Page 1 of 1

Suspected Virus

Posted: Wed Sep 09, 2009 11:28 am
by Pciccio
Hi everyone. Yesterday my brother, inadvertently and I don't know how, while using my PC downloaded a program called "Personal Antivirus" or "Personal AV", which shows up in the process list as PAV.exe and has a yellow shield icon. I don't know this software and it looks like a virus to me, because it caused quite a mess on the PC. First of all I couldn't uninstall it with its Uninstall file, which didn't work, and it wasn't listed in Windows Add/Remove Programs either. At that point I ran a scan with Antivir, which detected and removed an infected file whose name I don't remember; then I disabled its autostart entry with CCleaner, removed the program's files by hand and finally ran a cleanup with CCleaner. Now, however, when the Windows session starts I get an error message (picture below) referring to the file NetFilter.exe. What should I do? Is it a virus?
Image

Re: Suspected Virus

Posted: Wed Sep 09, 2009 12:05 pm
by riise90
Smells a lot like rogue software to me. Try a scan with Malwarebytes and Combofix and let's see if it finds anything.

Re: Suspected Virus

Posted: Wed Sep 09, 2009 12:10 pm
by lorenaino
Hi, it's definitely rogue software.

Re: Suspected Virus

Posted: Wed Sep 09, 2009 5:03 pm
by Max01
Do a good pass with Malwarebytes and SuperAntiSpyware, that should be enough.

Re: Suspected Virus

Posted: Wed Sep 09, 2009 5:16 pm
by Pciccio
I did a pass with Combofix, I'm posting the log; thanks for your interest.

ComboFix 09-09-08.09 - Admin 09/09/2009 17.56.45.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1023.505 [GMT 2:00]
Eseguito da: c:\documents and settings\Admin.PROFESSI-LK0MPN\Documenti\Download\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-790525478-343818398-839522115-1004
c:\windxp\Downloaded Program Files\popcaploader.dll
c:\windxp\Downloaded Program Files\popcaploader.inf
c:\windxp\Fonts\sanssb__.ttf
c:\windxp\Fonts\sansso__.ttf
c:\windxp\Fonts\stylu.ttf
c:\windxp\OnSpcLCK.exe
c:\windxp\system\Winaspi.dll
c:\windxp\system\Wowpost.exe
c:\windxp\system32\ban_list.txt
c:\windxp\system32\drivers\ndisrd.sys
c:\windxp\system32\msxmlm.dll
c:\windxp\system32\ndisapi.dll
c:\windxp\system32\NetFilter.exe

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NDISRD
-------\Service_Iprip
-------\Service_NDISRD


((((((((((((((((((((((((( Files Creati Da 2009-08-09 al 2009-09-09 )))))))))))))))))))))))))))))))))))
.

2009-09-09 10:10 . 2009-06-21 21:47 153088 -c----w- c:\windxp\system32\dllcache\triedit.dll
2009-09-08 17:46 . 2009-09-08 17:46 -------- d-----w- c:\documents and settings\Francesco\Dati applicazioni\Lavasoft
2009-09-08 13:55 . 2009-09-08 13:55 -------- d-----w- c:\programmi\File comuni\Uninstall
2009-09-06 14:54 . 2009-09-06 14:56 -------- d-----w- c:\documents and settings\Admin.PROFESSI-LK0MPN\dwhelper
2009-08-25 11:27 . 2009-08-25 11:27 -------- d-----w- c:\documents and settings\Admin.PROFESSI-LK0MPN\Dati applicazioni\GARMIN
2009-08-25 11:27 . 2009-08-25 11:27 -------- d-----w- c:\programmi\Garmin GPS Plugin
2009-08-25 11:27 . 2009-08-25 11:27 -------- d-----w- c:\programmi\DIFX
2009-08-25 11:27 . 2009-08-25 11:27 -------- d-----w- c:\programmi\Garmin
2009-08-20 12:10 . 2009-08-20 12:10 -------- d-----w- c:\documents and settings\All Users.WINDXP\Dati applicazioni\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-20 12:09 . 2009-08-20 12:09 -------- d-----w- c:\programmi\Bonjour
2009-08-20 12:07 . 2009-07-09 10:16 39424 ----a-w- c:\windxp\system32\drivers\usbaapl.sys
2009-08-20 12:07 . 2009-07-09 10:16 2060288 ----a-w- c:\windxp\system32\usbaaplrc.dll
2009-08-17 14:53 . 2009-08-17 14:53 -------- d-----w- C:\a989281fed9fe70f51a8
2009-08-17 13:54 . 2009-07-10 13:26 1315328 -c----w- c:\windxp\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 16:12 . 2007-10-03 17:57 -------- d-----w- c:\programmi\Mozilla Thunderbird
2009-09-02 11:18 . 2009-02-04 18:01 2971 ----a-w- c:\documents and settings\Admin.PROFESSI-LK0MPN\Dati applicazioni\mdbu.bin
2009-09-01 08:04 . 2007-10-01 18:06 111256 ----a-w- c:\documents and settings\Francesco\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-08-20 12:16 . 2005-01-18 11:14 111256 ----a-w- c:\documents and settings\Admin.PROFESSI-LK0MPN\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-08-20 12:10 . 2007-06-01 15:58 -------- d-----w- c:\programmi\iTunes
2009-08-20 12:10 . 2007-12-28 22:42 -------- d-----w- c:\programmi\File comuni\Apple
2009-08-20 11:39 . 2009-05-10 12:39 55656 ----a-w- c:\windxp\system32\drivers\avgntflt.sys
2009-08-17 14:56 . 2003-04-08 12:00 81700 ----a-w- c:\windxp\system32\perfc010.dat
2009-08-17 14:56 . 2003-04-08 12:00 484164 ----a-w- c:\windxp\system32\perfh010.dat
2009-08-06 11:17 . 2009-08-06 11:08 -------- d-----w- c:\programmi\FreePOPs
2009-08-05 08:59 . 2005-01-14 19:23 205312 ----a-w- c:\windxp\system32\mswebdvd.dll
2009-07-31 17:41 . 2006-08-24 10:19 -------- d-----w- c:\documents and settings\Admin.PROFESSI-LK0MPN\Dati applicazioni\Skype
2009-07-31 17:40 . 2008-11-08 14:13 -------- d-----w- c:\documents and settings\Admin.PROFESSI-LK0MPN\Dati applicazioni\skypePM
2009-07-17 19:01 . 2003-04-08 12:00 58880 ----a-w- c:\windxp\system32\atl.dll
2009-07-13 21:43 . 2005-01-17 16:43 286208 ----a-w- c:\windxp\system32\wmpdxm.dll
2009-06-16 14:36 . 2003-04-08 12:00 81920 ----a-w- c:\windxp\system32\fontsub.dll
2009-06-16 14:36 . 2003-04-08 12:00 119808 ----a-w- c:\windxp\system32\t2embed.dll
2009-06-15 10:43 . 2003-04-08 12:00 78336 ----a-w- c:\windxp\system32\telnet.exe
2008-06-07 21:21 . 2008-06-07 21:13 24 --sh--w- c:\windxp\S0A7E8EDD.tmp
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="c:\programmi\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NvCplDaemon"="c:\windxp\system32\NvCpl.dll" [2006-10-22 7700480]
"Thunderbird"="c:\programmi\Mozilla Thunderbird\thunderbird.exe" [2009-09-02 8318056]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\programmi\K-Lite Codec Pack\QuickTime\qttask.exe" [2009-05-26 413696]
"MyGarminAgent"="c:\programmi\Garmin\MyGarminAgent.exe" [2009-05-07 335872]
"PtiuPbmd"="ptipbm.dll" - c:\windxp\system32\ptipbm.dll [2003-01-15 24576]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windxp\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windxp\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.WINDXP\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2004-4-23 113664]
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-13 561213]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\programmi\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Outlook Express\\msimn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"c:\\Programmi\\BitTorrent\\bittorrent.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDXP\\system32\\fxsclnt.exe"=
"c:\\Programmi\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Gruppi peer-to-peer Windows
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 viasraid;viasraid;c:\windxp\system32\drivers\viasraid.sys [14/01/2005 21.06.23 77312]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windxp\system32\SupportAppXL\cdrom_mon.exe [20/05/2009 12.34.45 81920]
R2 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [02/03/2008 23.16.24 35584]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S2 PCAutoPowerOnService;Auto Power-on & Shut-down Service;c:\programmi\Auto Power-on\PCAutoPowerOnService.exe [14/02/2006 14.09.30 484864]
S3 axsaki;axsaki;c:\windxp\system32\drivers\axsaki.sys [30/03/2003 22.38.18 102624]
S3 axskbus;axskbus;c:\windxp\system32\drivers\axskbus.sys [28/03/2003 12.58.42 8640]
S3 HwIOctl;HwIOctl; [x]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windxp\system32\drivers\ONDAusbmdm6k.sys [20/05/2009 12.35.14 104960]
S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windxp\system32\drivers\ONDAusbnet.sys [20/05/2009 12.35.14 110080]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windxp\system32\drivers\ONDAusbnmea.sys [20/05/2009 12.35.14 104960]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windxp\system32\drivers\ONDAusbser6k.sys [20/05/2009 12.35.14 104960]
S3 PortTalk;PortTalk;c:\windxp\system32\Drivers\PortTalk.sys --> c:\windxp\system32\Drivers\PortTalk.sys [?]
S3 RGFILERW;RGFILERW;c:\windxp\system32\drivers\RGFILERW.SYS [02/04/2007 19.38.50 3984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contenuto della cartella 'Scheduled Tasks'

2009-06-11 c:\windxp\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.repubblica.it/
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {FC1E3BCA-5F84-4185-A159-7494ED3EA773} = 192.168.1.1,151.99.125.1
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://e:\content\include\XPPatchInstaller.CAB
FF - ProfilePath - c:\documents and settings\Admin.PROFESSI-LK0MPN\Dati applicazioni\Mozilla\Firefox\Profiles\y27748jg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.repubblica.it/
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmi\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\programmi\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\programmi\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\programmi\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\programmi\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\programmi\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\programmi\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\programmi\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windxp\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
SafeBoot-AVG Anti-Spyware Driver
AddRemove-Easy-PhotoPrint - c:\windxp\ISUN0410.EXE -fc:\programmi\Canon\Easy-PhotoPrint\Uninst.isu
AddRemove-Heroes of Might and Magic IV - c:\windxp\IsUn0410.exe -fc:\programmi\3DO\Heroes of Might and Magic IV\Heroes of Might and Magic IV.isu
AddRemove-L&H Power Translator Pro 7.0 - c:\windxp\ISUN0410.EXE -fc:\programmi\LHSP\L&H Power Translator Pro\Uninst.isu
AddRemove-OnSpec Regen - c:\windxp\ISUN0410.EXE -fREGENUNINST.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 18:11
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(404)
c:\windxp\system32\btmmhook.dll
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\programmi\Avira\AntiVir Desktop\sched.exe
c:\programmi\Avira\AntiVir Desktop\avguard.exe
c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programmi\GRISOFT\AVG Anti-Spyware 7.5\guard.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\windxp\system32\drivers\CDAC11BA.EXE
c:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
c:\windxp\system32\nvsvc32.exe
c:\windxp\system32\tcpsvcs.exe
c:\windxp\system32\snmp.exe
c:\programmi\SpeedBit Video Accelerator\VideoAcceleratorService.exe
c:\windxp\system32\wbem\wmiapsrv.exe
c:\programmi\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
c:\windxp\system32\rundll32.exe
c:\programmi\iPod\bin\iPodService.exe
.
**************************************************************************
.
Ora fine scansione: 2009-09-09 18.17.16 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-09-09 16:16

Pre-Run: 20.286.701.568 byte disponibili
Post-Run: 21.222.920.192 byte disponibili

210 --- E O F --- 2009-09-09 11:28


Let me know...

P.S.: I noticed, though, that Combofix "stripped" things a bit too deep, because it removed stuff I needed...
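Added example, not part of the thread and not ComboFix's own tooling: a small Python script that splits a ComboFix log like the one posted above into its sections, parses the REGEDIT4-style block, and flags the items a defender would check first: files ComboFix deleted (drivers and executables), the Security Center override values, the firewall state in the standard profile, and globally open ports. The sample input is a constructed excerpt of the posted log; the section titles it matches ("Altre eliminazioni", "Punti Reg Caricati") are the Italian ones ComboFix printed in that log, so they are an assumption about this localisation of the tool.

```python
import re
from collections import OrderedDict

# Constructed sample input: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windxp\system32\drivers\ndisrd.sys
c:\windxp\system32\NetFilter.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"PtiuPbmd"="ptipbm.dll" - c:\windxp\system32\ptipbm.dll [2003-01-15 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# ComboFix section banners look like "(((( Title ))))"; registry keys and values follow REGEDIT4 syntax.
SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def split_sections(text):
    """Return an ordered mapping of section title -> its non-empty lines ("." separators dropped)."""
    sections = OrderedDict(preamble=[])
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def parse_registry(lines):
    """Parse a REGEDIT4-style block into {key path: {value name: raw value text}}."""
    keys = OrderedDict()
    current = None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, OrderedDict())
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = vm.group(2).strip()
    return keys


def audit_log(text):
    """Return (severity, message) findings for deleted binaries and weakened security settings."""
    findings = []
    sections = split_sections(text)
    # Section title as printed by the Italian ComboFix build in the thread (assumption).
    for path in sections.get("Altre eliminazioni", []):
        low = path.lower()
        if low.endswith(".sys"):
            findings.append(("high", f"kernel driver removed by ComboFix: {path}"))
        elif low.endswith((".exe", ".dll")):
            findings.append(("medium", f"executable removed by ComboFix: {path}"))
    reg = parse_registry(sections.get("Punti Reg Caricati", []))
    for key, values in reg.items():
        k = key.lower()
        if k.endswith("security center"):
            # A value of 1 silences Security Center warnings for that component.
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name, "").endswith("dword:00000001"):
                    findings.append(("high", f"{name}=1: Security Center alerts for this component are suppressed"))
        if k.endswith("firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(("high", "EnableFirewall=0: Windows Firewall is disabled in the standard profile"))
        if k.endswith("globallyopenports\\list"):
            for name in values:
                port, _, proto = name.partition(":")
                sev = "high" if port == "3389" else "medium"  # 3389 is Remote Desktop
                findings.append((sev, f"port {port}/{proto} globally open in firewall policy"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_log(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
```

On the excerpt above the script reports the removed ndisrd.sys driver and NetFilter.exe, both Security Center overrides, the disabled firewall and the globally open 3389/TCP port; run it against a full log by reading the file into `audit_log` instead of `SAMPLE_LOG`.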

Re: Suspected Virus

Posted: Wed Sep 09, 2009 5:19 pm
by crazy.cat
Some things were removed; if you haven't solved it yet, go ahead with Malwarebytes.

Re: Suspected Virus

Posted: Thu Sep 10, 2009 12:02 pm
by Pciccio
I think the cleanup worked, but now clickable links don't work anymore: if I click on them nothing happens, whereas before the browser would start automatically... which setting needs fixing?