Olimpo Informatico

[Alexbrg]

Un saluto a tutti, spero possiate aiutarmi a risolvere il mio problema.
Negli ultimi 2-3 giorni ho ravvisato un notevole rallentamento del mio pc e un comportamento piuttosto anomalo durante la navigazione in internet ma non solo. Firefox ed Explorer si "congelano" spesso quando cerco di caricare alcune pagine e si blocca momentaneamente anche Explorer.exe.

Ieri ho anche avuto non pochi problemi, sempre per questo motivo, anche solo per riuscire a completare il download del Service Pack di Vista.

Credo si tratti del tristemente noto trojan Vundo.gen!M che pensavo di aver rimosso.

Ho fatto anche doverse altre scansioni. Windows Defender non ha trovato alcuna minaccia, così come Avira AntiVir Personal Edition, l'antivirus che uso da diversi anni senza problemi di sorta.

SpySweeper ha invece rivelato il maledetto Virtumonde, Mentre con SuperAntiSpyware ho messo in quarantena due minacce. In questo momento è in corso una scansione sempre con SUPErAntiSpyware che finora ha trovato il trojan Vundo-Variant/Small.


Vi posto i log di HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.19.32, on 24/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.repubblica.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=it_it&c=81&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=it_it&c=81&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [HPAdvisor] "C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\ALESSA~1\AppData\Local\Temp\ddccYpqo.dll,c
O4 - HKCU\..\Run: [76937039] rundll32.exe "C:\Users\ALESSA~1\AppData\Local\Temp\tahtypye.dll",b
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{032392B8-A493-45E0-A9EB-43902E1BEA34}
O4 - HKCU\..\Run: [BM75a043a5] Rundll32.exe "C:\Users\ALESSA~1\AppData\Local\Temp\foojumai.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O13 - Gopher Prefix:
O23 - Service: Avira AntiVir Personal ? Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal ? Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sistema Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6953 bytes


-------------------------------------

E il log di Combofix:

ComboFix 08-06-20.4 - Alessandro 2008-06-24 23.22.19.1 - NTFSx86
Microsoft® Windows Vista? Home Premium 6.0.6001.1.1252.1.1040.18.1157 [GMT 2:00]
Eseguito da: C:\Users\Alessandro\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\jusched.exe

.
((((((((((((((((((((((((( Files Creati Da 2008-05-24 al 2008-06-24 )))))))))))))))))))))))))))))))))))
.

2008-06-24 23:00 . 2008-06-24 23:18 <DIR> d-a------ C:\Users\All Users\TEMP
2008-06-24 23:00 . 2008-06-24 23:00 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\PC Tools
2008-06-24 23:00 . 2008-06-24 23:18 <DIR> d-a------ C:\ProgramData\TEMP
2008-06-24 23:00 . 2008-06-24 23:02 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-24 23:00 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\System32\drivers\iksyssec.sys
2008-06-24 23:00 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\System32\drivers\iksysflt.sys
2008-06-24 23:00 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\System32\drivers\ikfilesec.sys
2008-06-24 23:00 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\System32\drivers\kcom.sys
2008-06-24 21:49 . 2008-06-24 21:49 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-06-24 21:49 . 2008-06-24 21:49 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-06-24 21:48 . 2008-06-24 21:48 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\SUPERAntiSpyware.com
2008-06-24 21:48 . 2008-06-24 21:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-24 21:48 . 2008-06-24 21:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 20:19 . 2008-06-24 20:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-24 19:54 . 2008-06-24 19:54 <DIR> d-------- C:\Users\All Users\Webroot
2008-06-24 19:54 . 2008-06-24 19:54 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\Webroot
2008-06-24 19:54 . 2008-06-24 19:54 <DIR> d-------- C:\ProgramData\Webroot
2008-06-24 19:54 . 2008-06-24 19:54 <DIR> d-------- C:\Program Files\Webroot
2008-06-24 19:54 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-06-24 19:54 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\System32\drivers\ssidrv.sys
2008-06-24 19:54 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\System32\drivers\sskbfd.sys
2008-06-24 19:54 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\System32\drivers\sshrmd.sys
2008-06-24 19:54 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\System32\drivers\SSFS0BB9.sys
2008-06-24 16:10 . 2008-06-24 19:41 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\Uniblue
2008-06-24 16:10 . 2008-06-24 19:51 <DIR> d-------- C:\Program Files\Uniblue
2008-06-24 15:19 . 2008-06-24 15:19 <DIR> d-------- C:\WINDOWS\Sun
2008-06-24 14:39 . 2008-06-24 14:39 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-24 13:59 . 2008-06-24 13:59 <DIR> d-------- C:\PerfLogs
2008-06-24 13:52 . 2008-01-08 13:10 98,304 --a------ C:\WINDOWS\RTKAUDIOSERVICE.EXE
2008-06-24 13:32 . 2008-01-19 09:35 4,875,776 --a------ C:\WINDOWS\System32\NlsData0009.dll
2008-06-24 13:31 . 2008-01-19 09:35 9,847,296 --a------ C:\WINDOWS\System32\NlsData000a.dll
2008-06-24 13:30 . 2008-01-19 09:32 5,714,432 --a------ C:\WINDOWS\System32\logon.scr
2008-06-24 13:29 . 2008-01-19 08:06 8,147,456 --a------ C:\WINDOWS\System32\wmploc.DLL
2008-06-24 13:28 . 2008-01-19 09:36 357,888 --a------ C:\WINDOWS\System32\wbemcomn.dll
2008-06-24 13:27 . 2008-01-19 09:36 704,512 --a------ C:\WINDOWS\System32\SmiEngine.dll
2008-06-24 13:27 . 2008-01-19 09:36 139,264 --a------ C:\WINDOWS\System32\SmiInstaller.dll
2008-06-24 13:26 . 2008-01-19 09:36 218,624 --a------ C:\WINDOWS\System32\wdscore.dll
2008-06-24 13:26 . 2008-01-19 09:33 130,560 --a------ C:\WINDOWS\System32\PkgMgr.exe
2008-06-24 13:25 . 2008-01-19 09:34 305,152 --a------ C:\WINDOWS\System32\msdelta.dll
2008-06-24 13:25 . 2008-01-19 09:34 258,560 --a------ C:\WINDOWS\System32\dpx.dll
2008-06-24 13:25 . 2008-01-19 09:34 246,784 --a------ C:\WINDOWS\System32\drvstore.dll
2008-06-24 13:25 . 2008-01-19 09:35 35,328 --a------ C:\WINDOWS\System32\mspatcha.dll
2008-06-23 16:47 . 2008-06-23 16:48 <DIR> d-------- C:\Users\Alessandro\Fotocamera
2008-06-23 14:57 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-22 16:14 . 2008-06-22 16:14 <DIR> d-------- C:\Users\Public\CyberLink
2008-06-22 16:14 . 2008-06-22 16:14 <DIR> d-------- C:\Users\All Users\CyberLink
2008-06-22 16:14 . 2008-06-22 16:14 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\CyberLink
2008-06-22 16:14 . 2008-06-22 16:14 <DIR> d-------- C:\ProgramData\CyberLink
2008-06-19 18:05 . 2008-06-19 18:05 <DIR> d-------- C:\Users\All Users\Azureus
2008-06-19 18:05 . 2008-06-22 18:44 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\Azureus
2008-06-19 18:05 . 2008-06-19 18:05 <DIR> d-------- C:\ProgramData\Azureus
2008-06-17 16:19 . 2008-06-17 16:19 <DIR> d-------- C:\Program Files\vtplus
2008-06-17 16:19 . 2008-06-17 16:19 399 --a------ C:\WINDOWS\vtplus32.ini
2008-06-17 16:18 . 2008-06-17 16:18 <DIR> d-------- C:\Program Files\Common Files\IviSDK
2008-06-17 16:17 . 2008-06-17 16:18 <DIR> d-------- C:\WINDOWS\System32\hauppauge
2008-06-17 16:17 . 2008-06-18 19:34 <DIR> d-------- C:\Program Files\WinTV
2008-06-17 16:15 . 2008-02-28 00:46 418,304 --a------ C:\WINDOWS\System32\drivers\hcw66xxx.sys
2008-06-15 19:15 . 2008-06-15 19:15 <DIR> d-------- C:\Program Files\Real
2008-06-15 19:15 . 2008-06-15 19:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-15 19:14 . 2008-06-15 19:15 <DIR> d-------- C:\Program Files\Common Files\Real
2008-06-14 22:16 . 2008-04-23 06:42 428,544 --a------ C:\WINDOWS\System32\EncDec.dll
2008-06-14 22:16 . 2008-04-23 06:42 293,376 --a------ C:\WINDOWS\System32\psisdecd.dll
2008-06-14 22:16 . 2008-04-23 06:41 218,624 --a------ C:\WINDOWS\System32\psisrndr.ax
2008-06-14 22:16 . 2008-01-19 09:33 80,896 --a------ C:\WINDOWS\System32\MSNP.ax
2008-06-14 22:16 . 2008-01-19 09:33 69,632 --a------ C:\WINDOWS\System32\Mpeg2Data.ax
2008-06-14 22:16 . 2008-04-23 06:41 57,856 --a------ C:\WINDOWS\System32\MSDvbNP.ax
2008-06-14 15:17 . 2008-06-14 15:19 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-06-14 15:17 . 2008-06-14 15:19 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-06-14 15:17 . 2008-06-14 15:17 <DIR> dr-h----- C:\MSOCache
2008-06-14 12:59 . 2008-06-14 12:59 <DIR> d-------- C:\Program Files\CCleaner
2008-06-13 16:01 . 2007-11-14 15:18 553 --a------ C:\WINDOWS\USetup.iss
2008-06-13 16:00 . 2008-01-15 11:26 4,874,240 --a------ C:\WINDOWS\RtHDVCpl.exe
2008-06-13 16:00 . 2008-01-07 19:30 2,156,544 --a------ C:\WINDOWS\System32\RtkAPO.dll
2008-06-13 16:00 . 2008-01-15 19:19 2,047,576 --a------ C:\WINDOWS\System32\drivers\RTKVHDA.sys
2008-06-13 16:00 . 2007-11-07 17:31 1,191,936 --a------ C:\WINDOWS\RtlUpd.exe
2008-06-13 16:00 . 2008-01-09 18:52 636,416 --a------ C:\WINDOWS\System32\RtkPgExt.dll
2008-06-13 16:00 . 2007-11-13 12:35 532,480 --a------ C:\WINDOWS\System32\RTSndMgr.cpl
2008-06-13 16:00 . 2008-01-14 16:18 29,696 --a------ C:\WINDOWS\System32\RtkCoInst.dll
2008-06-13 15:57 . 2008-06-13 15:57 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\WinBatch
2008-06-13 15:15 . 2008-06-13 15:15 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\vlc
2008-06-13 15:14 . 2008-06-13 15:14 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-13 15:11 . 2008-06-13 15:12 <DIR> d-------- C:\Users\All Users\WinZip
2008-06-13 15:11 . 2008-06-13 15:12 <DIR> d-------- C:\ProgramData\WinZip
2008-06-13 14:49 . 2008-06-13 14:49 <DIR> d-------- C:\Program Files\SopCast
2008-06-13 14:18 . 2008-06-13 14:18 <DIR> d-------- C:\Program Files\Soulseek
2008-06-12 15:46 . 2008-04-25 04:12 1,383,424 --a------ C:\WINDOWS\System32\mshtml.tlb
2008-06-12 15:46 . 2008-04-26 10:08 1,314,816 --a------ C:\WINDOWS\System32\quartz.dll
2008-06-12 15:46 . 2008-04-25 06:35 826,880 --a------ C:\WINDOWS\System32\wininet.dll
2008-06-12 15:46 . 2008-05-10 03:33 113,664 --a------ C:\WINDOWS\System32\drivers\rmcast.sys
2008-06-10 18:42 . 2008-06-10 18:42 <DIR> d-------- C:\Program Files\FLVPlayer
2008-06-10 16:43 . 2008-06-10 16:59 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\Creative
2008-06-10 16:38 . 2008-06-10 16:38 <DIR> d-------- C:\Users\All Users\Creative
2008-06-10 16:38 . 2008-06-10 16:38 <DIR> d-------- C:\ProgramData\Creative
2008-06-10 16:38 . 2008-06-10 16:56 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-06-10 16:38 . 2008-06-10 16:38 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-06-10 15:22 . 2008-06-10 15:22 <DIR> d-------- C:\WINDOWS\PCHEALTH
2008-06-10 15:19 . 2008-06-10 15:24 <DIR> d-------- C:\Program Files\Windows Live
2008-06-10 15:19 . 2008-06-10 15:22 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-10 15:18 . 2008-06-10 15:18 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-06-10 15:18 . 2008-06-10 15:18 <DIR> d-------- C:\ProgramData\WLInstaller
2008-06-08 17:28 . 2008-06-08 17:28 6,656 --a------ C:\WINDOWS\System32\kbd106n.dll
2008-06-08 17:27 . 2008-06-08 17:27 2,032,128 --a------ C:\WINDOWS\System32\win32k.sys
2008-06-08 17:27 . 2008-06-08 17:27 988,216 --a------ C:\WINDOWS\System32\winload.exe
2008-06-08 17:27 . 2008-06-08 17:27 927,288 --a------ C:\WINDOWS\System32\winresume.exe
2008-06-08 17:27 . 2008-06-08 17:27 615,992 --a------ C:\WINDOWS\System32\ci.dll
2008-06-08 17:27 . 2008-06-08 17:27 378,368 --a------ C:\WINDOWS\System32\srcore.dll
2008-06-08 17:27 . 2008-06-08 17:27 318,464 --a------ C:\WINDOWS\System32\rstrui.exe
2008-06-08 17:27 . 2008-06-08 17:27 46,592 --a------ C:\WINDOWS\System32\setbcdlocale.dll
2008-06-08 17:27 . 2008-06-08 17:27 40,960 --a------ C:\WINDOWS\System32\srclient.dll
2008-06-08 17:27 . 2008-06-08 17:27 19,000 --a------ C:\WINDOWS\System32\kd1394.dll
2008-06-08 17:27 . 2008-06-08 17:27 14,848 --a------ C:\WINDOWS\System32\srdelayed.exe
2008-06-08 17:26 . 2008-06-08 17:26 295,936 --a------ C:\WINDOWS\System32\gdi32.dll
2008-06-08 17:25 . 2008-06-08 17:25 4,240,384 --a------ C:\WINDOWS\System32\GameUXLegacyGDFs.dll
2008-06-08 17:25 . 2008-06-08 17:25 1,695,744 --a------ C:\WINDOWS\System32\gameux.dll
2008-06-06 15:40 . 2008-06-06 15:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-28 18:12 . 2008-05-28 18:12 <DIR> d-------- C:\Users\Alessandro\AppData\Roaming\WildTangent
2008-05-28 17:00 . 2008-05-28 17:00 33,846 --a------ C:\WINDOWS\System32\SpoonUninstall-dBpoweramp WavPack Codec.bmp
2008-05-28 17:00 . 2008-05-28 17:00 33,846 --a------ C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.bmp
2008-05-28 17:00 . 2008-05-28 17:00 33,846 --a------ C:\WINDOWS\System32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.bmp
2008-05-28 17:00 . 2008-05-28 16:59 33,846 --a------ C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.bmp
2008-05-28 17:00 . 2008-05-28 17:00 3,117 --a------ C:\WINDOWS\System32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
2008-05-28 17:00 . 2008-05-28 17:00 3,107 --a------ C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2008-05-28 17:00 . 2008-05-28 17:00 3,030 --a------ C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2008-05-28 17:00 . 2008-05-28 17:00 3,007 --a------ C:\WINDOWS\System32\SpoonUninstall-dBpoweramp WavPack Codec.dat
2008-05-28 16:59 . 2008-05-28 16:59 <DIR> d-------- C:\Program Files\Illustrate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 13:18 --------- d-----w C:\Program Files\Java
2008-06-24 12:33 --------- d-----w C:\ProgramData\NVIDIA
2008-06-24 12:09 174 --sha-w C:\Program Files\desktop.ini
2008-06-24 12:02 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-24 12:02 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-24 12:02 --------- d-----w C:\Program Files\Windows Mail
2008-06-24 12:02 --------- d-----w C:\Program Files\Windows Journal
2008-06-24 12:02 --------- d-----w C:\Program Files\Windows Defender
2008-06-24 12:02 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-24 12:02 --------- d-----w C:\Program Files\Windows Calendar
2008-06-24 11:46 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-24 11:46 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-23 12:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-17 14:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 14:00 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-06-08 15:25 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-08 15:25 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-06-08 15:25 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-06-08 15:25 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-06-08 15:25 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-05-28 16:12 --------- d-----w C:\ProgramData\WildTangent
2008-05-28 14:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 14:13 --------- d-----w C:\ProgramData\Symantec
2008-05-28 13:27 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-05-28 13:19 --------- d-sh--w C:\ProgramData\Preferiti
2008-05-28 13:19 --------- d-sh--w C:\ProgramData\Modelli
2008-05-28 13:19 --------- d-sh--w C:\ProgramData\Menu Avvio
2008-05-28 13:19 --------- d-sh--w C:\ProgramData\Documenti
2008-05-28 13:19 --------- d-sh--w C:\ProgramData\Desktop
2008-05-28 13:19 --------- d-sh--w C:\ProgramData\Dati applicazioni
2008-05-28 13:19 --------- d-sh--w C:\Program Files\File comuni
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 09:33 1233920]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-03 19:02 1783136]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 09:33 125952]
"Uniblue SpeedUpMyPC"="" []
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [2008-01-19 09:33 12800]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 17:01 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 18:16 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 13:59 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 11:26 4874240 C:\WINDOWS\RtHDVCpl.exe]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"SunJavaUpdateReg"="C:\Windows\system32\jureg.exe" [2007-04-07 03:56 54936]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 17:24 54840]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-15 19:14 185896]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2008-01-10 19:57 92704]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-01-10 19:57 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-01-10 19:57 88608]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-06-23 14:58:46 113664]
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2008-06-17 16:18:12 110647]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{50C1B2A9-C83F-4BE8-8617-5B41653F8FFE}"= c:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{34E49C2D-1DC1-4E88-B102-AEE12055C4CD}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{ED577DE3-AF5B-4935-AEF4-89F972FD7E52}C:\\program files\\soulseek\\slsk.exe"= UDP:C:\program files\soulseek\slsk.exe:SoulSeek
"UDP Query User{60EB974F-C71A-40BB-8C4D-297A1CCB9FAC}C:\\program files\\soulseek\\slsk.exe"= TCP:C:\program files\soulseek\slsk.exe:SoulSeek
"TCP Query User{74F4E215-C044-49BD-9E8C-6071E70A72B0}C:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{7BC9059F-31BE-4D60-9D38-6F640C2F726F}C:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{3B1C058B-BED9-4BDE-BF7D-B5C097947AC4}C:\\program files\\sopcast\\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{3E0BBC6A-5449-423A-B1BA-B5B285DDB504}C:\\program files\\sopcast\\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{0F18AF6D-3190-4473-9069-4F3C1D2EFC39}C:\\program files\\vuze\\azureus.exe"= UDP:C:\program files\vuze\azureus.exe:Azureus
"UDP Query User{9E1CEDCF-A926-47F6-B1CB-06FF0B574C67}C:\\program files\\vuze\\azureus.exe"= TCP:C:\program files\vuze\azureus.exe:Azureus

R2 EPGService;EPGService;C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe [2006-07-19 12:00]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [2007-07-24 01:33]
S3 hcw66xxx;WinTV HVR-900H;C:\Windows\system32\Drivers\hcw66xxx.sys [2008-02-28 00:46]

*Newly Created Service* - CATCHME
*Newly Created Service* - IKFILESEC
*Newly Created Service* - IKSYSFLT
*Newly Created Service* - IKSYSSEC
*Newly Created Service* - MCHINJDRV
*Newly Created Service* - SASENUM
.
Contenuto della cartella 'Scheduled Tasks'
"2008-06-24 17:57:54 C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-06-24 14:10:47 C:\Windows\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-06-24 14:02:27 C:\Windows\Tasks\User_Feed_Synchronization-{032392B8-A493-45E0-A9EB-43902E1BEA34}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-06-24 18:42:20 C:\Windows\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 23:25:29
Windows 6.0.6001 Service Pack 1 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-06-24 23.26.36
ComboFix-quarantined-files.txt 2008-06-24 21:26:30

7 Directory 264,542,507,008 byte disponibili
15 Directory 264,592,498,688 byte disponibili

263 --- E O F --- 2008-06-24 12:43:22


-----------------------------------------

Vi ringrazio fin da ora per ogni di forma di aiuto che riuscirete a darmi.

Alessandro.

[bdoriano]

Ciao Alexbrg e benvenuto,

Effettivamente qualcosa hijackthis lo fa vedere.
Stranamente, però, combofix non sembra rilevarlo...

Ma procediamo per gradi:

1. Disinstalla SpySweeper (non lo conosco e non saprei come fartelo usare, vedo che è una versione trial)
   
2. Fai questa scansione con Norman Malware Scanner
   
3. Segui le istruzioni di questo topic per usare MBAM.
   Carica il log che verrà generato su WikiSend e posta il Forum Link che ti viene assegnato.
   
4. Fai questa scansione con SystemScan, carica il log su WikiSend e posta il Forum Link che ti viene assegnato.

PS: se vuoi, puoi presentarti qui

[Alexbrg]

Ciao bdoriano e grazie mille per la risposta.

Premetto che con SuperAntiSpyware sono riuscito a rimuovere diverse schifezzuole e infatti noto che il computer funziona piuttosto bene attualmente. Qualcos'altro è stato rimosso dai software che hai suggerito.

Ecco i log:

NFix: NFix_2008-06-25_14-50-34.log

MBAM: http://wikisend.com/download/516086/mbam-log-6-25-2008_(15-37-19).txt

SuspectFile: suspectfile_report.txt

Secondo te c'è qualcos'altro da mettere a posto? Grazie ancora. A.

[Alexbrg]

Ah, un'altra domanda.. In C ho trovato una cartella chiamata QooBox che contiene a quanto pare una sottocartella per gli elementi in quarantena. Qui, sotto "C" ho trovato jusched.exe.vir

Come mi devo comportare?

[bdoriano]

La cartella QooBox è il backup di ComboFix (nel caso cancellasse files legittimi).
La puoi eliminare.
Intanto mi guardo i logs.

edit:
MBAM ha eliminato una chiave di registro
Norman ha eliminato un'altra chiave di registro e un file infetto
Il log di hijckthis allegato a SystemScan non evidenzia più tracce di Vundo, tuttavia c'è una voce strana...

• Avvia nuovamente SystemScan
  
• metti il segno di spunta a I have read and agree. Please let me free to proceed e clicca su Proceed
  
  
• clicca su Removal Script
  
  
• Nel riquadro inserisci il seguente script:
  

  Codice:

  Files to delete: C:\Windows\system32\jureg.exe Registry values to delete: HKLM\Software\Microsoft\Windows\CurrentVersion\Run | SunJavaUpdateReg

  
  e clicca Proceed with removal
  
  
  ******
  Se dovessi ricevere l'errore Please copy and paste a valid script file, una volta incollato lo script in SystemScan (o Avenger), selezioni la prima riga, la cancelli e la ri-digiti. Fatto questo, dovrebbe tornare a funzionare.
  ******
  
  Il pc dovrebbe riavviarsi, se così non fosse, riavvialo tu.
  Al termine dell'operazione, posta qui il contenuto del file C:\Avenger.txt con un log aggiornato di hijackthis.

[Alexbrg]

Dunque, non ti posto il log di Avenger perché da bravo genio che sono l'ho chiuso per sbaglio, ho provato a recuperarlo ma siccome avevo usato Avenger senza estrarlo, per il log WinZip mi chiedeva una password.
In ogni caso dal log risultava che il file e la voce da te indicate erano stati cancellati correttamente.

Questo è il log aggiornato di HJT:

hijackthis_25_06.log

[bdoriano]

Il log sembra a posto.
Ora, per sicurezza, fai queste operazioni:

• Disabilita il tuo antivirus
  
• Collegati a BitDefender (con IE) e fai la scansione completa.
  
• Collegati a Kaspersky on-line scanner e fai la scansione estesa, come indicato qui.
  Salva il risultato della scansione in un file (in formato TXT), carica il file su WikiSend e posta qui il Forum Link che ti viene assegnato.

PS: la scansione con Kaspersky online dovrebbe essere diversa rispetto alle indicazioni fornite.

[Alexbrg]

Perdonami, domani ti posto questi log anche perché BitDefender a quanto pare ci mette parecchio..

Purtroppo ho un altro problema: non avevo mai creato i dischi di ripristino, il computer ha solo poche settimane e avevo scioccamente rinviato questa operazione. Prima mi ero deciso a a farlo, ho inserito il primo dvd ma dopo poco causa un imprevisto sono dovuto uscire e così ho fermato l'operazione e ho arrestato il sistema.

Quando ho riacceso il computer appena tornato a casa circa un'ora fa, ho notato che non solo lo sfondo era sparito, ma che che con esso sembrano essere scomparsi anche tutti gli altri sfondi di Windows.. o meglio, sembrano esserci, ma non c'è modo di visualizzarne alcuna anteprima, né di utilizzarli.

Inoltre sembrano essere sarite diverse icone, in particolare quelle "grandi" e "molto grandi": al loro posto vengono visualizzate quelle "medie", solo con un ingombro maggiore tutt'intorno (non so come spiegarlo..).

A cosa sono dovute queste improvvise sparizioni secondo te, e come faccio a recuperare sfondi e icone perduti? So che non è un problema di quelli che dovrebbero togliere il sonno ma come puoi immaginare dà comunque un certo fastidio.

[Alexbrg]

Aggiornamento: lo scan di BitDefender procede, e finora ha trovato il virus DeepScan:Generic.Zlob.38B68927

Dopo averlo rilevato, mi dice "disinfection failed", quindi "Deleted" e quindi ancora "Update failed"

[Alexbrg]

BitDefender: report_bitdef.html

Kaspersky: kaspersky_scan.html

[bdoriano]

Ciao Alexbrg,

Purtroppo, per i problemi di visualizzazione con Vista, non ti posso aiutare (non ho Vista).

Ti consiglio di aprire un thread apposito nel forum dedicato, al termine delle varie rimozioni virus, ovviamente.

Adesso mi guardo i logs che hai postato e vediamo cos'è rimasto da fare.

[bdoriano]

BitDefender "pensa" che SystemScan contenga un virus... ma è un falso positivo. Nulla di grave.
Se vuoi, puoi cancellare SystemScan.

Ti consiglio di fare queste operazioni di pulizia generale del pc:

1. Pulizia dei files temporanei con ATF-Cleaner e/o CCleaner
   
2. Pulizia del registro con EUsingFreeRegistryCleaner o Wise Registry Cleaner e, infine, una passata con Auslogics Registry Defrag
   
3. Deframmentazione del disco

Fatto questo, direi che puoi rivolgerti ai colleghi del forum Vista per il problema di visualizzazione.

[Alexbrg]

Ok, sto deframmentando.

Ti ringrazio infinitamente di tutto l'aiuto che mi hai dato, sei stato di una gentilezza unica.

Adesso speriamo di risolvere quell'altro problema.. Tre settimane che ho Vista e già lo odio..

[bdoriano]

Prego!

Dimenticavo di farti disinstallare ComboFix...
Ti posto le istruzioni usate per XP, vedi se riesci ad adattarle per (s)Vista.