Blacks84 (Dio maturo)
Registered: 26/04/07 14:50 Posts: 2446 Location: In the country washed by three seas and drained dry by Tremonti
Posted: 27 Mar 2008 11:37 Subject: Win32/Adware.Virtumonde
Here I am asking for help, damn it, from my work PC.
The antivirus is NOD32, and it reports having found the following application:
Win32/Adware.Virtumonde
I ran the antivirus scan several times, but it does not find it; it only gives me the warning that it has found malicious code.
I also ran scans with CCleaner and Spybot S&D, but nothing: the warning keeps appearing.
The operating system on the PC is MS Windows XP SP2.
Help please.
bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 27 Mar 2008 13:02
This is the punishment for the headbutts you give your defenceless monitor!!!!!
Joking aside, proceed as follows:
- Disable System Restore.
- Clean the temporary files with ATF-Cleaner and/or CCleaner.
- Download VundoFix and VirtumundoBegone and save them to the desktop.
- Run VundoFix.
Select Scan for Vundo and, when the scan has finished, choose Remove Vundo.
Click Yes and, when asked to restart the PC, answer OK.
After the reboot, Notepad should open with the log inside; copy its contents and post them on the forum.
- Now boot into Safe Mode.
Run VirtumundoBeGone and follow the on-screen instructions.
Restart the PC in normal mode and post the log.
- Follow the instructions in this topic to post the ComboFix log.
- Follow the instructions in this topic to post the HijackThis log.
Blacks84 (Dio maturo)
Registered: 26/04/07 14:50 Posts: 2446 Location: In the country washed by three seas and drained dry by Tremonti
Posted: 27 Mar 2008 14:38
I'd gladly give a headbutt to the virus that infected my PC.
So:
System Restore disabled.
Cleaned with CCleaner.
Downloaded VundoFix and VirtumundoBegone.
Ran VundoFix, but it found nothing.
After running VirtumundoBegone in Safe Mode, a blue screen appeared with the following message:
Code:
Stop:0000021a[errore irreversibile di sistema
Processo di sistema windows logon process terminato in modo inatteso con stato do 0X000000001
Il sistema è stato chiuso
The VirtumundoBegone log is as follows:
[03/27/2008, 13:03:29] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\provera\Desktop\VirtumundoBeGone.exe" )
[03/27/2008, 13:03:38] - Detected System Information:
[03/27/2008, 13:03:38] - Windows Version: 5.1.2600, Service Pack 2
[03/27/2008, 13:03:38] - Current Username: Administrator (Admin)
[03/27/2008, 13:03:39] - Windows is in SAFE mode with Networking.
[03/27/2008, 13:03:39] - Searching for Browser Helper Objects:
[03/27/2008, 13:03:39] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/27/2008, 13:03:39] - BHO 2: {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} ()
[03/27/2008, 13:03:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2008, 13:03:39] - Checking for HKLM\...\Winlogon\Notify\ljjgffe
[03/27/2008, 13:03:39] - Found: HKLM\...\Winlogon\Notify\ljjgffe - This is probably Virtumundo.
[03/27/2008, 13:03:39] - Assigning {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} MSEvents Object
[03/27/2008, 13:03:39] - BHO list has been changed! Starting over...
[03/27/2008, 13:03:39] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/27/2008, 13:03:39] - BHO 2: {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} (MSEvents Object)
[03/27/2008, 13:03:39] - ALERT: Found MSEvents Object!
[03/27/2008, 13:03:39] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[03/27/2008, 13:03:39] - BHO 4: {6102ED2E-92D4-4D17-9FB1-FD38A7DC4693} ()
[03/27/2008, 13:03:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2008, 13:03:39] - Checking for HKLM\...\Winlogon\Notify\mlljk
[03/27/2008, 13:03:39] - Key not found: HKLM\...\Winlogon\Notify\mlljk, continuing.
[03/27/2008, 13:03:39] - BHO 5: {9509a370-c7c6-4a9e-956a-8755359c7f4c} ()
[03/27/2008, 13:03:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2008, 13:03:39] - Checking for HKLM\...\Winlogon\Notify\cytfvwnv
[03/27/2008, 13:03:39] - Key not found: HKLM\...\Winlogon\Notify\cytfvwnv, continuing.
[03/27/2008, 13:03:39] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/27/2008, 13:03:39] - BHO 7: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[03/27/2008, 13:03:39] - Finished Searching Browser Helper Objects
[03/27/2008, 13:03:39] - *** Detected MSEvents Object
[03/27/2008, 13:03:39] - Trying to remove MSEvents Object...
[03/27/2008, 13:03:40] - Terminating Process: IEXPLORE.EXE
[03/27/2008, 13:03:40] - Terminating Process: RUNDLL32.EXE
[03/27/2008, 13:03:40] - Disabling Automatic Shell Restart
[03/27/2008, 13:03:41] - Terminating Process: EXPLORER.EXE
[03/27/2008, 13:03:41] - Suspending the NT Session Manager System Service
[03/27/2008, 13:03:41] - Terminating Windows NT Logon/Logoff Manager
[03/27/2008, 13:03:41] - Re-enabling Automatic Shell Restart
[03/27/2008, 13:03:41] - File to disable: C:\WINDOWS\system32\ljjgffe.dll
[03/27/2008, 13:03:41] - Renaming C:\WINDOWS\system32\ljjgffe.dll -> C:\WINDOWS\system32\ljjgffe.dll.vir
[03/27/2008, 13:03:41] - File successfully renamed!
[03/27/2008, 13:03:41] - Removing HKLM\...\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
[03/27/2008, 13:03:41] - Removing HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
[03/27/2008, 13:03:41] - Adding Kill Bit for ActiveX for GUID: {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
[03/27/2008, 13:03:41] - Deleting ATLEvents/MSEvents Registry entries
[03/27/2008, 13:03:41] - Removing HKLM\...\Winlogon\Notify\ljjgffe
[03/27/2008, 13:03:41] - Searching for Browser Helper Objects:
[03/27/2008, 13:03:41] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/27/2008, 13:03:42] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[03/27/2008, 13:03:42] - BHO 3: {6102ED2E-92D4-4D17-9FB1-FD38A7DC4693} ()
[03/27/2008, 13:03:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2008, 13:03:42] - Checking for HKLM\...\Winlogon\Notify\mlljk
[03/27/2008, 13:03:42] - Key not found: HKLM\...\Winlogon\Notify\mlljk, continuing.
[03/27/2008, 13:03:42] - BHO 4: {9509a370-c7c6-4a9e-956a-8755359c7f4c} ()
[03/27/2008, 13:03:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2008, 13:03:42] - Checking for HKLM\...\Winlogon\Notify\cytfvwnv
[03/27/2008, 13:03:42] - Key not found: HKLM\...\Winlogon\Notify\cytfvwnv, continuing.
[03/27/2008, 13:03:42] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/27/2008, 13:03:42] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[03/27/2008, 13:03:42] - Finished Searching Browser Helper Objects
[03/27/2008, 13:03:42] - Finishing up...
[03/27/2008, 13:03:42] - A restart is needed.
[03/27/2008, 13:03:42] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[03/27/2008, 13:03:50] - Attempting to Restart via STOP error (Blue Screen!)
HJT, on the other hand, gave me this:
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\SkypeLink\SkypeLink.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.italnolo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [8400459d] rundll32.exe "C:\WINDOWS\system32\qnwtbxou.dll",b
O4 - HKLM\..\Run: [BM87337601] Rundll32.exe "C:\WINDOWS\system32\unrgkugs.dll",s
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeLink] C:\Programmi\SkypeLink\SkypeLink.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Programmi\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Programmi\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7DA4ACD-E898-4402-A2BD-0E31651104C5}: NameServer = 151.99.125.1,151.99.0.100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://www.inter.it/media/_icodefault.jpg
--
End of file - 5183 bytes
Is ComboFix needed as well?
Thanks bdorianoooooo!!!!!
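The HijackThis log above is read by eye in the thread; the following is an added example (not part of the thread, and not code from HijackThis or its authors) that applies the same three checks a log helper applies first: `O4` Run entries where `rundll32.exe` loads a DLL out of `system32` at logon, `O2` browser helper objects registered without a name, and `O15` hosts added to the Internet Explorer Trusted Zone. The log excerpt is constructed from lines of the posted log plus one constructed unnamed-BHO line; names such as `triage` and `Finding` are the example's own.

```python
"""Triage helper for HijackThis-style logs (added example, constructed input)."""
import re
from dataclasses import dataclass

# Constructed excerpt: O4/O15/O23 lines mirror the log posted in the thread,
# the unnamed O2 BHO line is constructed for the example.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6102ED2E-92D4-4D17-9FB1-FD38A7DC4693} - C:\WINDOWS\system32\mlljk.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [8400459d] rundll32.exe "C:\WINDOWS\system32\qnwtbxou.dll",b
O4 - HKLM\..\Run: [BM87337601] Rundll32.exe "C:\WINDOWS\system32\unrgkugs.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
"""


@dataclass
class Finding:
    section: str   # HJT section the line came from (O2, O4, O15)
    reason: str    # why it was flagged
    detail: str    # the DLL path, CLSID or host that was flagged


O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<host>\S+)$')
DLL_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.dll)', re.I)


def rundll32_target(cmd):
    """Return the DLL path a rundll32 command line loads, or None if the
    command is not rundll32 (or no DLL path can be extracted)."""
    if not re.match(r'^"?rundll32(\.exe)?"?\s', cmd, re.I):
        return None
    m = DLL_RE.search(cmd)
    return m.group(1) if m else None


def triage(log_text):
    """Scan an HJT log and return the entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            dll = rundll32_target(m.group('cmd'))
            if dll and '\\system32\\' in dll.lower():
                findings.append(Finding('O4', 'rundll32 loads a DLL from system32 at logon', dll))
            continue
        m = O2_RE.match(line)
        if m and m.group('name').strip().lower() == '(no name)':
            findings.append(Finding('O2', 'BHO registered without a name', m.group('clsid')))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(Finding('O15', 'host added to the IE Trusted Zone', m.group('host')))
    return findings


def flagged_details(log_text, section):
    """Sorted list of the flagged details for one HJT section."""
    return sorted(f.detail for f in triage(log_text) if f.section == section)


if __name__ == '__main__':
    for f in triage(SAMPLE_HJT_LOG):
        print(f'{f.section:<4} {f.reason}: {f.detail}')
```

Run on the constructed excerpt the script reports the two `rundll32`-loaded DLLs, the unnamed BHO's CLSID and the two Trusted Zone hosts, and nothing for the NOD32 and ctfmon entries; on a real log the flagged items are leads to confirm against the VirtumundoBeGone/ComboFix output, not a verdict on their own.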
bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 27 Mar 2008 16:57
Yes, ComboFix is needed too... it provides a few more details.
In addition to what you have already done, do the registry checks described in this other message.
Blacks84 (Dio maturo)
Registered: 26/04/07 14:50 Posts: 2446 Location: In the country washed by three seas and drained dry by Tremonti
Posted: 27 Mar 2008 17:46
Yes boss, as soon as I can I'll post the ComboFix results too.
As for the registry check, in the first key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options there is neither explorer.exe nor iexplore.exe.
As for the second key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
the Userinit entry shows the following values:
Name: Userinit
Type: REG_SZ
Data: C:\WINDOWS\system32\userinit.exe, (with the trailing comma)
bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 27 Mar 2008 17:50
OK, the registry keys are fine.
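The two registry checks just confirmed (no Debugger entry under Image File Execution Options for explorer.exe or iexplore.exe, and a Userinit value that names only userinit.exe) and the Winlogon\Notify correlation that VirtumundoBeGone performed in the log above are the same kind of integrity check. As an added example, not from the thread or from any of the tools it mentions, the code below encodes all three against a registry snapshot held in plain Python data, so it runs anywhere: the `CLEAN` snapshot mirrors what the poster reported, the `INFECTED` snapshot is constructed (the `example_extra.exe` and `example_debugger.exe` paths are placeholders) and models the state the VirtumundoBeGone log describes; `RegistrySnapshot`, `assess` and the other names are the example's own.

```python
"""Winlogon / IFEO integrity checks on a registry snapshot (added example)."""
import ntpath
from dataclasses import dataclass

EXPECTED_USERINIT = r'C:\WINDOWS\system32\userinit.exe'


@dataclass
class RegistrySnapshot:
    userinit: str            # data of HKLM\...\Winlogon\Userinit (REG_SZ)
    ifeo_debuggers: dict     # IFEO subkey name -> its Debugger value, if any
    winlogon_notify: list    # subkey names under HKLM\...\Winlogon\Notify
    unnamed_bho_dlls: list   # DLL paths of BHOs that have no default name


def check_userinit(data, expected=EXPECTED_USERINIT):
    """Userinit is a comma-separated list and every entry runs at logon.
    Returns the entries that are not the expected userinit.exe (empty = clean)."""
    entries = [e.strip() for e in data.split(',') if e.strip()]
    return [e for e in entries if e.lower() != expected.lower()]


def check_ifeo(ifeo_debuggers, watched=('explorer.exe', 'iexplore.exe')):
    """A Debugger value under IFEO\\<exe> makes Windows launch that 'debugger'
    in place of the program. Returns {exe: debugger} for the watched programs."""
    return {exe: dbg for exe, dbg in ifeo_debuggers.items()
            if exe.lower() in watched and dbg}


def correlate_notify_with_bhos(winlogon_notify, unnamed_bho_dlls):
    """The heuristic VirtumundoBeGone applied in the posted log: an unnamed BHO
    whose DLL basename also exists as a Winlogon\\Notify subkey is suspect."""
    notify = {name.lower() for name in winlogon_notify}
    hits = []
    for dll in unnamed_bho_dlls:
        stem = ntpath.splitext(ntpath.basename(dll))[0].lower()
        if stem in notify:
            hits.append((dll, stem))
    return hits


def assess(snap):
    """Run all three checks and summarise them in one report dict."""
    report = {
        'userinit_extra': check_userinit(snap.userinit),
        'ifeo_hijacks': check_ifeo(snap.ifeo_debuggers),
        'notify_bho_pairs': correlate_notify_with_bhos(snap.winlogon_notify,
                                                       snap.unnamed_bho_dlls),
    }
    report['clean'] = not (report['userinit_extra']
                           or report['ifeo_hijacks']
                           or report['notify_bho_pairs'])
    return report


# Constructed snapshots. CLEAN mirrors what the poster reported (stock XP
# Notify subkeys); INFECTED is modelled on the VirtumundoBeGone log.
CLEAN = RegistrySnapshot(
    userinit=r'C:\WINDOWS\system32\userinit.exe,',
    ifeo_debuggers={},
    winlogon_notify=['crypt32chain', 'cryptnet', 'ScCertProp', 'Schedule'],
    unnamed_bho_dlls=[],
)
INFECTED = RegistrySnapshot(
    userinit=r'C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example_extra.exe',  # placeholder
    ifeo_debuggers={'explorer.exe': r'C:\WINDOWS\system32\example_debugger.exe'},        # placeholder
    winlogon_notify=['crypt32chain', 'ljjgffe'],
    unnamed_bho_dlls=[r'C:\WINDOWS\system32\ljjgffe.dll', r'C:\WINDOWS\system32\mlljk.dll'],
)

if __name__ == '__main__':
    for label, snap in (('clean', CLEAN), ('infected', INFECTED)):
        print(label, assess(snap))
```

On a live Windows machine the snapshot fields would be filled from `reg query` output or the `winreg` module; keeping the checks pure functions of the snapshot is what makes them testable offline and reusable on exported hives.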
Blacks84 (Dio maturo)
Registered: 26/04/07 14:50 Posts: 2446 Location: In the country washed by three seas and drained dry by Tremonti
Posted: 27 Mar 2008 19:48
Oh yeahhh..... thanks bdorianooooo
Here is the ComboFix log
ComboFix 08-03-26.1 - provera 2008-03-27 18.34.12.1 - NTFSx86
Eseguito da: C:\Documents and Settings\provera\Desktop\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM87337601.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cytfvwnv.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\kjllm.ini
C:\WINDOWS\SYSTEM32\kjllm.ini2
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\qnwtbxou.dll
C:\WINDOWS\system32\unrgkugs.dll
C:\WINDOWS\SYSTEM32\uoxbtwnq.ini
.
((((((((((((((((((((((((( Files Creati Da 2008-02-27 al 2008-03-27 )))))))))))))))))))))))))))))))))))
.
2008-03-27 13:13 . 2008-03-27 13:17 <DIR> d-------- C:\HiJackThis
2008-03-27 13:12 . 2008-03-27 13:12 318,369 --a------ C:\HiJackThis.zip
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-03-27 13:00 . 2008-03-27 18:37 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2008-03-27 13:00 . 2004-01-20 01:41 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Symantec
2008-03-27 13:00 . 2004-01-20 01:43 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Sonic
2008-03-27 13:00 . 2004-01-20 01:41 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-03-27 12:55 . 2008-03-27 12:55 <DIR> d-------- C:\VundoFix Backups
2008-03-25 17:00 . 2008-03-25 17:00 <DIR> d-------- C:\Programmi\CCleaner
2008-03-25 13:36 . 2008-03-25 13:35 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-25 13:36 . 2008-03-25 13:36 2,545 --a------ C:\WINDOWS\unins000.dat
2008-03-25 08:11 . 2008-03-25 08:11 38,400 --a------ C:\WINDOWS\SYSTEM32\ljjgffe.dll.vir
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 17:21 --------- d-----w C:\Documents and Settings\provera\Dati applicazioni\Skype
2008-03-27 15:02 --------- d-----w C:\Documents and Settings\provera\Dati applicazioni\skypePM
2008-03-27 12:55 --------- d-----w C:\Documents and Settings\provera\Dati applicazioni\AdobeUM
2008-03-25 16:07 --------- d-----w C:\Programmi\Microsoft AntiSpyware
2008-03-25 13:41 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-03-25 13:34 --------- d-----w C:\Programmi\Windows Live
2008-03-25 13:33 --------- d-----w C:\Programmi\File comuni\Real
2008-03-25 13:31 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-03-25 13:26 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-03-13 13:45 --------- d-----w C:\Programmi\QuickTime
2008-02-25 11:55 --------- d-----w C:\Programmi\Windows Media Connect 2
2008-02-08 06:46 --------- d-----w C:\Programmi\Eset
2008-02-05 15:50 --------- d-----w C:\Documents and Settings\provera\Dati applicazioni\Participatory Culture Foundation
2008-01-30 13:59 --------- d-----w C:\Programmi\File comuni\Adobe
2008-01-09 10:09 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2007-01-04 12:39 8,192 ----a-w C:\Documents and Settings\provera\ledbdunm.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programmi\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"SkypeLink"="C:\Programmi\SkypeLink\SkypeLink.exe" [2005-06-22 01:38 839680]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 06:47 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 14:37 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 14:19 118784]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"StorageGuard"="C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" [2003-02-13 02:01 155648]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2005-05-04 16:34 98304]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2007-05-07 16:29 949376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 23:39 15360]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
NkbMonitor.exe.lnk - C:\Programmi\Nikon\PictureProject\NkbMonitor.exe [2005-05-04 16:36:10 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-nrgyPlus]
C:\Programmi\E-nrgyPlus\E-nrgyPlus.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firefly]
C:\Program Files\Firefly\Firefly.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-07-12 14:35 473928 C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Programmi\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
.
Contenuto della cartella 'Scheduled Tasks'
"2008-03-27 14:16:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 18:39:44
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Ora fine scansione: 2008-03-27 18:43:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 17:43:45
16 Directory 30,519,291,904 byte disponibili
18 Directory 32,170,868,736 byte disponibili
.
2008-03-12 17:31:32 --- E O F ---
Blacks84 (Dio maturo)
Registered: 26/04/07 14:50 Posts: 2446 Location: In the country washed by three seas and drained dry by Tremonti
Posted: 27 Mar 2008 19:50
And here is the HJT log after ComboFix
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.49.50, on 27/03/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\SkypeLink\SkypeLink.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.italnolo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeLink] C:\Programmi\SkypeLink\SkypeLink.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Programmi\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Programmi\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7DA4ACD-E898-4402-A2BD-0E31651104C5}: NameServer = 151.99.125.1,151.99.0.100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://www.inter.it/media/_icodefault.jpg
--
End of file - 5402 bytes
bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 27 Mar 2008 21:20
Create a text file with the following instructions:
Code:
file::
C:\WINDOWS\SYSTEM32\ljjgffe.dll.vir
C:\Documents and Settings\provera\ledbdunm.exe
C:\Programmi\E-nrgyPlus\E-nrgyPlus.exe
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-nrgyPlus]
Save the file on the desktop with the name CFScript.txt and drag it onto the ComboFix icon, as shown below:
Wait patiently for it to finish without touching the keyboard, mouse or anything else.
Post the updated ComboFix and HijackThis logs.
- Disable your antivirus.
- Go to BitDefender (with IE) and run the full scan.
- Go to the Kaspersky online scanner and run the extended scan, as described here.
Save the scan result to a file (in HTML format), upload the file to Freefilehosting and post the link you are given here.
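The CFScript above tells ComboFix to delete four files (`file::`) and two registry keys (`registry::`, where the `[-KEY]` bracket syntax, as in a .reg file, removes the key). Every target in it was taken from the ComboFix log posted earlier, which is the discipline such a script needs: it only deletes what the log reported. The following added example (not from the thread, and not ComboFix's own code) parses a CFScript into a plan and cross-checks each target against a ComboFix log excerpt; both inputs are constructed here from the thread's text, with one extra placeholder path (`example_not_in_log.dll`) added to the script to show what an unbacked deletion looks like. `parse_cfscript` and `cross_check` are names chosen for the example.

```python
"""Parse a ComboFix CFScript and cross-check it against the ComboFix log (added example)."""
import re

# Constructed: the script from the thread plus one placeholder path that the log never mentions.
SAMPLE_CFSCRIPT = r"""
file::
C:\WINDOWS\SYSTEM32\ljjgffe.dll.vir
C:\Documents and Settings\provera\ledbdunm.exe
C:\Programmi\E-nrgyPlus\E-nrgyPlus.exe
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
C:\WINDOWS\system32\example_not_in_log.dll
registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-nrgyPlus]
"""

# Constructed excerpt of the lines in the posted ComboFix log that back the script.
SAMPLE_COMBOFIX_EXCERPT = r"""
2008-03-25 08:11 . 2008-03-25 08:11 38,400 --a------ C:\WINDOWS\SYSTEM32\ljjgffe.dll.vir
2007-01-04 12:39 8,192 ----a-w C:\Documents and Settings\provera\ledbdunm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-nrgyPlus]
C:\Programmi\E-nrgyPlus\E-nrgyPlus.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
"""

REG_LINE_RE = re.compile(r'\[(-?)(.+)\]')


def parse_cfscript(text):
    """Return {'file': [paths], 'registry': [{'key': ..., 'delete': bool}]}.
    Raises ValueError on a directive outside a section or a malformed key line."""
    plan = {'file': [], 'registry': []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in ('file::', 'registry::'):
            section = line[:-2].lower()          # strip the trailing '::'
            continue
        if section is None:
            raise ValueError(f'directive outside a section: {line!r}')
        if section == 'registry':
            m = REG_LINE_RE.fullmatch(line)
            if not m:
                raise ValueError(f'malformed registry line: {line!r}')
            plan['registry'].append({'key': m.group(2), 'delete': m.group(1) == '-'})
        else:
            plan['file'].append(line)
    return plan


def cross_check(plan, combofix_log):
    """Return the script targets that appear nowhere in the ComboFix log.
    An empty list means every deletion is backed by something the log reported."""
    log_lower = combofix_log.lower()
    unbacked = [p for p in plan['file'] if p.lower() not in log_lower]
    unbacked += [e['key'] for e in plan['registry'] if e['key'].lower() not in log_lower]
    return unbacked


if __name__ == '__main__':
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    print(f"{len(plan['file'])} file(s), {len(plan['registry'])} registry key(s)")
    for target in cross_check(plan, SAMPLE_COMBOFIX_EXCERPT):
        print('NOT BACKED BY LOG:', target)
```

The comparison is a plain case-insensitive substring match, which is enough for paths and keys copied verbatim from the log; a target that the check reports as unbacked is the one to look up again before the script is dragged onto ComboFix.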
Blacks84 (Dio maturo)
Registered: 26/04/07 14:50 Posts: 2446 Location: In the country washed by three seas and drained dry by Tremonti
Posted: 28 Mar 2008 09:53
Done the ComboFix operation.
Updated ComboFix log:
ComboFix 08-03-26.1 - provera 2008-03-28 8.41.39.2 - NTFSx86
Eseguito da: C:\Documents and Settings\provera\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\provera\Desktop\CFScript.txt
* Creato nuovo punto di ripristino
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Creati Da 2008-02-28 al 2008-03-28 )))))))))))))))))))))))))))))))))))
.
2008-03-27 13:13 . 2008-03-27 18:49 <DIR> d-------- C:\HiJackThis
2008-03-27 13:12 . 2008-03-27 13:12 318,369 --a------ C:\HiJackThis.zip
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-03-27 13:00 . 2008-03-27 18:43 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-03-27 13:00 . 2004-01-20 01:12 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2008-03-27 13:00 . 2004-01-20 01:41 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Symantec
2008-03-27 13:00 . 2004-01-20 01:43 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Sonic
2008-03-27 13:00 . 2004-01-20 01:41 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-03-27 12:55 . 2008-03-27 12:55 <DIR> d-------- C:\VundoFix Backups
2008-03-25 17:00 . 2008-03-25 17:00 <DIR> d-------- C:\Programmi\CCleaner
2008-03-25 13:36 . 2008-03-25 13:35 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-25 13:36 . 2008-03-25 13:36 2,545 --a------ C:\WINDOWS\unins000.dat
2008-03-25 08:11 . 2008-03-25 08:11 38,400 --a------ C:\WINDOWS\SYSTEM32\ljjgffe.dll.vir
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 07:38 --------- d-----w C:\Documents and Settings\provera\Dati applicazioni\Skype
2008-03-28 07:08 --------- d-----w C:\Documents and Settings\provera\Dati applicazioni\skypePM
2008-03-27 12:55 --------- d-----w C:\Documents and Settings\provera\Dati applicazioni\AdobeUM
2008-03-25 16:07 --------- d-----w C:\Programmi\Microsoft AntiSpyware
2008-03-25 13:41 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-03-25 13:34 --------- d-----w C:\Programmi\Windows Live
2008-03-25 13:33 --------- d-----w C:\Programmi\File comuni\Real
2008-03-25 13:31 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-03-25 13:26 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-03-13 13:45 --------- d-----w C:\Programmi\QuickTime
2008-02-25 11:55 --------- d-----w C:\Programmi\Windows Media Connect 2
2008-02-08 06:46 --------- d-----w C:\Programmi\Eset
2008-02-05 15:50 --------- d-----w C:\Documents and Settings\provera\Dati applicazioni\Participatory Culture Foundation
2008-01-30 13:59 --------- d-----w C:\Programmi\File comuni\Adobe
2008-01-11 05:32 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2008-01-09 10:09 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2007-01-04 12:39 8,192 ----a-w C:\Documents and Settings\provera\ledbdunm.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programmi\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"SkypeLink"="C:\Programmi\SkypeLink\SkypeLink.exe" [2005-06-22 01:38 839680]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 06:47 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 14:37 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 14:19 118784]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04 114741]
"StorageGuard"="C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" [2003-02-13 02:01 155648]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2005-05-04 16:34 98304]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2007-05-07 16:29 949376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 23:39 15360]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
NkbMonitor.exe.lnk - C:\Programmi\Nikon\PictureProject\NkbMonitor.exe [2005-05-04 16:36:10 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firefly]
C:\Program Files\Firefly\Firefly.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-07-12 14:35 473928 C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Programmi\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
S3 ATHENUSB;ATHENUSB;C:\WINDOWS\system32\drivers\AthenUsb.sys [2002-09-11 14:06]
S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\provera\IMPOST~1\Temp\DMSKSSRh.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 14:16:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 08:44:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
and the updated HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8.50.23, on 28/03/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\Eset\nod32kui.exe
C:\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.italnolo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeLink] C:\Programmi\SkypeLink\SkypeLink.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Programmi\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Programmi\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7DA4ACD-E898-4402-A2BD-0E31651104C5}: NameServer = 151.99.125.1,151.99.0.100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://www.inter.it/media/_icodefault.jpg
--
End of file - 5396 bytes
As soon as I can I'll also run the scans with BitDefender and Kaspersky.
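As an added example (not part of the original post, and not HijackThis's own code), here is a small Python triage script for the HJT log format shown above. It reads the "Oxx - ..." lines and flags the ones a reviewer checks first: O15 Trusted Zone additions, O17 explicit DNS servers, entries whose target is marked `(file missing)`, and autostart binaries that live in Temp, the recycler or a profile root instead of Program Files or system32. The sample log is a constructed subset of the entries from the log above plus one invented O4 line (`example.exe` under Temp) so the suspicious-location rule has something to fire on; the directory lists are assumptions for an Italian-locale XP box.

```python
"""Triage helper for HijackThis-style logs (added example, not HJT's own code).

It reads the "Oxx - ..." lines HijackThis prints and flags the ones a reviewer
checks first. It does not decide what is malicious; it orders the manual review.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories where autostart binaries normally live. Assumption for an
# Italian-locale Windows XP box ("Programmi" is Program Files); extend the
# tuple for other locales or installations.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\network diagnostic",
    r"c:\programmi",
    r"c:\progra~1",
    r"c:\program files",
)

# Locations where a persistent autostart binary should not live: any Temp
# directory (IMPOST~1 is the 8.3 name of "Impostazioni locali"), the recycler,
# or a file dropped directly into a user-profile root.
SUSPECT_PATTERNS = [
    re.compile(r"\\temp\\"),
    re.compile(r"\\impost~1\\"),
    re.compile(r"^c:\\recycler\\"),
    re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.(?:exe|dll|sys)$"),
]

LINE_RE = re.compile(r"^(?P<kind>[ORFN]\d+)\s+-\s+(?P<body>.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|ocx|scr|cpl))(?=["\s]|$)', re.I)


@dataclass
class Finding:
    kind: str     # HJT section, e.g. "O4"
    reason: str   # why a human should look at it
    line: str     # the original log line


def triage(log_text: str) -> List[Finding]:
    """Return the log lines worth a manual look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # process list, headers, "End of file"
        kind, body = m.group("kind"), m.group("body")
        if kind == "O15":
            findings.append(Finding(kind, "Trusted Zone entry: confirm it was added on purpose", line))
        elif kind == "O17":
            findings.append(Finding(kind, "Explicit DNS server: confirm it belongs to your ISP or LAN", line))
        elif "(file missing)" in body:
            findings.append(Finding(kind, "Target no longer exists: orphaned entry, safe to fix", line))
        else:
            for path in (p.lower() for p in PATH_RE.findall(body)):
                if any(pat.search(path) for pat in SUSPECT_PATTERNS):
                    findings.append(Finding(kind, "Autostart from Temp, recycler or profile root", line))
                    break
                if not path.startswith(TRUSTED_ROOTS):
                    findings.append(Finding(kind, "Binary outside Program Files / system32", line))
                    break
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged lines per HJT section."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: a subset of the entries from the log above, plus one
# invented O4 line ("example.exe" under Temp) so the suspicious-location
# rule has something to fire on.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [example] C:\DOCUME~1\provera\IMPOST~1\Temp\example.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7DA4ACD-E898-4402-A2BD-0E31651104C5}: NameServer = 151.99.125.1,151.99.0.100
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

The script only orders the review: the two O15 wildcard domains are reported so the machine's owner can say whether they added them, the O17 servers so they can be checked against the ISP's, and the `(file missing)` entries are listed because they are the harmless leftovers HijackThis can fix without risk.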

bdoriano, Administrator
Posted: 28 Mar 2008 11:53
I see that combofix didn't manage to delete a couple of files.
Let's wait and see the other logs.
I forgot: run this scan with RogueRemoverFree and also run a SuperAntiSpyware scan.

Blacks84
Posted: 29 Mar 2008 11:59
RogueRemoverFree - RogueRemover did not detected any items.
SuperAntiSpyware found a lot of junk.
I'll run the two scans you told me about and post them.
Thanks bdo

Blacks84
Posted: 31 Mar 2008 12:58
Online scan with BitDefender, the link:
http://www.freefilehosting.net/download/3edf5

Blacks84
Posted: 31 Mar 2008 14:28
Online scan with Kaspersky:
http://www.freefilehosting.net/download/3edic

bdoriano, Administrator
Posted: 31 Mar 2008 18:53
The logs only show viruses that were put in quarantine (rendered harmless).
Are you still having problems?

Blacks84
Posted: 31 Mar 2008 23:18
No, no more problems. Everything seems back to normal.
Thanks bdoriano.