Jon Snow (Eroe)
Registered: 23/12/07 00:37  Posts: 50
Posted: 06 Jan 2008 16:56  Subject: [Solved] connection present but not working....
Hi everyone. I have a very frustrating problem while using eMule. Basically the firewall I use (Outpost) reports an intrusion attempt via IP spoofing from a certain IP address. I read up on it and found that IP spoofing can occur on a LAN or on Wi-Fi connections, and I use neither; I have an ordinary ADSL modem.
Anyway, as soon as this happens eMule starts dropping the download in progress to 0, uploads are blocked, the instant messenger I use (Pidgin) gets disconnected, and if I have pages open in Mozilla I can no longer load them; if I close and reopen Mozilla, nothing is displayed at all.
I noticed that only once, after a few minutes, everything started working perfectly again; otherwise I have to disconnect and reconnect to get back to normal. It annoys me quite a lot, because if I'm not there the connection doesn't come back and the PC stays on all night for nothing.
In any case, while this is happening the connection stays up even though the PC behaves as if it were down.
My antivirus is AVG.
If some kind soul has any idea how to help me, it would be a huge favour.. Thanks everyone and happy Epiphany to all.
Sante62 (Dio maturo)
Registered: 27/06/07 17:55  Posts: 3477  Location: Floridia
Posted: 06 Jan 2008 18:27  Subject:
Hi Jon Snow
Evidently you have an intruder and the firewall is doing its job..
Anyway, post a HijackThis log for now.
Jon Snow (Eroe)
Registered: 23/12/07 00:37  Posts: 50
Posted: 06 Jan 2008 19:14  Subject:
Hi Sante62!!
You're my guardian angel heh, anyway here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18.12.11, on 06/01/2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
c:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\System32\WgaTray.exe
G:\WINDOWS\Mixer.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\Programmi\Corel\Graphics9\Register\Remind32.exe
G:\WINDOWS\System32\wuauclt.exe
G:\WINDOWS\explorer.exe
G:\Documents and Settings\Bar Ferraris\Desktop\utility pc\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dbsarticles.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Virgilio Toolbar - {D3403F28-7D39-435F-A8CB-45016C29E48E} - C:\Programmi\Virgilio Toolbar\VirgilioBand.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall 1.0\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Registrazione Corel.lnk = C:\Programmi\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5190/mcfscan.cab
O20 - AppInit_DLLs: C:\Programmi\Agnitum\Outpost Firewall 1.0\wl_hook.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - G:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - G:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
--
End of file - 6458 bytes
Sante62 (Dio maturo)
Registered: 27/06/07 17:55  Posts: 3477  Location: Floridia
Posted: 06 Jan 2008 22:19  Subject:
The log looks clean.....
Run a scan with ComboFix (I believe you've already used it and know how to proceed) and post the result. Also run the scans with GMER.
Remember that GMER produces two logs: Autostart and Rootkit. And don't post them here, because they're too long.
Jon Snow (Eroe)
Registered: 23/12/07 00:37  Posts: 50
Posted: 06 Jan 2008 23:57  Subject:
So, I used ComboFix and GMER. But the PC rebooted while GMER was finishing the rootkit scan.
That's not normal, is it?
So I'm attaching only the autostart log and the ComboFix log.
autostart log: http://www.freefilehosting.net/download/3a4k2
combofix log:
ComboFix 08-01-07.1 - Bar Ferraris 2008-01-06 21.50.59.2 - NTFSx86
Eseguito da: G:\Documents and Settings\Bar Ferraris\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((( Files Creati Da 2007-12-07 al 2008-01-07 )))))))))))))))))))))))))))))))))))
.
2008-01-06 21:49 . 2000-08-31 08:00 51,200 --a------ G:\WINDOWS\NirCmd.exe
2007-12-28 14:07 . 2008-01-06 21:00 <DIR> d-------- G:\Documents and Settings\Bar Ferraris\Dati applicazioni\gtk-2.0
2007-12-28 14:05 . 2008-01-06 21:09 <DIR> d-------- G:\Documents and Settings\Bar Ferraris\Dati applicazioni\.purple
2007-12-28 14:02 . 2007-12-28 14:02 <DIR> d-------- C:\Programmi\Pidgin
2007-12-28 14:02 . 2007-12-28 14:02 <DIR> d-------- C:\Programmi\File comuni\GTK
2007-12-26 17:32 . 2008-01-05 16:00 49 --a------ G:\WINDOWS\transp.gif
2007-12-26 11:15 . 2007-12-26 11:15 <DIR> d-------- G:\WINDOWS\system32\Kaspersky Lab
2007-12-26 11:15 . 2007-12-26 11:15 <DIR> d-------- G:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2007-12-25 17:50 . 2007-12-25 17:50 135 --a------ G:\fix.reg
2007-12-24 20:27 . 2007-12-24 20:27 <DIR> d-------- C:\Programmi\File comuni\Agnitum Shared
2007-12-24 20:27 . 2007-12-24 20:27 <DIR> d-------- C:\Programmi\Agnitum
2007-12-23 21:50 . 2007-12-24 11:51 250 --a------ G:\WINDOWS\gmer.ini
2007-12-23 00:23 . 2007-12-23 00:26 <DIR> d-------- G:\QUARANTENA_VIRIT
2007-12-22 22:22 . 2007-12-27 07:37 <DIR> d-------- C:\Programmi\RegCure
2007-12-21 22:21 . 2007-12-21 22:21 0 --a------ G:\WINDOWS\system32\bb.exe
2007-12-21 21:13 . 2007-06-05 10:56 44,928 --a------ G:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-21 20:31 . 2007-12-21 20:31 <DIR> d-------- G:\WINDOWS\McAfee.com
2007-12-20 21:13 . 2007-12-20 21:13 0 --a------ G:\WINDOWS\system32\gg.exe
2007-12-19 22:49 . 2007-12-19 22:49 0 --a------ G:\WINDOWS\system32\sh.exe
2007-12-16 20:05 . 2007-12-16 20:05 208 --a------ G:\WINDOWS\system32\MRT.INI
2007-12-14 21:20 . 2007-12-14 21:20 <DIR> d-------- G:\WINDOWS\system32\bak
2007-12-14 09:00 . 2007-12-14 09:00 244 --ah----- G:\sqmnoopt19.sqm
2007-12-14 09:00 . 2007-12-14 09:00 232 --ah----- G:\sqmdata19.sqm
2007-12-14 08:56 . 2007-12-14 08:56 244 --ah----- G:\sqmnoopt18.sqm
2007-12-14 08:56 . 2007-12-14 08:56 244 --ah----- G:\sqmnoopt17.sqm
2007-12-14 08:56 . 2007-12-14 08:56 244 --ah----- G:\sqmnoopt16.sqm
2007-12-14 08:56 . 2007-12-14 08:56 232 --ah----- G:\sqmdata18.sqm
2007-12-14 08:56 . 2007-12-14 08:56 232 --ah----- G:\sqmdata17.sqm
2007-12-14 08:56 . 2007-12-14 08:56 232 --ah----- G:\sqmdata16.sqm
2007-12-13 09:04 . 2007-12-13 09:04 244 --ah----- G:\sqmnoopt15.sqm
2007-12-13 09:04 . 2007-12-13 09:04 232 --ah----- G:\sqmdata15.sqm
2007-12-12 18:45 . 2007-12-12 18:45 244 --ah----- G:\sqmnoopt14.sqm
2007-12-12 18:45 . 2007-12-12 18:45 232 --ah----- G:\sqmdata14.sqm
2007-12-12 18:24 . 2007-12-12 18:24 244 --ah----- G:\sqmnoopt13.sqm
2007-12-12 18:24 . 2007-12-12 18:24 232 --ah----- G:\sqmdata13.sqm
2007-12-11 20:46 . 2007-12-11 20:46 3,596,288 --a------ G:\WINDOWS\system32\qt-dx331.dll
2007-12-11 20:46 . 2007-12-11 20:46 524,288 --a------ G:\WINDOWS\system32\DivXsm.exe
2007-12-11 20:46 . 2007-12-11 20:46 4,816 --a------ G:\WINDOWS\system32\divxsm.tlb
2007-12-11 20:45 . 2007-12-11 20:45 1,044,480 --a------ G:\WINDOWS\system32\libdivx.dll
2007-12-11 20:45 . 2007-12-11 20:45 200,704 --a------ G:\WINDOWS\system32\ssldivx.dll
2007-12-11 20:43 . 2007-12-11 20:43 12,288 --a------ G:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-11 12:18 . 2007-12-11 12:18 244 --ah----- G:\sqmnoopt12.sqm
2007-12-11 12:18 . 2007-12-11 12:18 232 --ah----- G:\sqmdata12.sqm
2007-12-11 12:17 . 2007-12-11 12:17 244 --ah----- G:\sqmnoopt11.sqm
2007-12-11 12:17 . 2007-12-11 12:17 232 --ah----- G:\sqmdata11.sqm
2007-12-11 09:58 . 2007-12-11 09:58 244 --ah----- G:\sqmnoopt10.sqm
2007-12-11 09:58 . 2007-12-11 09:58 232 --ah----- G:\sqmdata10.sqm
2007-12-11 09:45 . 2007-12-11 09:45 244 --ah----- G:\sqmnoopt09.sqm
2007-12-11 09:45 . 2007-12-11 09:45 232 --ah----- G:\sqmdata09.sqm
2007-12-11 09:37 . 2007-12-11 09:37 244 --ah----- G:\sqmnoopt08.sqm
2007-12-11 09:37 . 2007-12-11 09:37 232 --ah----- G:\sqmdata08.sqm
2007-12-11 09:36 . 2007-12-11 09:36 244 --ah----- G:\sqmnoopt07.sqm
2007-12-11 09:36 . 2007-12-11 09:36 244 --ah----- G:\sqmnoopt06.sqm
2007-12-11 09:36 . 2007-12-11 09:36 232 --ah----- G:\sqmdata07.sqm
2007-12-11 09:36 . 2007-12-11 09:36 232 --ah----- G:\sqmdata06.sqm
2007-12-11 09:35 . 2007-12-11 09:35 244 --ah----- G:\sqmnoopt05.sqm
2007-12-11 09:35 . 2007-12-11 09:35 232 --ah----- G:\sqmdata05.sqm
2007-12-11 09:33 . 2007-12-11 09:33 244 --ah----- G:\sqmnoopt04.sqm
2007-12-11 09:33 . 2007-12-11 09:33 232 --ah----- G:\sqmdata04.sqm
2007-12-08 10:58 . 2007-12-08 10:58 244 --ah----- G:\sqmnoopt03.sqm
2007-12-08 10:58 . 2007-12-08 10:58 232 --ah----- G:\sqmdata03.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 20:09 --------- d-----w G:\Documents and Settings\Bar Ferraris\Dati applicazioni\.purple
2008-01-06 16:23 --------- d-----w G:\Documents and Settings\Bar Ferraris\Dati applicazioni\AVG7
2008-01-06 14:43 --------- d-----w C:\Programmi\eMule
2007-12-25 16:21 --------- d-----w C:\Programmi\PDFCreator Toolbar
2007-12-25 16:21 --------- d-----w C:\Programmi\PDF-Creator 2
2007-12-22 20:48 --------- d---a-w G:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-12-21 20:26 --------- d-----w C:\Programmi\a-squared Free
2007-12-19 16:36 --------- d-----w C:\Programmi\DivX
2007-12-15 10:15 9,344 ----a-w G:\WINDOWS\system32\drivers\NSDriver.sys
2007-12-15 10:15 8,320 ----a-w G:\WINDOWS\system32\drivers\AWRTRD.sys
2007-12-14 20:27 --------- d-----w C:\Programmi\QuickTime
2007-12-14 20:27 --------- d-----w C:\Programmi\DAEMON Tools
2007-12-11 19:44 823,296 ----a-w G:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w G:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w G:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w G:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w G:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w G:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w G:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w G:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w G:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w G:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w G:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w G:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w G:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-30 19:05 --------- d-----w C:\Programmi\XviD
2007-11-26 20:39 11,060,978 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_22_15_33_24_full.dmp.zip
2007-11-23 19:04 36,096 ----a-w G:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2007-11-22 15:07 --------- d-----w G:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2007-11-22 15:07 --------- d-----w C:\Programmi\Lavasoft
2007-11-22 15:07 --------- d-----w C:\Documents and Settings\Bar Ferraris\Dati applicazioni\Lavasoft
2007-11-22 15:06 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2007-11-11 13:04 --------- d-----w C:\Programmi\PDFCreator
2007-11-11 12:51 98,304 ----a-w G:\WINDOWS\system32\pdfmona.dll
2007-11-11 12:51 50,364 ----a-w G:\WINDOWS\system32\pdf995mon.dll
2007-11-09 18:49 72,192 ----a-w G:\WINDOWS\cadkasdeinst01e.exe
2007-11-07 17:04 --------- d-----w C:\Programmi\Google
2007-10-04 12:20 36,885 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_10_02_16_55_45_small.dmp.zip
2007-08-24 06:32 38,146 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_08_24_08_15_44_small.dmp.zip
2007-08-17 16:33 36,224 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_08_17_18_27_28_small.dmp.zip
2007-08-04 05:34 36,390 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_08_02_15_57_22_small.dmp.zip
2007-07-12 12:40 36,471 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_07_12_14_32_27_small.dmp.zip
2007-07-11 10:58 42,078 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_07_11_12_52_14_small.dmp.zip
2007-05-12 09:15 39,621 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_05_12_11_06_29_small.dmp.zip
2007-04-05 08:43 39,883 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_04_05_10_35_39_small.dmp.zip
2007-03-29 15:57 38,721 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_03_27_12_07_06_small.dmp.zip
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\System32\ctfmon.exe" [2001-08-31 11:00 13312]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-11-15 15:18 1670144]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2007-12-14 21:25 14348]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2001-12-07 16:24 1216512 G:\WINDOWS\mixer.exe]
"AtiPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-12-14 21:25 14348]
"HydarVisionDesktopManager"="" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-12-14 21:25 14348]
"QuickTime Task"="C:\Programmi\QuickTime\bak\qttask.exe" [2003-05-02 08:57 77824]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe" [2007-12-14 21:25 14348]
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" [2007-12-14 21:25 14348]
"AVG7_CC"="G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-24 15:03 579072]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2006-03-30 10:51 91648]
"OutpostFeedBack"="C:\Programmi\Agnitum\Outpost Firewall 1.0\feedback.exe" [2006-05-11 12:05 356420]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-31 11:00 13312]
"AVG7_Run"="G:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-31 08:34 219136]
"OfficeWord Monitors"="G:\WINDOWS\System32\Offlce.exe" [ ]
G:\Documents and Settings\Bar Ferraris\Menu Avvio\Programmi\Esecuzione automatica\
Registrazione Corel.lnk - C:\Programmi\Corel\Graphics9\Register\Remind32.exe [2002-08-09 10:00:14]
G:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Speed Launch.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\Programmi\Agnitum\Outpost Firewall 1.0\wl_hook.dll
R0 BsStor;InCD Storage Helper Driver;G:\WINDOWS\System32\DRIVERS\bsstor.sys [2002-08-09 10:07]
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2006-03-30 10:53]
R3 Linux.DLL;Outpost Firewall PlugIn (Linux.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\Linux.DLL [2006-03-30 10:53]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);C:\Programmi\Agnitum\Outpost Firewall 1.0\kernel\ARP.DLL [2006-03-30 10:53]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2006-03-30 10:53]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2006-03-30 10:53]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2006-03-30 10:53]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2006-03-30 10:53]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2006-03-30 10:53]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2006-03-30 10:53]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2006-03-30 10:53]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2006-03-30 10:53]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2006-03-30 10:53]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2006-03-30 10:53]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);C:\Programmi\Agnitum\Outpost Firewall 1.0\kernel\SECRET.DLL [2006-03-30 10:53]
S3 s3m;s3m;G:\WINDOWS\System32\DRIVERS\s3m.sys [2001-08-17 19:50]
S4 BsUDF;InCD UDF Driver;G:\WINDOWS\System32\drivers\BsUDF.sys [2002-08-09 10:07]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-06 16:00:02 G:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Programmi\RegCure\RegCure.exe
"2007-12-27 06:40:19 G:\WINDOWS\Tasks\RegCure.job"
- C:\Programmi\RegCure\RegCure.exe
"2008-01-07 21:07:15 G:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 22:08:50
Windows 5.1.2600 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-07 22.12.54
ComboFix2.txt 2007-12-23 16:33:19
.
2007-12-16 19:05:04 --- E O F ---
Sante62 (Dio maturo)
Registered: 27/06/07 17:55  Posts: 3477  Location: Floridia
Posted: 07 Jan 2008 09:55  Subject:
The fact that the PC rebooted is certainly not normal, and it's odd that it got reinfected again....
If I'm not mistaken I saw that you have VirIT. Run a full scan with it; even if it has expired, do it anyway, it will still identify the infected files. Then download SystemScan
and post the result as indicated here
Jon Snow (Eroe)
Registered: 23/12/07 00:37  Posts: 50
Posted: 07 Jan 2008 12:09  Subject:
No, unfortunately I don't have VirIT anymore. I only have AVG. I'll download it again and let you know.
Jon Snow (Eroe)
Registered: 23/12/07 00:37  Posts: 50
Posted: 07 Jan 2008 14:19  Subject:
I downloaded VirIT again and the only file it found is this one:
G:\QUARANTENA_VIRIT\spool.exe Infected with Backdoor.RBot.AAK
Then I launched SystemScan, but I get the following message:
Warning! You don't have the seDebugPrivilege, which is required for SystemScan to work.
seDebugPrivilege will be restored to Administrators Group. A REBOOT is required for changes to take effect.
Please save all data and press Ok to REBOOT your system now, or Cancel to reboot later.
I did as advised, i.e. I downloaded SeDebug-Restore.exe, ran it, rebooted the PC, and the message above reappeared. In fact, when I launch the program it says:
"\cscript.exe is not recognized as an internal or external command"
What do I do???
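SystemScan's warning says the built-in Administrators group no longer holds SeDebugPrivilege. On Windows XP that can be confirmed without any third-party tool: `secedit /export /cfg %TEMP%\secpol.inf` from an administrator command prompt writes the local security policy as an INI-style file whose `[Privilege Rights]` section lists, for each user right, the SIDs that hold it (S-1-5-32-544 is Administrators). The parser below is an added example, not part of the thread or of SystemScan; the two policy excerpts are constructed to show a healthy export next to one where every holder of the right has been stripped.

```python
# Built-in Administrators group; the SID that SystemScan's warning says is missing the right.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed excerpts in the format "secedit /export /cfg <file>" writes
# (the real file is UTF-16 and has more sections; only what matters here is shown).
HEALTHY_POLICY = """
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Same export after something removed every holder of SeDebugPrivilege.
STRIPPED_POLICY = """
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege =
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_holders(inf_text: str, privilege: str) -> list:
    """SIDs (without the leading '*') that hold `privilege` in a secedit export."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == privilege.lower():
            return [t.strip().lstrip("*") for t in value.split(",") if t.strip()]
    return []


def admins_can_debug(inf_text: str) -> bool:
    """True when the Administrators group is among the holders of SeDebugPrivilege."""
    return ADMINISTRATORS_SID in privilege_holders(inf_text, "SeDebugPrivilege")


def load_export(path: str) -> str:
    # secedit writes its export as UTF-16 with a BOM; "utf-16" handles both byte orders.
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    import sys

    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else HEALTHY_POLICY
    print("SeDebugPrivilege holders:", privilege_holders(text, "SeDebugPrivilege"))
    print("Administrators can debug:", admins_can_debug(text))
```

Run it against the exported file (`python check_sedebug.py %TEMP%\secpol.inf`). If the right is missing, edit that line of the export to `SeDebugPrivilege = *S-1-5-32-544` and apply it with `secedit /configure /db %TEMP%\secpol.sdb /cfg %TEMP%\secpol.inf /areas USER_RIGHTS`, then log off and back on: user rights are placed in the access token at logon, so a running session does not pick the change up.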
bdoriano (Administrator)
Registered: 02/04/07 12:05  Posts: 14391  Location: 3rd planet of the solar system...
Posted: 07 Jan 2008 14:31  Subject:
Open a new file with Notepad and insert these lines:

Quote:
File::
G:\WINDOWS\system32\bb.exe
G:\WINDOWS\McAfee.com
G:\WINDOWS\system32\gg.exe
G:\WINDOWS\system32\sh.exe
G:\WINDOWS\System32\Offlce.exe

Save the file to the desktop and name it CFScript.txt.
Drag the file you just created onto the ComboFix icon, as shown below:
You will be asked to reboot the PC.
When it finishes, post the ComboFix log and an updated HijackThis log here.
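The entries bdoriano lists above were picked out of the ComboFix log by eye: three zero-byte executables under system32 (bb.exe, gg.exe, sh.exe), and a Run value named "OfficeWord Monitors" whose target, Offlce.exe, is one letter away from "Office" and whose bracketed date/size is empty, which is what ComboFix typically prints when it cannot stat the target. The script below is an added example, not code from the thread or from ComboFix: it applies those three checks mechanically to lines in the format ComboFix prints. The sample lines are constructed from the log above (not the full log), and the list of legitimate names it compares against is an assumption, not something ComboFix ships.

```python
import re

# Extensions worth flagging when a file shows up with size 0 under %SystemRoot%.
BINARY_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}

# Assumed list of legitimate names that malware likes to imitate (Offlce.exe vs Office).
KNOWN_NAMES = {"office", "svchost", "lsass", "csrss", "winlogon", "explorer", "services", "spoolsv"}

# "created . modified size attrs path" lines from the "Files Creati" / "Find3M" sections.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>[\d,]+|<DIR>) \S+ (?P<path>.+?)\s*$"
)
# "Name"="target" [timestamp size] lines from the Run-key dump.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<stat>[^\]]*)\]\s*$')

# Constructed sample in the shape of the ComboFix log posted in the thread (not the full log).
SAMPLE_LOG = r"""
2007-12-21 22:21 . 2007-12-21 22:21 0 --a------ G:\WINDOWS\system32\bb.exe
2007-12-20 21:13 . 2007-12-20 21:13 0 --a------ G:\WINDOWS\system32\gg.exe
2007-12-19 22:49 . 2007-12-19 22:49 0 --a------ G:\WINDOWS\system32\sh.exe
2007-12-11 20:46 . 2007-12-11 20:46 524,288 --a------ G:\WINDOWS\system32\DivXsm.exe
2007-12-21 20:31 . 2007-12-21 20:31 <DIR> d-------- G:\WINDOWS\McAfee.com
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-24 15:03 579072]
"HydarVisionDesktopManager"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="G:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-31 08:34 219136]
"OfficeWord Monitors"="G:\WINDOWS\System32\Offlce.exe" [ ]
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the lookalike-name check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def split_ext(name: str):
    """('offlce', '.exe') for 'Offlce.exe'; ('pidgin', '') when there is no extension."""
    stem, dot, ext = name.lower().rpartition(".")
    return (stem, "." + ext) if dot else (name.lower(), "")


def lookalike_of(name: str):
    """Return the legitimate name this file name is exactly one edit away from, or None."""
    stem, _ = split_ext(name)
    for known in KNOWN_NAMES:
        if stem != known and edit_distance(stem, known) == 1:
            return known
    return None


def triage(log_text: str):
    """Return (reason, path) pairs for suspicious file and autorun lines."""
    findings = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            path = m["path"]
            if m["size"] == "0" and split_ext(basename(path))[1] in BINARY_EXT:
                findings.append(("zero-byte-binary", path))
            known = lookalike_of(basename(path))
            if known:
                findings.append((f"lookalike-of-{known}", path))
            continue
        m = RUN_RE.match(line)
        if m and m["path"]:
            path = m["path"]
            # The brackets normally carry the target's date and size; when they are
            # empty ComboFix could not stat the file, i.e. an autorun pointing at a
            # binary that is gone (or hidden from it).
            if not m["stat"].strip():
                findings.append(("autorun-target-missing", path))
            known = lookalike_of(basename(path))
            if known:
                findings.append((f"lookalike-of-{known}", path))
    return findings


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason:24} {path}")
```

On the sample it reports the three zero-byte binaries once each and Offlce.exe twice (missing target and lookalike of "office"), which is exactly the set bdoriano put in CFScript.txt apart from the McAfee.com directory, which none of the three rules covers. The lookalike rule deliberately requires distance exactly 1 so that ordinary names close to nothing on the list stay quiet; extend KNOWN_NAMES with whatever processes matter on the machine being examined.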
Jon Snow (Eroe)
Registered: 23/12/07 00:37  Posts: 50
Posted: 07 Jan 2008 15:42  Subject:
I did as you advised, but it didn't ask me to reboot the PC.
Anyway, here are the ComboFix and HJT logs.
ComboFix 08-01-07.1 - Bar Ferraris 2008-01-07 13.59.29.3 - NTFSx86
Eseguito da: G:\Documents and Settings\Bar Ferraris\Desktop\ComboFix.exe
Command switches used :: G:\Documents and Settings\Bar Ferraris\Desktop\CFScript.txt
* Creato nuovo punto di ripristino
FILE
G:\WINDOWS\McAfee.com
G:\WINDOWS\system32\bb.exe
G:\WINDOWS\system32\gg.exe
G:\WINDOWS\System32\Offlce.exe
G:\WINDOWS\system32\sh.exe
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\WINDOWS\system32\bb.exe
G:\WINDOWS\system32\gg.exe
G:\WINDOWS\system32\sh.exe
.
((((((((((((((((((((((((( Files Creati Da 2007-12-07 al 2008-01-07 )))))))))))))))))))))))))))))))))))
.
2008-01-06 21:49 . 2000-08-31 08:00 51,200 --a------ G:\WINDOWS\NirCmd.exe
2007-12-28 14:07 . 2008-01-06 21:00 <DIR> d-------- G:\Documents and Settings\Bar Ferraris\Dati applicazioni\gtk-2.0
2007-12-28 14:05 . 2008-01-07 11:19 <DIR> d-------- G:\Documents and Settings\Bar Ferraris\Dati applicazioni\.purple
2007-12-28 14:02 . 2007-12-28 14:02 <DIR> d-------- C:\Programmi\Pidgin
2007-12-28 14:02 . 2007-12-28 14:02 <DIR> d-------- C:\Programmi\File comuni\GTK
2007-12-26 17:32 . 2008-01-07 13:11 49 --a------ G:\WINDOWS\transp.gif
2007-12-26 11:15 . 2007-12-26 11:15 <DIR> d-------- G:\WINDOWS\system32\Kaspersky Lab
2007-12-26 11:15 . 2007-12-26 11:15 <DIR> d-------- G:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2007-12-25 17:50 . 2007-12-25 17:50 135 --a------ G:\fix.reg
2007-12-24 20:27 . 2007-12-24 20:27 <DIR> d-------- C:\Programmi\File comuni\Agnitum Shared
2007-12-24 20:27 . 2007-12-24 20:27 <DIR> d-------- C:\Programmi\Agnitum
2007-12-23 21:50 . 2008-01-06 22:15 250 --a------ G:\WINDOWS\gmer.ini
2007-12-23 00:23 . 2007-12-23 00:26 <DIR> d-------- G:\QUARANTENA_VIRIT
2007-12-22 22:22 . 2007-12-27 07:37 <DIR> d-------- C:\Programmi\RegCure
2007-12-21 21:13 . 2007-06-05 10:56 44,928 --a------ G:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-21 20:31 . 2007-12-21 20:31 <DIR> d-------- G:\WINDOWS\McAfee.com
2007-12-16 20:05 . 2007-12-16 20:05 208 --a------ G:\WINDOWS\system32\MRT.INI
2007-12-14 21:20 . 2007-12-14 21:20 <DIR> d-------- G:\WINDOWS\system32\bak
2007-12-14 09:00 . 2007-12-14 09:00 244 --ah----- G:\sqmnoopt19.sqm
2007-12-14 09:00 . 2007-12-14 09:00 232 --ah----- G:\sqmdata19.sqm
2007-12-14 08:56 . 2007-12-14 08:56 244 --ah----- G:\sqmnoopt18.sqm
2007-12-14 08:56 . 2007-12-14 08:56 244 --ah----- G:\sqmnoopt17.sqm
2007-12-14 08:56 . 2007-12-14 08:56 244 --ah----- G:\sqmnoopt16.sqm
2007-12-14 08:56 . 2007-12-14 08:56 232 --ah----- G:\sqmdata18.sqm
2007-12-14 08:56 . 2007-12-14 08:56 232 --ah----- G:\sqmdata17.sqm
2007-12-14 08:56 . 2007-12-14 08:56 232 --ah----- G:\sqmdata16.sqm
2007-12-13 09:04 . 2007-12-13 09:04 244 --ah----- G:\sqmnoopt15.sqm
2007-12-13 09:04 . 2007-12-13 09:04 232 --ah----- G:\sqmdata15.sqm
2007-12-12 18:45 . 2007-12-12 18:45 244 --ah----- G:\sqmnoopt14.sqm
2007-12-12 18:45 . 2007-12-12 18:45 232 --ah----- G:\sqmdata14.sqm
2007-12-12 18:24 . 2007-12-12 18:24 244 --ah----- G:\sqmnoopt13.sqm
2007-12-12 18:24 . 2007-12-12 18:24 232 --ah----- G:\sqmdata13.sqm
2007-12-11 20:46 . 2007-12-11 20:46 3,596,288 --a------ G:\WINDOWS\system32\qt-dx331.dll
2007-12-11 20:46 . 2007-12-11 20:46 524,288 --a------ G:\WINDOWS\system32\DivXsm.exe
2007-12-11 20:46 . 2007-12-11 20:46 4,816 --a------ G:\WINDOWS\system32\divxsm.tlb
2007-12-11 20:45 . 2007-12-11 20:45 1,044,480 --a------ G:\WINDOWS\system32\libdivx.dll
2007-12-11 20:45 . 2007-12-11 20:45 200,704 --a------ G:\WINDOWS\system32\ssldivx.dll
2007-12-11 20:43 . 2007-12-11 20:43 12,288 --a------ G:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-11 12:18 . 2007-12-11 12:18 244 --ah----- G:\sqmnoopt12.sqm
2007-12-11 12:18 . 2007-12-11 12:18 232 --ah----- G:\sqmdata12.sqm
2007-12-11 12:17 . 2007-12-11 12:17 244 --ah----- G:\sqmnoopt11.sqm
2007-12-11 12:17 . 2007-12-11 12:17 232 --ah----- G:\sqmdata11.sqm
2007-12-11 09:58 . 2007-12-11 09:58 244 --ah----- G:\sqmnoopt10.sqm
2007-12-11 09:58 . 2007-12-11 09:58 232 --ah----- G:\sqmdata10.sqm
2007-12-11 09:45 . 2007-12-11 09:45 244 --ah----- G:\sqmnoopt09.sqm
2007-12-11 09:45 . 2007-12-11 09:45 232 --ah----- G:\sqmdata09.sqm
2007-12-11 09:37 . 2007-12-11 09:37 244 --ah----- G:\sqmnoopt08.sqm
2007-12-11 09:37 . 2007-12-11 09:37 232 --ah----- G:\sqmdata08.sqm
2007-12-11 09:36 . 2007-12-11 09:36 244 --ah----- G:\sqmnoopt07.sqm
2007-12-11 09:36 . 2007-12-11 09:36 244 --ah----- G:\sqmnoopt06.sqm
2007-12-11 09:36 . 2007-12-11 09:36 232 --ah----- G:\sqmdata07.sqm
2007-12-11 09:36 . 2007-12-11 09:36 232 --ah----- G:\sqmdata06.sqm
2007-12-11 09:35 . 2007-12-11 09:35 244 --ah----- G:\sqmnoopt05.sqm
2007-12-11 09:35 . 2007-12-11 09:35 232 --ah----- G:\sqmdata05.sqm
2007-12-11 09:33 . 2007-12-11 09:33 244 --ah----- G:\sqmnoopt04.sqm
2007-12-11 09:33 . 2007-12-11 09:33 232 --ah----- G:\sqmdata04.sqm
2007-12-08 10:58 . 2007-12-08 10:58 244 --ah----- G:\sqmnoopt03.sqm
2007-12-08 10:58 . 2007-12-08 10:58 232 --ah----- G:\sqmdata03.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 10:19 --------- d-----w G:\Documents and Settings\Bar Ferraris\Dati applicazioni\.purple
2008-01-07 09:55 --------- d-----w G:\Documents and Settings\Bar Ferraris\Dati applicazioni\AVG7
2008-01-07 00:21 --------- d-----w C:\Programmi\eMule
2007-12-25 16:21 --------- d-----w C:\Programmi\PDFCreator Toolbar
2007-12-25 16:21 --------- d-----w C:\Programmi\PDF-Creator 2
2007-12-22 20:48 --------- d---a-w G:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-12-21 20:26 --------- d-----w C:\Programmi\a-squared Free
2007-12-19 16:36 --------- d-----w C:\Programmi\DivX
2007-12-15 10:15 9,344 ----a-w G:\WINDOWS\system32\drivers\NSDriver.sys
2007-12-15 10:15 8,320 ----a-w G:\WINDOWS\system32\drivers\AWRTRD.sys
2007-12-14 20:27 --------- d-----w C:\Programmi\QuickTime
2007-12-14 20:27 --------- d-----w C:\Programmi\DAEMON Tools
2007-12-11 19:44 823,296 ----a-w G:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w G:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w G:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w G:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w G:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w G:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w G:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w G:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w G:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w G:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w G:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w G:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w G:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-30 19:05 --------- d-----w C:\Programmi\XviD
2007-11-26 20:39 11,060,978 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_22_15_33_24_full.dmp.zip
2007-11-22 15:07 --------- d-----w G:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2007-11-22 15:07 --------- d-----w C:\Programmi\Lavasoft
2007-11-22 15:07 --------- d-----w C:\Documents and Settings\Bar Ferraris\Dati applicazioni\Lavasoft
2007-11-22 15:06 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2007-11-11 13:04 --------- d-----w C:\Programmi\PDFCreator
2007-11-11 12:51 98,304 ----a-w G:\WINDOWS\system32\pdfmona.dll
2007-11-11 12:51 50,364 ----a-w G:\WINDOWS\system32\pdf995mon.dll
2007-11-09 18:49 72,192 ----a-w G:\WINDOWS\cadkasdeinst01e.exe
2007-11-07 17:04 --------- d-----w C:\Programmi\Google
2007-10-04 12:20 36,885 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_10_02_16_55_45_small.dmp.zip
2007-08-24 06:32 38,146 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_08_24_08_15_44_small.dmp.zip
2007-08-17 16:33 36,224 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_08_17_18_27_28_small.dmp.zip
2007-08-04 05:34 36,390 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_08_02_15_57_22_small.dmp.zip
2007-07-12 12:40 36,471 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_07_12_14_32_27_small.dmp.zip
2007-07-11 10:58 42,078 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_07_11_12_52_14_small.dmp.zip
2007-05-12 09:15 39,621 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_05_12_11_06_29_small.dmp.zip
2007-04-05 08:43 39,883 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_04_05_10_35_39_small.dmp.zip
2007-03-29 15:57 38,721 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2007_03_27_12_07_06_small.dmp.zip
.
((((((((((((((((((((((((((((( snapshot@2008-01-07_22.08.58,11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-07 21:07:00 32,768 -c--a-w G:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-07 12:02:11 32,768 -c--a-w G:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-07 21:07:00 32,768 -c--a-w G:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-01-07 12:02:11 32,768 -c--a-w G:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2008-01-07 21:07:00 49,152 -c--a-w G:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-07 12:02:11 32,768 ----a-w G:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-06 20:50:53 266,240 ----a-w G:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-07 12:59:22 266,240 ----a-w G:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2007-11-23 19:04:40 36,096 ----a-w G:\WINDOWS\system32\drivers\VIRAGTLT.SYS
+ 2007-10-10 08:00:36 36,096 ----a-w G:\WINDOWS\system32\drivers\VIRAGTLT.SYS
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\System32\ctfmon.exe" [2001-08-31 11:00 13312]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-11-15 15:18 1670144]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2007-12-14 21:25 14348]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2001-12-07 16:24 1216512 G:\WINDOWS\mixer.exe]
"AtiPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-12-14 21:25 14348]
"HydarVisionDesktopManager"="" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-12-14 21:25 14348]
"QuickTime Task"="C:\Programmi\QuickTime\bak\qttask.exe" [2003-05-02 08:57 77824]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe" [2007-12-14 21:25 14348]
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" [2007-12-14 21:25 14348]
"AVG7_CC"="G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-24 15:03 579072]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2006-03-30 10:51 91648]
"OutpostFeedBack"="C:\Programmi\Agnitum\Outpost Firewall 1.0\feedback.exe" [2006-05-11 12:05 356420]
"VIRIT LITE MONITOR"="G:\VEXPLITE\MONLITE.EXE" [2008-01-07 11:19 245760]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-31 11:00 13312]
"AVG7_Run"="G:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-31 08:34 219136]
"OfficeWord Monitors"="G:\WINDOWS\System32\Offlce.exe" [ ]
G:\Documents and Settings\Bar Ferraris\Menu Avvio\Programmi\Esecuzione automatica\
Registrazione Corel.lnk - C:\Programmi\Corel\Graphics9\Register\Remind32.exe [2002-08-09 10:00:14]
G:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Speed Launch.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\Programmi\Agnitum\Outpost Firewall 1.0\wl_hook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-07 12:02:21 G:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Programmi\RegCure\RegCure.exe
"2007-12-27 06:40:19 G:\WINDOWS\Tasks\RegCure.job"
- C:\Programmi\RegCure\RegCure.exe
"2008-01-07 12:02:34 G:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 14:15:58
Windows 5.1.2600 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-07 14.16.58
ComboFix-quarantined-files.txt 2008-01-07 13:16:31
ComboFix2.txt 2008-01-07 21:12:58
ComboFix3.txt 2007-12-23 16:33:19
.
2007-12-16 19:05:04 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14.37.25, on 07/01/2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
c:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
G:\WINDOWS\System32\svchost.exe
G:\VEXPLITE\viritsvc.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\System32\WgaTray.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
G:\WINDOWS\System32\wuauclt.exe
G:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Corel\Graphics9\Register\Remind32.exe
G:\Programmi\Grisoft\AVG Free\avgcc.exe
C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe
G:\WINDOWS\explorer.exe
G:\WINDOWS\system32\notepad.exe
G:\Documents and Settings\Bar Ferraris\Desktop\utility pc\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dbsarticles.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Virgilio Toolbar - {D3403F28-7D39-435F-A8CB-45016C29E48E} - C:\Programmi\Virgilio Toolbar\VirgilioBand.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall 1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] G:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Registrazione Corel.lnk = C:\Programmi\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5190/mcfscan.cab
O20 - AppInit_DLLs: C:\Programmi\Agnitum\Outpost Firewall 1.0\wl_hook.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - G:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - G:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - G:\VEXPLITE\viritsvc.exe
--
End of file - 6679 bytes

bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 07 Jan 2008 20:23
It didn't delete all the entries indicated...
Download Avenger and unpack it into a folder of its own, not a temporary one and not on the desktop.
Start AVENGER
Click on Input script manually
Click on the magnifying glass
Enter these lines:
Quote: | Files to delete:
G:\WINDOWS\McAfee.com
G:\WINDOWS\System32\Offlce.exe |
Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post the Avenger result here together with an updated HijackThis log.
Afterwards, retry the scans with GMER and post the logs on FreeFileHosting as indicated here.

Jon Snow (Hero)
Registered: 23/12/07 00:37 Posts: 50
Posted: 07 Jan 2008 21:38
I did as you said, but did Avenger manage to do its job?
I'm holding off on GMER; I'm waiting for your confirmation on Avenger's work.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jktikuqy
*******************
Script file located at: vjxtldcc
Could not open script file! Error
Could not open script file! Status: 0xc000003b Abort!
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20.35.55, on 07/01/2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
c:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
G:\WINDOWS\System32\svchost.exe
G:\VEXPLITE\viritsvc.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\System32\WgaTray.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\Mixer.exe
C:\Programmi\DAEMON Tools\daemon.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\VEXPLITE\MONLITE.EXE
G:\WINDOWS\System32\wuauclt.exe
G:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
G:\WINDOWS\system32\notepad.exe
C:\Programmi\Corel\Graphics9\Register\Remind32.exe
G:\Documents and Settings\Bar Ferraris\Desktop\utility pc\HiJackThis_v2.exe
C:\Programmi\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dbsarticles.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Virgilio Toolbar - {D3403F28-7D39-435F-A8CB-45016C29E48E} - C:\Programmi\Virgilio Toolbar\VirgilioBand.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall 1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] G:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Registrazione Corel.lnk = C:\Programmi\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5190/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{390CA4CF-DCB4-49DD-A3FB-5073DEFE96FC}: NameServer = 85.37.17.48 85.38.28.88
O20 - AppInit_DLLs: C:\Programmi\Agnitum\Outpost Firewall 1.0\wl_hook.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - G:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - G:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - G:\VEXPLITE\viritsvc.exe
--
End of file - 6787 bytes
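A helper reading this thread is mostly comparing each HijackThis scan with the previous one. The Python script below is added here (it is not part of the thread and not a HijackThis feature): it parses two logs into running processes and R/O entries, reports what appeared or disappeared, and flags the sections that deserve a closer look when a new entry shows up (R1 proxy overrides, O17 DNS servers, O20 AppInit_DLLs). The embedded logs are constructed short excerpts of the 14.37.25 and 20.35.55 scans posted above.

```python
import re

# Section prefixes whose new entries deserve a closer look when they appear
# between two scans: proxy/browser overrides, DNS servers, injected DLLs.
WATCH = {
    "R1": "browser/proxy setting",
    "O17": "DNS server (NameServer) setting",
    "O20": "AppInit_DLLs (DLL loaded into every process)",
}

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, R/O entries).

    Entries keep the whole line, so a changed value shows up as one removed
    and one added entry rather than being silently merged.
    """
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False             # first R/O line ends the process list
            entries.add(line)
        elif in_procs and line:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries


def diff_hjt(old_text, new_text):
    """Report what appeared or disappeared between two scans of the same PC."""
    old_p, old_e = parse_hjt(old_text)
    new_p, new_e = parse_hjt(new_text)
    added = sorted(new_e - old_e)
    flagged = [(line, WATCH[ENTRY_RE.match(line).group(1)])
               for line in added if ENTRY_RE.match(line).group(1) in WATCH]
    return {
        "added": added,
        "removed": sorted(old_e - new_e),
        "flagged": flagged,
        "new_processes": sorted(new_p - old_p),
        "gone_processes": sorted(old_p - new_p),
    }


# Constructed samples: short excerpts of the two scans posted in this thread.
LOG_A = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14.37.25, on 07/01/2008
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dbsarticles.com
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - AppInit_DLLs: C:\Programmi\Agnitum\Outpost Firewall 1.0\wl_hook.dll
--
End of file - 6679 bytes
"""

LOG_B = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20.35.55, on 07/01/2008
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\Programmi\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dbsarticles.com
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{390CA4CF-DCB4-49DD-A3FB-5073DEFE96FC}: NameServer = 85.37.17.48 85.38.28.88
O20 - AppInit_DLLs: C:\Programmi\Agnitum\Outpost Firewall 1.0\wl_hook.dll
--
End of file - 6787 bytes
"""

if __name__ == "__main__":
    report = diff_hjt(LOG_A, LOG_B)
    for line, why in report["flagged"]:
        print(f"CHECK ({why}): {line}")
    for proc in report["new_processes"]:
        print(f"new process: {proc}")
```

A flagged O17 entry only means the DNS servers changed between scans; whether they are the ISP's own or not has to be checked against the provider, not assumed from the log.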

Sante62 (Mature God)
Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 07 Jan 2008 22:31
You have surely made a mistake when entering the script into Avenger. Make sure you enter the whole script contained in the white box, including the line at the top, "files to delete":
bdoriano wrote: |
Start AVENGER
Click on Input script manually
Click on the magnifying glass
Enter these lines:
Quote: | Files to delete:
G:\WINDOWS\McAfee.com
G:\WINDOWS\System32\Offlce.exe |
Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post the Avenger result here together with an updated HijackThis log.
|

bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 07 Jan 2008 22:58
I think it was the virus itself that "blocked" Avenger...
Download this file (the script is made specifically for you) and unpack it into a folder of its own.
Run the program AvRunner.exe, press Enter, then type Y and accept the reboot. On restart, the Avenger script with the outcome of the operations performed should open. If it seems to have done nothing, that is, after the line Beginning to process script file: there is nothing about what it did, only Completed script processing., try running AvRunner once more. Let's see whether it manages to get something done.

Jon Snow (Hero)
Registered: 23/12/07 00:37 Posts: 50
Posted: 07 Jan 2008 23:43
Wait, I then managed to get Avenger to work, but GMER rootkit made me reboot the PC twice.
I'm posting everything below. If you still think it useful, I'll download the file you wrote about now.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ecroscmo
*******************
Script file located at: \??\G:\WINDOWS\qmjtpjhu.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at G:\Avenger
*******************
Beginning to process script file:
Error: G:\WINDOWS\McAfee.com is a folder, not a file!
Deletion of file G:\WINDOWS\McAfee.com failed!
Could not process line:
G:\WINDOWS\McAfee.com
Status: 0xc00000ba
File G:\WINDOWS\System32\Offlce.exe not found!
Deletion of file G:\WINDOWS\System32\Offlce.exe failed!
Could not process line:
G:\WINDOWS\System32\Offlce.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21.52.51, on 07/01/2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
c:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\System32\svchost.exe
G:\VEXPLITE\viritsvc.exe
G:\Documents and Settings\Bar Ferraris\Desktop\utility pc\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dbsarticles.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Virgilio Toolbar - {D3403F28-7D39-435F-A8CB-45016C29E48E} - C:\Programmi\Virgilio Toolbar\VirgilioBand.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall 1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] G:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Registrazione Corel.lnk = C:\Programmi\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5190/mcfscan.cab
O20 - AppInit_DLLs: C:\Programmi\Agnitum\Outpost Firewall 1.0\wl_hook.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - G:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - G:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - G:\VEXPLITE\viritsvc.exe
--
End of file - 6300 bytes
log autostart1.txt: http://www.freefilehosting.net/files/3a5fj
http://www.freefilehosting.net/download/3a5fj
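The question in the two Avenger posts above (did Avenger do its job?) can be answered mechanically from the logs. The Python script below is added here and is not part of the thread or of Avenger: it recognises the failure messages that appear in the two logs posted above and maps their NTSTATUS codes to the standard meanings from ntstatus.h; it does not assume any success-message format, so a path without a failure line is reported as "no failure reported" rather than as deleted. The embedded logs are constructed samples copied from the two posts.

```python
import re

# NTSTATUS values seen in the Avenger logs of this thread, with the standard
# meaning from ntstatus.h (Windows facts, not Avenger-specific ones).
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND (file was not on disk)",
    0xC00000BA: "STATUS_FILE_IS_A_DIRECTORY (path is a folder, not a file)",
    0xC000003B: "STATUS_OBJECT_PATH_SYNTAX_BAD (script path could not be opened)",
}

SCRIPT_FAIL_RE = re.compile(r"Could not open script file! Status: (0x[0-9A-Fa-f]+)")
DELETE_FAIL_RE = re.compile(r"^Deletion of file (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")


def explain(code_hex):
    """Map a hex NTSTATUS string to its name, or label it unknown."""
    return NTSTATUS.get(int(code_hex, 16), f"unknown NTSTATUS {code_hex}")


def parse_avenger_log(text, requested):
    """Summarise one Avenger run against the paths the script asked to delete.

    Only the messages that occur in the logs above are recognised, so a path
    with no failure message is reported as such rather than as 'deleted'.
    """
    summary = {
        "script_opened": False,
        "script_error": None,
        "results": {path: "no failure reported" for path in requested},
    }
    failing = None  # path whose 'Status:' line is expected next
    for raw in text.splitlines():
        line = raw.strip()
        m = SCRIPT_FAIL_RE.search(line)
        if m:
            summary["script_error"] = explain(m.group(1))
            continue
        if line == "Script file opened successfully.":
            summary["script_opened"] = True
            continue
        m = DELETE_FAIL_RE.match(line)
        if m:
            failing = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m and failing is not None:
            summary["results"][failing] = "failed: " + explain(m.group(1))
            failing = None
    return summary


# The 'Files to delete:' paths from the script posted in this thread.
SCRIPT = [r"G:\WINDOWS\McAfee.com", r"G:\WINDOWS\System32\Offlce.exe"]

# Constructed samples: the two Avenger logs posted in this thread.
LOG_FIRST = r"""Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jktikuqy
*******************
Script file located at: vjxtldcc
Could not open script file! Error
Could not open script file! Status: 0xc000003b Abort!
"""

LOG_SECOND = r"""Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ecroscmo
*******************
Script file located at: \??\G:\WINDOWS\qmjtpjhu.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at G:\Avenger
*******************
Beginning to process script file:
Error: G:\WINDOWS\McAfee.com is a folder, not a file!
Deletion of file G:\WINDOWS\McAfee.com failed!
Could not process line:
G:\WINDOWS\McAfee.com
Status: 0xc00000ba
File G:\WINDOWS\System32\Offlce.exe not found!
Deletion of file G:\WINDOWS\System32\Offlce.exe failed!
Could not process line:
G:\WINDOWS\System32\Offlce.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
"""

if __name__ == "__main__":
    for name, log in (("first run", LOG_FIRST), ("second run", LOG_SECOND)):
        s = parse_avenger_log(log, SCRIPT)
        print(name, "- script opened:", s["script_opened"], "- error:", s["script_error"])
        for path, outcome in s["results"].items():
            print("  ", path, "->", outcome)
```

Read this way, the second run shows that G:\WINDOWS\McAfee.com was given to Avenger as a file although it is a folder, and that Offlce.exe was no longer on disk when the script ran, which leaves only its registry reference to clean up.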

Jon Snow (Hero)
Registered: 23/12/07 00:37 Posts: 50
Posted: 08 Jan 2008 00:20
bdoriano wrote: | I think it was the virus itself that "blocked" Avenger...
Download this file (the script is made specifically for you) and unpack it into a folder of its own.
Run the program AvRunner.exe, press Enter, then type Y and accept the reboot. On restart, the Avenger script with the outcome of the operations performed should open. If it seems to have done nothing, that is, after the line Beginning to process script file: there is nothing about what it did, only Completed script processing., try running AvRunner once more. Let's see whether it manages to get something done. |
Anyway, I did as you told me, but on restart the Avenger script did not open.
Jon Snow Hero

Registered: 23/12/07 00:37 Messages: 50
Posted: 08 Jan 2008 13:32 Subject:
Last night I tried to use eMule again, but after a while the same problem occurs; I noticed that the firewall also classifies it as an ethernet attack, in addition to IP spoofing.
bdoriano Administrator

Registered: 02/04/07 12:05 Messages: 14391 Location: 3rd planet of the solar system...
Jon Snow Hero

Registered: 23/12/07 00:37 Messages: 50
Posted: 11 Jan 2008 15:42 Subject:
I'm replying only now because I've been away from home; anyway, I still get the same old problem:
Jon Snow wrote: | I downloaded VirIT again and the only file it found is this one:
G:\QUARANTENA_VIRIT\spool.exe Infetto da Backdoor.RBot.AAK
Then I launched SystemScan, but the following message appears:
Warning! You don't have the seDebugPrivilege, which is required for SystemScan to work.
seDebugPrivilege will be restred to Administrators Group. A REBOOT is required for changes to take effect.
Please save all data and press Ok to REBOOT your system now, or Cancel to reboot later.
I did as advised, i.e. downloaded SeDebug-Restore.exe, ran it, restarted the PC, and the message above appeared again. In fact, when I launch the program it says:
"\cscript.exe non è riconosciuto come comando interno o esterno"
What do I do??? |
bdoriano Administrator

Registered: 02/04/07 12:05 Messages: 14391 Location: 3rd planet of the solar system...
Posted: 11 Jan 2008 16:40 Subject:
SeDebugRestore didn't work?
Which version of XP do you have? Home or Professional?
for Windows XP Professional wrote: | Control Panel
Administrative Tools
Local Security Policy
Local Policies
User Rights Assignment
double-click Debug programs
Add User or Group
Object Types
tick the Groups box
OK
type Administrators in the box Enter the object names to select
click OK and OK again
restart the PC |
for Windows XP Home wrote: | download the Windows Server 2003 Resource Kit Tools from the Microsoft site
install it
Click Start
Click Run...
Type:
Click OK
the DOS window opens, type:
Code: | ntrights +r SeDebugPrivilege -u Administrators |
press Enter
You should see the message Granting SeDebugPrivilege to Administrators ? succesful.
Restart the PC. |
Try SystemScan again
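The steps above grant SeDebugPrivilege to the Administrators group either through the Local Security Policy console or with ntrights. The following is an added example, not part of the thread and not code from SystemScan, VirIT or the Resource Kit: it reads the local security policy with the built-in secedit.exe and reports whether the Administrators group (well-known SID S-1-5-32-544) actually holds SeDebugPrivilege, which is the check one would run after either procedure and before retrying SystemScan. It assumes an elevated PowerShell session on Windows; the temporary file name is arbitrary.

```powershell
# Added example (not from the thread): verify that the built-in Administrators
# group holds SeDebugPrivilege in the local security policy.
# Assumptions: run elevated; secedit.exe is present (it ships with Windows);
# the export path below is an arbitrary choice.
$inf = Join-Path $env:TEMP 'secpol-export.inf'

# secedit writes the local policy, including the [Privilege Rights] section
# in which each privilege is followed by the SIDs that hold it, to an INF file.
secedit /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt" }

# Well-known SID of the built-in Administrators group (the group the thread targets).
$adminsSid = 'S-1-5-32-544'

# Example of the line we are looking for in the INF:
#   SeDebugPrivilege = *S-1-5-32-544
$line = Get-Content $inf | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }

if (-not $line) {
    Write-Output 'SeDebugPrivilege is not assigned to anyone in the local policy.'
} else {
    # Right-hand side is a comma-separated list of SIDs, each prefixed with '*'.
    $sids = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    if ($sids -contains $adminsSid) {
        Write-Output "SeDebugPrivilege is granted to Administrators ($adminsSid)."
    } else {
        Write-Output ("SeDebugPrivilege holders: " + ($sids -join ', ') +
                      " ; Administrators ($adminsSid) is missing.")
    }
}

# The export contains the whole local security policy; do not leave it lying around.
Remove-Item $inf -ErrorAction SilentlyContinue
```

Note that a user-rights change in the policy only reaches a user's access token at the next logon, which is why both procedures in the post end with a restart: the policy check above can succeed while a SystemScan started in the old session still reports the privilege as missing.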