TheHawk (Eroe)
Registered: 13/05/07 20:08
Posts: 61

Posted: 18 Feb 2008 20:04    Subject: HijackThis log check request
Good evening everyone! I'm here to ask you for a favour...
I accidentally opened one of those extremely annoying viruses that send themselves over MSN.
Could you kindly take a look at the log and give me some pointers?

Thanks a lot!
 
 
 Logfile of Trend Micro HijackThis v2.0.2
 Scan saved at 19.01.44, on 18/02/2008
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 Boot mode: Normal
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
 C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
 C:\Programmi\Alwil Software\Avast4\ashServ.exe
 C:\WINDOWS\Explorer.EXE
 C:\WINDOWS\RTHDCPL.EXE
 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
 C:\WINDOWS\system32\RUNDLL32.EXE
 C:\WINDOWS\system32\ctfmon.exe
 C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
 C:\Programmi\Messenger\msmsgs.exe
 C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\WINDOWS\system32\nvsvc32.exe
 C:\WINDOWS\system32\PnkBstrA.exe
 C:\WINDOWS\system32\svchost.exe
 C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
 C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
 C:\Programmi\MSN Messenger\usnsvc.exe
 C:\Programmi\eMule\emule.exe
 C:\WINDOWS\system32\poolsc.exe
 C:\Programmi\Hijackthis\HiJackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.it
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
 O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programmi\BitComet\tools\BitCometBHO_1.2.1.2.dll
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
 O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
 O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
 O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
 O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
 O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
 O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
 O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
 O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
 O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
 O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
 O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
 O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
 O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
 O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
 O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O8 - Extra context menu item: Scarica tutti i video usando BitComet - res://C:\Programmi\BitComet\BitComet.exe/AddVideo.htm
 O8 - Extra context menu item: Scarica tutto usando BitComet - res://C:\Programmi\BitComet\BitComet.exe/AddAllLink.htm
 O8 - Extra context menu item: Scarica usando &BitComet - res://C:\Programmi\BitComet\BitComet.exe/AddLink.htm
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
 O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
 O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Programmi\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
 O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
 O17 - HKLM\System\CCS\Services\Tcpip\..\{35E791C8-14E9-4EFB-9C80-6E80DFE0EADE}: NameServer = 85.37.17.16 85.38.28.68
 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
 O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
 O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
 O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
 
 --
 End of file - 7381 bytes

TheHawk (Eroe)
Registered: 13/05/07 20:08
Posts: 61

Posted: 18 Feb 2008 22:05
I tried downloading MSNFix and ran a scan with ComboFix, but every so often the Avast alert comes back. This makes 3 times it has come back:
C:\Documents and Settings\Unico\Impostazioni locali\Temporary Internet Files\Content.IE5\GDABW9UF\rim1[1].exe\[UPX]


I'm also attaching the ComboFix log.
 
 ComboFix 08-02-18.1 - Unico 2008-02-18 20.59.38.1 - NTFSx86
 Microsoft Windows XP Professional  5.1.2600.2.1252.1.1040.18.388 [GMT 1:00]
 Eseguito da: C:\Documents and Settings\Unico\Desktop\ComboFix.exe
 * Creato nuovo punto di ripristino
 
 WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
 .
 
 (((((((((((((((((((((((((   Files Creati Da 2008-01-18 al 2008-02-18  )))))))))))))))))))))))))))))))))))
 .
 
 2008-02-18 19:35 . 2008-02-18 20:58	<DIR>	d--------	C:\Programmi\a-squared Anti-Malware
 2008-02-18 18:57 . 2008-02-18 13:54	77,824	-r-hs----	C:\WINDOWS\system32\poolsc.exe
 2008-02-18 11:44 . 2008-02-18 11:44	<DIR>	d--------	C:\Programmi\Yetisports
 2008-02-16 15:39 . 2008-02-16 15:45	<DIR>	d--------	C:\Documents and Settings\Unico\Dati applicazioni\kctmon
 2008-02-15 16:36 . 2008-02-18 08:14	<DIR>	d--------	C:\Programmi\CodeStuff
 2008-02-11 16:20 . 2008-02-11 16:20	<DIR>	d--------	C:\Programmi\UltraGet Video Downloader
 2008-02-11 16:20 . 2008-02-11 16:21	<DIR>	d--------	C:\Documents and Settings\Unico\Dati applicazioni\UltraGet
 2008-02-07 18:31 . 2008-02-07 18:31	<DIR>	d--------	C:\Programmi\Veoh Networks
 2008-02-07 18:30 . 2008-02-07 18:30	<DIR>	d--------	C:\WINDOWS\Downloaded Installations
 2008-02-04 19:22 . 2003-06-19 01:31	17,920	--a------	C:\WINDOWS\system32\mdimon.dll
 2008-02-04 19:21 . 2008-02-04 19:21	<DIR>	d--------	C:\Programmi\Microsoft.NET
 2008-01-27 15:39 . 2008-01-27 15:40	<DIR>	d--------	C:\Programmi\BitComet
 2008-01-27 15:39 . 2008-02-14 15:46	<DIR>	d--h-----	C:\Downloads
 2008-01-27 15:39 . 2008-01-27 15:39	2,560	--a------	C:\WINDOWS\system32\bitcometres.dll
 2008-01-27 11:55 . 2008-01-27 11:55	<DIR>	d--------	C:\Programmi\DNA
 2008-01-27 11:55 . 2008-02-15 22:30	<DIR>	d--------	C:\Documents and Settings\Unico\Dati applicazioni\DNA
 2008-01-27 11:55 . 2008-01-27 12:00	<DIR>	d--------	C:\Documents and Settings\Unico\Dati applicazioni\BitTorrent
 2008-01-19 17:22 . 2008-01-31 16:38	<DIR>	d--h-----	C:\My Downloads
 
 .
 ((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 2008-02-18 19:39	---------	d-----w	C:\Programmi\eMule
 2008-02-17 20:45	---------	d---a-w	C:\Documents and Settings\All Users\Dati applicazioni\TEMP
 2008-02-09 17:05	---------	d-----w	C:\Documents and Settings\Unico\Dati applicazioni\dvdcss
 2008-02-09 06:41	---------	d-----w	C:\Programmi\Mu Fight
 2008-02-07 17:32	---------	d--h--w	C:\Programmi\InstallShield Installation Information
 2008-02-04 18:31	22,328	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
 2008-02-04 18:31	107,832	----a-w	C:\WINDOWS\system32\PnkBstrB.exe
 2008-01-29 12:26	---------	d-----w	C:\Programmi\softnyx
 2008-01-18 12:29	---------	d-----w	C:\Programmi\Activision
 2008-01-16 16:25	---------	d-----w	C:\Documents and Settings\Unico\Dati applicazioni\teamspeak2
 2008-01-14 14:23	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\NVIDIA
 2008-01-13 13:55	66,872	----a-w	C:\WINDOWS\system32\PnkBstrA.exe
 2008-01-13 11:36	22,328	----a-w	C:\Documents and Settings\Unico\Dati applicazioni\PnkBstrK.sys
 2008-01-11 12:14	---------	d-----w	C:\Documents and Settings\Unico\Dati applicazioni\Xfire
 2008-01-09 18:13	19,120	----a-w	C:\Documents and Settings\Unico\Dati applicazioni\GDIPFONTCACHEV1.DAT
 2008-01-05 09:26	---------	d-----w	C:\Documents and Settings\Unico\Dati applicazioni\Ahead
 2008-01-01 17:36	---------	d-----w	C:\Programmi\MSN Messenger
 2008-01-01 17:36	---------	d-----w	C:\Programmi\Messenger Plus! Live
 2007-12-28 16:47	---------	d-----w	C:\Programmi\Xfire
 2007-12-25 08:21	---------	d-----w	C:\Documents and Settings\Unico\Dati applicazioni\Samsung
 2007-12-25 08:18	---------	d-----w	C:\Programmi\Samsung
 2007-12-25 08:17	---------	d-----w	C:\Programmi\File comuni\Adobe
 2007-12-24 18:49	---------	d-----w	C:\Programmi\Google
 2007-12-24 10:20	---------	d-----w	C:\Programmi\Real Alternative
 2007-12-24 10:08	---------	d-----w	C:\Documents and Settings\Unico\Dati applicazioni\Media Player Classic
 2007-12-04 13:04	837,496	----a-w	C:\WINDOWS\system32\aswBoot.exe
 2007-12-04 12:54	95,608	----a-w	C:\WINDOWS\system32\AvastSS.scr
 2007-12-02 09:09	674,600	----a-w	C:\WINDOWS\system32\pbsvc.exe
 .
 
 (((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 .
 REGEDIT4
 *Nota* i valori vuoti & legittimi/default non sono visualizzati.
 
 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
 "SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 00:04 1415824]
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 08:19 7626752]
 "nwiz"="nwiz.exe" [2006-07-12 08:19 1519616 C:\WINDOWS\system32\nwiz.exe]
 "SkyTel"="SkyTel.EXE" [2006-05-16 09:04 2879488 C:\WINDOWS\SkyTel.exe]
 "RTHDCPL"="RTHDCPL.EXE" [2006-06-01 07:48 16208384 C:\WINDOWS\RTHDCPL.exe]
 "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
 "CnxTrApp"="C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll" [2004-04-20 16:24 247296]
 "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
 "SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
 "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [ ]
 "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-12 08:19 86016]
 
 [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
 "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]
 
 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
 "BitTorrent DNA"="C:\Programmi\DNA\btdna.exe"
 "Veoh"="C:\Programmi\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
 "QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" -atboottime
 
 
 *Newly Created Service* - MCHINJDRV
 .
 **************************************************************************
 
 catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
 Rootkit scan 2008-02-18 21:00:46
 Windows 5.1.2600 Service Pack 2 NTFS
 
 scansione processi nascosti ...
 
 scansione entrate autostart nascoste ...
 
 Scansione files nascosti ...
 
 Scansione completata con successo
 Files nascosti: 0
 
 **************************************************************************
 .
 Ora fine scansione: 2008-02-18 21.01.07

baciami (Semidio)
Registered: 02/09/07 15:40
Posts: 287
Location: toscana

Posted: 18 Feb 2008 22:41
You have an unknown process: C:\WINDOWS\system32\poolsc.exe
Do you know it?
The rest is all ok.
Run SystemScan, click here----> http://forum.zeusnews.com/viewtopic.php?p=210548
Put the result here---->  http://www.freefilehosting.net
and post it.
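The check baciami made by eye (a running process that no startup or service entry accounts for, and that ComboFix lists as a freshly created hidden+system file in system32) can be automated. The script below is an added example written for this thread; it is not code from the thread, from HijackThis or from ComboFix. It parses the "Running processes" list and the O4/O23 entries of a HijackThis log, parses a ComboFix "created files" listing, and reports the entries a reviewer would want to look at first. The baseline list of core Windows XP binaries and the sample log excerpts are constructed for the example (the excerpts reuse a few lines from the logs posted above).

```python
"""Triage helper for HijackThis + ComboFix logs (added example, not the tools' own code)."""
import re

# Constructed baseline: Windows XP core binaries that normally run without an
# O4/O23 entry. Assumption for the example, not an exhaustive list.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe", "ctfmon.exe",
}

# First drive-letter path ending in .exe/.dll inside an O4 or O23 line; paths
# with spaces are fine because the match stops at the extension, not at a space.
_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)", re.IGNORECASE)

# ComboFix "created files" line: created . modified  size|<DIR>  attrs  path
_CF_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$"
)

# Constructed excerpt of the HijackThis log posted above (not the full file).
HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\poolsc.exe
C:\Programmi\Hijackthis\HiJackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Constructed excerpt of the ComboFix listing above; ComboFix separates the
# columns with tabs, the regex accepts any whitespace so spaces work too.
COMBOFIX_LISTING = r"""
2008-02-18 18:57 . 2008-02-18 13:54    77,824    -r-hs----    C:\WINDOWS\system32\poolsc.exe
2008-02-18 11:44 . 2008-02-18 11:44    <DIR>     d--------    C:\Programmi\Yetisports
2008-01-27 15:39 . 2008-01-27 15:39    2,560     --a------    C:\WINDOWS\system32\bitcometres.dll
"""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def running_processes(log: str) -> list[str]:
    """Full paths listed under 'Running processes:' up to the first blank line."""
    procs, active = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            active = True
            continue
        if active:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def startup_binaries(log: str) -> set[str]:
    """Lower-cased basenames of binaries referenced by O4 (autostart) and O23 (service) entries."""
    names = set()
    for line in log.splitlines():
        if line.startswith(("O4 ", "O23 ")):
            m = _PATH_RE.search(line)
            if m:
                names.add(_basename(m.group(0)))
    return names


def unattributed_processes(log: str) -> list[str]:
    """Running processes (basenames) that are neither core binaries nor started by an O4/O23 entry."""
    known = CORE_PROCESSES | startup_binaries(log)
    return [_basename(p) for p in running_processes(log) if _basename(p) not in known]


def suspicious_files(listing: str) -> list[str]:
    """Files under system32 that ComboFix lists with both hidden (h) and system (s) attributes."""
    hits = []
    for line in listing.splitlines():
        m = _CF_RE.match(line.strip())
        if not m:
            continue
        _created, _modified, size, attrs, path = m.groups()
        if size == "<DIR>":
            continue  # directories are reported with d-------- and are skipped
        if "h" in attrs and "s" in attrs and "\\system32\\" in path.lower():
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("Processes with no startup/service entry:", unattributed_processes(HJT_LOG))
    print("Hidden+system files created in system32:", suspicious_files(COMBOFIX_LISTING))
```

On the excerpt above the first function reports poolsc.exe and HiJackThis.exe (the scanner itself is expected to show up, since it was launched by hand and has no startup entry); the second reports only poolsc.exe. A process that is both unattributed and a freshly created hidden+system file in system32 is the combination worth asking about, which is exactly the question baciami raised.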

TheHawk (Eroe)
Registered: 13/05/07 20:08
Posts: 61

Posted: 19 Feb 2008 14:21
Here is the link to the SystemScan scan: http://www.freefilehosting.net/download/3c936
Anyway, last night I ran a few scans with Avast and did some cleanup with Registry Cleaner, and the problem seems to have gone away.


Thank you very much for your attention.

Sante62 (Dio maturo)
Registered: 27/06/07 17:55
Posts: 3477
Location: Floridia

Posted: 19 Feb 2008 19:49
The SystemScan log shows nothing strange... Now connect to the Kaspersky online scanner.
While it is downloading the files it needs, temporarily disable your antivirus. As soon as the PC scan starts, disconnect from the internet.
At the end, upload the result to www.freefilehosting.net and post here the link you are given, as indicated here.
Also get yourself a firewall, choosing one via this discussion.