Dark Angel

Undeletable Virus

4 posts in this thread

Hello everyone,

For a few days now I have noticed that my antivirus (Avira AntiVir Personal) has been detecting various viruses; every day they changed name, but all of them had a .dll extension.

Then it detected a virus called freescan[1].htm, which I cannot delete either with the antivirus or manually.

I am posting the HijackThis logfile below:

Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 15.16.44, on 28/12/2008
  Platform: Windows XP SP3 (WinNT 5.01.2600)
  MSIE: Internet Explorer v7.00 (7.00.6000.16640)
  Boot mode: Normal

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\csrss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
  C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
  C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
  C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
  C:\Programmi\NVIDIA Corporation\nTune\nTuneService.exe
  C:\WINDOWS\system32\nvsvc32.exe
  C:\WINDOWS\system32\IoctlSvc.exe
  C:\WINDOWS\system32\HPZipm12.exe
  C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
  C:\WINDOWS\System32\PAStiSvc.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\Tablet.exe
  C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
  C:\Programmi\File comuni\Acronis\Fomatik\TrueImageTryStartService.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\RTHDCPL.EXE
  C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
  C:\WINDOWS\Twain_32\NX VEGA 300\SnapTrap.exe
  C:\WINDOWS\system32\RUNDLL32.EXE
  C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
  C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
  C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
  C:\WINDOWS\system32\rundll32.exe
  C:\WINDOWS\system32\rundll32.exe
  C:\Programmi\Java\jre1.6.0_06\bin\jusched.exe
  C:\Program Files\D-Link\DSL-200\dslstat.exe
  C:\Program Files\D-Link\DSL-200\dslagent.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Programmi\Skype\Phone\Skype.exe
  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
  C:\documents and settings\katya\impostazioni locali\dati applicazioni\evgwe.exe
  C:\WINDOWS\system32\WTablet\TabUserW.exe
  C:\WINDOWS\System32\alg.exe
  C:\Programmi\Internet Explorer\IEXPLORE.EXE
  C:\WINDOWS\system32\wbem\wmiapsrv.exe
  C:\Programmi\Skype\Plugin Manager\skypePM.exe
  C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
  C:\Programmi\Internet Explorer\IEXPLORE.EXE
  C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
  C:\Programmi\Mozilla Firefox\firefox.exe
  C:\Programmi\Windows Live\Messenger\usnsvc.exe
  C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
  C:\WINDOWS\system32\wbem\wmiprvse.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.it/
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
  O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
  O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
  O2 - BHO: (no name) - {3c036bca-e7b1-4dca-b756-88d345bc25c0} - C:\WINDOWS\system32\fejuvizo.dll
  O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_06\bin\ssv.dll
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
  O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
  O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
  O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
  O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
  O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
  O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
  O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
  O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
  O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
  O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
  O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
  O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
  O4 - HKLM\..\Run: [STICAP] C:\WINDOWS\Twain_32\NX VEGA 300\SnapTrap.exe
  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
  O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
  O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
  O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmi\Acronis\TrueImageHome\TimounterMonitor.exe
  O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
  O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_06\bin\jusched.exe"
  O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
  O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
  O4 - HKLM\..\Run: [CPM6b9d7f1e] Rundll32.exe "c:\windows\system32\kagetika.dll",a
  O4 - HKLM\..\Run: [nofadekugi] Rundll32.exe "C:\WINDOWS\system32\ziwagawu.dll",s
  O4 - HKLM\..\RunOnce: [SpybotDeletingA9512] command /c del "c:\windows\system32\kagetika.dll_old"
  O4 - HKLM\..\RunOnce: [SpybotDeletingC6797] cmd /c del "c:\windows\system32\kagetika.dll_old"
  O4 - HKLM\..\RunOnce: [SpybotDeletingA8386] command /c del "C:\WINDOWS\system32\lasobemo.dll_old"
  O4 - HKLM\..\RunOnce: [SpybotDeletingC7627] cmd /c del "C:\WINDOWS\system32\lasobemo.dll_old"
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
  O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programmi\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
  O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
  O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
  O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SA4.tmp" /EF "HKCU"
  O4 - HKCU\..\Run: [evgwe] "c:\documents and settings\katya\impostazioni locali\dati applicazioni\evgwe.exe" evgwe
  O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
  O4 - HKCU\..\RunOnce: [SpybotDeletingB3252] command /c del "c:\windows\system32\kagetika.dll_old"
  O4 - HKCU\..\RunOnce: [SpybotDeletingD5936] cmd /c del "c:\windows\system32\kagetika.dll_old"
  O4 - HKCU\..\RunOnce: [SpybotDeletingB3527] command /c del "C:\WINDOWS\system32\lasobemo.dll_old"
  O4 - HKCU\..\RunOnce: [SpybotDeletingD7037] cmd /c del "C:\WINDOWS\system32\lasobemo.dll_old"
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
  O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
  O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_06\bin\ssv.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_06\bin\ssv.dll
  O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
  O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
  O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
  O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
  O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
  O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
  O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211051045236
  O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211051284939
  O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
  O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
  O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
  O17 - HKLM\System\CCS\Services\Tcpip\..\{3E17D006-5CBC-4A9C-90E1-2DFC0A171407}: NameServer = 85.37.17.15 85.38.28.74
  O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
  O20 - AppInit_DLLs: c:\windows\system32\kagetika.dll,C:\WINDOWS\system32\vofehafi.dll
  O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kagetika.dll (file missing)
  O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kagetika.dll (file missing)
  O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
  O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
  O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
  O23 - Service: Cadence License Manager - Unknown owner - C:\OrCAD\license_manager\lmgrd.exe (file missing)
  O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
  O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
  O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
  O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
  O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programmi\NVIDIA Corporation\nTune\nTuneService.exe
  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\pctsAuxs.exe
  O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\pctsSvc.exe
  O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
  O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
  O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
  O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
  O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programmi\File comuni\Acronis\Fomatik\TrueImageTryStartService.exe

I have tried Spyware Doctor, Spybot and also CCleaner to clean the temporary internet and system files, but the virus remains even if I try to delete it in Safe Mode.

Could anyone advise me on how to remove them?

Edited by Dark Angel


ok, done.

combofix:

ComboFix 08-12-28.01 - Katya 2008-12-28 22:53:01.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1040.18.1022.442 [GMT 1:00]
Eseguito da: c:\documents and settings\Katya\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

[COLOR=RED][B]ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !![/B][/COLOR]
.
[i] ADS - WINDOWS: deleted 96 bytes in 1 streams. [/i]

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Katya\Dati applicazioni\inst.exe
c:\documents and settings\Katya\Impostazioni locali\Dati applicazioni\evgwe.dat
c:\documents and settings\Katya\Impostazioni locali\Dati applicazioni\evgwe.exe
c:\documents and settings\Katya\Impostazioni locali\Dati applicazioni\evgwe_nav.dat
c:\documents and settings\Katya\Impostazioni locali\Dati applicazioni\evgwe_navps.dat
c:\programmi\webmediaplayer
c:\programmi\webmediaplayer\resources\wmp_translation_file.xml
c:\programmi\webmediaplayer\skins\classic.skn
c:\programmi\webmediaplayer\sqlite3.dll
c:\programmi\webmediaplayer\WebMediaPlayer.exe
c:\windows\system32\fejuvizo.dll
c:\windows\system32\hekeyapi.dll
c:\windows\system32\hofugubi.dll
c:\windows\system32\ibugufoh.ini
c:\windows\system32\ijenafen.ini
c:\windows\system32\kopavawi.dll
c:\windows\system32\vofehafi.dll
c:\windows\system32\wudigewe.dll
c:\windows\system32\ziwagawu.dll

.
(((((((((((((((((((((((((   Files Creati Da 2008-11-28 al 2008-12-28  )))))))))))))))))))))))))))))))))))
.

2008-12-28 22:48 . 2008-12-28 22:48	<DIR>	d--------	c:\programmi\IObit
2008-12-28 22:48 . 2008-12-28 22:48	<DIR>	d--------	c:\documents and settings\Katya\Dati applicazioni\IObit
2008-12-28 22:44 . 2008-12-28 22:44	<DIR>	d--------	c:\programmi\Malwarebytes' Anti-Malware
2008-12-28 22:44 . 2008-12-28 22:44	<DIR>	d--------	c:\documents and settings\Katya\Dati applicazioni\Malwarebytes
2008-12-28 22:44 . 2008-12-28 22:44	<DIR>	d--------	c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-12-28 22:44 . 2008-12-03 19:52	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 22:44 . 2008-12-03 19:52	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2008-12-28 15:03 . 2008-12-28 15:06	<DIR>	d--------	c:\programmi\Enigma Software Group
2008-12-27 16:04 . 2008-12-27 19:34	<DIR>	d--------	c:\programmi\Spyware Doctor
2008-12-27 16:04 . 2008-12-27 16:04	<DIR>	d--------	c:\documents and settings\Katya\Dati applicazioni\PC Tools
2008-12-27 16:04 . 2008-08-25 12:36	81,288	--a------	c:\windows\system32\drivers\iksyssec.sys
2008-12-27 16:04 . 2008-08-25 12:36	66,952	--a------	c:\windows\system32\drivers\iksysflt.sys
2008-12-27 16:04 . 2008-08-25 12:36	40,840	--a------	c:\windows\system32\drivers\ikfilesec.sys
2008-12-27 16:04 . 2008-06-02 16:19	29,576	--a------	c:\windows\system32\drivers\kcom.sys
2008-12-27 15:30 . 2008-12-27 15:31	<DIR>	d--------	c:\programmi\CCleaner
2008-12-26 17:25 . 2008-12-26 17:25	<DIR>	d--------	c:\programmi\Trend Micro
2008-12-26 16:49 . 2008-12-26 16:49	<DIR>	d--h-----	c:\windows\system32\GroupPolicy
2008-12-24 20:55 . 2008-12-28 14:47	327	--a------	c:\windows\wininit.ini
2008-12-24 20:21 . 2008-12-24 20:23	<DIR>	d--------	c:\programmi\Spybot - Search & Destroy
2008-12-24 20:21 . 2008-12-28 15:07	<DIR>	d--------	c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-12-24 17:49 . 2008-12-24 18:00	<DIR>	d--------	c:\programmi\IconLover
2008-12-22 18:53 . 2008-12-22 18:53	27	--a------	c:\windows\system32\mcheck.mhf
2008-12-22 18:51 . 2008-12-22 18:51	<DIR>	d--------	c:\documents and settings\Katya\Dati applicazioni\SlySoft
2008-12-22 18:43 . 2008-12-22 18:43	<DIR>	d--------	c:\programmi\MagicDisc
2008-12-22 18:43 . 2008-07-28 17:19	116,736	--a------	c:\windows\system32\drivers\mcdbus.sys
2008-12-22 18:20 . 2008-12-24 17:34	<DIR>	d--------	c:\programmi\UltraISO
2008-12-22 18:10 . 2008-12-22 18:10	<DIR>	d--------	c:\programmi\Alcohol Soft
2008-12-22 18:05 . 2008-12-22 18:05	<DIR>	d--------	c:\programmi\DVD Decrypter
2008-12-21 12:11 . 2008-12-21 12:11	<DIR>	d--------	c:\documents and settings\All Users\Dati applicazioni\wmp
2008-12-13 16:26 . 2008-12-13 16:25	565,248	--a------	c:\windows\system32\alleg42.dll
2008-12-12 19:07 . 2008-12-12 19:07	<DIR>	d--------	c:\programmi\DVDFab 5i
2008-12-12 15:05 . 2008-12-12 15:05	2,560	--a------	c:\windows\_MSRSTRT.EXE
2008-12-04 18:48 . 2008-12-24 17:33	<DIR>	d--------	c:\programmi\MagicISO

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 21:57	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\skypePM
2008-12-28 21:47	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\uTorrent
2008-12-28 21:38	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\Skype
2008-12-28 20:31	---------	d-----w	c:\programmi\TalonRO
2008-12-28 13:51	---------	d---a-w	c:\documents and settings\All Users\Dati applicazioni\TEMP
2008-12-24 16:34	---------	d-----w	c:\programmi\SlySoft
2008-12-22 20:54	---------	d-----w	c:\programmi\eMule
2008-12-22 17:46	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\Vso
2008-12-13 16:35	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\dvdcss
2008-12-13 15:18	---------	d-----w	c:\programmi\Zylom Games
2008-12-12 19:54	---------	d-----w	c:\programmi\DVDFab 5
2008-12-12 19:26	---------	d-----w	c:\documents and settings\All Users\Dati applicazioni\DVD Shrink
2008-12-12 18:07	47,360	-c--a-w	c:\documents and settings\Katya\Dati applicazioni\pcouffin.sys
2008-12-12 18:07	47,360	----a-w	c:\windows\system32\drivers\pcouffin.sys
2008-12-04 17:53	---------	d-----w	c:\programmi\File comuni\Adobe
2008-11-22 13:30	---------	d-----w	c:\programmi\MessengerDiscovery
2008-11-20 18:09	---------	d-----w	c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2008-11-20 18:07	---------	d-----w	c:\programmi\Windows Live
2008-11-19 18:23	---------	d-----w	c:\programmi\Microsoft
2008-11-19 18:22	---------	d-----w	c:\programmi\File comuni\Windows Live
2008-11-18 14:29	304,160	----a-w	C:\StiImg.dat
2008-11-15 17:58	717,296	----a-w	c:\windows\system32\drivers\sptd.sys
2008-11-15 17:58	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\DAEMON Tools
2008-11-15 15:40	---------	d--h--w	c:\programmi\InstallShield Installation Information
2008-11-15 14:17	---------	d-----w	c:\programmi\DVDFab Platinum 3
2008-11-11 18:40	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\DVDFab
2008-11-11 17:09	43,698	----a-w	c:\windows\system32\xvid-uninstall.exe
2008-11-11 17:09	---------	d-----w	c:\programmi\Gabest
2008-11-11 17:09	---------	d-----w	c:\programmi\AviSynth 2.5
2008-11-11 17:09	---------	d-----w	c:\programmi\AutoGK
2008-11-01 16:13	---------	d-----w	c:\programmi\Elaborate Bytes
2008-11-01 16:01	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\Pegasys Inc
2008-11-01 15:58	59,488	----a-w	c:\windows\system32\GenSvcInst.exe
2008-11-01 15:58	33,408	----a-w	c:\windows\system32\drivers\CDRBSDRV.SYS
2008-11-01 15:58	145,504	----a-w	c:\windows\system32\bgsvcgen.exe
2008-11-01 15:40	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\EPSON
2008-10-29 17:48	---------	d-----w	c:\documents and settings\Katya\Dati applicazioni\Windows Live Writer
2008-10-07 16:32	472,576	----a-w	c:\windows\uninstall.exe
2008-09-28 13:55	75,776	--sha-w	c:\windows\system32\zadohilo.dll
2008-08-26 17:05	836	----a-w	c:\documents and settings\Katya\Dati applicazioni\ViewerApp.dat
2008-04-10 18:26	32	-c--a-r	c:\documents and settings\All Users\hash.dat
2008-04-13 17:14	60,416	-csha-w	c:\windows\BricoPacks\SysFiles\80_msimn.exe
.

(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIDIA nTune"="c:\programmi\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"EPSON Stylus DX4400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE" [2007-03-01 180736]
"AlcoholAutomount"="c:\programmi\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-23 203720]
"Advanced SystemCare 3"="c:\programmi\IObit\Advanced SystemCare 3\AWC.exe" [2008-12-21 2250256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"avgnt"="c:\programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\programmi\File comuni\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"STICAP"="c:\windows\Twain_32\NX VEGA 300\SnapTrap.exe" [2004-11-05 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-03-10 2617808]
"AcronisTimounterMonitor"="c:\programmi\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-03-10 909592]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2008-03-10 140568]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"DSLSTATEXE"="c:\program files\D-Link\DSL-200\dslstat.exe" [2005-12-12 344064]
"DSLAGENTEXE"="c:\program files\D-Link\DSL-200\dslagent.exe" [2005-08-25 65536]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2008-09-22 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~2\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-10-12 18:35 68856 c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>­Ý\†Ð=ŸàÛ±Þ"= 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Programmi\\NetMeeting\\conf.exe"=
"c:\\Programmi\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Giochi\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"d:\\Giochi\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"d:\\Giochi\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"d:\\Giochi\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Programmi\\File comuni\\Acronis\\Schedule2\\schedhlp.exe"=
"c:\\WINDOWS\\ime\\IMJP8_1\\imjpmig.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiapsrv.exe"=
"c:\\Programmi\\File comuni\\Acronis\\Schedule2\\schedul2.exe"=
"c:\\Programmi\\Avira\\AntiVir PersonalEdition Classic\\guardgui.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\Programmi\\Toshiba\\Bluetooth Toshiba Stack\\TosBtSrv.exe"=
"c:\\WINDOWS\\system32\\cscript.exe"=
"c:\\Program Files\\D-Link\\DSL-200\\DslStat.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 ViBus;ViBus;c:\windows\system32\DRIVERS\ViBus.sys [2008-05-17 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\DRIVERS\ViPrt.sys [2008-05-17 53248]
S2 Cadence License Manager;Cadence License Manager;c:\orcad\license_manager\lmgrd.exe []
S3 MaplomL;MaplomL; []
S3 npkycryp;npkycryp;\??\e:\gravity\RagnarokOnline\npkycryp.sys []
S3 PAC207;NX-Vega;c:\windows\system32\DRIVERS\pfc027.sys [2005-01-25 154112]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programmi\Spyware Doctor\pctsAuxs.exe [2008-12-27 356920]
S3 SQTECH930B;NX VEGA 300;c:\windows\system32\Drivers\Capt930b.sys [2008-05-19 247325]
.
Contenuto della cartella 'Scheduled Tasks'

2008-12-28 c:\windows\Tasks\SpeedOptimizer Startup.job
- c:\progra~1\speedo~1\SPO.exe []

2008-12-28 c:\windows\Tasks\User_Feed_Synchronization-{940056F7-76E1-4E8D-A8A3-4F98BCF628F9}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{3c036bca-e7b1-4dca-b756-88d345bc25c0} - c:\windows\system32\fejuvizo.dll
HKCU-Run-evgwe - c:\documents and settings\katya\impostazioni locali\dati applicazioni\evgwe.exe


.
------- Supplementare di scansione -------
.
uStart Page = www.google.it/
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Katya\Dati applicazioni\Mozilla\Firefox\Profiles\n7uorc0n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\Katya\Dati applicazioni\Mozilla\Firefox\Profiles\n7uorc0n.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Dati applicazioni\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 22:56:03
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\relog_ap.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\programmi\File comuni\Acronis\Schedule2\schedul2.exe
c:\programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
c:\programmi\Nero\Nero8\Nero BackItUp\NBService.exe
c:\programmi\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\HPZipm12.exe
c:\programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\PAStiSvc.exe
c:\windows\system32\Tablet.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\programmi\File comuni\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Ora fine scansione: 2008-12-28 22:58:33 - macchina è stato riavviato [Katya]
ComboFix-quarantined-files.txt  2008-12-28 21:58:30

Pre-Run: 9,782,681,600 byte disponibili
Post-Run: 9,648,771,072 byte disponibili


malwarebytes:

Tempo trascorso: 22 minute(s), 24 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 10

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\Qoobox\Quarantine\C\WINDOWS\system32\hofugubi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wudigewe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Programmi\Trend Micro\HijackThis\backups\backup-20081226-173307-558.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Programmi\Trend Micro\HijackThis\backups\backup-20081226-173345-734.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{29724B55-0B10-413C-B109-CDDECC412885}\RP3\A0000062.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{29724B55-0B10-413C-B109-CDDECC412885}\RP3\A0000067.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kagetika.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pumotozi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bozagudu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zadohilo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
