Olimpo Informatico

[arathorn]

salve a tutti.
Sonon nuovissimo, e vi ho trovato tramite google.
Mi sono registrato perchè ho visto che rispondete in modo completo, ed anche velocemente.
Vi spiego il mio problema:
Da quando ho lanciato un exe ho riscontrato parecchi problemi.
La cronologia di quel che mi è successo è la seguente:

Pagina di Google- cercando una qualsiasi parola, usciva un messaggio che diceva che un malware cercava di comunicare col sito, e quindi venivo bloccato. digitando un codice (tipo quello che bisogna inserire qui per iscriversi) venivo sbloccato. Dopo un passaggio con Adaware, Spybot, Avast ed eTrust, questo problema si è risolto.

Task manager- Noto con dispiacere che nella TM compaiono molte voci, la maggior parte da me sconosciute perchè sono un niubbo, ebbene si lo ametto. Però mi risulta evidente che un IExplorer aperto che mi succhia 2640Kb, non dovrebbe esserci, per il semplice fatto che NON ho explorer aperto. Inoltre se clicco termina programma, riapare un secondo dopo.

TUTTI i programmi antivir, spy, trojan etc. non sono serviti a niente, perchè non trovano una bata cippa.
Allora ho fatto uno scan log con hijack, sperando che voi possiate vedere qualcosa che a me niubbo sfugge, e magari aiutarmi a debellare sta roba assurda che mi ha impestato.

Ah, dimenticavo.
A volte all'avvio, seriamente più lento del solito, appare un messaggio di protezione Microsoft che dice che Esplora Risorse verrà chiuso per non danneggiare il sistema, ed il Pc è inutilizzabile. NON va niente, mi tocca spegnere fisicamente dal bottone. Al riavvio tutto ok, ma ripeto, la lentezza è costante.
Il pc è nuovissimo, 3 mesi di vita.
E' un MEDION con processore Intel a 2,93Gh, con 1Gh di ram, scheda video Nvidia Geforce 6200se.
ora vi allego il report:

Logfile of HijackThis v1.99.1
Scan saved at 5.34.35, on 21/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\CA\eTrust Antivirus\InoRpc.exe
C:\Programmi\CA\eTrust Antivirus\InoRT.exe
C:\Programmi\CA\eTrust Antivirus\InoTask.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Opera\Opera.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kalle\Impostazioni locali\Temp\wz604e\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastweb.it/myfastpage/res/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AntivirusRegistration] C:\Programmi\CA\Etrust Antivirus\Register.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.it/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138622527406
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138622663031
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Programmi\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmi\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmi\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmi\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Programmi\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe


Vi posto anche l'immagine della task manager:
link

[Smjert]

O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)

Da questa voce si evince che avevi (o hai ancora) un trojan backdoor, precisamente Trojan.Win32.Agent.qt.
Questo trojan viene riconosciuto da Kaspersky quindi quello che ti consiglio di fare è:

Avvia HijackThis, premi Do a system scan only spunta quella voce e poi premi Fix Checked.

Poi fa una scansione online con Kaspersky, con database esteso (dopo che ha scaricato gli aggiornamenti appare il pulsante Next, premilo poi premi Scan Settings e spunta la voce Extended, dai ok e inizia la scansione scegliendo My Computer).
Alla fine salva il report (appare il pulsante Save Report As) e posta il suo contenuto.

[arathorn]

ecco i report sia di kasper che di altri.
Ps.
ho fatto tutto quello che mi hai detto...

AntiVir PersonalEdition Classic
Report file date: sabato 21 ottobre 2006 06:16


Jobname: 'Manual Selection'

Scanning for 370940 virus strains and unwanted programs.

Licensed to: AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Kalle
Computer name: CLAUDIO

Version informations:
AVSCAN.EXE : 7.0.0.35 540712 21/04/2006 12:47:04
AVSCAN.DLL : 7.0.0.34 41000 05/04/2006 11:03:57
LUKE.DLL : 7.0.0.34 114728 05/04/2006 11:03:58
LUKERES.DLL : 7.0.0.34 25640 05/04/2006 11:03:58
ANTIVIR0.VDF : 6.32.0.60 4323840 02/05/2006 08:29:08
ANTIVIR1.VDF : 6.34.0.209 1930240 02/05/2006 08:29:09
ANTIVIR2.VDF : 6.34.1.1 89600 01/05/2006 17:17:55
ANTIVIR3.VDF : 6.34.1.26 48128 01/05/2006 17:17:55
AVEWIN32.DLL : 7.0.0.8 1171968 21/04/2006 15:40:14
AVPREF.DLL : 6.34.0.0 38440 18/01/2006 12:06:00
AVREP.DLL : 6.34.1.20 2371624 01/05/2006 17:17:56
AVPACK32.DLL : 7.0.0.4 335912 29/03/2006 09:44:25
AVREG.DLL : 6.31.0.90 27688 28/07/2005 10:06:36
NETNT.DLL : 6.32.0.0 6696 27/09/2005 07:56:49
NETNW.DLL : 6.32.0.0 9768 27/09/2005 07:56:49


Start of the scan: sabato 21 ottobre 2006 06:16


Start scanning boot sectors:

Boot sector 'C:'
[NOTE] No virus was found!
Boot sector 'D:'
[NOTE] No virus was found!
Boot sector 'E:'
[NOTE] No virus was found!
Boot sector 'G:'
[NOTE] In the drive 'G:' no data medium is inserted!
Boot sector 'H:'
[NOTE] In the drive 'H:' no data medium is inserted!
Boot sector 'I:'
[NOTE] In the drive 'I:' no data medium is inserted!

Starting to scan the registry.

The registry was scanned ( 46 files ).


Starting the file scan:

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Kalle\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\Kalle\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\master.mdf
[WARNING] The file could not be opened!
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\mastlog.ldf
[WARNING] The file could not be opened!
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\model.mdf
[WARNING] The file could not be opened!
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\modellog.ldf
[WARNING] The file could not be opened!
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\PinnacleSys_GlobalContext.mdf
[WARNING] The file could not be opened!
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\PinnacleSys_GlobalContext_log.LDF
[WARNING] The file could not be opened!
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\tempdb.mdf
[WARNING] The file could not be opened!
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\templog.ldf
[WARNING] The file could not be opened!
C:\WINDOWS\system32\winstart.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\dtscsi.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd2845.sys
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\Perflib_Perfdata_46c.dat
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\_avast4_\Webshlock.txt
[WARNING] The file could not be opened!
The path F:\ could not be found!
Periferica non pronta.

The path G:\ could not be found!
Periferica non pronta.

The path H:\ could not be found!
Periferica non pronta.

The path I:\ could not be found!
Periferica non pronta.

The path M:\ could not be found!
Periferica non pronta.



End of the scan: sabato 21 ottobre 2006 07:21
Used time: 1:04:50 min

The scan has been done completely.

6405 Scanning directories
241748 Files were scanned
0 viruses and/or unwanted programs was found
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
8657 Archives were scanned
39 Warnings
0 Notes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 21, 2006 6:12:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/10/2006
Kaspersky Anti-Virus database records: 233626
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\
L:\
M:\
N:\

Scan Statistics:
Total number of scanned objects: 81951
Number of viruses found: 4
Number of infected objects: 9 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:24:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Kalle\.housecall6.6\Quarantine\iddC14.tmp.exe.bac_a00432 Infected: not-a-virus:Porn-Dialer.Win32.IDialer.m skipped
C:\Documents and Settings\Kalle\.housecall6.6\Quarantine\win4D.tmp.exe.bac_a00432 Infected: not-a-virus:Dialer.Win32.PlayGames.l skipped
C:\Documents and Settings\Kalle\.housecall6.6\Quarantine\win503.tmp.exe.bac_a00432 Infected: not-a-virus:Dialer.Win32.PlayGames.l skipped
C:\Documents and Settings\Kalle\.housecall6.6\Quarantine\win50A.tmp.exe.bac_a00432 Infected: not-a-virus:Dialer.Win32.PlayGames.l skipped
C:\Documents and Settings\Kalle\.housecall6.6\Quarantine\winBB1.tmp.exe.bac_a00432 Infected: not-a-virus:Dialer.Win32.PlayGames.l skipped
C:\Documents and Settings\Kalle\.housecall6.6\Quarantine\winC12.tmp.exe.bac_a00432 Infected: Trojan-Dropper.Win32.Small.art skipped
C:\Documents and Settings\Kalle\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kalle\Dati applicazioni\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\Kalle\Dati applicazioni\Opera\Opera\mail\indexer\indexer_64.dat Object is locked skipped
C:\Documents and Settings\Kalle\Dati applicazioni\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\Kalle\Dati applicazioni\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Cronologia\History.IE5\MSHist012006102120061022\index.dat Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\ApplicationHistory\hpqimzone.exe.fd734169.ini.inuse Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Temp\hsperfdata_Kalle\1248 Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Temp\~DF62F6.tmp Object is locked skipped
C:\Documents and Settings\Kalle\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kalle\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kalle\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\report\Protezione residente.txt Object is locked skipped
C:\Programmi\CA\Etrust Antivirus\DB\rtmaster.dbf Object is locked skipped
C:\Programmi\CA\Etrust Antivirus\DB\rtmaster.ntx Object is locked skipped
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\master.mdf Object is locked skipped
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\mastlog.ldf Object is locked skipped
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\model.mdf Object is locked skipped
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\modellog.ldf Object is locked skipped
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\PinnacleSys_GlobalContext.mdf Object is locked skipped
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\PinnacleSys_GlobalContext_log.LDF Object is locked skipped
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\tempdb.mdf Object is locked skipped
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\templog.ldf Object is locked skipped
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F9EEC614-A505-4353-BDD1-8AD2EE63F2DC}\RP138\A0033476.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\System Volume Information\_restore{F9EEC614-A505-4353-BDD1-8AD2EE63F2DC}\RP138\A0033476.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{F9EEC614-A505-4353-BDD1-8AD2EE63F2DC}\RP138\A0033476.exe NSPack: infected - 1 skipped
C:\System Volume Information\_restore{F9EEC614-A505-4353-BDD1-8AD2EE63F2DC}\RP145\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd2845.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winstart.exe Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_36c.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_530.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{F9EEC614-A505-4353-BDD1-8AD2EE63F2DC}\RP145\change.log Object is locked skipped
E:\System Volume Information\_restore{F9EEC614-A505-4353-BDD1-8AD2EE63F2DC}\RP145\change.log Object is locked skipped

Scan process completed.

[Smjert]

[arathorn]

ok, stanotte lo faccio.
Intanto ti posto lo screen della quarantena di un altro antivir che ho usato.

http://img193.imageshack.us/my.php?image=asquaredkg4.png

[Smjert]

Allora pare che tu abbia un Hijacker (IGetNet.v4)
Controlla di non avere questa dll rsp.dll in C:\Windows\System e in C:\Windows\System32.

Se le hai trovate (anche solo una) vai sulla barra di avvio->Start->Esegui->digita cmd e poi dai invio

Poi scrivi regsvr32 /u path\rsp.dll (al posto di path metti il percorso dove l'hai trovata) e dai invio.

Dopodichè cancella quella/le dll e controlla di non avere un altro file eseguibile che si chiami winstart.exe.

[arathorn]

quel dll non ce l'ho.
e questo è il rapporto di panda dopo che ho riavviato senza il punto so ripristino, come mi hai detto.

Incidente Stato Percorso

Spyware:Cookie/Xiti Non Disinfettato C:\Documents and Settings\Kalle\Cookies\kalle@xiti[1].txt

Nel caso in cui non dovessimo venirne a capo, pensi che un formattone possa guarire il mio povero pc nuovo?
Vorrei evitare perchè sarebbe anche il mio primo format, ma la task manager aumenta a dismisura...porca miseria.
sigh

[arathorn]

allora.
ho inserito il disco di rispristino ed ho rimesso tutto da zero.
questo è lo scan di hijackthis.
Puoi dirmi se vedi ancora qlc di strano??

Logfile of HijackThis v1.99.1
Scan saved at 20.11.55, on 22/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmi\CA\eTrust Antivirus\InoRpc.exe
C:\Programmi\CA\eTrust Antivirus\InoRT.exe
C:\Programmi\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Programmi\Opera\Opera.exe
C:\PROGRA~1\TVAnts\Tvants.exe
C:\Documents and Settings\Claudio Callegari\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastweb.it/myfastpage/res/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AntivirusRegistration] C:\Programmi\CA\Etrust Antivirus\Register.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.it/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138622527406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138622663031
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Programmi\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programmi\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programmi\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programmi\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

[Smjert]

è a posto.. ma anche prima lo era!
Non c'era bisogno di ripristinare, se hai fatto come ti ho detto per il punto di ripristino e non hai trovato quella dll eri a posto.
Poi per il fatto della Task Manager... è normale che tu abbia così tanti processi (sono tutti legittimi), hai in avvio un bel po' di programmi/utility (che hai installato tu).

[arathorn]

sei stato utilissimo e gentilissimo.
grazie di cuore.
ciao

[Smjert]

[chemicalbit]

[Smjert]

penso abbia usato il floppy ASR, (Automated System Recovery).
Porta il registro allo stato in cui è stato creato il floppy (un po' come il punto di ripristino).

[arathorn]

prima ho formattato la partizione da cui era partita l'infezione.
poi ho inserito il cd di ripristino e ho riavviato.
Mi ha messo tutto nuovo.
ora sto rimettendo tutto daccapo.

in pratica si, ho formattato

[chemicalbit]

[Smjert]

[arathorn]

esatto. il cd è quello.
Il mio si chiama Application&Support cd.
Riporta il computer alle impostazioni di fabbrica.
metti il cd e riavvii. Il resto lo fa lui, entra da solo nel bios, basta che scegli l'opzione carica da cd, che comunque non devi andare a cercare perchè esce da sola.