Salve ragazzi, sono appena uscito dal virus Interpol/FBI con relativo blocco del pc. Strano Anti-malware (Malwarebytes) e Avast sempre regolare (e relativo scan) comunque con windows xp, grazie a combofix in modalità provvisoria, ne sono uscito; ho letto naturalmente nella vostra sezione come fare da un altro pc: BRAVISSIMI
Sembra che sia tutto posto visto che il pc è ripartito e gli scan non trovano nulla, ma ad ogni avvio trovo il seguente errore:
errore durante il caricamento di C:\DOCUME~1\ALLUSE~1\DATIAP~1\RQMDFLWIJ.JSS
Non sono sicuro se termina con .JSS oppure .JIS. Ancora non tolgo combofix (esegui combofix / unistall) come indicato nella vostra guida.
Posto il log di combofix:
ComboFix 13-12-29.01 - Administrator 29/12/2013 20.19.08.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1535.1142 [GMT 1:00]
Eseguito da: g:\avast! sandbox\S-1-5-21-1993962763-1202660629-682003330-500\r103\ComboFix.exe_{b1eeceec-70a8-11e3-a3de-0017c25d0e66}\G\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Dati applicazioni\rqmdflwjl.jss
c:\documents and settings\All Users\Dati applicazioni\TEMP
c:\windows\IsUn0410.exe
.
c:\windows\system32\msgsvc.dll . . . è infetto!!
.
.
((((((((((((((((((((((((( Files Creati Da 2013-11-28 al 2013-12-29 )))))))))))))))))))))))))))))))))))
.
.
2013-12-29 18:42 . 2013-12-29 18:42 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\programmi\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HW_OPENEYE_OUC_Chiavetta Internet Tre.it"="c:\programmi\Chiavetta Internet Tre.it\UpdateDog\ouc.exe" [2013-08-20 246112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\programmi\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"Jet Detection"="c:\programmi\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-28 28672]
"CTStartup"="c:\programmi\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-19 28672]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
.
c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
ljwlfdmqr.lnk - c:\windows\system32\rundll32.exe c:\docume~1\ALLUSE~1\DATIAP~1\rqmdflwjl.jss,GGF0 [2002-12-31 33280]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe -boot [2012-3-1 212992]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 13:18 202024 ----a-w- c:\programmi\File comuni\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 13:57 153136 ----a-w- c:\programmi\File comuni\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 23:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"d:\\mulo\\Nuova cartella\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
.
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [20/08/2013 13.57.17 76544]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [29/02/2012 11.23.32 729752]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [29/02/2012 11.23.36 355632]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [29/02/2012 11.23.36 21256]
S2 Chiavetta Internet Tre.it. RunOuc;Chiavetta Internet Tre.it. OUC;c:\programmi\Chiavetta Internet Tre.it\UpdateDog\ouc.exe [20/08/2013 13.56.56 246112]
S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [01/03/2012 19.45.59 99896]
S2 HWDeviceService.exe;HWDeviceService.exe;c:\documents and settings\All Users\Dati applicazioni\DatacardService\HWDeviceService.exe [14/03/2011 16.27.28 271712]
S3 cwrwdm;Driver WDM SoundFusion(tm);c:\windows\system32\drivers\cwrwdm.sys [04/04/2012 15.38.38 48640]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [20/08/2013 13.57.16 102784]
S3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\drivers\ew_usbenumfilter.sys [20/08/2013 13.57.16 11136]
S3 Generalusbserialser20675;USB Legacy Serial Communication 20675;c:\windows\system32\DRIVERS\CT_U_USBSER.sys --> c:\windows\system32\DRIVERS\CT_U_USBSER.sys [?]
S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\drivers\ew_jucdcacm.sys [20/08/2013 13.57.17 95616]
S3 huawei_cdcecm;huawei_cdcecm;c:\windows\system32\drivers\ew_jucdcecm.sys [20/08/2013 13.57.17 70016]
S3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\drivers\ew_juextctrl.sys [20/08/2013 13.57.17 27520]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [01/03/2012 19.44.54 17408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-06 12:47 1210320 ----a-w- c:\programmi\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contenuto della cartella 'Scheduled Tasks'
.
2013-01-09 c:\windows\Tasks\avast! Emergency Update.job
- c:\programmi\AVAST Software\Avast\AvastEmUpdate.exe [2012-08-14 09:12]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cef337119c5232.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2012-08-14 19:23]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://libero.it/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{605E5D27-BFA0-471F-87ED-98A2623D633C} - c:\programmi\CADE Pro 2.20.3\Web\new.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\av0orgad.default\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
AddRemove-DSite - c:\documents and settings\Administrator\Dati applicazioni\DSite\UpdateProc\UpdateTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-29 20:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\programmi\Creative\Splash Screen\CTEaxSpl.EXE /run??s????h???\????????\?w? ?w???????w???w4???????.??w4???????4????>?s4????????:3?????\??? ??? ???\???\???????????5?:~e?:~\???\?????????`??????C@?\???\???$??s????\??????s\????:3?5??s?:3??C@?x???`|?w\?????@
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-1390067357-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3f,69,a6,2d,56,9e,60,42,b4,3a,38,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,17,04,8e,2e,8c,24,50,4b,9f,e8,11,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,0c,50,73,98,9c,d5,48,83,c8,59,\
.
[HKEY_USERS\S-1-5-21-1644491937-1390067357-1177238915-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•9~*]
"0140710900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Ora fine scansione: 2013-12-29 20:26:03
ComboFix-quarantined-files.txt 2013-12-29 19:25
.
Pre-Run: 4.222.754.816 byte disponibili
Post-Run: 5.937.233.920 byte disponibili
.
- - End Of File - - FF6B234F67C38D117768B45EE69F50C7
828E02D5C4A4FBE53441EE9DBEE51F43
Registrazione
Grazie tantissimo, ma in attesa della vostra risposta il pc mi ha abbandonato nuovamente con lo stesso problema, non riuscendo a farlo ripartire e il 31/12/2013 l'ho dovuto portare in assistenza, ripreso pochi minuti fa. Ho trovato anti virus cambiato: zone allarm, a parte un messaggio dell'antivirus: Nuova rete rilevata: selezionare una zona attendibile per la wirless di indirizzi ip: 192.168.1.0 (utilizzo la classica alice adsl con il filo NO wirless) cosa bisogna selezionare INTERNET o ATTENDIBILE ?