Olimpo Informatico

[NEURI]

Salve a tutti.
Sono nuovo (non anagraficamente) ed ho questo problema:
Ho installato da diverso tempo Advanced Windows Care 3 beta 2.02.
L'ultima sessione (Security Analyzer) restituisce un report con una bella evidenziazione in rosso :
"Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus".
Questo problema lo riscntro sul PC in ufficio (un vero gabinetto da 256 MB e varie porcherie intorno) che però uso anche per interagire con le banche e quant'altro.
Ho provato ad usare svariati AV ma... nisba !
Mi sono documentato sul sito CastleCop e sembra che il problema sia generato da framework.
Ho avviato anche 'CiaoJack' (hijacjthis), ottenendo il solito report, ma essendo ignorante quasi come una suola di scarpa non so che pesci pigliare (e dire che sono un pescatore !)
Morale della frittata: qualcuno potrebbe darmi una mano ?
Quello che segue è quanto ha 'rimesso' CiaoJack.
Grato, saluto cordialmente. Neuri

Logfile of HijackThis v1.99.1
Scan saved at 13.27.51, on 19/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\Programmi\My Lockbox\flockbox.exe
C:\Programmi\Alwil Software\Avast4\ashDisp.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\Sup_SmartRAM.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Maurizio\Desktop\tools\Total Uninstall 4\TuAgent.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Maurizio\Dati applicazioni\UpdateStar\UpdateStar.exe
C:\Documents and Settings\Maurizio\Desktop\tools\IObit\SmartDefrag beta 5_01\IObit SmartDefrag.exe
C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\AWC.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Maurizio\Desktop\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webagenzie.sai.it/portale/wps/wcm/connect/Agenziasai.net/login
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sai.it:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [flockbox] C:\Programmi\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [avast!] "C:\Programmi\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\AWC.exe" /startup
O4 - HKCU\..\Run: [SmartRAM] "C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [Total Uninstall Agent] "C:\Documents and Settings\Maurizio\Desktop\tools\Total Uninstall 4\TuStarter.exe" "C:\Documents and Settings\Maurizio\Desktop\tools\Total Uninstall 4\TuAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Maurizio\MICROSOFT OFFICE\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Programmi\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Maurizio\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: *.fondiaria-sai.it
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.gruppofondiaria.it
O15 - Trusted Zone: *.gruppofondiariasai.it
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.milass.it
O15 - Trusted Zone: *.sai.it
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D7DE17DF-E22F-4FCB-AAE1-F7A8D390D5C3} (TTImageViewerX Control) - http://to1msap3.sai.it/TTImageViewer.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCA3A13B-4B46-427E-98F9-079B4620AB0F}: NameServer = 10.1.48.194,151.99.125.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe

edit by bdoriano: aggiunte alle informazioni

S.O. Widows XP SP2, AV AVAST 4.8 + SpyBot ->TeaTimer; scan con TUTTO: HJT, Bitdefender e vari altri
ho instalato (ed uso) CCleaner, ATF e AWC.

[bdoriano]

Ciao NEURI,

potrebbe anche essere un falso allarme.
Giusto per non sbagliare, fai le seguenti operazioni:

• Pulisci i files temporanei con ATF-Cleaner e/o CCleaner
  
• Fai una scansione cone Norman Malware Cleaner.
  
  • Scarica il programma
    
  • Avvia il pc in modalità provvisoria.
    
  • Avvia Norman Malware Cleaner e fagli fare la scansione completa.
    
  • Alla fine della scansione viene generato un log sul desktop chiamato NFix_2008-MM-gg_hh-mm-ss.log.
  
  
• Riavvia il computer in modalità normale
  
• Segui le istruzioni di questo topic per eseguire combofix.
  
• Riferisci con un nuovo messaggio in questa discussione dell'esito: se ci sono stati problemi particolari, ecc. ecc. E riporta:
  
  • Carica il log di Norman Malware Cleaner su FreeFileHosting come indicato qui e posta il link che ti viene assegnato
    
  • Il log di Combofix generalmente non è molto lungo, quindi postalo direttamente nel messaggio

PS: se vuoi, puoi presentarti qui

[NEURI]

Buon giorno a tutti.
Allora, tanto per cominciare, ho iniziato a scrivere 'BDORIANO MI FA NERO' prima della risposta all'HELP precedente, poi non nego di avere qualche quintale di lacune; certo che partire con una bella lavata di capo è sempre piacevole... ma almeno ci ho azzeccato: BDORIANO MI HA FATTO NERO !
Ho eseguito pedissequamente quanto indicato, con i seguenti risultati:
PROBLEMI 0, a parte alcuni tentativi segnalati da TeaTimer di modifiche di registro (negate x quel che non conoscevo)
Sono moderatamente allarmato da svariati 'Host entry' rimossi da Norman Malware Cleaner, del tipo 'www.adult777search.info' o 'www.adultan.com' etc, dei non comprendo la provenienza (se credete posso inviare il log salvato).
Il log restituito da FreeFileHosting è pari al log uploadato... dove ho sbagliato ? (anche qui ho seguito le istruzioni come un buon soldato).
COMBOFIX non ha dato problemi però ... ha un log lungo un Km, che comunque allego.
Grato, saluto cordialmente.
Neuri

ComboFix 08-05-15.3 - Maurizio 2008-05-20 9.26.20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.69 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Maurizio\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-04-20 al 2008-05-20 )))))))))))))))))))))))))))))))))))
.

2008-05-19 17:30 . 2008-05-19 18:46 514 --a------ C:\WINDOWS\axprmon.bak
2008-05-19 16:40 . 2008-05-19 16:40 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-05-19 16:40 . 2008-05-19 16:40 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-05-19 16:40 . 2003-12-02 21:37 <DIR> d-------- C:\Documents and Settings\Administrator\Menu Avvio
2008-05-19 16:40 . 2008-05-20 09:28 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-05-19 16:40 . 2008-03-26 11:13 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-05-19 16:40 . 2008-02-05 11:15 <DIR> d--h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-05-19 16:40 . 2008-05-19 16:40 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-19 16:40 . 2008-05-19 18:42 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT.LOG
2008-05-15 17:33 . 2008-05-15 17:34 <DIR> d-------- C:\Programmi\Garmin
2008-05-15 17:10 . 2008-05-15 17:10 <DIR> d-------- C:\Documents and Settings\Maurizio\Dati applicazioni\GARMIN
2008-05-13 17:49 . 2008-05-13 17:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 17:49 . 2008-05-13 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-05-13 14:16 . 2008-05-13 14:16 <DIR> d-------- C:\Documents and Settings\Maurizio\BackUp
2008-05-12 14:11 . 2008-05-12 14:11 <DIR> d-------- C:\Programmi\ESET
2008-05-06 15:15 . 2008-05-13 12:51 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-05 17:38 . 2008-05-06 14:44 <DIR> d-------- C:\WINDOWS\system32\bkEur01
2008-05-05 17:38 . 2008-05-05 17:38 <DIR> d-------- C:\Temp\maxsv15
2008-05-05 17:38 . 2008-05-20 09:14 <DIR> d-------- C:\Temp
2008-05-05 13:57 . 2008-05-05 13:57 <DIR> d-------- C:\Programmi\Alwil Software
2008-05-05 13:06 . 2008-05-05 13:06 <DIR> d-------- C:\Documents and Settings\NetworkService\Documenti
2008-04-30 14:35 . 2008-05-05 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Avira
2008-04-23 15:59 . 2008-05-20 09:14 <DIR> d-------- C:\Programmi\Microsoft Silverlight
2008-04-23 10:49 . 2008-04-23 10:49 <DIR> d-------- C:\Documents and Settings\Maurizio\viewone
2008-04-22 14:46 . 2008-04-22 14:46 <DIR> d-------- C:\Programmi\My Lockbox
2008-04-22 13:50 . 2007-12-13 20:13 17,264 --a------ C:\WINDOWS\system32\drivers\mprifl.sys
2008-04-22 09:37 . 2008-04-22 09:37 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Martau
2008-04-21 16:02 . 2008-05-05 15:30 <DIR> d-------- C:\Documents and Settings\Maurizio\Dati applicazioni\UpdateStar
2008-04-21 11:04 . 2008-04-21 11:05 <DIR> dr------- C:\Documents and Settings\LocalService\Preferiti
2008-04-21 09:19 . 2008-04-17 16:19 90,668 --a------ C:\WINDOWS\system32\vobis32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 15:26 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-05-19 07:19 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Google Updater
2008-05-08 13:02 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-05-05 13:02 --------- d-----w C:\Documents and Settings\Maurizio\Dati applicazioni\IObit
2008-05-05 11:49 --------- d-----w C:\Programmi\Avast4
2008-05-05 11:25 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-04-30 17:32 --------- d-----w C:\Programmi\Norton Security Scan
2008-04-24 07:26 --------- d-----w C:\Programmi\Hewlett-Packard
2008-04-22 17:06 --------- d-----w C:\Programmi\Google
2008-04-21 09:12 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-04-18 10:52 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-04-18 10:44 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-04-17 12:28 --------- d-----w C:\Programmi\Readiris Pro 9
2008-04-17 10:31 --------- d-----w C:\Programmi\hp
2008-04-17 09:33 --------- d--h--w C:\Programmi\Zero G Registry
2008-04-16 06:56 --------- d-----w C:\Documents and Settings\Maurizio\Dati applicazioni\ProcessLasso
2008-04-15 16:58 --------- d-----w C:\Programmi\QuickTime
2008-04-08 09:52 --------- d-----w C:\Programmi\Java
2008-04-08 09:49 --------- d-----w C:\Programmi\File comuni\Java
2008-03-31 09:51 --------- d-----w C:\Programmi\Microsoft Works
2008-03-31 09:30 --------- d-----w C:\Documents and Settings\Maurizio\Dati applicazioni\OfficeUpdate12
2008-03-31 09:17 --------- d-----w C:\Programmi\Microsoft.NET
2008-03-26 09:15 --------- d-----w C:\Programmi\File comuni\Adobe
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 12:49 524,288 -c--a-w C:\WINDOWS\opuc.dll
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,568 -c--a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_18.51.05.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 16:46:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 07:00:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 07:00:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_574.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-27 15:10 68856]
"Advanced WindowsCare 3"="C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\AWC.exe" [2008-04-28 10:05 1797632]
"SmartRAM"="C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\Sup_SmartRAM.exe" [2008-04-16 19:54 169984]
"Total Uninstall Agent"="C:\Documents and Settings\Maurizio\Desktop\tools\Total Uninstall 4\TuStarter.exe" [2008-04-13 09:26 372224]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-02-27 13:18 282624]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 15:19 4841472]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"flockbox"="C:\Programmi\My Lockbox\flockbox.exe" [2007-12-14 16:59 1071472]

C:\Documents and Settings\Maurizio\Menu Avvio\Programmi\Esecuzione automatica\
Webshots.lnk - C:\Programmi\Webshots\Launcher.exe [2007-05-30 14:21:48 63064]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Microsoft Office.lnk - C:\Maurizio\MICROSOFT OFFICE\Office\OSA9.EXE [1999-02-17 22:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\RealVNC\\WinVNC\\winvnc.exe"=
"C:\\Programmi\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Programmi\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Programmi\\Internet Explorer\\iexplore.exe"=

R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-12-13 20:13]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]

*Newly Created Service* - CATCHME
.
Contenuto della cartella 'Scheduled Tasks'
"2008-05-15 15:02:00 C:\WINDOWS\Tasks\AWC AutoCare.job"
- C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\AutoCare.ex
- C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\
"2008-05-20 07:00:45 C:\WINDOWS\Tasks\AWC AutoSweep.job"
- C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\AutoSweep.exe
"2008-05-07 18:00:36 C:\WINDOWS\Tasks\AWC Update.job"
- C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\IObitUpdate.ex
- C:\Documents and Settings\Maurizio\Desktop\tools\IObit\Advanced WindowsCare 3 Beta 2_02\
"2008-05-09 13:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Programmi\Norton Security Scan\Nss.exe
"2008-05-15 12:20:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
"2008-05-06 13:43:06 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Documents and Settings\Maurizio\Desktop\tools\Uniblue\SpyEraser\SpyEraser.exe
"2007-06-11 12:51:58 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Documents and Settings\Maurizio\Desktop\tools\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 09:28:25
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


folder error: C:\DOCUME~1\Maurizio\IMPOST~1\Temp\

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-05-20 9.30.12
ComboFix-quarantined-files.txt 2008-05-20 07:30:06
ComboFix2.txt 2008-05-19 16:51:37

14 Directory 26,896,343,040 byte disponibili
17 Directory 26,882,613,248 byte disponibili

160 --- E O F --- 2008-05-20 07:14:34

[NEURI]

Ops.... mi ero dimenticato il link:
NFix_2008-05-19_17-35-28_1211273117180.log
BDORIANO ... ehm... sgurgle ... (da piccolo leggevo TOPOLINO.
Cordialità
Neuri

[bdoriano]

[NEURI]

BDORIANO (Torquemada di soprannome ?), è da questa mattina che provo ad uplodare sia il report zippato che il txt a FFH ma sembra che il server abbia dei problemi; me lo confermi ? proverò domani, ora andrei a casa.
Grazie e buona serata.
Neuri

PS il 'gosh' mi ha estasiato !
PPS Domani sarà una giornata moooolto balorda; spero di riuscire a fare qualcosa.

[bdoriano]

Non so di problemi con FFH.

Puoi provare a caricare il log su wikisend.

[NEURI]

Altro PS: mi sono presentato, come da tuo velato consiglio, con 'RISPOSTA' ... credo di essere finito in ultima pagina.
Data l'evidenza della mia assolutamentetotalmentecompleta ignoranza, vai a leggertela: non ci crederai ma ho le prove; conservo ancora qualche Km di codice scritto.
Riciao

[NEURI]

Ciao BDORIANO, solo ora riesco ad entrare.
Con FFH non c'è niente da fare e non capisco perchè (ma non capisco un sacco di cose e, una +, una -.... praticamente sono un NULLOLOGO).
Nessun problema con WIKISEND: ecco il link:
report.txt

Quando avrai il responso (speriamo non ferale), ti prego di introdurlo con un 'AAARG' solo se mi trovo nel letame fino alle orecchie; il 'GULP' lo opzionerei per le perplessità.
Sempre grato
Neuri

[bdoriano]

Ehm... problemino...

il log risulta troncato a 64KB.

Di solito, SystemScan genera logs di circa 200KB.

[NEURI]

Porc... è vero; ho riprovato e blocca l'upload a 64K... e adesso ?
Senti, non mandarmi al diavolo: te lo carico qui di seguito; non è che mi potresti dire cosa cavolo succede ? c'è forse qualche superporcheria ? potrebbe essere la spiegazione dei prolemi con l'upload in FFH ?
Ci provo:

SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)

edit by bdoriano: log eliminato perché incompleto.
Non c'è la versione zippata?

[NEURI]

Porc... è vero; ho riprovato e blocca l'upload a 64K... e adesso ?
Senti, non mandarmi al diavolo: te lo carico qui di seguito; non è che mi potresti dire cosa cavolo succede ? c'è forse qualche superporcheria ? potrebbe essere la spiegazione dei prolemi con l'upload in FFH ?
Ci provo:

SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)

edit by bdoriano: log eliminato perché incompleto.

[NEURI]

roba da chiodi ! Si, c'è il file zippato ma non viene caricato; come posso mandartelo ? Vuoi che tenti di inviarti la parte mancante del log txt ?
Mi sto innervosendo io, mi immagino tu....

Neuri

[bdoriano]

Ho appena provato a inviare un file di 113KB zippato su FFH e su WikiSend e ha funzionato regolarmente.

Magari qualche problema di linea adsl?

Prova uno di questi altri:
FilesHost GigaSize MediaFire.com XZShare

[NEURI]

E' un dramma.... forse ce l'ho fatta con GigaSize; questo è il link:
link

Sono sfinito.
Attendo di rileggerti.

Ciao BDORIANO, buona serata
Neuri

PS su C.A.N.I. si è scatenata la bagarre.... non ci sono solo io, come vecchietto !

[bdoriano]

Stavolta il report è completo.

Ora, sii paziente che ci vuole del tempo per analizzarlo bene.

[NEURI]

[bdoriano]

Scusa NEURI, fine settimana pessimo, inizio settimana al fulmicotone...

Ho controllato il log che hai postato, ci sono alcune voci "incomplete" che mi fanno supporre un'infezione già risolta.

Per il resto, non ho notato presenze oscure.

Ho notato, invece, una iperattività da parte di AWC (nel senso che ci sono diversi tasks programmati a suo nome).

Per completezza di informazioni, puoi postare anche il log di AWC? (sempre se si può fare).

[NEURI]

Forse è un eccesso di zelo ma ... meglio 1in + che 1 in meno:
ti invio tutto quanto contenuto nel report di AWC; ho evidenziato in rosso il problema.
Per completezza: ho fatto scan con tutto, compreso DrWeb (che mi ha trovato svariati problemi (virus veri o presunti, e mi ha eliminato il VNC, sigh !).
Fai tu, quando puoi.
Grato
Neuri

P.S. fine settimana da schifo anche x me (non consola ma almeno non ti senti solo), compresa la Ferrari III e IX !
Segue report:

Security Analyzer Log File Analysis

The online application will automatically analyze your Security Analyzer log file, and give you recommendations based on the analysis. Please note they are far from perfect and should be used with extreme caution!!! So any changes you make to your PC are your own responsibility. This online application is always evolving. We keep making it better to recognize more malware!
Please note the log file of Security Analyzer is 100% compatible with HijackThis log. So you can save the report and submit it to any qualified online HijackThis log analyzer and HijackThis forum.

Tips:

1) Try Alternative Online Analyzer

2) If suspicious files or settings are found, you can use NOD32 Online Antivirus (Top, Free, Scan and Remove)
Type Status Entry Describe
Process System No Record
Process smss.exe Session Manager Subsystem
Process csrss.exe Client/Server Runtime Server Subsystem
Process winlogon.exe Windows Logon Process
Process services.exe Windows Service Controller
Process lsass.exe Local Security Service
Process svchost.exe Service Host Process
Process svchost.exe Service Host Process
Process svchost.exe Service Host Process
Process aswUpdSv.exe No Record
Process ashServ.exe No Record
Process spoolsv.exe Printer Spooler Service
Process BTNtService.exe No Record
Process svchost.exe Service Host Process
Process eac_productsvc.exe No Record
Process GoogleUpdaterService.exe No Record
Process MDM.EXE Machine Debug Manager
Process nvsvc32.exe NVIDIA Driver Helper Service
Process HPZipm12.exe No Record
Process explorer.exe Windows Explorer
Process ufdsvc.exe No Record
Process ashMaiSv.exe No Record
Process wmiprvse.exe No Record
Process ashWebSv.exe No Record
Process qttask.exe Quick Time Tray Icon
Process jusched.exe "jusched.exe" belongs to Java - this is an OS independent application environment.(http://java.sun.com: Java technology is a portfolio of products that are based on the power of networks and the idea that the same software should run on many different kinds of systems and devices.)
Process alg.exe Application-Level Gateways
Process flockbox.exe No Record
Process stopsignav.exe No Record
Process AWC.exe Advanced WindowsCare
Process Sup_SmartRAM.exe No Record
Process TeaTimer.exe No Record
Process ashDisp.exe No Record
Process GoogleToolbarNotifier.exe No Record
Process Webshots.scr No Record
Process station_bk.exe No Record
Process rundll32.exe Windows RUNDLL32 Helper
Process iexplore.exe Internet Explorer
Process svchost.exe Service Host Process
Process AWC.exe Advanced WindowsCare
Services aswUpdSv.exe Related to Avast AntiVirus
Services ashServ.exe Related to Avast AntiVirus
Services ashMaiSv.exe Related to Avast AntiVirus
Services ashWebSv.exe Related to AWIL Software http://www.avast.com/
Services BTNtService.exe BlueSoleil is a Bluetooth device manager for Windows. Made by the IVT_Corporation The file associated with this service is found in the Program Files\IVT Corporation\BlueSoleil folder.
Services ccSvcHst.exe Related to Symantec_Lic_NetConnect service. Note: Located in \%Program Files%\Common Files\Symantec Shared\
Services eac_svc.exe No Record
Services eac_productsvc.exe No Record
Services GoogleDesktop.exe Related to google desktop
Services GoogleUpdaterService.exe Related to Google_Updater_Service Note: Located in C:\Program Files\Google\Common\Google Updater\
Services nvsvc32.exe Related to NVIDIA drivers.
Services hpzipm12.exe Related to HP printers.
Services ufdsvc.exe USB flash drive driver
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Start UP startup No Record
Start UP m No Record
Start UP TeaTimer.exe TeaTimer is a permanent process and registry monitor of the Spybot S&D system protector which perpetually monitors the processes called/initiated. Detects processes wanting to start and gives you options on how to deal with this process in the future
Start UP ashDisp.exe Part of Avast! anti-virus software
Start UP GoogleToolbarNotifier.exe Companion to the Google Toolbar that lets you keep Google as your default search engine and prevents this setting from being changed without your consent. Shouldn't remain in memory after the feature is disabled as it's a bug - see here
Start UP rundll32.exe nview.dll No Record
Start UP nViewLoadHook No Record
Start UP qttask.exe -atboottime No Record
Start UP NvCpl.dll No Record
Start UP NvStartup No Record
Start UP install No Record
Start UP Reader_sl.exe Speeds up the launch of Adobe (Acrobat) Reader 7
Start UP jusched.exe Checks with Sun's Java updates site to see if newer Java versions are available. Visit http://java.sun.com or just run the Java Plug-In Control Panel
Start UP a No Record
Start UP b Startup No Record
Start UP sstsmon.dll No Record
Start UP VerifyStatus No Record
Start UP ssssmon.dll No Record
Start UP VerifyStatus No Record
Start UP stopsignav.exe -k No Record
BHO 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3 AcroIEhelper.ocx, AcroIEhelper.dll - Adobe Acrobat reader, http://www.adobe.com/products/acrobat/readstep2.html
BHO 53707962-6F74-2D53-2644-206D7942484F SDhelper.dll - SpyBot Search&Destroy, http://www.safer-networking.org/index.php
BHO 761497BB-D6F0-462C-B6EB-D4DAF1D92D43 ssv.dll - Related to Sun_Java_software, http://java.com/en/download/index.jsp
BHO AA58ED58-01DD-4d91-8333-CF10577473F7 googletoolbar.dll, googletoolbar*.dll, googlenav.dll, googletoolbar_en_*.**-big.dll, googletoolbar_en_*.*.**-deleon.dll - Google Toolbar, http://toolbar.google.com/
BHO AF69DE43-7D58-4638-B6FA-CE66B5AD205D swg.dll - Google Toolbar Notifier, http://googlesystem.blogspot.com/2006/07/google-is-your-default-search.html
Tool Bar C17590D2-ECB4-4b15-8820-F58798DCC118 Wstoolbar4ie.dll - WebShots, //www.webshots.com/ toolbar
Tool Bar 2318C2B1-4965-11d4-9B18-009027A5CD4F googletoolbar.dll, googletoolbar*.dll, googlenav.dll, googletoolbar_en_*.**-big.dll, googletoolbar_en_*.*.**-deleon.dll - Google Toolbar, //toolbar.google.com/
Button {08B0E5C0-4FCB-11CF-AAA5-00401C608501} No Database
Button {85d1f590-48f4-11d9-9669-0800200c9a66} No Database
Button {92780B25-18CC-41C8-B9BE-3C9C571A8263} No Database
Button {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} No Database
Button {FB5F1910-F110-11d2-BB9E-00C04F795683} No Database
ActiveX 0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75 http://www.kaspersky.com
ActiveX 56762DEC-6B0D-4AB4-A8AD-989993B5D08B OnlineScanner.cab NOD32 online scanner
ActiveX 5D86DDB5-BDF9-441B-9E9E-D4730F4EE499 oscan8.cab Bitdefender
ActiveX 8FFBE65D-2C9C-4669-84BD-5829DC0B603C No Record
ActiveX C7DB51B4-BCF7-4923-8874-7F1A0DC92277 No Record
ActiveX D7DE17DF-E22F-4FCB-AAE1-F7A8D390D5C3 No Record

[bdoriano]

Ho ricontrollato il log e cercato informazioni in merito al trojan riscontrato da AWC.