MindFlyer (Devoted Mortal, registered 29/01/08 15:18, 5 posts)
Posted: 29 Jan 2008 15:26    Subject: I have a Trojan horse TR/Buzus.OJ and I can't get rid of it!

Hello, this is my situation: I was using Norton Antivirus, but my licence expired, and in its place I installed Avira AntiVir version 7.06. I also have Spybot S&D 1.5.0.9. Unfortunately, while switching from one antivirus to the other, something unpleasant happened and I found my PC infected.
I did my best to clean it, but I still have a problem: roughly every hour, AntiVir finds these 2 infected files:

C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\9GO8852U\mmdmm[1].exe

C:\WINDOWS\System32\a.exe

and tells me they are the Trojan horse TR/Buzus.OJ. I delete them, and they keep reappearing.

This is the HijackThis logfile:
 
 Logfile of Trend Micro HijackThis v2.0.0 (BETA)
 Scan saved at 14.16.04, on 29/01/2008
 Platform: Windows XP SP1 (WinNT 5.01.2600)
 Boot mode: Normal
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\Explorer.EXE
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
 D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
 C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
 C:\Programmi\MSN Messenger\usnsvc.exe
 C:\WINDOWS\System32\wuauclt.exe
 D:\Antimalware\HiJackThis_v2.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
 O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
 O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
 O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
 O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
 O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
 O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
 O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
 O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
 O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
 O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
 O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
 
 --
 End of file - 3700 bytes
 
Thanks in advance for the help!

bdoriano (Administrator, registered 02/04/07 12:05, 14391 posts, location: 3rd planet of the solar system...)
Posted: 29 Jan 2008 15:37

Hi MindFlyer,
Run this scan with FindAWF.

Follow the instructions in this topic to post the ComboFix log.

Connect to the Kaspersky on-line scanner and run the extended scan, as described here.
Save the scan result to a file (in HTML format), upload the file to Freefilehosting and post the link you are given here.

Download and install Service Pack 2 as soon as possible, please!!!

PS: if you like, you can introduce yourself here

MindFlyer (Devoted Mortal, registered 29/01/08 15:18, 5 posts)
Posted: 29 Jan 2008 18:27

Hi, and thanks for the help. First of all I tried to install Service Pack 2.

Edit: Service Pack 2 caused me a sea of problems, which somehow I managed to sort out... I'll do the rest of the things you told me and let you know. Sorry for the SPAM.

MindFlyer (Devoted Mortal, registered 29/01/08 15:18, 5 posts)
Posted: 29 Jan 2008 21:51

OK, I've finished the whole procedure.
 -----------------------------------
 
 HijackThis:
 
 Logfile of Trend Micro HijackThis v2.0.0 (BETA)
 Scan saved at 18.44.48, on 29/01/2008
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 Boot mode: Normal
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\Explorer.EXE
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
 D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
 C:\WINDOWS\system32\nvraidservice.exe
 C:\WINDOWS\SOUNDMAN.EXE
 C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
 C:\WINDOWS\System32\nvsvc32.exe
 C:\WINDOWS\System32\wbem\unsecapp.exe
 C:\Programmi\Windows Live\Messenger\usnsvc.exe
 C:\WINDOWS\system32\rundll32.exe
 D:\Antimalware\HiJackThis_v2.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
 O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
 O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
 O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
 O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
 O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
 O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
 O4 - HKLM\..\RunOnce: [Rmpxinst] command.com /c del C:\WINDOWS\SYSTEM32\ctpxinst.exe
 O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
 O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
 O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
 O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
 O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
 O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 
 --
 End of file - 4425 bytes
 
 -----------------------------------------------
 
 FindAWF:
 
 Find AWF report by noahdfear ©2006
 Version 1.40
 
 
 
 bak folders found
 ~~~~~~~~~~~
 
 
 
 Duplicate files of bak directory contents
 ~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 end of report
 
 ---------------------------------------------------
 
 ComboFix:
 
 ComboFix 08-01-29.3 - MindFlyer 2008-01-29 18.50.56.1 - NTFSx86
 Microsoft Windows XP Professional  5.1.2600.2.1252.1.1040.18.714 [GMT 1:00]
 Eseguito da: D:\Antimalware\ComboFix.exe
 * Creato nuovo punto di ripristino
 
 WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
 .
 
 (((((((((((((((((((((((((   Files Creati Da 2007-12-28 al 2008-01-29  )))))))))))))))))))))))))))))))))))
 .
 
 2008-01-29 18:17 . 2008-01-29 18:17	<DIR>	d--------	C:\Programmi\Realtek Sound Manager
 2008-01-29 18:17 . 2008-01-29 18:17	<DIR>	d--------	C:\Programmi\AvRack
 2008-01-29 18:17 . 2004-12-22 10:06	17,584,128	--a------	C:\WINDOWS\system32\ALSNDMGR.CPL
 2008-01-29 18:17 . 2004-12-22 10:13	9,524,224	--a------	C:\WINDOWS\system32\RTLCPL.EXE
 2008-01-29 18:17 . 2004-12-22 10:07	2,304,320	--a------	C:\WINDOWS\system32\drivers\ALCXWDM.SYS
 2008-01-29 18:17 . 2004-11-05 09:29	208,896	---------	C:\WINDOWS\alcupd.exe
 2008-01-29 18:17 . 2004-09-07 07:23	156,672	--a------	C:\WINDOWS\system32\RTLCPAPI.dll
 2008-01-29 18:17 . 2002-02-05 06:54	141,016	--a------	C:\WINDOWS\system32\ALSNDMGR.WAV
 2008-01-29 18:17 . 2004-09-01 13:04	139,264	---------	C:\WINDOWS\alcrmv.exe
 2008-01-29 18:17 . 2004-12-22 10:09	77,824	--a------	C:\WINDOWS\SOUNDMAN.EXE
 2008-01-29 18:17 . 2004-10-27 08:47	40,960	---------	C:\WINDOWS\system32\ChCfg.exe
 2008-01-29 18:17 . 2001-07-05 17:19	164	---------	C:\WINDOWS\avrack.ini
 2008-01-29 18:16 . 2008-01-29 18:16	<DIR>	d--------	C:\NV2876340.TMP
 2008-01-29 18:16 . 2008-01-29 18:16	<DIR>	d--------	C:\NV28242956.TMP
 2008-01-29 18:16 . 2008-01-29 18:16	<DIR>	d--------	C:\NV25962400.TMP
 2008-01-29 18:16 . 2004-06-11 04:15	83,968	-ra------	C:\WINDOWS\system32\nvraidservice.exe
 2008-01-29 18:15 . 2008-01-29 18:15	<DIR>	d--------	C:\NV544448.TMP
 2008-01-29 18:15 . 2008-01-29 18:15	<DIR>	d--------	C:\NV3096452.TMP
 2008-01-29 18:05 . 2008-01-29 18:05	<DIR>	d--------	C:\Documents and Settings\All Users\Dati applicazioni\PC Drivers Headquarters
 2008-01-29 17:28 . 2008-01-29 18:13	4,096	--a------	C:\WINDOWS\gdrv.sys
 2008-01-29 17:08 . 2008-01-29 17:08	<DIR>	d--------	C:\WINDOWS\system32\Lang
 2008-01-29 17:08 . 2008-01-29 17:08	940,794	--a------	C:\WINDOWS\system32\LoopyMusic.wav
 2008-01-29 17:08 . 2008-01-29 17:08	146,650	--a------	C:\WINDOWS\system32\BuzzingBee.wav
 2008-01-29 16:56 . 2003-05-12 15:28	77,824	---------	C:\WINDOWS\system32\nvuaudio.exe
 2008-01-29 16:56 . 2003-05-12 15:28	2,815	---------	C:\WINDOWS\system32\nvaudio.nvu
 2008-01-29 16:46 . 1999-10-11 02:01	41,984	---------	C:\WINDOWS\CTRegRun.exe
 2008-01-29 16:37 . 2007-07-09 14:09	584,192	-----c---	C:\WINDOWS\system32\dllcache\rpcrt4.dll
 2008-01-29 16:22 . 2008-01-29 16:25	<DIR>	d--------	C:\Programmi\Windows Live
 2008-01-29 16:22 . 2008-01-29 16:24	<DIR>	d--hsc---	C:\Programmi\File comuni\WindowsLiveInstaller
 2008-01-29 16:22 . 2008-01-29 16:22	<DIR>	d--------	C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
 2008-01-29 16:20 . 2008-01-29 17:47	<DIR>	d--h-----	C:\WINDOWS\$hf_mig$
 2008-01-29 16:18 . 2008-01-29 16:18	<DIR>	d--------	C:\Documents and Settings\LocalService\Menu Avvio
 2008-01-29 16:13 . 2008-01-29 16:13	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
 2008-01-29 16:10 . 2004-07-17 11:40	19,528	--a------	C:\WINDOWS\002387_.tmp
 2008-01-29 15:53 . 2008-01-29 18:34	4,958,588	--a------	C:\WINDOWS\{00000002-00000000-00000007-00001102-00000004-00531102}.BAK
 2008-01-29 15:53 . 2008-01-29 18:34	29,952	--a------	C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000007-00001102-00000004-00531102}.rfx
 2008-01-29 15:53 . 2008-01-29 18:34	29,952	--a------	C:\WINDOWS\system32\BMXState-{00000002-00000000-00000007-00001102-00000004-00531102}.rfx
 2008-01-29 15:53 . 2008-01-29 18:34	27,408	--a------	C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000007-00001102-00000004-00531102}.rfx
 2008-01-29 15:53 . 2008-01-29 18:34	27,408	--a------	C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000007-00001102-00000004-00531102}.rfx
 2008-01-29 15:53 . 2008-01-29 18:34	11,564	--a------	C:\WINDOWS\system32\DVCState-{00000002-00000000-00000007-00001102-00000004-00531102}.rfx
 2008-01-29 15:44 . 2008-01-29 18:34	<DIR>	d--------	C:\Documents and Settings\MindFlyer\Dati applicazioni\Creative
 2008-01-29 15:44 . 2008-01-29 18:34	4,958,588	--a------	C:\WINDOWS\{00000002-00000000-00000007-00001102-00000004-00531102}.CDF
 2008-01-29 15:44 . 2008-01-29 18:22	409,600	--a------	C:\WINDOWS\system32\wrap_oal.dll
 2008-01-29 15:44 . 2008-01-29 18:22	114,688	--a------	C:\WINDOWS\system32\OpenAL32.dll
 2008-01-29 15:44 . 2004-08-03 23:08	10,624	--a------	C:\WINDOWS\system32\drivers\gameenum.sys
 2008-01-29 15:43 . 2008-01-29 18:22	<DIR>	d--------	C:\WINDOWS\system32\data
 2008-01-29 15:43 . 2004-08-03 23:15	145,792	--a------	C:\WINDOWS\system32\drivers\portcls.sys
 2008-01-29 15:43 . 2004-08-03 23:15	145,792	--a--c---	C:\WINDOWS\system32\dllcache\portcls.sys
 2008-01-29 15:43 . 2004-08-03 23:08	60,288	--a------	C:\WINDOWS\system32\drivers\drmk.sys
 2008-01-29 15:43 . 2004-08-03 23:08	60,288	--a--c---	C:\WINDOWS\system32\dllcache\drmk.sys
 2008-01-29 15:09 . 2008-01-29 15:09	<DIR>	d--------	C:\WINDOWS\provisioning
 2008-01-29 15:09 . 2008-01-29 16:15	<DIR>	d--------	C:\WINDOWS\peernet
 2008-01-29 15:03 . 2008-01-29 16:15	<DIR>	d--------	C:\WINDOWS\EHome
 2008-01-29 13:33 . 2008-01-29 13:37	2,320	--a------	C:\WINDOWS\system32\tmp.reg
 2008-01-29 13:11 . 2008-01-29 16:19	<DIR>	d--------	C:\WINDOWS\system32\config\systemprofile\Impostazioni locali
 2008-01-29 12:52 . 2008-01-29 12:52	<DIR>	d--------	C:\WINDOWS\system32\config\systemprofile\Dati applicazioni
 2008-01-29 11:05 . 2008-01-29 11:05	0	--a------	C:\WINDOWS\nsreg.dat
 2008-01-29 10:03 . 2008-01-29 10:03	<DIR>	d--------	C:\Documents and Settings\MindFlyer\Dati applicazioni\SuperAdBlocker.com
 2008-01-29 10:02 . 2008-01-29 10:02	<DIR>	d--------	C:\WINDOWS\system32\URTTemp
 2008-01-28 20:36 . 2008-01-29 10:27	<DIR>	d--------	C:\Documents and Settings\All Users\Dati applicazioni\SecTaskMan
 2008-01-28 19:26 . 2008-01-28 19:26	<DIR>	d--------	C:\Programmi\Avira
 2008-01-28 19:26 . 2008-01-28 19:26	<DIR>	d--------	C:\Documents and Settings\All Users\Dati applicazioni\Avira
 2008-01-28 18:05 . 2008-01-28 18:05	<DIR>	d--------	C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
 2008-01-28 17:00 . 2008-01-28 17:00	<DIR>	d--------	C:\Documents and Settings\All Users\Dati applicazioni\Avg7
 2008-01-28 16:34 . 2008-01-28 16:34	<DIR>	d--------	C:\Documents and Settings\MindFlyer\Dati applicazioni\Uniblue
 2008-01-28 12:50 . 2008-01-28 12:54	<DIR>	d--------	C:\Documents and Settings\MindFlyer\.housecall6.6
 2008-01-28 11:12 . 2008-01-28 11:12	<DIR>	d--------	C:\Documents and Settings\MindFlyer\DoctorWeb
 2008-01-28 10:51 . 2008-01-28 12:08	250	--a------	C:\WINDOWS\gmer.ini
 2008-01-26 13:57 . 2003-03-18 21:20	1,060,864	--a------	C:\WINDOWS\system32\MFC71.dll
 2008-01-26 13:57 . 2003-03-18 20:14	499,712	--a------	C:\WINDOWS\system32\MSVCP71.dll
 2008-01-26 13:57 . 2003-02-21 04:42	348,160	--a------	C:\WINDOWS\system32\MSVCR71.dll
 2008-01-19 16:36 . 2006-08-14 11:34	332,928	-----c---	C:\WINDOWS\system32\dllcache\srv.sys
 2008-01-19 16:36 . 2006-08-16 10:37	225,664	-----c---	C:\WINDOWS\system32\dllcache\tcpip6.sys
 2008-01-19 16:36 . 2006-08-16 12:59	100,352	-----c---	C:\WINDOWS\system32\dllcache\6to4svc.dll
 2008-01-19 16:35 . 2006-06-22 11:47	181,248	-----c---	C:\WINDOWS\system32\dllcache\rasmans.dll
 2008-01-19 16:34 . 2006-08-25 16:51	617,472	-----c---	C:\WINDOWS\system32\dllcache\comctl32.dll
 2008-01-19 16:33 . 2006-06-26 18:41	148,480	-----c---	C:\WINDOWS\system32\dllcache\dnsapi.dll
 2008-01-19 16:33 . 2006-06-26 18:41	8,192	-----c---	C:\WINDOWS\system32\dllcache\rasadhlp.dll
 2008-01-17 07:45 . 2007-07-30 19:19	549,720	--a------	C:\WINDOWS\system32\wuapi.dll
 2008-01-17 07:45 . 2007-07-30 19:19	325,976	--a------	C:\WINDOWS\system32\wucltui.dll
 2008-01-17 07:45 . 2007-07-30 19:19	216,408	--a------	C:\WINDOWS\system32\wuaucpl.cpl
 2008-01-17 07:45 . 2007-07-30 19:19	203,096	--a------	C:\WINDOWS\system32\wuweb.dll
 2008-01-17 07:45 . 2004-08-03 14:06	187,160	--a------	C:\WINDOWS\system32\wuaueng1.dll
 2008-01-17 07:45 . 2004-08-03 14:04	169,752	--a------	C:\WINDOWS\system32\wuauclt1.exe
 2008-01-17 07:45 . 2007-07-30 19:18	33,624	--a------	C:\WINDOWS\system32\wups.dll
 2008-01-16 01:02 . 2008-01-16 01:02	56	--a------	C:\WINDOWS\MinGW.INI
 2008-01-15 22:45 . 2008-01-16 00:56	<DIR>	d--------	C:\cygwin
 2008-01-15 10:18 . 2008-01-15 10:18	<DIR>	d--------	C:\Documents and Settings\MindFlyer\.netbeans-derby
 2008-01-15 10:17 . 2008-01-15 10:17	<DIR>	d--------	C:\Documents and Settings\MindFlyer\.netbeans
 2008-01-15 10:11 . 2008-01-15 10:15	<DIR>	d--------	C:\Documents and Settings\MindFlyer\.nbi
 2008-01-15 10:03 . 2008-01-15 10:03	<DIR>	d--------	C:\Programmi\Sun
 2008-01-15 09:20 . 2008-01-16 01:11	<DIR>	d--------	C:\MinGW
 2008-01-15 07:54 . 2008-01-15 07:54	<DIR>	d--------	C:\WINDOWS\Sun
 2008-01-15 07:53 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
 2008-01-15 07:51 . 2008-01-15 07:51	<DIR>	d--------	C:\Programmi\File comuni\Java
 2008-01-15 06:02 . 2008-01-18 07:15	790	--a------	C:\WINDOWS\CamlWin.ini
 2008-01-08 02:42 . 2008-01-08 02:42	<DIR>	d--------	C:\Documents and Settings\All Users\Dati applicazioni\nView_Profiles
 
 .
 ((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 2008-01-29 17:17	---------	d--h--w	C:\Programmi\InstallShield Installation Information
 2008-01-28 15:30	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
 2008-01-26 12:52	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\Symantec
 2007-12-14 07:44	---------	d-----w	C:\Documents and Settings\MindFlyer\Dati applicazioni\PLT Scheme
 2007-12-11 09:47	---------	d-----w	C:\Documents and Settings\MindFlyer\Dati applicazioni\Winamp
 2007-12-11 04:39	---------	d-----w	C:\Programmi\WinLemm
 2007-12-09 07:56	---------	d-----w	C:\Programmi\File comuni\Blizzard Entertainment
 2007-12-06 07:42	---------	d-----w	C:\Programmi\WinSCP
 2007-12-06 06:32	---------	d-----w	C:\Documents and Settings\MindFlyer\Dati applicazioni\xm1
 2007-12-06 06:19	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\MiKTeX
 2007-12-06 05:49	139,264	----a-w	C:\WINDOWS\War3Unin.exe
 2007-12-06 05:30	---------	d-----w	C:\Programmi\File comuni\Adobe
 2007-12-06 04:36	---------	d-----w	C:\Documents and Settings\MindFlyer\Dati applicazioni\Symantec
 2007-12-06 04:25	---------	d-----w	C:\Programmi\File comuni\InstallShield
 2007-12-06 04:16	---------	d--h--w	C:\Programmi\Uninstall Information
 2007-12-06 04:13	---------	d-----w	C:\Programmi\microsoft frontpage
 2007-12-06 04:11	---------	d-----w	C:\Programmi\File comuni\MSSoap
 2007-12-06 04:10	---------	d-----w	C:\Programmi\Servizi in linea
 2007-12-06 04:03	---------	d-----w	C:\Programmi\File comuni\SpeechEngines
 2007-12-06 04:03	---------	d-----w	C:\Programmi\File comuni\ODBC
 .
 
 (((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 .
 REGEDIT4
 *Nota* i valori vuoti & legittimi/default non sono visualizzati.
 
 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
 "SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
 "PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 01:39 455168]
 "PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 01:39 455168]
 "Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
 "SunJavaUpdateSched"="D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
 "avgnt"="C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-29 11:44 249896]
 "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-08 02:25 7622656]
 "NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-06-11 04:15 83968]
 "SoundMan"="SOUNDMAN.EXE" [2004-12-22 10:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
 "nwiz"="nwiz.exe" [2006-08-08 02:25 1519616 C:\WINDOWS\system32\nwiz.exe]
 
 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
 Notification Packages	REG_MULTI_SZ   	scecli scecli
 
 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
 --a------ 2006-08-08 02:25 7622656 C:\WINDOWS\System32\NvCpl.dll
 
 R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
 R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
 S1 SABKUTIL;SABKUTIL;C:\Programmi\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
 S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-01-29 18:13]
 
 .
 **************************************************************************
 
 catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
 Rootkit scan 2008-01-29 18:53:05
 Windows 5.1.2600 Service Pack 2 NTFS
 
 scansione processi nascosti ...
 
 scansione entrate autostart nascoste ...
 
 Scansione files nascosti ...
 
 Scansione completata con successo
 Files nascosti: 0
 
 **************************************************************************
 .
 ------------------------ Other Running Processes ------------------------
 .
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
 C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
 D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
 C:\WINDOWS\system32\nvraidservice.exe
 C:\WINDOWS\SOUNDMAN.EXE
 C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
 C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
 C:\WINDOWS\system32\rundll32.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
 C:\WINDOWS\System32\nvsvc32.exe
 C:\WINDOWS\System32\wdfmgr.exe
 C:\WINDOWS\System32\wbem\unsecapp.exe
 .
 **************************************************************************
 .
 Ora fine scansione: 2008-01-29 18:54:50 - machine was rebooted
 ComboFix-quarantined-files.txt  2008-01-29 17:54:35
 .
 2008-01-29 16:48:12	--- E O F ---
 
 ------------------------------------------------------------
 
 Kaspersky:
 
 http://www.freefilehosting.net/download/3b70l
 
 ------------------------------------------------------------
 
Thanks again!!!
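What a helper reviewing the two HijackThis logs above does by hand, as an added example (not code from this forum or from HijackThis): parse the entry lines, diff the SP1 log against the post-SP2 log, and flag entries worth a second look. The flag rules are assumed reviewer heuristics, and the sample logs are constructed from the shape of the logs in the thread.

```python
"""Parse HijackThis logs, diff two of them and flag the entries a log reviewer
would query first.  Added example: not code from the thread or from HijackThis;
the flag rules are reviewer heuristics (assumptions) and the sample logs are
constructed from the shapes of the two logs posted in the thread."""
import re

# An entry looks like  O4 - HKLM\..\Run: [name] "C:\path\prog.exe" /arg
# Header lines, the "Running processes" block and the trailer do not match.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# What an O4 entry launches: a quoted path, or else the first token.
TARGET_RE = re.compile(r'^"([^"]+)"|^(\S+)')


def parse_hjt(text):
    """Return the (kind, body) pairs of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body").strip()))
    return entries


def flag_entry(kind, body):
    """Heuristic reasons to look twice at one entry (empty list: none)."""
    reasons, low = [], body.lower()
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("target file absent: orphaned or already cleaned entry")
    if kind == "O4":
        launch = re.sub(r"^.*?\]\s*", "", body)  # drop 'HKLM\..\Run: [name] '
        if "runonce" in low and re.search(r"\bdel\b", low):
            reasons.append("RunOnce deletes a file at next boot")
        if "\\temporary internet files\\" in low or "\\config\\systemprofile\\" in low:
            reasons.append("runs from a browser cache or the SYSTEM profile")
        m = TARGET_RE.match(launch)
        exe = (m.group(1) or m.group(2)) if m else ""
        if exe and "\\" not in exe:
            reasons.append("bare file name, resolved through the search path")
    return reasons


def review(text):
    """Map each flagged entry ('kind - body') to its list of reasons."""
    report = {}
    for kind, body in parse_hjt(text):
        reasons = flag_entry(kind, body)
        if reasons:
            report[f"{kind} - {body}"] = reasons
    return report


def diff_logs(old_text, new_text):
    """(added, removed) entries between two logs of one machine, e.g. the
    SP1 log and the post-SP2 log; both lists sorted."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(new - old), sorted(old - new)


# Constructed samples: the [Updater] line is invented to exercise the cache-path
# rule; the other entries copy the shape of the thread's own logs.
LOG_SP1 = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Updater] C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\9GO8852U\mmdmm[1].exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
End of file - 3700 bytes
"""
LOG_SP2 = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [Rmpxinst] command.com /c del C:\WINDOWS\SYSTEM32\ctpxinst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
End of file - 4425 bytes
"""
```

Calling `diff_logs(LOG_SP1, LOG_SP2)` lists what the Service Pack changed, and `review(LOG_SP2)` separates harmless orphans from entries that still need a decision.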

MindFlyer (Devoted Mortal, registered 29/01/08 15:18, 5 posts)
Posted: 29 Jan 2008 23:52

Done: http://www.freefilehosting.net/download/3b71m

Anyway, since I installed Service Pack 2, AntiVir has stopped finding viruses. Could it be that the installation overwrote some infected files, and the problem fixed itself??

bdoriano (Administrator, registered 02/04/07 12:05, 14391 posts, location: 3rd planet of the solar system...)
Posted: 01 Feb 2008 00:01

the virus was probably exploiting the pre-SP2 holes. In a few days I'll take a look at the SystemScan log and we'll see whether anything else turns up.

MindFlyer (Devoted Mortal, registered 29/01/08 15:18, 5 posts)
Posted: 01 Feb 2008 14:23

Thanks again, I'm waiting anxiously.
P.S.
It should also be said that the first time I installed SP2 I messed something up and the installation failed; I rebooted and found all my drivers deleted. I reinstalled the drivers, started the SP2 installation again, and this time it worked. After that I haven't heard from the virus any more. So it may also be that it had infected some driver and was swept away by the catastrophe.

bdoriano (Administrator, registered 02/04/07 12:05, 14391 posts, location: 3rd planet of the solar system...)
Posted: 01 Feb 2008 23:31

Hi MindFlyer,
I took a look at the log and it seems clean to me.

If you want, run a scan with BitDefender (using IE).