www.MegaLab.it

[Luca84]

Salve, sono nuovo...
Purtroppo , giorni fa,cercando utility free per editare dei filmati, sono incappato nel fatidico file con l'ambulanza e la croce rossa sopra, purtroppo non avevo idea che si trattasse di un virus,anche perché dopo aver fatto analizzare al simpatico Norton internet security l'archivio compresso che contenevail suddetto file, non mi era stato segnalato nessun virus... [:(]
Comunque,dopo aver cliccato sul file, il worm ha "spento" Norton, poi ha reso inutilizzabili Internet Explorer e Firefox...quindi ho disconnesso fisicamente il computer dal router,ho dato un'occhiata al task manager, ed ho trovato che buona parte della mia CPU, era utilizzata dal processo winupgro.exe.....
Con un altro computer ho cercato in rete informazioni su questo processo, e girando vari forum sono arrivato qui, dove ho trovato un post ( http://www.MegaLab.it/2657/bagle-un-wor ... -antivirus ), ed un altrodel quale non ricordo il link, che trattavano praticamente uguali al mio. Essendo poco esperto, e non avendo mai sistemato ne conosciuto le chiavi di sistema i registri e compagnia bella, ho cercatto delle soluzioni alternative: Ho disattivato il ripristino di sistema,ho utilizzato combofix, il quale ha fatto unascansione,ha trovato dei files, e li ha eliminati; poi ho fatto una scansione con Kasperky removal tool, che dopo 6 ore di scansione,ha trovato dei file infetti e li ha cancellati,ho usato anche findykill.Speravo che tutto fosse finito, ma dopo aver reinstallato firefox,non sono riuscito a connettermi.......
Mi spiace essere stato così prolisso, ma volevo rendere un quadro quanto più chiaro possibile della situazione a chiunque sarà così gentile da aiutarmi
Per completare,ho visto che per casi simili al mio è stato richiesto un log di combofix,vi allego il mio:
Anticipatamente grazie

ComboFix 08-12-18.01 - Administrator 2008-12-21 16.58.48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1918.1425 [GMT 1:00]
Eseguito da: e:\documents and settings\Administrator\Desktop\ComboFix.exe

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((( Files Creati Da 2008-11-21 al 2008-12-21 )))))))))))))))))))))))))))))))))))
.

2008-12-21 15:18 . 2008-12-21 15:53 <DIR> d-------- e:\programmi\FindyKill
2008-12-20 20:48 . 2008-12-21 15:21 2,725,920 --ahs---- e:\windows\system32\drivers\fidbox.dat
2008-12-20 20:48 . 2008-12-21 15:21 35,108 --ahs---- e:\windows\system32\drivers\fidbox.idx
2008-12-20 01:39 . 2008-12-20 01:39 <DIR> d-------- e:\programmi\Sophos
2008-12-20 01:19 . 2008-12-20 01:19 250 --a------ e:\windows\gmer.ini
2008-12-20 01:05 . 2008-12-20 01:05 <DIR> d-------- e:\programmi\CCleaner
2008-12-18 22:59 . 2008-12-19 11:02 <DIR> d-a------ e:\documents and settings\All Users\Dati applicazioni\TEMP
2008-12-18 01:18 . 2008-12-18 13:42 <DIR> d-------- e:\programmi\ewido anti-spyware 4.0
2008-12-17 22:38 . 2008-12-17 22:38 <DIR> d-------- e:\programmi\Lavasoft
2008-12-17 22:38 . 2008-12-17 22:39 <DIR> d-------- e:\documents and settings\All Users\Dati applicazioni\Lavasoft
2008-12-17 22:37 . 2008-12-17 22:37 <DIR> d-------- e:\programmi\File comuni\Wise Installation Wizard
2008-12-17 11:23 . 2008-12-17 11:23 23 --a------ e:\windows\SWFDecompiler.INI
2008-12-17 11:18 . 2008-12-17 11:18 125 --a------ e:\windows\fd3.INI
2008-12-14 20:52 . 2008-12-17 12:04 <DIR> d-------- e:\programmi\Avidemux 2.4
2008-12-14 20:15 . 2008-12-14 20:15 <DIR> d-------- e:\programmi\bobyte
2008-12-14 19:58 . 2008-12-14 20:02 <DIR> d-------- e:\programmi\File comuni\AVSMedia
2008-12-14 19:58 . 2008-12-14 19:58 <DIR> d-------- e:\documents and settings\All Users\Dati applicazioni\AVS4YOU
2008-12-14 19:58 . 2008-12-14 19:58 <DIR> d-------- e:\documents and settings\Administrator\Dati applicazioni\AVS4YOU
2008-12-14 19:58 . 2008-07-11 11:52 1,700,352 --a------ e:\windows\system32\GdiPlus.dll
2008-12-14 19:58 . 2003-05-21 23:50 24,576 --a------ e:\windows\system32\msxml3a.dll
2008-12-14 17:35 . 2008-12-17 22:38 <DIR> d-------- e:\programmi\Pinnacle
2008-12-14 17:32 . 2008-12-14 17:33 <DIR> d-------- e:\documents and settings\All Users\Dati applicazioni\Pinnacle
2008-12-14 17:19 . 1998-06-26 01:00 644,400 --a------ e:\windows\system32\Mscomct2.ocx
2008-12-14 17:19 . 2007-05-07 12:58 618,496 --a------ e:\windows\system32\MSSTTFTTM.ocx
2008-12-14 17:19 . 2001-11-06 08:57 233,472 --a------ e:\windows\system32\Msdsn.ocx
2008-12-14 17:19 . 2004-11-14 06:27 212,992 --a------ e:\windows\system32\sql.dll
2008-12-14 17:19 . 1998-06-24 01:00 209,192 --a------ e:\windows\system32\tabctl32.ocx
2008-12-14 17:19 . 1998-06-23 18:00 140,096 --a------ e:\windows\system32\comdlg32.ocx
2008-12-14 17:19 . 1998-06-24 01:00 118,064 --a------ e:\windows\system32\MSADODC.ocx
2008-12-14 17:19 . 2006-03-17 14:08 98,304 --a------ e:\windows\system32\Msdxm11.ocx
2008-12-14 16:57 . 2008-12-17 12:05 <DIR> d-------- e:\documents and settings\Administrator\Dati applicazioni\gtk-2.0
2008-12-14 16:57 . 2008-12-14 17:15 <DIR> d-------- e:\documents and settings\Administrator\Dati applicazioni\avidemux
2008-12-13 22:41 . 2008-12-13 22:40 410,984 --a------ e:\windows\system32\deploytk.dll
2008-12-12 11:24 . 2008-12-12 11:24 244 --ah----- E:\sqmnoopt02.sqm
2008-12-12 11:24 . 2008-12-12 11:24 232 --ah----- E:\sqmdata02.sqm
2008-12-05 22:41 . 2008-12-05 22:43 <DIR> d-------- E:\Estrapolazioni
2008-12-05 22:40 . 2008-12-05 22:41 <DIR> d-------- e:\programmi\AoA Audio Extractor
2008-12-03 09:53 . 2008-12-03 09:53 <DIR> d-------- e:\programmi\MSECache
2008-11-30 20:53 . 2008-11-30 20:53 0 --ah----- e:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-11-30 20:53 . 2008-11-30 20:53 0 --ah----- e:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2008-11-30 20:52 . 2008-03-21 13:57 14,640 --------- e:\windows\system32\spmsgXP_2k3.dll
2008-11-30 20:48 . 2008-09-15 08:29 1,112,288 --a------ e:\windows\system32\wdfcoinstaller01007.dll
2008-11-30 20:48 . 2008-09-15 08:56 659,968 --a------ e:\windows\system32\nmwcdcocls.dll
2008-11-30 20:48 . 2008-09-15 08:56 22,016 --a------ e:\windows\system32\drivers\ccdcmbo.sys
2008-11-30 20:48 . 2008-09-15 08:56 17,664 --a------ e:\windows\system32\drivers\ccdcmb.sys
2008-11-30 20:48 . 2008-09-15 08:56 8,064 --a------ e:\windows\system32\drivers\usbser_lowerfltj.sys
2008-11-30 20:48 . 2008-09-15 08:56 8,064 --a------ e:\windows\system32\drivers\usbser_lowerflt.sys
2008-11-28 15:54 . 2008-11-28 15:54 <DIR> d-------- e:\documents and settings\Administrator\Dati applicazioni\ArcSoft
2008-11-26 12:46 . 2008-11-27 00:25 <DIR> d-------- e:\documents and settings\Administrator\Dati applicazioni\FileZilla
2008-11-26 12:44 . 2008-11-26 12:44 <DIR> d-------- e:\programmi\FileZilla Server
2008-11-26 12:40 . 2008-11-26 12:40 <DIR> d-------- e:\documents and settings\All Users\Dati applicazioni\DynDNS
2008-11-26 12:39 . 2008-11-26 12:40 <DIR> d-------- e:\programmi\DynDNS Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 10:49 --------- d-----w e:\programmi\Winamp
2008-12-17 10:31 --------- d-----w e:\programmi\File comuni\Symantec Shared
2008-12-17 09:21 --------- d-----w e:\documents and settings\All Users\Dati applicazioni\Symantec
2008-12-14 16:24 --------- d-----w e:\documents and settings\Administrator\Dati applicazioni\Ahead
2008-12-13 21:40 --------- d-----w e:\programmi\Java
2008-12-05 23:30 --------- d-----w e:\documents and settings\Administrator\Dati applicazioni\Skype
2008-12-05 23:27 --------- d-----w e:\documents and settings\Administrator\Dati applicazioni\skypePM
2008-11-30 19:52 --------- d-----w e:\documents and settings\All Users\Dati applicazioni\Nokia
2008-11-30 19:48 --------- d-----w e:\programmi\Nokia
2008-11-30 19:46 --------- d-----w e:\programmi\File comuni\Nokia
2008-11-30 19:45 --------- d-----w e:\documents and settings\All Users\Dati applicazioni\Installations
2008-11-30 19:41 --------- d-----w e:\documents and settings\Administrator\Dati applicazioni\PC Suite
2008-11-14 09:59 --------- d-----w e:\documents and settings\Administrator\Dati applicazioni\Nokia
2008-11-10 19:09 31,241 ----a-w e:\windows\Sysvxd.exe
2008-11-07 12:09 --------- d-----w e:\programmi\File comuni\PCSuite
2008-11-07 12:07 --------- d-----w e:\documents and settings\All Users\Dati applicazioni\PC Suite
2008-11-03 20:51 --------- d-----w e:\documents and settings\Administrator\Dati applicazioni\vlc
2008-11-02 16:25 --------- d-----w e:\programmi\Finale Performance Assessment
2008-11-02 16:25 --------- d-----w e:\documents and settings\All Users\Dati applicazioni\MakeMusic
2008-10-24 11:21 455,296 ----a-w e:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w e:\windows\system32\gdi32.dll
2008-10-21 21:04 --------- d-----w e:\programmi\Windows Media Connect 2
2008-10-21 07:00 --------- d-----w e:\documents and settings\Administrator\Dati applicazioni\ATI
2008-10-16 20:04 826,368 ----a-w e:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w e:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w e:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w e:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w e:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w e:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w e:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w e:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w e:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w e:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w e:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w e:\windows\system32\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w e:\windows\system32\msxml4.dll
2007-08-24 19:52 300,400 ----a-w e:\programmi\mozilla firefox\components\coFFPlgn.dll
2008-03-23 19:09 2,516 --sha-w e:\windows\system32\KGyGaAvL.sys
2008-08-27 08:00 32,768 --sha-w e:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-19_10.51.59.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-20 00:19:23 884,736 ----a-w e:\windows\gmer.dll
+ 2008-04-17 20:13:02 811,008 ----a-w e:\windows\gmer.exe
+ 2008-10-17 00:34:26 3,593,216 -c----w e:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:48:14 215,776 -c----w e:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:49:24 390,880 -c----w e:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-10-17 00:34:26 3,593,216 -c----w e:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:36:24 3,593,216 -c----w e:\windows\system32\dllcache\mshtml.dll
+ 2008-12-20 00:19:23 85,969 ----a-w e:\windows\system32\drivers\gmer.sys
- 2008-12-04 12:34:58 273,376 ----a-w e:\windows\system32\FNTCACHE.DAT
+ 2008-12-20 00:13:24 268,600 ----a-w e:\windows\system32\FNTCACHE.DAT
- 2008-10-17 00:34:26 3,593,216 ----a-w e:\windows\system32\mshtml.dll
+ 2008-12-13 06:36:24 3,593,216 ----a-w e:\windows\system32\mshtml.dll
- 2008-12-19 08:52:38 59,780 ----a-w e:\windows\system32\perfc009.dat
+ 2008-12-21 14:28:03 59,780 ----a-w e:\windows\system32\perfc009.dat
- 2008-12-19 08:52:38 71,908 ----a-w e:\windows\system32\perfc010.dat
+ 2008-12-21 14:28:03 71,908 ----a-w e:\windows\system32\perfc010.dat
- 2008-12-19 08:52:38 397,560 ----a-w e:\windows\system32\perfh009.dat
+ 2008-12-21 14:28:03 397,560 ----a-w e:\windows\system32\perfh009.dat
- 2008-12-19 08:52:38 443,528 ----a-w e:\windows\system32\perfh010.dat
+ 2008-12-21 14:28:03 443,528 ----a-w e:\windows\system32\perfh010.dat
+ 2008-12-21 14:24:02 16,384 ----atw e:\windows\Temp\Perflib_Perfdata_6fc.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="e:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"LogitechSoftwareUpdate"="e:\programmi\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"msnmsgr"="e:\programmi\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"PC Suite Tray"="e:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"Nokia.PCSync"="e:\programmi\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"eMuleAutoStart"="c:\programmi\eMule\emule.exe" [2008-08-01 5480448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="e:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"iKeyWorks"="e:\progra~1\Keyboard\Ikeymain.exe" [2002-11-22 73728]
"EEventManager"="e:\programmi\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"Easy-PrintToolBox"="e:\programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
"Sunkist2k"="e:\programmi\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 139264]
"DT LGE"="e:\programmi\Portrait Displays\forteManager\DTHtml.exe" [2007-02-01 285696]
"ISUSPM Startup"="e:\programmi\File comuni\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="e:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Reader Speed Launcher"="e:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="e:\programmi\File comuni\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="e:\programmi\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"SunJavaUpdateSched"="e:\programmi\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"LVCOMSX"="e:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="e:\programmi\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="e:\programmi\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"!ewido"="e:\programmi\ewido anti-spyware 4.0\ewido.exe" [2006-06-16 6283264]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 e:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="e:\documents and settings\Familiare\Dati applicazioni\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070828\Support\SymLnch\SymLnch.exe" [2007-08-26 687976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 eusk2par;EUTRON SmartKey Parallel Driver;\??\e:\windows\system32\Drivers\eusk2par.sys [2008-07-10 30656]
R2 LiveUpdate Notice;LiveUpdate Notice;"e:\programmi\File comuni\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\e:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
R3 SunkFilt62;Alcor Micro Corp - 6362;\??\e:\windows\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"e:\programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-08-31 243064]
S3 COH_Mon;COH_Mon;\??\e:\windows\system32\Drivers\COH_Mon.sys [2008-03-23 23888]
S3 MEMSWEEP2;MEMSWEEP2;\??\e:\windows\system32\1.tmp []
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;e:\windows\system32\drivers\nmwcdnsu.sys [2008-10-05 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;e:\windows\system32\drivers\nmwcdnsuc.sys [2008-10-05 8320]
S3 SunkFilt6;Alcor Micro Corp - 6360;\??\e:\windows\System32\Drivers\sunkfilt6.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f0e9d04-afef-11dd-96b2-001bfc83a0ad}]
\Shell\Auto\command - G:\auto.exe
\Shell\AutoRun\command - e:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - EAPHOST
*Newly Created Service* - IP6FW

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contenuto della cartella 'Scheduled Tasks'

2008-12-15 e:\windows\Tasks\Norton Internet Security - Scansione completa sistema - Familiare.job
- e:\programmi\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 18:19]

2008-12-20 e:\windows\Tasks\OGADaily.job
- e:\windows\system32\OGAVerify.exe [2008-04-08 11:16]

2008-12-21 e:\windows\Tasks\OGALogon.job
- e:\windows\system32\OGAVerify.exe [2008-04-08 11:16]
.
.
------- Supplementare di scansione -------
.
uInternet Connection Wizard,ShellNext = hxxp://g.live.com/9uxp9en-us/hpg_lnk2
IE: E&sporta in Microsoft Excel - e:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E0C2B805-5035-4605-A841-EF34520AE455} = 85.37.17.50,85.38.28.76
FF - ProfilePath - e:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\ylprmz57.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cheapnet.it/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt ... =MICI05&q=
FF - component: e:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\ylprmz57.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: e:\programmi\Mozilla Firefox\components\coFFPlgn.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - truee:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
e:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.
.
------- Associazioni di file -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 16:59:34
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\e:\windows\system32\1.tmp"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(688)
e:\windows\system32\Ati2evxx.dll
.
Ora fine scansione: 2008-12-21 17.00.14
ComboFix-quarantined-files.txt 2008-12-21 16:00:08
ComboFix2.txt 2008-12-20 00:04:03
ComboFix3.txt 2008-12-19 09:57:04

Pre-Run: 41.233.416.192 byte disponibili
Post-Run: 41,218,211,840 byte disponibili

247 --- E O F --- 2008-12-19 10:04:21

[crazy.cat]

Utilizzi una connessione Wireless per internet?

ci fai vedere anche il log di findykill?

che firewall utilizzi?

Sei riuscito a reinstallare un antivrus?

[Luca84]

Ciao, purtroppo non sono riuscito a reinstallare un antivirus ( volevo installare antivir ), perché mi ha richiesto una connessione ad internet per completare la procedura di installazione, e purtroppo causa worm, non posso accedere o meglio, msn accede, ma l'ho disconnesso immediatamente non sapendo se il mio sgradito ospite abbia o meno la capacita di inviarsi con msn...
Su quella macchina non uso una connessione wifi, uso una connessione ethernet.
Purtroppo ( col sennodi poi....) usavo Norton internet securitycol suo firewall...
Come richiesto posto il log di findykill :

----------------- FindyKill V4.709 ------------------

* User: Administrator - FAMIGLIA
* Executed from : E:\Programmi\FindyKill
* Update on 10/12/08 by Chiquitine29
* Start at 13:32:45 the 22/12/2008
* Windows XP - Internet Explorer 7.0.5730.13

((((((((((((((((( *** Searching *** ))))))))))))))))))


--------------- [ Active Processes ] ----------------


E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
E:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\PROGRA~1\Keyboard\Ikeymain.exe
E:\Programmi\EPSON\Creativity Suite\Event Manager\EEventManager.exe
E:\Programmi\Multimedia Card Reader\shwicon2k.exe
E:\Programmi\Portrait Displays\forteManager\DTHtml.exe
E:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
E:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
E:\Programmi\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\LVCOMSX.EXE
E:\Programmi\Logitech\Video\LogiTray.exe
E:\Programmi\ewido anti-spyware 4.0\ewido.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
E:\Programmi\File comuni\Portrait Displays\Shared\HookManager.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Programmi\Windows Live\Messenger\msnmsgr.exe
E:\Programmi\Nokia\Nokia PC Suite 7\PCSuite.exe
E:\Programmi\Nokia\Nokia PC Suite 7\PCSync2.exe
E:\Programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe
E:\Programmi\Logitech\Video\FxSvr2.exe
E:\Programmi\File comuni\Portrait Displays\Shared\DTSRVC.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\ewido anti-spyware 4.0\guard.exe
E:\Programmi\FileZilla Server\FileZilla Server.exe
E:\Programmi\Java\jre6\bin\jqs.exe
E:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\System32\svchost.exe
E:\Programmi\Canon\CAL\CALMAIN.exe
E:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
E:\Programmi\PC Connectivity Solution\ServiceLayer.exe
E:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
E:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
E:\Programmi\File comuni\Nokia\MPAPI\MPAPI3s.exe
E:\WINDOWS\System32\alg.exe
E:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
E:\PROGRA~1\FILECO~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--------------- [ Infected files / folders ] ----------------


»»»» Presence Files in E:


»»»» Presence Files in E:\WINDOWS


»»»» Presence Files in E:\WINDOWS\Prefetch


»»»» Presence Files in E:\WINDOWS\system32


»»»» Presence Files in E:\WINDOWS\system32\config\systemprofile\AppData\Roaming


»»»» Presence Files in E:\WINDOWS\system32\drivers


»»»» Presence Files in E:\Documents and Settings\Administrator\Dati applicazioni


»»»» Presence Files in E:\DOCUME~1\ADMINI~1\IMPOST~1\Temp


»»»» Presence Files in E:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5


--------------- [ Registry / Startup ] ----------------

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
CTFMON.EXE=E:\WINDOWS\system32\ctfmon.exe
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}="E:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
LogitechSoftwareUpdate=E:\Programmi\Logitech\Video\ManifestEngine.exe boot
msnmsgr="E:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
PC Suite Tray="E:\Programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
Nokia.PCSync="E:\Programmi\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
eMuleAutoStart=C:\Programmi\eMule\emule.exe -AutoStart

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
RTHDCPL=RTHDCPL.EXE
NeroFilterCheck=E:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
iKeyWorks=E:\PROGRA~1\Keyboard\Ikeymain.exe
EEventManager=E:\Programmi\EPSON\Creativity Suite\Event Manager\EEventManager.exe
Easy-PrintToolBox=E:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
Sunkist2k=E:\Programmi\Multimedia Card Reader\shwicon2k.exe
DT LGE=E:\Programmi\Portrait Displays\forteManager\DTHtml.exe -startup_folder
ISUSPM Startup="E:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" -startup
ISUSScheduler="E:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
Adobe Reader Speed Launcher="E:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
ccApp="E:\Programmi\File comuni\Symantec Shared\ccApp.exe"
osCheck="E:\Programmi\Norton Internet Security\osCheck.exe"
SunJavaUpdateSched="E:\Programmi\Java\jre6\bin\jusched.exe"
LVCOMSX=E:\WINDOWS\system32\LVCOMSX.EXE
LogitechVideoRepair=E:\Programmi\Logitech\Video\ISStart.exe
LogitechVideoTray=E:\Programmi\Logitech\Video\LogiTray.exe
!ewido="E:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
Installed=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
NoChange=1
Installed=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
Installed=1
<NO NAME>=


--------------- [ Registry / Infected keys ] ----------------



--------------- [ States / Services ] ----------------



+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

EapHost - Type of startup = 2

Ip6Fw - Type of startup = 2

SharedAccess - Type of startup = 2

wuauserv - Type of startup = 2

wscsvc - Type of startup = 2



--------------- [ Searching in removable drives ] ----------------


+- Informations :

C: - Unit… fissa

D: - Unit… fissa

E: - Unit… fissa


+- Presence of files :



--------------- [ Registry / Mountpoint2 ] ----------------


-> Not found !


------------------- ! End of report ! --------------------

Grazie per la celerità[:)]

[Luca84]

Ciao, alla fine ho disinsatallato la vecchia versione del norton, e sono riuscito ad installare la versione di prova del Kaspersky internet security 2009. L'antivirus funziona , ed i browser hanno ripreso a funzionare, ergo deduco che non ci siano più problemi, ma se analizzando i log doveste riscontrarne, vi prego di dirmelo
Grazie mille a chi mi ha risposto

Buone feste
Luca