daborina (Pious Mortal)
Registered: 10/01/08 16:25 Posts: 16
Posted: 10 Jan 2008 16:41 Subject: Same Problem
Hi guys,
I have the same problem too....
I'm at work now, but tonight I'll post the HijackThis log (although after running it through the log analyzer there doesn't seem to be anything suspicious)
My antivirus is FSECURE but the little beast got in anyway.
The effects were
- 2 messages at startup, namely
a) there is an infected file in c:\windows\system32\cfmon.exe that gets renamed by FSECURE
b) there is an infected file in c:\windows\system32\GEEDC.exe that gets DELETED by FSECURE
- at startup I no longer see the FSECURE icon in the taskbar, and if I launch it (since it is actually active and blocks the 2 files above) it won't scan the disk.
I tried ad-aware but it finds nothing.
So I did the following:
- disabled System Restore
- booted into safe mode
- deleted the files and rebooted.
At first the message no longer appeared, even though the FSECURE icon still wasn't there, but after browsing and using the pc for a while that nasty thing shows up again!!!!
WHAT DO I DO??????????
HEEEEEEEEEEEEELP

bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 10 Jan 2008 19:17
Hi daborina,
One favour, please: don't tag onto other users' threads. That way we avoid the logs and, above all, the removal instructions getting mixed up. Thanks for your cooperation.
Let's get ahead with the work...
After posting the hijackthis log, follow the instructions in this topic to post the combofix log.
Run the scan with FindAWF
Run these scans with GMER and post the logs on FreeFileHosting as explained here.
PS: if you like, you can introduce yourself here

daborina (Pious Mortal)
Registered: 10/01/08 16:25 Posts: 16
Posted: 11 Jan 2008 01:29
Ok!
Combofix tells me stack overflow....I don't know what that means.... then it gives me an error about memory that could not be read.
Here is the HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.23.25, on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmi\Gizmo Project\mDNSResponder.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\EPSON\eEBAPI\eEBSVC.exe
C:\Programmi\File comuni\EPSON\eEBAPI\SAgent2.exe
C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmi\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmi\F-Secure\Anti-Virus\fssm32.exe
C:\Programmi\F-Secure\Common\FSMA32.EXE
C:\Programmi\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programmi\F-Secure\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Programmi\F-Secure\Common\FAMEH32.EXE
C:\Programmi\F-Secure\Anti-Virus\fsqh.exe
C:\Programmi\F-Secure\Anti-Virus\fsrw.exe
C:\Programmi\F-Secure\Anti-Virus\fsav32.exe
C:\Programmi\F-Secure\Common\FNRB32.EXE
C:\Programmi\F-Secure\Common\FIH32.EXE
C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mario\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dduniverse.net/ita/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Barradell'Accessibilità - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\Programmi\WAT_IT\Accessibility_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmi\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmi\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a03144f8] rundll32.exe "C:\WINDOWS\system32\wlbdperj.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programmi\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Programmi\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programmi\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programmi\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.pixdiscount.it/clients/uploader_v2.2.0.6.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE30C0C3-D1C5-4105-AE05-B2086DFD2921}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Programmi\Gizmo Project\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\eEBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\eEBAPI\SAgent2.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmi\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmi\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe
--
End of file - 9955 bytes
I await your help on how to proceed....

daborina (Pious Mortal)
Registered: 10/01/08 16:25 Posts: 16
Posted: 11 Jan 2008 01:43
Here is the FIND AWF log (I think).... but I don't understand why it scanned the 2nd hard disk....
Find AWF report by noahdfear ©2006
Version 1.40
bak folders found
~~~~~~~~~~~
Il volume nell'unità H è DISCO LOCAL
Numero di serie del volume: 415B-1BB9
Directory di H:\FILM-3~1\MAME\DA097-~2\ROBA8E~1.MCS\WCOMBAK
1996-12-24 23:32 8,192 nvram.u39
1 File 8,192 byte
2 Directory 14,766,145,536 byte disponibili
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\boxingm\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\gticlub2\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\jpark3\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\mfightc\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\mocapb\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\mocapbj\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\p911\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\p911j\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\sogeki\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\sscopex\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\thrild2\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\thrild2a\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\tsurugi\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\wcombaj\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\wcombak\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\wcombat\nvram.u39"
8192 24 Dec 1996 "H:\Film - 30 GB\MAME\da 097 - 119\ROMS - MAME 0.115 (update from 0.114) - AxelF6.MCSTeam\xtrial\nvram.u39"
end of report

daborina (Pious Mortal)
Registered: 10/01/08 16:25 Posts: 16
Posted: 11 Jan 2008 01:46
Here is the first of the 2 GMER scans
primo.txt

daborina (Pious Mortal)
Registered: 10/01/08 16:25 Posts: 16
Posted: 11 Jan 2008 02:30
Here is the second scan:
link
Please help meeeeeeeeeeeeeeeeeeeeeeeeeeeeee

daborina (Pious Mortal)
Registered: 10/01/08 16:25 Posts: 16
Posted: 11 Jan 2008 16:05
Sigh...nobody helping me???

bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 11 Jan 2008 16:14
Try again with the instructions in this topic to post the combofix log.
Don't give up at the first difficulty and, above all, be patient.
Every now and then we have to work too.
edit: did you install a program called MyOpinion (or something similar)?

daborina (Pious Mortal)
Registered: 10/01/08 16:25 Posts: 16
Posted: 11 Jan 2008 17:15
Sorry Bdoriano...you're right..it was just the hurry to fix the problem...
I humbly beg your pardon
Anyway, for COMBOFIX I followed exactly the instructions in that post and after a while it writes stack overflow...it seems to freeze and
then it gives me an error about memory that could not be read...
I had installed an opinion bar some time ago, it never gave me any problems and some time ago I removed it...it was for doing surveys.... I don't think it was that...
THANKS for now!

bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 11 Jan 2008 22:27
Download avenger and unpack it into its own non-temporary folder, not on the desktop
Start AVENGER
Click on input script manually
Click on the magnifying glass
Enter these lines:
Quote:
files to delete:
C:\WINDOWS\Downloaded Program Files\gbieh.dll
C:\WINDOWS\system32\wlbdperj.dll
C:\WINDOWS\system32\hggddcb.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\xfhdcucu.dll
C:\Programmi\Opinionbar\MyIEMonitor.dll
registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD15805-96AF-4BFC-ACA8-1E43579A8250}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5118DC72-BFD4-44AC-A0A9-421C191DBE39}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6607C683-AE7C-11D4-ACD7-0050DAC291A2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0966b09-8911-4966-bc95-97276193f3c1}
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggddcb
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\netmsg32
registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | a03144f8
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {E37CB5F0-51F5-4395-A808-5FA49E399F83}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {5118DC72-BFD4-44AC-A0A9-421C191DBE39}
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {E37CB5F0-51F5-4395-A808-5FA49E399F83}
Click on Done
Click on the traffic light
The pc should reboot; if it doesn't, reboot it yourself.
When the operation is done, post the Avenger result here together with an updated hijackthis log.

daborina (Pious Mortal)
Registered: 10/01/08 16:25 Posts: 16
Posted: 11 Jan 2008 23:14
Hi bdoriano,
so I did everything with AVENGER, the pc rebooted but where do I find the result?
It didn't write anything in the folder I created!
This is the HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:11, on 2008-01-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmi\Gizmo Project\mDNSResponder.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\EPSON\eEBAPI\eEBSVC.exe
C:\Programmi\File comuni\EPSON\eEBAPI\SAgent2.exe
C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmi\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmi\F-Secure\Anti-Virus\fssm32.exe
C:\Programmi\F-Secure\Common\FSMA32.EXE
C:\Programmi\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Programmi\F-Secure\Common\FCH32.EXE
C:\Programmi\F-Secure\Common\FAMEH32.EXE
C:\Programmi\F-Secure\Anti-Virus\fsqh.exe
C:\Programmi\F-Secure\Anti-Virus\fsrw.exe
C:\Programmi\F-Secure\Common\FNRB32.EXE
C:\Programmi\F-Secure\Common\FIH32.EXE
C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\F-Secure\Anti-Virus\fsav32.exe
C:\Documents and Settings\Mario\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dduniverse.net/ita/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BEB8FE09-95AA-4BA0-9B9F-0DDCF361E9F3} - C:\WINDOWS\system32\geedc.dll (file missing)
O3 - Toolbar: &Barradell'Accessibilità - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\Programmi\WAT_IT\Accessibility_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmi\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmi\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programmi\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Programmi\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programmi\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programmi\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.pixdiscount.it/clients/uploader_v2.2.0.6.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE30C0C3-D1C5-4105-AE05-B2086DFD2921}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Programmi\Gizmo Project\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\eEBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\eEBAPI\SAgent2.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmi\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmi\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe
--
End of file - 10606 bytes
Thanks for any help you can give me...you're very kind...
PS my pc has become extremely slow and windows keep popping up!
If I back up in order to format, do I risk carrying the virus along?????

bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 11 Jan 2008 23:19
daborina wrote: "so I did everything with AVENGER, the pc rebooted but where do I find the result?"
It should be in C:\avenger.txt
Disable System Restore and boot the pc into safe mode
run hijackthis
click on do a system scan only
tick these entries:
Quote:
O2 - BHO: (no name) - {BEB8FE09-95AA-4BA0-9B9F-0DDCF361E9F3} - C:\WINDOWS\system32\geedc.dll (file missing)
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
click fix checked
Reboot the pc in normal mode, redo the hijackthis log and post it
Go to Kaspersky on-line scanner and run the extended scan, as explained here.
Save the scan result to a file (in HTML format), upload the file to Freefilehosting and post the link you get here.
daborina wrote: "If I back up in order to format, do I risk carrying the virus along?????"
Maybe. You'd better be patient a little longer. You'll see we'll manage to clean it.
In any case, a backup never hurts.
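As an added example (not from this thread, nor from HijackThis or Avenger), here is a Python triage pass over HijackThis lines that flags the three patterns the helper acted on above: O2 BHOs with no name or a missing DLL, O4 Run values with machine-generated names or rundll32 loading an odd system32 DLL, and O16 ActiveX downloads from hosts outside an analyst-maintained allowlist. The sample lines and the allowlist are constructed, and the "looks random" name heuristic is a review aid, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 line format, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O2 - BHO: (no name) - {BEB8FE09-95AA-4BA0-9B9F-0DDCF361E9F3} - C:\WINDOWS\system32\geedc.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a03144f8] rundll32.exe "C:\WINDOWS\system32\wlbdperj.dll",b
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Constructed allowlist: hosts the analyst accepts ActiveX (O16 DPF) downloads from.
TRUSTED_DPF_HOSTS = {"download.bitdefender.com"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 body: <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 [.exe] "<dll>",<export>  (quotes optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)


def looks_random(token: str) -> bool:
    """Heuristic: 8 hex digits (a03144f8) or a 7-10 letter blob with at most 2 vowels (wlbdperj)."""
    t = token.lower()
    if re.fullmatch(r"[0-9a-f]{8}", t):
        return True
    if re.fullmatch(r"[a-z]{7,10}", t):
        return sum(c in "aeiou" for c in t) <= 2
    return False


def triage(log_text: str, trusted_dpf_hosts=TRUSTED_DPF_HOSTS) -> list:
    """Return one finding per suspicious line: {'section', 'reason', 'line'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section == "O2":
            # A BHO with no name, or whose DLL is gone, is a leftover registration
            # (in this thread: geedc.dll after the AV deleted it).
            if "(no name)" in body or body.endswith("(file missing)"):
                reasons.append("BHO with no name or missing DLL")
        elif section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                name, cmd = o4.group("name"), o4.group("cmd")
                if looks_random(name):
                    reasons.append(f"Run value name {name!r} looks machine-generated")
                r = RUNDLL_RE.search(cmd)
                if r and "\\system32\\" in r.group("dll").lower():
                    stem = re.sub(r".*\\", "", r.group("dll"))[:-4]  # DLL base name without .dll
                    # Random DLL name or a one-letter export are typical of droppers, not vendors.
                    if looks_random(stem) or len(r.group("export")) <= 2:
                        reasons.append(f"rundll32 loads system32 DLL {stem!r} via export {r.group('export')!r}")
        elif section == "O16":
            # Last " - " separated field of an O16 line is the download URL of the ActiveX control.
            url = body.rsplit(" - ", 1)[-1]
            host = (urlparse(url).hostname or "").lower()
            if host not in trusted_dpf_hosts:
                reasons.append(f"ActiveX download from host not on allowlist: {host}")
        if reasons:
            findings.append({"section": section, "reason": "; ".join(reasons), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Benign vendor entries (NvCplDaemon, QuickTime, the BitDefender scanner control) pass through; only the three entries the helper targeted are reported.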

daborina (Pious Mortal)
Registered: 10/01/08 16:25 Posts: 16
Posted: 11 Jan 2008 23:33
Here is Avenger (meanwhile I'm doing what you wrote)
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Error: could not create zip file.
Error code: 1813
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wwcdgsgl
*******************
Script file located at: \??\C:\WINDOWS\system32\whtgjenf.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\Downloaded Program Files\gbieh.dll not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\gbieh.dll failed!
Could not process line:
C:\WINDOWS\Downloaded Program Files\gbieh.dll
Status: 0xc0000034
File C:\WINDOWS\system32\wlbdperj.dll not found!
Deletion of file C:\WINDOWS\system32\wlbdperj.dll failed!
Could not process line:
C:\WINDOWS\system32\wlbdperj.dll
Status: 0xc0000034
File C:\WINDOWS\system32\hggddcb.dll not found!
Deletion of file C:\WINDOWS\system32\hggddcb.dll failed!
Could not process line:
C:\WINDOWS\system32\hggddcb.dll
Status: 0xc0000034
File C:\WINDOWS\system32\geedc.dll not found!
Deletion of file C:\WINDOWS\system32\geedc.dll failed!
Could not process line:
C:\WINDOWS\system32\geedc.dll
Status: 0xc0000034
File C:\WINDOWS\system32\xfhdcucu.dll not found!
Deletion of file C:\WINDOWS\system32\xfhdcucu.dll failed!
Could not process line:
C:\WINDOWS\system32\xfhdcucu.dll
Status: 0xc0000034
Could not open file C:\Programmi\Opinionbar\MyIEMonitor.dll for deletion
Deletion of file C:\Programmi\Opinionbar\MyIEMonitor.dll failed!
Could not process line:
C:\Programmi\Opinionbar\MyIEMonitor.dll
Status: 0xc000003a
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD15805-96AF-4BFC-ACA8-1E43579A8250} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BD15805-96AF-4BFC-ACA8-1E43579A8250} failed!
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5118DC72-BFD4-44AC-A0A9-421C191DBE39} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5118DC72-BFD4-44AC-A0A9-421C191DBE39} failed!
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6607C683-AE7C-11D4-ACD7-0050DAC291A2} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6607C683-AE7C-11D4-ACD7-0050DAC291A2} failed!
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000} failed!
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0966b09-8911-4966-bc95-97276193f3c1} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0966b09-8911-4966-bc95-97276193f3c1} failed!
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggddcb not found!
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggddcb failed!
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\netmsg32 not found!
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\netmsg32 failed!
Status: 0xc0000034
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|a03144f8
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|a03144f8 failed!
Status: 0xc0000034
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{E37CB5F0-51F5-4395-A808-5FA49E399F83}
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{E37CB5F0-51F5-4395-A808-5FA49E399F83} failed!
Status: 0xc0000034
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{5118DC72-BFD4-44AC-A0A9-421C191DBE39}
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{5118DC72-BFD4-44AC-A0A9-421C191DBE39} failed!
Status: 0xc0000034
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{E37CB5F0-51F5-4395-A808-5FA49E399F83}
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{E37CB5F0-51F5-4395-A808-5FA49E399F83} failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
daborina Mortale pio
Registered: 10/01/08 16:25 Posts: 16
Posted: 11 Jan 2008 23:43 Subject:
Here is the HijackThis log after your instructions. I'm proceeding with the online antivirus.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:41, on 2008-01-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmi\Gizmo Project\mDNSResponder.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\EPSON\eEBAPI\eEBSVC.exe
C:\Programmi\File comuni\EPSON\eEBAPI\SAgent2.exe
C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programmi\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmi\F-Secure\Common\FSMA32.EXE
C:\Programmi\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\F-Secure\Common\FSMB32.EXE
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\F-Secure\Common\FCH32.EXE
C:\Programmi\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Programmi\F-Secure\Common\FAMEH32.EXE
C:\Programmi\F-Secure\Anti-Virus\fsqh.exe
C:\Programmi\F-Secure\Anti-Virus\fsrw.exe
C:\Programmi\F-Secure\Common\FNRB32.EXE
C:\Programmi\F-Secure\Common\FIH32.EXE
C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
C:\Documents and Settings\Mario\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\F-Secure\Anti-Virus\fsav32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dduniverse.net/ita/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Barradell'Accessibilità - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\Programmi\WAT_IT\Accessibility_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmi\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmi\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programmi\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Programmi\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programmi\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programmi\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.pixdiscount.it/clients/uploader_v2.2.0.6.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE30C0C3-D1C5-4105-AE05-B2086DFD2921}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Programmi\Gizmo Project\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\eEBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\eEBAPI\SAgent2.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmi\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programmi\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programmi\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmi\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe
--
End of file - 10360 bytes
bdoriano Administrator
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 11 Jan 2008 23:52 Subject:
Avenger didn't work as it should have.
I probably got the diagnosis wrong.
Follow these steps:
- Download VundoFix and VirtumundoBegone and save them to the desktop.
- Run VundoFix
Select Scan for Vundo and, when the scan has finished, choose Remove Vundo.
Click Yes and, when asked to restart the PC, answer Ok.
On restart Notepad should open with the log inside; copy its contents and post them on the forum.
- Now boot into safe mode
- Run VirtumundoBeGone and follow the on-screen instructions.
Restart the PC in normal mode and post the log.
edit: I forgot, when you run combofix, do you disable your antivirus?
daborina Mortale pio
Registered: 10/01/08 16:25 Posts: 16
Posted: 12 Jan 2008 01:06 Subject:
So:
- I don't disable the antivirus because this virus made it disappear from the taskbar and I don't know how to disable it.... besides, I'm terrified that if I disable it, it won't rename the infected files when they start.... (as it does now), even though the problem remains...
I don't remember whether I told you, but obviously this trojan prevents F-Secure from scanning the disk (it doesn't work).
I'll do that Vundo thing, but I wanted to tell you that Kaspersky is working (I'm on my work laptop) and very often a warning pops up on the monitor that the trojan is infecting files (especially programs) and F-Secure renames the files... is it making a mess, in your opinion?
Scan at 22% after about 1 hour and 10 minutes, with 3 viruses found and 6 infected objects.... I'll wait for it to finish and post the log tomorrow at this point.
I think we'll talk again tomorrow... your work permitting (I'm at home )
Thanks for now, and let's hope we solve it even though it looks very hard!!
bdoriano Administrator
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 12 Jan 2008 10:22 Subject:
Let's say this is like tilting at windmills.
The virus and your antivirus are both working against every operation we can do.
The programs I'm trying to have you use are meant to remove the virus; your antivirus might recognise them as dangerous and stop them from working.
daborina Mortale pio
Registered: 10/01/08 16:25 Posts: 16
Posted: 12 Jan 2008 12:21 Subject:
So:
this is the link to the Kaspersky scan
infezione.html.
I think all the files you'll see (I mean the executables) were renamed by F-Secure; I found out how to disable it, and if you want I'll redo a scan, even though it took 5 hours!
VundoFix didn't find anything, so I didn't clean.
This is the VirtumundoBeGone log:
[01/12/2008, 10:51:54] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mario\Desktop\VirtumundoBeGone.exe" )
[01/12/2008, 10:52:00] - Detected System Information:
[01/12/2008, 10:52:00] - Windows Version: 5.1.2600, Service Pack 2
[01/12/2008, 10:52:00] - Current Username: Mario (Admin)
[01/12/2008, 10:52:00] - Windows is in SAFE mode with Networking.
[01/12/2008, 10:52:00] - Searching for Browser Helper Objects:
[01/12/2008, 10:52:00] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Supporto di collegamento per Adobe PDF Reader)
[01/12/2008, 10:52:00] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/12/2008, 10:52:00] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/12/2008, 10:52:00] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[01/12/2008, 10:52:00] - BHO 5: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[01/12/2008, 10:52:00] - Finished Searching Browser Helper Objects
[01/12/2008, 10:52:00] - Finishing up...
[01/12/2008, 10:52:00] - Nothing found! Exiting...
Also, finally, after disabling the antivirus, ComboFix started!!!
here's its log:
ComboFix 08-01-09.2 - Mario 2008-01-12 10:56:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.523 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Mario\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\jrepdblw.ini
.
((((((((((((((((((((((((( Files Creati Da 2007-12-12 al 2008-01-12 )))))))))))))))))))))))))))))))))))
.
2008-01-12 10:07 . 2008-01-12 10:07 <DIR> d-------- C:\VundoFix Backups
2008-01-11 22:45 . 2008-01-11 22:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-11 22:45 . 2008-01-11 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-01-11 22:08 . 2008-01-11 22:08 1,080 --a------ C:\bdwykxyy.bat
2008-01-11 22:07 . 2008-01-11 22:07 60,416 --a------ C:\WINDOWS\system32\drivers\cgyketvh.sys
2008-01-11 22:00 . 2008-01-11 22:00 126,976 --a------ C:\zip.exe
2008-01-11 22:00 . 2008-01-11 22:00 60,416 --a------ C:\WINDOWS\system32\drivers\aoxk^xnk.sys
2008-01-11 22:00 . 2008-01-11 22:07 3,148 --a------ C:\avexport.bat
2008-01-11 22:00 . 2008-01-11 22:00 1,080 --a------ C:\wapmlmnb.bat
2008-01-11 00:24 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 00:13 . 2008-01-11 18:07 340,480 --------- C:\WINDOWS\system32\GEEDC.0XE
2008-01-10 22:16 . 2008-01-10 22:16 <DIR> d-------- C:\Programmi\File comuni\EZB Systems
2008-01-10 01:06 . 2008-01-10 01:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-10 00:50 . 2008-01-10 00:50 <DIR> d-------- C:\Documents and Settings\Mario\Dati applicazioni\Lavasoft
2008-01-09 22:59 . 2008-01-10 00:12 <DIR> d-------- C:\Programmi\Romain's Software
2007-12-13 22:32 . 2007-12-13 22:32 302 --a------ C:\colorcart1.dat
2007-12-13 22:32 . 2007-12-13 22:32 178 --a------ C:\separa.dat
2007-12-13 22:32 . 2007-12-13 22:32 162 --a------ C:\datasetv.dat
2007-12-13 22:32 . 2007-12-13 22:32 94 --a------ C:\dataset.dat
2007-12-13 22:32 . 2007-12-13 22:32 0 --a------ C:\datacolor.dat
2007-12-13 22:32 . 2007-12-13 22:32 0 --a------ C:\bingo1.dat
2007-12-12 08:56 . 2007-12-12 08:56 <DIR> d-------- C:\Programmi\PC Connectivity Solution
2007-12-12 03:01 . 2008-01-09 19:50 1,355 --a------ C:\WINDOWS\imsins.BAK
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 21:35 --------- d-----w C:\Documents and Settings\Mario\Dati applicazioni\Skype
2008-01-11 21:00 --------- d-----w C:\Documents and Settings\Mario\Dati applicazioni\Azureus
2008-01-11 17:40 --------- d-----w C:\Programmi\eMule
2008-01-10 21:16 --------- d-----w C:\Programmi\UltraISO
2008-01-10 07:35 --------- d-----w C:\Programmi\hi
2008-01-09 23:50 --------- d-----w C:\Programmi\Lavasoft
2008-01-09 23:10 --------- d-----w C:\Programmi\QuickTime
2008-01-09 22:03 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-01-07 23:48 --------- d-----w C:\Programmi\Azureus
2008-01-04 12:49 --------- d-----w C:\Programmi\UltraFXP
2008-01-02 15:59 --------- d-----w C:\Programmi\Sfoglia Giornale
2008-01-02 15:54 --------- d-----w C:\Programmi\Jasc Software Inc
2008-01-02 15:52 --------- d-----w C:\Programmi\Nokia
2008-01-02 15:51 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Installations
2008-01-02 15:40 --------- d-----w C:\Programmi\ArcSoft
2007-12-17 23:43 --------- d-----w C:\Programmi\Messenger Plus! Live
2007-12-15 19:30 --------- d-----w C:\Documents and Settings\Mario\Dati applicazioni\Nokia
2007-12-12 07:57 --------- d-----w C:\Programmi\Nokian73
2007-12-12 07:57 --------- d-----w C:\Programmi\File comuni\PCSuite
2007-12-12 07:57 --------- d-----w C:\Programmi\File comuni\Nokia
2007-11-29 21:45 --------- d-----w C:\Programmi\CDCheck
2007-11-24 13:27 --------- d-----w C:\Programmi\WAT_IT
2007-11-23 13:45 --------- d-----w C:\Documents and Settings\Mario\Dati applicazioni\AdobeUM
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-08-27 20:15 20 ---h--w C:\Documents and Settings\All Users\Dati applicazioni\PKP_DLbz.DAT
2006-11-23 22:30 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"PC Suite Tray"="C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 07:16 5058560]
"nwiz"="nwiz.exe" [2003-10-06 07:16 741376 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 16:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe" [ ]
"EPSON Stylus CX3200"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [ ]
"F-Secure Manager"="C:\Programmi\F-Secure\Common\FSM32.exe" [ ]
"F-Secure TNB"="C:\Programmi\F-Secure\TNB\TNBUtil.exe" [ ]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"CloneCDTray"="C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" [ ]
"ISUSScheduler"="C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" [ ]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [ ]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [ ]
"Microsoft Update"="lsac.exe" []
"Nokia.PCSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2003-08-29 16:33:24]
F-Secure Automatic Update.lnk - C:\Programmi\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2006-05-22 20:55:20]
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-06-21 16:32]
R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2006-03-09 19:41]
R2 ACEDRV09;ACEDRV09;C:\WINDOWS\system32\drivers\ACEDRV09.sys [2007-10-02 18:20]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2006-05-22 20:55]
R2 F-Secure Filter;F-Secure File System Filter;C:\Programmi\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 16:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programmi\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-02-16 16:49]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programmi\F-Secure\Anti-Virus\Win2K\FSrec.sys [2004-12-17 10:34]
R3 st324bus;st324bus;C:\WINDOWS\system32\DRIVERS\st324bus.sys [2002-11-11 00:31]
R3 st324kj;st324kj;C:\WINDOWS\system32\DRIVERS\st324kj.sys [2002-11-13 17:43]
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys []
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys []
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2000-09-14 13:00]
S3 S6U12BScanner;Trust Compact Scan USB 19200 Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 21:58]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41]
S3 UPnPService;UPnPService;C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 15:00]
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-04 15:28:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 11:04:59
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-12 11:10:40 - machine was rebooted [Mario]
ComboFix-quarantined-files.txt 2008-01-12 10:10:37
.
2008-01-09 18:51:50 --- E O F ---
Now I'm in your hands.....
I await your news!
Thanks again
bdoriano Administrator
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 12 Jan 2008 13:26 Subject:
Good! ComboFix deleted a few things.
Something else is still visible; download ATF-Cleaner.
Run ATF-Cleaner (it deletes temporary files)
Tick Select All
(if you want to keep the files in the recycle bin, untick Recycle bin)
Click Empty selected
Do the same operations for Opera and Firefox too (if you use them)
When done, run this scan with SystemScan and post the log on FreeFileHosting as indicated here.
PS: I know these are long operations, but they serve to automatically delete everything that can be deleted and to get a definitive picture of the situation.
daborina Mortale pio
Registered: 10/01/08 16:25 Posts: 16
Posted: 13 Jan 2008 03:23 Subject:
So, after countless hours lost (about 14 hours of various scans) and the firm will not to give in to this damned virus, here's an update on the situation.
Ran ATF for IE and Mozilla.
Did the scans with BitDefender, Panda (I have the logs of these 2) and ESET, which doesn't leave a log.
Obviously they all say I'm full of viruses (from 3 to 7), with several infected files especially in the Programs and Temp folders (even though they had been cleaned).
Every time I run the scans and the antiviruses go over the file, obviously F-Secure warns me, kicks in and renames the files (shouldn't I have turned it off this time too?).
I can't download SystemScan because the site doesn't work....
I'm in your hands again....
Thanks again...
PS I DON'T WANT TO FORMAT, AS A MATTER OF PRINCIPLE!