx2\PXConsole.exe
C:\Programmi\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Prevx2\PXAgent.exe
C:\Programmi\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programmi\Viewpoint\Common\ViewpointService.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ig?hl=it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [rydg1.exe] C:\WINDOWS\TEMP\rydg1.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Programmi\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [PrevxCSI] "C:\Programmi\PrevxCSI\PrevxCSI.exe" /bootupreg
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Programmi\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Microsoft©] C:\WINDOWS\system32\dllcache\iexplore.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ilariab81.spaces.live.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 1522684953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1522666921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A335EC30-2007-4F57-A0D1-4FDFCCA18B91} - http://td8eau9td.com/1524c5f9/50310/1/xp/FreeAccess.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MediaBar) - http://sib1.pvw.od2.com/common/musicman ... Plugin.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6915354F-CC90-419E-8921-673E0884EE56}: NameServer = 151.100.4.2,151.100.4.13
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Programmi\PrevxCSI\\PrevxCSI.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmi\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PREVXAgent - Prevx - C:\Programmi\Prevx2\PXAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programmi\Viewpoint\Common\ViewpointService.exe

--
End of file - 10665 bytes

Grazie,
Marco

[Luke57]

Ciao, scarica combofix sul desktop
ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disconettiti da internet
disattiva l'antivirus


Avvia il file ComboFix.exe
Digita 1 per avviare il tool (non fare altre manovre durante la scansione, se spariscono le icone dal desktop è normale, la scansione è piuttosto lenta)
Segui le istruzioni e alla fine verrà generato un log in C:\combofix.txt.

collegati e inserisci in una tua risposta il report di combofix

[marco.rm3]

Posto il log di CombiFix:

ComboFix 08-04-22.5 - FDN 2008-04-23 17.40.41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1543 [GMT 2:00]
Eseguito da: C:\Documents and Settings\FDN\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\075C82B950.dll
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Creati Da 2008-03-23 al 2008-04-23 )))))))))))))))))))))))))))))))))))
.

2008-04-22 16:09 . 2008-04-23 17:34 <DIR> d-------- C:\Programmi\Prevx2
2008-04-22 16:09 . 2008-04-22 17:52 <DIR> d-------- C:\Documents and Settings\FDN\Dati applicazioni\Prevx
2008-04-22 16:09 . 2008-04-22 16:15 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Prevx
2008-04-22 15:59 . 2008-04-22 15:59 <DIR> d-------- C:\Programmi\PrevxCSI
2008-04-22 15:59 . 2008-04-23 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\PrevxCSI
2008-04-22 15:59 . 2008-04-23 15:00 10,880 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-04-22 12:35 . 2008-04-23 13:33 <DIR> d-------- C:\HJT
2008-04-22 12:31 . 2008-04-22 12:31 250 --a------ C:\WINDOWS\gmer.ini
2008-03-31 23:25 . 2008-03-31 23:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 23:25 . 2008-03-31 23:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 23:25 . 2008-03-31 23:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 23:25 . 2008-03-31 23:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 23:25 . 2008-03-31 23:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 23:25 . 2008-03-31 23:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-24 21:45 . 2008-03-24 21:45 630,784 --a------ C:\WINDOWS\system32\divxdec.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 13:29 --------- d-----w C:\Programmi\Plaxo
2008-04-23 11:26 660 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-04-23 10:20 --------- d---a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-04-22 15:53 --------- d-----w C:\Programmi\Microsoft ACT
2008-04-22 15:53 --------- d-----w C:\Programmi\HTML Help Workshop
2008-04-22 15:53 --------- d-----w C:\Programmi\AIMTunes
2008-04-21 14:37 --------- d-----w C:\Programmi\DivX
2008-04-21 14:36 --------- d-----w C:\Programmi\Picasa2
2008-04-15 14:01 --------- d-----w C:\Programmi\ESET
2008-04-14 16:35 --------- d-----w C:\Documents and Settings\FDN\Dati applicazioni\Skype
2008-04-08 12:44 --------- d-----w C:\Programmi\SPSS
2008-04-04 08:57 --------- d-----w C:\Programmi\Java
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-14 16:13 --------- d-----w C:\Documents and Settings\FDN\Dati applicazioni\QQ Games Plugin
2008-03-14 16:12 --------- d-----w C:\Documents and Settings\FDN\Dati applicazioni\acccore
2008-03-14 16:11 --------- d-----w C:\Programmi\Tencent
2008-03-14 16:11 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\AOL Downloads
2008-03-14 16:10 --------- d-----w C:\Programmi\Viewpoint
2008-03-14 16:10 --------- d-----w C:\Programmi\AIM6
2008-03-14 16:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Viewpoint
2008-03-14 16:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\AOL OCP
2008-03-14 16:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\AOL
2008-03-14 16:09 --------- d-----w C:\Programmi\File comuni\AOL
2008-03-04 11:26 --------- d-----w C:\Programmi\File comuni\Ahead
2008-03-04 11:26 --------- d-----w C:\Programmi\Ahead
2008-03-04 11:22 --------- d-----w C:\Programmi\Windows Live
2008-03-04 11:21 --------- dcsh--w C:\Programmi\File comuni\WindowsLiveInstaller
2008-02-29 09:36 --------- d-----w C:\Documents and Settings\FDN\Dati applicazioni\Nero
2008-02-29 09:35 --------- d-----w C:\Programmi\File comuni\Nero
2008-02-29 09:32 --------- d-----w C:\Programmi\Nero
2008-02-29 09:32 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Nero
2007-03-08 10:10 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012007030820070309\index.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:00 15360]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"PlaxoUpdate"="C:\Programmi\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 12:24 68856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 20:10 1688872]
"Microsoft©"="C:\WINDOWS\system32\dllcache\iexplore.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2006-06-23 13:17 778240]
"nwiz"="nwiz.exe" [2005-12-15 00:51 1519616 C:\WINDOWS\system32\nwiz.exe]
"Acrobat Assistant 7.0"="C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 18:01 68096 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-15 00:51 7323648]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-15 00:51 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NBKeyScan"="C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 15:21 2213160]
"PrevxOne"="C:\Programmi\Prevx2\PXConsole.exe" [2008-01-23 12:32 1997880]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-19 14:00 160256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:00 15360]
"Picasa Media Detector"="C:\Programmi\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll
"msvideo8"= STV680tg.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^NaturalColorLoad.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\NaturalColorLoad.lnk
backup=C:\WINDOWS\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-06 22:50 50528 C:\Programmi\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Programmi\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxCSI]
--a------ 2008-04-22 15:59 650296 C:\Programmi\PrevxCSI\PrevxCSI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Programmi\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\Sunbelt Software\\Personal Firewall 4\\kpf4gui.exe"=
"C:\\Programmi\\ESET\\nod32.exe"=
"C:\\Programmi\\ESET\\nod32kui.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\File comuni\\AOL\\Loader\\aolload.exe"=
"C:\\Programmi\\AIM6\\aim6.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:151.100.18.95/255.255.255.255,151.100.18.227/255.255.255.255:Enabled:@xpsp2res.dll,-22009

R0 JAHCI;JAHCI;C:\WINDOWS\system32\DRIVERS\JAHCI.sys [2005-10-25 05:35]
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-04-23 15:00]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 18:31]
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys [2007-11-28 14:26]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-12-15 18:13]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-12-15 18:01]
R2 CSIScanner;CSIScanner;"C:\Programmi\PrevxCSI\\PrevxCSI.exe" /service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Programmi\Viewpoint\Common\ViewpointService.exe" [2007-01-04 23:38]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]
S2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys []
S4 SysXfa;SysXfa;"C:\Programmi\File comuni\System\wxWk.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a28e98d-c338-11db-8189-00138f80a3b4}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3de401b5-055a-11dd-82cc-00138f80a3b4}]
\Shell\AutoRun\command - G:\.\run\autorun.exe
\Shell\open\Command - G:\.\run\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a323d6e-06e8-11dd-82ce-00138f80a3b4}]
\Shell\AutoRun\command - .\run\autorun.exe
\Shell\open\Command - .\run\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55029698-c34b-11dc-827f-00138f80a3b4}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94fd3eea-ce56-11dc-828e-00138f80a3b4}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a15fc6a7-bc3b-11db-817e-00138f80a3b4}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - F:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d150d4d8-cb31-11dc-828c-00138f80a3b4}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d150d531-cb31-11dc-828c-00138f80a3b4}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

*Newly Created Service* - CATCHME
.
Contenuto della cartella 'Scheduled Tasks'
"2006-12-13 18:35:43 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 17:46:37
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 339

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\imon.dll
-> C:\Programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-04-23 17.48.57
ComboFix-quarantined-files.txt 2008-04-23 15:48:48

9 Directory 15,726,596,096 byte disponibili
12 Directory 15,721,410,560 byte disponibili

210

-------------------

Luke, grazie mille dell'aiuto!!

Marco

[Luke57]

Ciao, copia questo codice:

Codice: Seleziona tutto

registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft©"=-
[-HKLM\System\CurrentControlSet\Services\SysXfa]

poi apri un file di testo (stafrt>esegui>notepad.exe>OK) incolla il codice e salva il file di testo obbligatoriamente con il nome CFScript.exe. Trascina il file, con il puntatore del mouse, sull'icona di combofix per una nuova scansione. Allega il nuovo report.

[marco.rm3]

Allega il nuovo report.

Ciao Luke,
ecco il nuovo report di ComboFix (ho fatto lo scan sempre scollegato da internet e con l'antivirus disattivo).
Hai diagnosi e cure per il mio PC?
Grazie

ComboFix 08-04-22.5 - FDN 2008-04-24 16.21.40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1497 [GMT 2:00]
Eseguito da: C:\Documents and Settings\FDN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\FDN\Desktop\CFScript.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-03-24 al 2008-04-24 )))))))))))))))))))))))))))))))))))
.

2008-04-24 13:22 . 2008-04-24 13:23 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-22 16:09 . 2008-04-24 16:17 <DIR> d-------- C:\Programmi\Prevx2
2008-04-22 16:09 . 2008-04-22 17:52 <DIR> d-------- C:\Documents and Settings\FDN\Dati applicazioni\Prevx
2008-04-22 16:09 . 2008-04-22 16:15 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Prevx
2008-04-22 15:59 . 2008-04-22 15:59 <DIR> d-------- C:\Programmi\PrevxCSI
2008-04-22 15:59 . 2008-04-23 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\PrevxCSI
2008-04-22 15:59 . 2008-04-23 15:00 10,880 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-04-22 12:35 . 2008-04-23 13:33 <DIR> d-------- C:\HJT
2008-04-22 12:31 . 2008-04-22 12:31 250 --a------ C:\WINDOWS\gmer.ini
2008-03-31 23:25 . 2008-03-31 23:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 23:25 . 2008-03-31 23:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 23:25 . 2008-03-31 23:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 23:25 . 2008-03-31 23:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 23:25 . 2008-03-31 23:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 23:25 . 2008-03-31 23:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-24 21:45 . 2008-03-24 21:45 630,784 --a------ C:\WINDOWS\system32\divxdec.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 11:19 --------- d-----w C:\Programmi\Plaxo
2008-04-23 11:26 660 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-04-23 10:20 --------- d---a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-04-22 15:53 --------- d-----w C:\Programmi\Microsoft ACT
2008-04-22 15:53 --------- d-----w C:\Programmi\HTML Help Workshop
2008-04-22 15:53 --------- d-----w C:\Programmi\AIMTunes
2008-04-21 14:37 --------- d-----w C:\Programmi\DivX
2008-04-21 14:36 --------- d-----w C:\Programmi\Picasa2
2008-04-15 14:01 --------- d-----w C:\Programmi\ESET
2008-04-14 16:35 --------- d-----w C:\Documents and Settings\FDN\Dati applicazioni\Skype
2008-04-08 12:44 --------- d-----w C:\Programmi\SPSS
2008-04-04 08:57 --------- d-----w C:\Programmi\Java
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-14 16:13 --------- d-----w C:\Documents and Settings\FDN\Dati applicazioni\QQ Games Plugin
2008-03-14 16:12 --------- d-----w C:\Documents and Settings\FDN\Dati applicazioni\acccore
2008-03-14 16:11 --------- d-----w C:\Programmi\Tencent
2008-03-14 16:11 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\AOL Downloads
2008-03-14 16:10 --------- d-----w C:\Programmi\Viewpoint
2008-03-14 16:10 --------- d-----w C:\Programmi\AIM6
2008-03-14 16:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Viewpoint
2008-03-14 16:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\AOL OCP
2008-03-14 16:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\AOL
2008-03-14 16:09 --------- d-----w C:\Programmi\File comuni\AOL
2008-03-05 14:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 14:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 14:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 13:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 13:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-04 11:26 --------- d-----w C:\Programmi\File comuni\Ahead
2008-03-04 11:26 --------- d-----w C:\Programmi\Ahead
2008-03-04 11:22 --------- d-----w C:\Programmi\Windows Live
2008-03-04 11:21 --------- dcsh--w C:\Programmi\File comuni\WindowsLiveInstaller
2008-02-29 09:36 --------- d-----w C:\Documents and Settings\FDN\Dati applicazioni\Nero
2008-02-29 09:35 --------- d-----w C:\Programmi\File comuni\Nero
2008-02-29 09:32 --------- d-----w C:\Programmi\Nero
2008-02-29 09:32 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Nero
2008-02-05 21:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
2007-03-08 10:10 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012007030820070309\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_17.47.56,95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 11:31:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 11:18:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-09-28 14:03:28 15,128 ----a-w C:\WINDOWS\LastGood\system32\x3daudio1_1.dll
+ 2007-06-20 18:45:20 18,280 ----a-w C:\WINDOWS\LastGood\system32\x3daudio1_2.dll
+ 2007-03-12 14:42:30 1,123,696 ----a-w C:\WINDOWS\system32\D3DCompiler_33.dll
+ 2007-05-16 14:45:16 1,124,720 ----a-w C:\WINDOWS\system32\D3DCompiler_34.dll
+ 2007-07-19 16:14:42 1,358,192 ----a-w C:\WINDOWS\system32\D3DCompiler_35.dll
+ 2007-10-12 13:14:00 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
+ 2007-03-15 14:57:58 443,752 ----a-w C:\WINDOWS\system32\d3dx10_33.dll
+ 2007-05-16 14:45:16 443,752 ----a-w C:\WINDOWS\system32\d3dx10_34.dll
+ 2007-07-19 16:14:42 444,776 ----a-w C:\WINDOWS\system32\d3dx10_35.dll
+ 2007-10-02 07:56:34 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
+ 2006-09-28 14:05:20 2,414,360 ----a-w C:\WINDOWS\system32\d3dx9_31.dll
+ 2006-11-29 11:06:18 3,426,072 ----a-w C:\WINDOWS\system32\d3dx9_32.dll
+ 2007-03-12 14:42:30 3,495,784 ----a-w C:\WINDOWS\system32\d3dx9_33.dll
+ 2007-05-16 14:45:16 3,497,832 ----a-w C:\WINDOWS\system32\d3dx9_34.dll
+ 2007-07-19 16:14:42 3,727,720 ----a-w C:\WINDOWS\system32\d3dx9_35.dll
+ 2007-10-12 13:14:00 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
- 2006-12-12 09:45:04 1,474,864 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2008-03-20 16:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
- 2006-06-08 16:19:52 5,967,776 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-04-05 20:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-04-23 11:36:11 63,324 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-24 11:23:12 63,324 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-23 11:36:11 75,408 ----a-w C:\WINDOWS\system32\perfc010.dat
+ 2008-04-24 11:23:12 75,408 ----a-w C:\WINDOWS\system32\perfc010.dat
- 2008-04-23 11:36:11 404,104 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-24 11:23:12 404,104 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-04-23 11:36:11 450,730 ----a-w C:\WINDOWS\system32\perfh010.dat
+ 2008-04-24 11:23:13 450,730 ----a-w C:\WINDOWS\system32\perfh010.dat
+ 2007-03-05 10:42:18 15,128 ----a-w C:\WINDOWS\system32\x3daudio1_1.dll
+ 2007-10-22 01:37:16 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
+ 2007-10-22 01:39:54 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
+ 2006-09-28 14:05:56 237,848 ----a-w C:\WINDOWS\system32\xactengine2_4.dll
+ 2006-12-08 10:02:00 251,672 ----a-w C:\WINDOWS\system32\xactengine2_5.dll
+ 2007-01-24 13:27:30 255,848 ----a-w C:\WINDOWS\system32\xactengine2_6.dll
+ 2007-04-04 16:55:00 261,480 ----a-w C:\WINDOWS\system32\xactengine2_7.dll
+ 2007-06-20 18:46:04 266,088 ----a-w C:\WINDOWS\system32\xactengine2_8.dll
+ 2007-07-19 22:57:12 267,112 ----a-w C:\WINDOWS\system32\xactengine2_9.dll
+ 2007-04-04 16:53:42 81,768 ----a-w C:\WINDOWS\system32\xinput1_3.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:00 15360]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"PlaxoUpdate"="C:\Programmi\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 12:24 68856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 20:10 1688872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2006-06-23 13:17 778240]
"nwiz"="nwiz.exe" [2005-12-15 00:51 1519616 C:\WINDOWS\system32\nwiz.exe]
"Acrobat Assistant 7.0"="C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 18:01 68096 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-15 00:51 7323648]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-15 00:51 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NBKeyScan"="C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 15:21 2213160]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-10-25 19:58 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:00 15360]
"Picasa Media Detector"="C:\Programmi\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll
"msvideo8"= STV680tg.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^NaturalColorLoad.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\NaturalColorLoad.lnk
backup=C:\WINDOWS\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-06 22:50 50528 C:\Programmi\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Programmi\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxCSI]
--a------ 2008-04-22 15:59 650296 C:\Programmi\PrevxCSI\PrevxCSI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
--a------ 2008-01-23 12:32 1997880 C:\Programmi\Prevx2\PXConsole.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Programmi\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\Sunbelt Software\\Personal Firewall 4\\kpf4gui.exe"=
"C:\\Programmi\\ESET\\nod32.exe"=
"C:\\Programmi\\ESET\\nod32kui.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\File comuni\\AOL\\Loader\\aolload.exe"=
"C:\\Programmi\\AIM6\\aim6.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:151.100.18.95/255.255.255.255,151.100.18.227/255.255.255.255:Enabled:@xpsp2res.dll,-22009

R0 JAHCI;JAHCI;C:\WINDOWS\system32\DRIVERS\JAHCI.sys [2005-10-25 05:35]
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-04-23 15:00]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 18:31]
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys [2007-11-28 14:26]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-12-15 18:13]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-12-15 18:01]
R2 CSIScanner;CSIScanner;"C:\Programmi\PrevxCSI\\PrevxCSI.exe" /service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Programmi\Viewpoint\Common\ViewpointService.exe" [2007-01-04 23:38]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]
S2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys []
S4 SysXfa;SysXfa;"C:\Programmi\File comuni\System\wxWk.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a28e98d-c338-11db-8189-00138f80a3b4}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3de401b5-055a-11dd-82cc-00138f80a3b4}]
\Shell\AutoRun\command - G:\.\run\autorun.exe
\Shell\open\Command - G:\.\run\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a323d6e-06e8-11dd-82ce-00138f80a3b4}]
\Shell\AutoRun\command - .\run\autorun.exe
\Shell\open\Command - .\run\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55029698-c34b-11dc-827f-00138f80a3b4}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94fd3eea-ce56-11dc-828e-00138f80a3b4}]
\Shell\Auto\command - F:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d150d4d8-cb31-11dc-828c-00138f80a3b4}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d150d531-cb31-11dc-828c-00138f80a3b4}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

*Newly Created Service* - DISK
.
Contenuto della cartella 'Scheduled Tasks'
"2006-12-13 18:35:43 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 16:27:45
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 339

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\imon.dll
-> C:\Programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-04-24 16.30.07
ComboFix-quarantined-files.txt 2008-04-24 14:29:54
ComboFix2.txt 2008-04-23 15:49:00

9 Directory 15,562,506,240 byte disponibili
11 Directory 15,563,931,648 byte disponibili

253