[Solved] Virtumonde again
-
also because, if I've understood correctly, from the log it looks like one of the two file deletions did not succeed
that's why I suggested using Dr.Web CureIt; anyway, if you'd rather continue with the other procedure, NO PROBLEM
-
maniac,
I downloaded and scanned with Dr.Web: after a cleanup + quarantine of 5 viruses in the express scan, in the full scan it sat for something like 30-40 min on C\doc e settings\user\impostazioni locali\temp\drw....temp. That seemed a bit excessive, as if it was hitting snags (I had already cleaned up with CCleaner), but the strangest thing is that when I came back the program had closed, so I don't know whether it had finished or had closed itself because of problems.
Waiting for your news!! thanks
-
> maniac,
> I downloaded and scanned with Dr.Web: after a cleanup + quarantine of 5 viruses in the express scan, in the full scan it sat for something like 30-40 min on C\doc e settings\user\impostazioni locali\temp\drw....temp. That seemed a bit excessive, as if it was hitting snags (I had already cleaned up with CCleaner), but the strangest thing is that when I came back the program had closed, so I don't know whether it had finished or had closed itself because of problems.
no no, don't worry, the program definitely froze (it happens)
run a new scan with HijackThis and post the log
-
it closed again (as before, I don't know whether it finished or froze)
anyway, here's the log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.25.25, on 23/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\nnnlmjGw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [EPSON Stylus DX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE /P26 "EPSON Stylus DX4200 Series" /O6 "USB001" /M "Stylus DX4200"
O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [C:\WINDOWS\system32\kdzyc.exe] C:\WINDOWS\system32\kdzyc.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{6CE55B15-B60B-4DFA-ACCF-0C55F2B1ADC3}: NameServer = 85.37.17.46 85.38.28.84
O20 - Winlogon Notify: nnnlmjGw - C:\WINDOWS\SYSTEM32\nnnlmjGw.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
End of file - 3528 bytes
bye
thanks
-
it looks like Dr.Web cleaned up properly; check this entry with VIRUSTOTAL
C:\WINDOWS\system32\nnnlmjGw.dll
-
it gives me this response; I don't think it uploaded anything:
0 bytes size received / Se ha recibido un archivo vacio
-
I analysed it with NOD and it finds it's infected with Virtumonde > disinfect option > but it tells me it can't because the file is running > reboot > ok > but as you well know, it regenerates at startup
-
abandoned?
-
> abandoned?
no, banned!!
post a HijackThis log
-
Before the log, run this with Avenger first:
**
Files to delete:
C:\WINDOWS\system32\nnnlmjGw.dll
Files to replace with dummy:
C:\WINDOWS\system32\nnnlmjGw.dll
**
Press execute, let the PC reboot and post the Avenger log followed by the HijackThis log.
-
thanks for your support!
ok, command executed; maybe something didn't go right, BUT on reboot NOD no longer shows me the Virtumonde-present warning. Battle won?
Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\nnnlmjGw.dll" deleted successfully.
Error: file "C:\WINDOWS\system32\nnnlmjGw.dll" not found!
Replacement with dummy of file "C:\WINDOWS\system32\nnnlmjGw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
Finished! Terminate.
and
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.12.33, on 02/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Eset\nod32kui.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\user\Desktop\logs\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\nnnlmjGw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [EPSON Stylus DX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE /P26 "EPSON Stylus DX4200 Series" /O6 "USB001" /M "Stylus DX4200"
O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [C:\WINDOWS\system32\kdzyc.exe] C:\WINDOWS\system32\kdzyc.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{6CE55B15-B60B-4DFA-ACCF-0C55F2B1ADC3}: NameServer = 85.37.17.46 85.38.28.84
O20 - Winlogon Notify: nnnlmjGw - nnnlmjGw.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
End of file - 3637 bytes
-
half the log is missing (it's cut off)
-
As for Avenger, it deleted the file successfully.
The file-not-found error happened because I repeated the script twice for the same file but with different commands, so that if the first one failed the second would probably take effect ;)
As for HijackThis, the log is complete; fix these entries:
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\nnnlmjGw.dll (file missing)
O20 - Winlogon Notify: nnnlmjGw - nnnlmjGw.dll (file missing)
Then you should be all set :)
-
ok, fixed!
here's the log. I confirm the Virtumonde warning no longer appears; maybe tomorrow I'll run another scan with NOD.
thanks a lot!! I'd say I'm done with Virtumonde, right?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.22.29, on 02/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Eset\nod32kui.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\user\Desktop\logs\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [EPSON Stylus DX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE /P26 "EPSON Stylus DX4200 Series" /O6 "USB001" /M "Stylus DX4200"
O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [C:\WINDOWS\system32\kdzyc.exe] C:\WINDOWS\system32\kdzyc.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{6CE55B15-B60B-4DFA-ACCF-0C55F2B1ADC3}: NameServer = 85.37.17.46 85.38.28.84
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
End of file - 3473 bytes
-
I'd say everything's fine.
Thanks to Avenger we've removed Virtumonde ;)
If you want, to be safe run a scan with NOD and if it finds anything let us know :)
-
as suggested I ran the scan, which I'm attaching: I didn't understand whether there's still an "attempt" to reinstall itself in System Volume Information. What do you think? I'm also posting the HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.44.36, on 03/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\ESET\nod32kui.exe
C:\Programmi\ESET\nod32.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\logs\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [EPSON Stylus DX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE /P26 "EPSON Stylus DX4200 Series" /O6 "USB001" /M "Stylus DX4200"
O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [C:\WINDOWS\system32\kdzyc.exe] C:\WINDOWS\system32\kdzyc.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [68c35433] rundll32.exe "C:\WINDOWS\system32\asdpjrqd.dll",b
O4 - HKLM..\Run: [BM6bf067af] Rundll32.exe "C:\WINDOWS\system32\hxkferxv.dll",s
O4 - HKCU..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{6CE55B15-B60B-4DFA-ACCF-0C55F2B1ADC3}: NameServer = 85.37.17.46 85.38.28.84
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
End of file - 3710 bytes
I can't attach the NOD message. I'll try later
-
It got reinfected :?
From HijackThis, fix:
O4 - HKLM..\Run: [68c35433] rundll32.exe "C:\WINDOWS\system32\asdpjrqd.dll",b
O4 - HKLM..\Run: [BM6bf067af] Rundll32.exe "C:\WINDOWS\system32\hxkferxv.dll",s
With Avenger run this script:
**
Files to delete:
C:\WINDOWS\system32\asdpjrqd.dll
C:\WINDOWS\system32\hxkferxv.dll
**
Press execute, let the PC reboot and save the log.
Then download ComboFix http://subs.geekstogo.com/ComboFix.exe, disconnect from the internet and close all applications, disabling the antivirus (note: NOD may detect ComboFix as infected; that's a mistake)
Start ComboFix, follow the on-screen instructions and let it begin the scan (don't worry if strange things happen during the scan).
At the end, post the Avenger log you saved earlier, the ComboFix log and a new HijackThis log created after using ComboFix.
Do the steps in order.
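The two fix lists in this thread, the orphaned O2/O20 pair for nnnlmjGw.dll in the earlier post and the two rundll32 Run entries just above, follow a pattern that can be checked mechanically instead of by eye. The Python below is an added example written for this page, not a tool anyone in the thread posted: it scans HijackThis O2/O4/O20 entries for the indicators the helpers used, an unnamed BHO, a DLL registered as both O2 (BHO) and O20 (Winlogon Notify), a Run value named after its own path, rundll32 loading a random-looking DLL from system32, and "(file missing)" orphans. The sample entries are copied from the logs posted above; the random-name heuristic, its thresholds and the KNOWN_GOOD allowlist are this example's own assumptions and only a prefilter, not a substitute for checking the file on VirusTotal.

```python
"""Triage of HijackThis log entries for Vundo/Virtumonde-style persistence.

Added example for this thread, not a tool posted in it. The sample entries
are copied from the HijackThis logs in the thread; the scoring rules
(random-name heuristic, "value named after its own path", O2/O20 pairing)
and the KNOWN_GOOD list are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: entries taken from the logs in this thread, plus the
# clean Java BHO and NOD32 lines as benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\nnnlmjGw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdzyc.exe] C:\WINDOWS\system32\kdzyc.exe
O4 - HKLM\..\Run: [68c35433] rundll32.exe "C:\WINDOWS\system32\asdpjrqd.dll",b
O4 - HKLM\..\Run: [BM6bf067af] Rundll32.exe "C:\WINDOWS\system32\hxkferxv.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: nnnlmjGw - C:\WINDOWS\SYSTEM32\nnnlmjGw.dll
O20 - Winlogon Notify: nnnlmjGw - nnnlmjGw.dll (file missing)
"""

VOWELS = set("aeiou")
# Legitimate vowel-poor system32 autostarts the heuristic would otherwise
# flag (assumption; extend per environment).
KNOWN_GOOD = {"ctfmon", "msmsgs"}

ENTRY_RE = re.compile(r"^(O2|O4|O20) - (.*)$")
BIN_RE = re.compile(r"([\w~-]+)\.(dll|exe)\b", re.I)


def looks_random(stem: str) -> bool:
    """Vundo-style generated names (nnnlmjGw, asdpjrqd, kdzyc): 5-8 letters,
    no digits, and vowel-poor, a long consonant run, or random capitals.
    A prefilter only: apply it to files under system32, never on its own."""
    if not stem.isalpha() or not 5 <= len(stem) <= 8 or stem.lower() in KNOWN_GOOD:
        return False
    low = stem.lower()
    vowel_ratio = sum(c in VOWELS for c in low) / len(low)
    consonant_run = max((len(r) for r in re.findall(r"[^aeiou]+", low)), default=0)
    # Case flips after the first character: "MotiveSB" has one, "nnnlmjGw" two.
    case_flips = sum(a.isupper() != b.isupper() for a, b in zip(stem[1:], stem[2:]))
    return vowel_ratio < 0.25 or consonant_run >= 4 or case_flips >= 2


def triage(log_text: str) -> dict:
    """Return flagged O2/O4/O20 entries plus the DLL stems registered as both
    a BHO (O2) and a Winlogon Notify handler (O20), the pairing that keeps
    the DLL loaded in winlogon.exe and Internet Explorer at the same time."""
    findings = []
    sections_by_stem = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        lower = line.lower()
        reasons = []
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if "(file missing)" in body:
            reasons.append("autostart points at a deleted file (orphan, still fix it)")
        if section == "O4":
            value = re.search(r"\[([^\]]+)\]", body)
            if value and re.match(r"[a-z]:\\", value.group(1), re.I):
                reasons.append("Run value named after its own path")
        for stem, ext in dict.fromkeys(BIN_RE.findall(body)):
            ext = ext.lower()
            # O20 DLLs are resolved from system32 even when no path is given.
            in_system32 = f"system32\\{stem.lower()}.{ext}" in lower or section == "O20"
            if in_system32 and looks_random(stem):
                via = " loaded via rundll32" if "rundll32" in lower else ""
                reasons.append(f"random-looking {stem}.{ext} in system32{via}")
                sections_by_stem[stem.lower()].add(section)
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    pairs = sorted(s for s, secs in sections_by_stem.items() if {"O2", "O20"} <= secs)
    return {"findings": findings, "vundo_pairs": pairs}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['section']:>3} | {f['line']}")
        for reason in f["reasons"]:
            print("      -", reason)
    print("BHO + Winlogon Notify pairs:", result["vundo_pairs"])
```

Run as a script it prints the six flagged entries and the single O2/O20 pair, nnnlmjGw; the clean Java BHO, the NOD32 Run value and the dumprep entry pass. The pairing is the detail behind the "file is running" message earlier in the thread: the same DLL is mapped into winlogon.exe through the Notify key and into Internet Explorer as a BHO, so an on-disk delete has to happen before those processes start, which is what a reboot-time tool like Avenger does.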
-
Ok Giò, thanks! did everything as instructed: I didn't understand much, but ComboFix really seems like a BOMB!! here are the logs:
Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\nnnlmjGw.dll" deleted successfully.
Error: file "C:\WINDOWS\system32\nnnlmjGw.dll" not found!
Replacement with dummy of file "C:\WINDOWS\system32\nnnlmjGw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
Finished! Terminate.
Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP
Error: Script file not found!
Could not open script file! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Abort!
Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\asdpjrqd.dll" deleted successfully.
File "C:\WINDOWS\system32\hxkferxv.dll" deleted successfully.
Completed script processing.
Finished! Terminate.
and
ComboFix 08-09-01.05 - user 2008-09-03 23.17.24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.607 [GMT 2:00]
Running from: C:\Documents and Settings\user\Desktop\logs\ComboFix.exe
- Created a new restore point
- Resident AV is active
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section not completed
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\user\file.exe
C:\WINDOWS\BM6bf067af.txt
C:\WINDOWS\BM6bf067af.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtrQjkj.dll
C:\WINDOWS\system32\awtrQkKD.dll
C:\WINDOWS\system32\awtsQICT.dll
C:\WINDOWS\system32\awtsRlIx.dll
C:\WINDOWS\system32\cbXnmLDU.dll
C:\WINDOWS\system32\cbXOIbya.dll
C:\WINDOWS\system32\cbXRJBuV.dll
C:\WINDOWS\system32\cmvfoyrb.dll
C:\WINDOWS\system32\ddcARiHx.dll
C:\WINDOWS\system32\ddcawxXo.dll
C:\WINDOWS\system32\ddcCVMfd.dll
C:\WINDOWS\system32\ddcDvsSk.dll
C:\WINDOWS\system32\ddcyyvuv.dll
C:\WINDOWS\system32\dftukojm.dll
C:\WINDOWS\system32\dqrjpdsa.ini
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\efcaWMda.dll
C:\WINDOWS\system32\fabdhqpc.ini
C:\WINDOWS\system32\fccawvtQ.dll
C:\WINDOWS\system32\fccaXpNf.dll
C:\WINDOWS\system32\fccbXnNe.dll
C:\WINDOWS\system32\fccccabY.dll
C:\WINDOWS\system32\fznyjb.dll
C:\WINDOWS\system32\geBqPGYs.dll
C:\WINDOWS\system32\geBqRife.dll
C:\WINDOWS\system32\geBRhggE.dll
C:\WINDOWS\system32\geBrpnND.dll
C:\WINDOWS\system32\geBsrOFx.dll
C:\WINDOWS\system32\geBssRLf.dll
C:\WINDOWS\system32\geBtUMEV.dll
C:\WINDOWS\system32\geBuVOHx.dll
C:\WINDOWS\system32\goauleqb.dll
C:\WINDOWS\system32\hgGwWnMD.dll
C:\WINDOWS\system32\hgGxWqpO.dll
C:\WINDOWS\system32\hoasjf.dll
C:\WINDOWS\system32\iifecaAp.dll
C:\WINDOWS\system32\iiffgFxV.dll
C:\WINDOWS\system32\iifGwtRK.dll
C:\WINDOWS\system32\iyghilwc.dll
C:\WINDOWS\system32\jkkKayVL.dll
C:\WINDOWS\system32\kdzyc.exe
C:\WINDOWS\system32\khfCvSLf.dll
C:\WINDOWS\system32\khfEXrOg.dll
C:\WINDOWS\system32\khfGaxxU.dll
C:\WINDOWS\system32\kjesadac.dll
C:\WINDOWS\system32\litmfgqt.dll
C:\WINDOWS\system32\ljJARkLd.dll
C:\WINDOWS\system32\ljJATnon.dll
C:\WINDOWS\system32\ljJBUmkj.dll
C:\WINDOWS\system32\ljJCsttt.dll
C:\WINDOWS\system32\ljJCvWmn.dll
C:\WINDOWS\system32\ljJDSLDV.dll
C:\WINDOWS\system32\ljJYOhIY.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJBSkjj.dll
C:\WINDOWS\system32\mlJYomKE.dll
C:\WINDOWS\system32\mlJYpnLf.dll
C:\WINDOWS\system32\nnnkhiGx.dll
C:\WINDOWS\system32\nnnkIbaw.dll
C:\WINDOWS\system32\nnnljkHA.dll
C:\WINDOWS\system32\nnnMcDTL.dll
C:\WINDOWS\system32\nnnoOiHX.dll
C:\WINDOWS\system32\nnnoPHXp.dll
C:\WINDOWS\system32\nonTAJjl.ini
C:\WINDOWS\system32\nonTAJjl.ini2
C:\WINDOWS\system32\omicxsur.ini
C:\WINDOWS\system32\opnlJYsp.dll
C:\WINDOWS\system32\opnnklmn.dll
C:\WINDOWS\system32\pmnkIyWQ.dll
C:\WINDOWS\system32\pmnliiHY.dll
C:\WINDOWS\system32\pmnnOghe.dll
C:\WINDOWS\system32\ptdxnesl.dll
C:\WINDOWS\system32\qoMcaaAR.dll
C:\WINDOWS\system32\qoMcayVL.dll
C:\WINDOWS\system32\qoMeBssr.dll
C:\WINDOWS\system32\qoMeEVpm.dll
C:\WINDOWS\system32\rqRIaxVo.dll
C:\WINDOWS\system32\rqRJDuSk.dll
C:\WINDOWS\system32\rqRKETmN.dll
C:\WINDOWS\system32\ssqNdeFv.dll
C:\WINDOWS\system32\ssqNfDVN.dll
C:\WINDOWS\system32\ssqPjHAp.dll
C:\WINDOWS\system32\tuvVLdeb.dll
C:\WINDOWS\system32\tuvVPGvU.dll
C:\WINDOWS\system32\twclrehd.ini
C:\WINDOWS\system32\urqoNHAq.dll
C:\WINDOWS\system32\urqPiIab.dll
C:\WINDOWS\system32\urqQgefd.dll
C:\WINDOWS\system32\urqRKAPF.dll
C:\WINDOWS\system32\vtUmNdDS.dll
C:\WINDOWS\system32\wiqqosto.dll
C:\WINDOWS\system32\wvUnMGXq.dll
C:\WINDOWS\system32\xxyaaXQk.dll
C:\WINDOWS\system32\xxyayXqo.dll
C:\WINDOWS\system32\xxyvvUKa.dll
C:\WINDOWS\system32\xxywVnom.dll
C:\WINDOWS\system32\xxyyYQKB.dll
C:\WINDOWS\system32\yadKnnnn.ini
C:\WINDOWS\system32\yadKnnnn.ini2
C:\WINDOWS\system32\yayvWMFU.dll
C:\WINDOWS\system32\yayxvVmj.dll
C:\WINDOWS\system32\yayxvVNG.dll
C:\WINDOWS\system32\ymchqxsp.ini
C:\WINDOWS\winupdt.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{DEF85C80-216A-43AB-AF70-1665EDBE2780}
-------\Service_{DEF85C80-216A-43ab-AF70-1665EDBE2780}
.
((((((((((((((((((((((((( Files Created From 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))))))
.
2008-09-03 11:23 . 2008-09-03 11:23 <DIR> d-------- C:\Program Files
2008-08-26 20:50 . 2008-08-26 20:50 <DIR> d-------- C:\Documents and Settings\user\Contacts
2008-08-26 18:31 . 2008-08-26 18:31 268 --ah----- C:\sqmdata10.sqm
2008-08-26 18:31 . 2008-08-26 18:31 244 --ah----- C:\sqmnoopt10.sqm
2008-08-22 01:04 . 2008-08-22 01:04 <DIR> d-------- C:\Documents and Settings\user\DoctorWeb
2008-08-19 23:50 . 2008-08-19 23:50 <DIR> d-------- C:\Programmi\CCleaner
2008-08-19 14:28 . 2008-08-19 14:28 <DIR> d-------- C:\Documents and Settings\user\Dati applicazioni\Apple Computer
2008-08-18 22:56 . 2008-08-19 15:26 <DIR> d-------- C:\Programmi\Winamp
2008-08-18 22:56 . 2008-08-19 15:14 <DIR> d-------- C:\Documents and Settings\user\Dati applicazioni\Winamp
2008-08-18 20:08 . 2008-08-18 22:55 <DIR> d-------- C:\Documents and Settings\user\Dati applicazioni\Winamp(3)
2008-08-17 12:42 . 2008-08-17 12:43 1,501,522 ---hs---- C:\WINDOWS\system32\ndvfmyva.tmp
2008-08-12 22:39 . 2008-08-18 22:56 <DIR> d-------- C:\Programmi\Winamp(2)
2008-08-12 22:39 . 2008-08-18 22:56 <DIR> d-------- C:\Documents and Settings\user\Dati applicazioni\Winamp(2)
2008-08-09 17:23 . 2008-08-18 22:58 <DIR> d-------- C:\Programmi\iPhoto Plus 4
2008-08-06 17:54 . 2008-08-06 17:54 268 --ah----- C:\sqmdata09.sqm
2008-08-06 17:54 . 2008-08-06 17:54 244 --ah----- C:\sqmnoopt09.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 20:10 --------- d-----w C:\Programmi\ESET
2008-09-02 19:01 --------- d-----w C:\Programmi\eMule
2008-08-20 10:35 6,952 ----a-w C:\WINDOWS\Sysvxd.exe
2008-08-18 20:57 --------- d-----w C:\Programmi\SlySoft
2008-08-18 20:57 --------- d-----w C:\Programmi\Elaborate Bytes
2008-08-18 20:54 --------- d-----w C:\Programmi\CyberLink
2008-07-28 17:08 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\GRETECH
2008-07-28 17:07 --------- d-----w C:\Programmi\GRETECH
2008-07-28 17:07 --------- d-----w C:\Documents and Settings\user\Dati applicazioni\GRETECH
2008-07-28 15:48 --------- d-----w C:\Documents and Settings\user\Dati applicazioni\DivX
2008-07-27 17:49 --------- d-----w C:\Documents and Settings\user\Dati applicazioni\Creative
2008-07-27 17:47 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-07-27 14:31 --------- d-----w C:\Programmi\Creative
2008-07-27 14:27 --------- d-----w C:\Programmi\File comuni\InstallShield
2008-07-27 14:05 --------- d-----w C:\Documents and Settings\user\Dati applicazioni\Nero
2008-07-27 13:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Elaborate Bytes
2008-07-27 13:38 --------- d-----w C:\Documents and Settings\user\Dati applicazioni\CyberLink
2008-07-27 13:38 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\CyberLink
2008-07-27 13:35 --------- d-----w C:\Programmi\epson
2008-07-27 13:24 --------- d-----w C:\Programmi\Motive
2008-07-27 13:24 --------- d-----w C:\Programmi\File comuni\Motive
2008-07-27 13:24 --------- d-----w C:\Programmi\Common Files
2008-07-27 13:24 --------- d-----w C:\Programmi\Alice ti aiuta
2008-07-27 13:24 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Motive
2008-07-27 13:23 155,995 ----a-w C:\WINDOWS\java\Packages\DJH3VVRR.ZIP
2008-07-27 13:22 --------- d-----w C:\Programmi\Telecom Italia
2008-07-25 15:26 --------- d-----w C:\Programmi\RegCleaner
2008-07-25 15:16 --------- d-----w C:\Programmi\Microsoft.NET
2008-07-25 15:15 --------- d-----w C:\Programmi\File comuni\Adobe
2008-07-25 15:14 --------- d-----w C:\Programmi\Nero
2008-07-25 15:14 --------- d-----w C:\Programmi\File comuni\Nero
2008-07-25 15:14 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Nero
2008-07-25 15:13 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\SlySoft
2008-07-25 15:12 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-07-25 15:12 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-07-25 15:12 --------- d-----w C:\Programmi\Windows Live
2008-07-25 15:12 --------- d-----w C:\Programmi\Java
2008-07-25 15:12 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE
2008-07-25 15:11 --------- d-----w C:\Programmi\Xvid
2008-07-25 15:11 --------- d-----w C:\Programmi\Real Alternative
2008-07-25 15:11 --------- d-----w C:\Programmi\QuickTime
2008-07-25 15:11 --------- d-----w C:\Programmi\File comuni\Java
2008-07-25 15:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2008-07-25 15:04 --------- d-----w C:\Programmi\DivX
2008-07-25 15:03 --------- d-----w C:\Programmi\AC3Filter
2008-07-25 13:51 --------- d-----w C:\Programmi\microsoft frontpage
2008-07-25 13:50 --------- d-----w C:\Programmi\Windows Media Connect
2008-07-25 13:47 --------- d-----w C:\Programmi\Windows Journal Viewer
2008-07-25 13:47 --------- d-----w C:\Programmi\HighMAT CD Writing Wizard
2008-07-25 13:43 --------- d-----w C:\Programmi\Servizi in linea
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note: empty & legitimate/default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2005-02-13 1694208]
"CTSyncU.exe"="C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-28 700416]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2008-07-25 949376]
"Motive SmartBridge"="C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"EPSON Stylus DX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE" [2005-03-07 98304]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-05-27 413696]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15360]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2008-07-27 217088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= msaud32_divx.acm
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Programmi\CyberLink\PowerDVD\PowerDVD.exe"=
"C:\Programmi\Windows Live\Messenger\msnmsgr.exe"=
"C:\Programmi\Windows Live\Messenger\livecall.exe"=
"C:\Programmi\eMule\emule.exe"=
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 9216]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17920]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2007-07-11 714240]
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programmi\CyberLink\PowerDVD*0*00.fcl [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0695f23c-5e20-11dd-b0c6-00e04d529329}]
\shell\verb1\command - desktop.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{7e9cc744-5e32-11dd-b0c7-00e04d529329}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
- - - - ORFÃOS REMOVIDOS - - - -
HKLM-Run-C:\WINDOWS\system32\kdzyc.exe - C:\WINDOWS\system32\kdzyc.exe
HKLM-Run-BM6bf067af - C:\WINDOWS\system32\hxkferxv.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://.google.it/
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
O8 -: E&sporta in Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java -C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-09-03 23:39:41
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdzyc.exe"="C:\WINDOWS\system32\kdzyc.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="??\C:\Programmi\CyberLink\PowerDVD*0*00.fcl"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\ESET\nod32krn.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
.
Ora fine scansione: 2008-09-03 23:40:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-03 21:40:50
Pre-Run: 73,993,883,648 byte disponibili
Post-Run: 74,904,076,288 byte disponibili
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.43.52, on 03/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Eset\nod32kui.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\user\Desktop\logs\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [EPSON Stylus DX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE /P26 "EPSON Stylus DX4200 Series" /O6 "USB001" /M "Stylus DX4200"
O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
End of file - 3434 bytes
Thanks a lot, I'm curious to understand, within the limits of my very meagre knowledge, what the heck it cleaned.
-
I'd say the PC is really clean now; you had a bunch of viruses that didn't show up in HijackThis and that ComboFix removed.
(You can see all the deleted files in the log under the "other deletions" heading.)
If you want a further check, download SystemScan from www.suspectfile.com/systemscan, run it, accept the licence agreement, disable your AV (which in this case too might flag it as infected) and start the system scan, making sure all the boxes are ticked.
When it's done, post the report for us by uploading it to www.sendmefile.com and giving us the link that will appear.
Otherwise, if you don't want to use SystemScan, as far as I'm concerned you're fine (it's only for an extra check).
-
Thanks a million giò! Now the PC runs great!!!
One thing I wanted to ask you, that is, after the cure... prevention: this PC is used 80% of the time by a 13-year-old girl, and you can imagine what kind of browsing she does: downloading videos from YouTube, hanging around singers' blogspot pages, downloading photos of singers, MSN... in short, the best of the worst, and indeed the results were what they were. Now, since I can't/don't want to stop her from doing all that, and fearing the next infection, I wanted to know:
1) whether NOD and CCleaner are enough for a "normal" defence;
2) whether, when needed, I can just brutally re-run ComboFix, mainly so as not to bother you too much;
3) or whether I'm forced to ask you for help.
Thanks again!! File link: sendmefile.com/00646951
I'm adding the latest HJT log, in which the last line shows a file from a program I removed (file missing). I tried to fix it, but it stays. Should I delete it (with Avenger?) or can it stay there?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.33.54, on 04/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\ESET\nod32kui.exe
C:\Documents and Settings\user\Desktop\logs\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [EPSON Stylus DX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.EXE /P26 "EPSON Stylus DX4200 Series" /O6 "USB001" /M "Stylus DX4200"
O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe (file missing)
End of file - 3446 bytes