alemiraglia

Controllo Log

Iniziato da alemiraglia,

5 messaggi in questa discussione

Inviato (modificato)

Ciao a tutti, il computer del mio ragazzo presenta un problemino: lanciando MBAM viene trovato un rootkit, che antivir non trova, ma con MBAM non riesco ad eliminarlo.

posto il log di hjt:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 20:17:03, on 22/02/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programmi\Avira\AntiVir Desktop\sched.exe

C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe

C:\Programmi\Avira\AntiVir Desktop\avgnt.exe

C:\Programmi\PC Tools Firewall Plus\FirewallGUI.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Programmi\Synaptics\SynTP\SynTPEnh.exe

C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\DOCUME~1\fabio.f\IMPOST~1\Temp\RtkBtMnt.exe

C:\Programmi\Avira\AntiVir Desktop\avguard.exe

C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe

C:\Programmi\PC Tools Firewall Plus\FWService.exe

C:\Programmi\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\Programmi\TomTom HOME 2\TomTomHOMEService.exe

C:\Programmi\Avira\AntiVir Desktop\avscan.exe

C:\Programmi\Internet Explorer\iexplore.exe

C:\Programmi\Internet Explorer\iexplore.exe

C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe

C:\Programmi\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\Programmi\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=60347

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmi\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: CSrchBHO - {DFC29618-7A64-4F20-83D1-6E538E7FC57D} - C:\Documents and Settings\All Users\Dati applicazioni\srcheng\srcheng.dll

O3 - Toolbar: Toolbar &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programmi\Crawler\Toolbar\ctbr.dll

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash

O4 - HKLM\..\Run: [00PCTFW] "C:\Programmi\PC Tools Firewall Plus\FirewallGUI.exe" -s

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [spywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: BTTray.lnk = ?

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://webcam.next.it/activex/AMC.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programmi\Crawler\Toolbar\ctbr.dll

O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Programmi\PC Tools Firewall Plus\FWService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Programmi\TomTom HOME 2\TomTomHOMEService.exe

--

End of file - 8329 bytes

grazie :)

Modificato da ale80

Condividi questo messaggio

Link di questo messaggio
Condividi su altri siti

Inviato

Ciao Ale,

riporta il nome del file che viene segnalato da Malwarebytes insieme alla directory

Esegui combofix ed allega il report

Con tutte le applicazioni chiuse e disconnesso da internet

Avvia Hijackthis e clicca su "do a system scan only"

Metti la spunta a queste voci e clicca su "fix checked"

O2 - BHO: CSrchBHO - {DFC29618-7A64-4F20-83D1-6E538E7FC57D} - C:\Documents and Settings\All Users\Dati applicazioni\srcheng\srcheng.dll

:P:)

Condividi questo messaggio

Link di questo messaggio
Condividi su altri siti

Inviato

Ciao angy!

Grazie mille, abbiamo fatto tutto. Qui c'è il log di MBAM:

Malwarebytes' Anti-Malware 1.44

Versione del database: 3777

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

23/02/2010 18:30:40

mbam-log-2010-02-23 (18-30-36).txt

ciao angy, questo è il log di MBAM<.

Tipo di scansione: Scansione rapida

Elementi scansionati: 114694

Tempo trascorso: 4 minute(s), 51 second(s)

Processi delle memoria infetti: 0

Moduli della memoria infetti: 0

Chiavi di registro infette: 1

Valori di registro infetti: 0

Elementi dato del registro infetti: 0

Cartelle infette: 0

File infetti: 0

Processi delle memoria infetti:

(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:

(Nessun elemento malevolo rilevato)

Chiavi di registro infette:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> No action taken.

Valori di registro infetti:

(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:

(Nessun elemento malevolo rilevato)

Cartelle infette:

(Nessun elemento malevolo rilevato)

File infetti:

(Nessun elemento malevolo rilevato)

questo è il log di CF:

ComboFix 10-02-22.07 - fabio.f 23/02/2010 21:03:31.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1014.675 [GMT 1:00]

Eseguito da: F:\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}

FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\config\42728916.Evt

----- BITS: Possibili siti infetti -----

hxxp://au.download.windowsupdatej+|Cv+@J:NGD_DQ{zGD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|Cv040-7B44-A93000000001},S-1-5-21-796845957-651377827-725345543-1003XtD$?~

.

((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASC3550P

-------\Service_asc3550p

((((((((((((((((((((((((( Files Creati Da 2010-01-23 al 2010-02-23 )))))))))))))))))))))))))))))))))))

.

2010-02-22 19:15 . 2010-02-22 19:15 388096 ----a-r- c:\documents and settings\fabio.f\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-02-22 19:15 . 2010-02-22 19:15 -------- d-----w- c:\programmi\TrendMicro

2010-02-21 19:30 . 2010-02-21 19:30 -------- d-----w- c:\programmi\ScanTool.net_win

2010-02-07 07:40 . 2010-02-07 07:40 -------- d-----w- c:\programmi\DAEMON Tools Lite

2010-02-07 07:26 . 2010-02-18 22:25 -------- d-----w- c:\documents and settings\fabio.f\Dati applicazioni\vlc

2010-02-04 18:52 . 2009-11-21 15:54 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-02-04 17:33 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll

2010-02-04 17:33 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll

2010-02-04 17:33 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys

2010-02-04 17:09 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll

2010-02-04 17:09 . 2009-10-12 13:38 150016 -c----w- c:\windows\system32\dllcache\rastls.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-23 20:10 . 2009-08-16 18:22 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP

2010-02-23 16:32 . 2009-08-17 08:28 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spyware Terminator

2010-02-23 16:32 . 2009-08-17 08:28 -------- d-----w- c:\programmi\Spyware Terminator

2010-02-23 16:28 . 2009-08-17 08:30 -------- d-----w- c:\documents and settings\fabio.f\Dati applicazioni\Spyware Terminator

2010-02-22 20:33 . 2009-08-16 18:10 69224 ----a-w- c:\documents and settings\fabio.f\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT

2010-02-15 21:49 . 2009-08-16 17:54 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Microsoft Help

2010-02-15 21:45 . 2009-08-16 17:58 -------- d-----w- c:\programmi\Microsoft Works

2010-02-07 07:40 . 2009-08-16 17:20 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-02-07 07:40 . 2009-08-16 17:21 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\DAEMON Tools Lite

2010-02-05 17:03 . 2001-08-31 15:00 80688 ----a-w- c:\windows\system32\perfc010.dat

2010-02-05 17:03 . 2001-08-31 15:00 482274 ----a-w- c:\windows\system32\perfh010.dat

2010-01-22 18:41 . 2009-08-16 18:07 -------- d-----w- c:\programmi\File comuni\Adobe

2010-01-13 21:37 . 2009-08-16 18:14 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware

2010-01-13 21:36 . 2009-09-19 11:22 5115824 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-13 20:00 . 2009-08-31 17:47 -------- d-----w- c:\documents and settings\fabio.f\Dati applicazioni\dvdcss

2010-01-07 15:07 . 2009-08-16 18:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07 . 2009-08-16 18:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50 . 2004-08-03 21:14 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:06 . 2004-08-19 13:39 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-17 07:40 . 2009-08-16 17:05 346112 ----a-w- c:\windows\system32\mspaint.exe

2009-12-16 14:36 . 2009-12-16 14:36 112128 ----a-w- c:\documents and settings\All Users\Dati applicazioni\srcheng\srcheng.dll

2009-12-14 17:37 . 2009-12-14 17:37 40960 ----a-w- c:\windows\system32\vtm.dll

2009-12-14 17:37 . 2009-12-14 17:37 36864 ----a-w- c:\windows\system32\vbth.dll

2009-12-14 17:37 . 2009-12-14 17:37 32768 ----a-w- c:\windows\system32\vcom.dll

2009-12-14 17:37 . 2009-12-14 17:37 1871872 ----a-w- c:\windows\system32\VERes1.dll

2009-12-14 17:37 . 2009-08-25 22:06 389120 ----a-w- c:\windows\system32\chartfx.lite.dll

2009-12-14 07:08 . 2004-08-19 13:39 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-13 14:35 . 2009-08-16 18:21 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-09 10:07 . 2004-08-19 13:34 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-09 10:07 . 2004-08-19 15:34 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-03 21:15 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:12 . 2004-08-19 13:39 1296896 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:12 . 2004-08-19 15:39 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2001-08-30 23:08 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2004-08-19 15:39 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07 . 2004-08-19 13:39 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2004-08-19 13:39 85504 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2001-08-31 15:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFC29618-7A64-4F20-83D1-6E538E7FC57D}]

2009-12-16 14:36 112128 ----a-w- c:\documents and settings\All Users\Dati applicazioni\srcheng\srcheng.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"00PCTFW"="c:\programmi\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]

"AzMixerSel"="c:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]

"SpywareTerminator"="c:\programmi\Spyware Terminator\SpywareTerminatorShield.exe" [2009-08-17 2171904]

"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\

BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^BlueSoleil.lnk]

path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\BlueSoleil.lnk

backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 00:57 35760 ----a-w- c:\programmi\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 15:44 3883856 ----a-w- c:\programmi\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

2006-05-16 16:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2009-11-13 11:31 247144 ----a-w- c:\programmi\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Documents and Settings\\fabio.f\\Desktop\\vXdownloader.exe"=

"c:\\Programmi\\Lphant\\eLePhantClient.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16/08/2009 18:20 691696]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [16/08/2009 19:22 159600]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [17/08/2009 09:30 142592]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [16/08/2009 19:22 73840]

R2 TomTomHOMEService;TomTomHOMEService;c:\programmi\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 12:31 92008]

R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [16/08/2009 19:22 95640]

S3 TpUsb;TpUsb Driver (TpUsb.sys);c:\windows\system32\Drivers\TpUsb.sys --> c:\windows\system32\Drivers\TpUsb.sys [?]

.

Contenuto della cartella 'Scheduled Tasks'

2010-02-23 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]

2010-02-23 c:\windows\Tasks\User_Feed_Synchronization-{FF1B1195-327A-4F37-87E6-2A59348A863E}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]

.

.

------- Scansione supplementare -------

.

uStart Page = hxxp://www.libero.it/

IE: Crawler Search - tbr:iemenu

IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm

IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\programmi\Crawler\Toolbar\ctbr.dll

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam.next.it/activex/AMC.cab

.

- - - - CHIAVI ORFANE RIMOSSE - - - -

MSConfigStartUp-DAEMON Tools Lite - c:\programmi\DAEMON Tools Lite\daemon.exe

MSConfigStartUp-PC Suite Tray - c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe

**************************************************************************

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo

Files nascosti:

**************************************************************************

.

--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(5652)

c:\windows\system32\WININET.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Altri processi in esecuzione ------------------------

.

c:\programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\programmi\Avira\AntiVir Desktop\sched.exe

c:\programmi\Avira\AntiVir Desktop\avguard.exe

c:\programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe

c:\programmi\PC Tools Firewall Plus\FWService.exe

c:\programmi\Spyware Terminator\sp_rsser.exe

c:\windows\RTHDCPL.EXE

c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

c:\docume~1\fabio.f\IMPOST~1\Temp\RtkBtMnt.exe

.

**************************************************************************

.

Ora fine scansione: 2010-02-23 21:13:58 - Il pc è stato riavviato

ComboFix-quarantined-files.txt 2010-02-23 20:13

Pre-Run: 61.838.778.368 byte disponibili

Post-Run: 61.824.081.920 byte disponibili

- - End Of File - - F4F734544C2BACB1C69EFE63A34D8439

e questo il log di hjt dopo il fix:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 21:16:32, on 23/02/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programmi\Avira\AntiVir Desktop\sched.exe

C:\Programmi\Avira\AntiVir Desktop\avguard.exe

C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe

C:\Programmi\PC Tools Firewall Plus\FWService.exe

C:\Programmi\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\Programmi\TomTom HOME 2\TomTomHOMEService.exe

C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe

C:\Programmi\Avira\AntiVir Desktop\avgnt.exe

C:\Programmi\PC Tools Firewall Plus\FirewallGUI.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Programmi\Synaptics\SynTP\SynTPEnh.exe

C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe

C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\DOCUME~1\fabio.f\IMPOST~1\Temp\RtkBtMnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Programmi\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programmi\Crawler\Toolbar\ctbr.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmi\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Toolbar &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programmi\Crawler\Toolbar\ctbr.dll

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash

O4 - HKLM\..\Run: [00PCTFW] "C:\Programmi\PC Tools Firewall Plus\FirewallGUI.exe" -s

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [spywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: BTTray.lnk = ?

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://webcam.next.it/activex/AMC.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programmi\Crawler\Toolbar\ctbr.dll

O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Programmi\PC Tools Firewall Plus\FWService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Programmi\TomTom HOME 2\TomTomHOMEService.exe

--

End of file - 7534 bytes

Grazie ancora, aspettiamo istruzioni!

:)

Condividi questo messaggio

Link di questo messaggio
Condividi su altri siti

Inviato

Ciao Ale,

combofix ha eliminaro il driver/servizio del rootkit

Se avete ancora problemi usate SDFix

:P:)

Condividi questo messaggio

Link di questo messaggio
Condividi su altri siti

Inviato

ciao angy, grazie!

dopo le varie pulizie abbiamo fatto una scansione con MBAM e in effetti diceva che era tutto pulito :P

grazie mille :P

:)

Condividi questo messaggio

Link di questo messaggio
Condividi su altri siti

Crea un account o accedi per lasciare un commento

Devi essere un utente registrato per partecipare

Crea un account

Iscriviti per un nuovo account nella nostra community. È facile!


Registra un nuovo account

Accedi

Sei già registrato? Accedi qui.


Accedi Ora
Vai alla lista Discussioni HiJackThis - Posta qui i Log