www.MegaLab.it

[salin77]

Salve, sono nuovo del forum e come prima cosa volevo precisare che ho usato il comando cerca per vedere se già questo problema è stato trattato.

Vi descrivo qui il mio problema, da un po' di giorni ho notato che, nel mio server, nel file di log del vsualizzatore eventi di sicurezza ha delle chiamate in ripetizione di logon/logoff. Pensado che è un virus ho cercato di fare una scansione con degli antivirus on-line scanner ma con esito negativo (alcuni non carica neanche il programma). Quindi ho dovuto acquistare un antivirus per risolvere il problema. L'antivirus è riuscito ha trovare il virus/malware e l'ha rimosso. Purtroppo vedo nel visualizzatore eventi di sicurezza il problema è rimasto. Quindi ho fatto altre ricerche, e con il programma gmer ho scovato una cartella intel\web\xstarter\xstarter.exe che credo sia il problema, e non riesco ad eliminarla, o meglio da gmer la elimina ma poi si ricrea. Mi hanno consigliato di chiedere su questa comunità in quanto molto disponibile e competente. L'antivirus che ho ora è l'eset endpoint security 5. I virus che è riuscito a rimuovere sono surfguard.exe safesurf.exe prtest.exe residenti proprio nella cartella intel\web\xstarter.
La cartella c:\intel\web\xstarter non viene visualizzata ne dal prompt dei comandi ne da esplora risorse con spunta della visualizzazione dei file nascosti e visualizza file di sistema. Allego anche un file di log di hijackthis per capire se oltre a questo risiede qualche altro problema. Ringranziado in anticipo tutti, per l'impegno che ognuno di noi riesce a dare per risolvere il problema.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16.35.18, on 04/02/2013
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sys\csrss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\IBM\SQLLIB\BIN\db2jds.exe
C:\Programmi\IBM\SQLLIB\BIN\db2sec.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\Programmi\ESET\ESET Endpoint Security\ekrn.exe
C:\WINDOWS\system32\IBMIASRW.EXE
C:\WINDOWS\System32\ismserv.exe
C:\Programmi\Java\jre7\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system\services.exe
C:\MYGDS\MoviInServer.exe
C:\Windows\sys\csrss.exe
C:\Programmi\IBM\SQLLIB\bin\db2dasstm.exe
C:\Programmi\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\SKEYSRVC.exe
C:\Programmi\TeamViewer\Version7\TeamViewer_Service.exe
C:\Programmi\IBM\SQLLIB\bin\db2fmp.exe
C:\WINDOWS\system32\lserver.exe
C:\VEXPLite\viritsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\programmi\teamviewer\version7\TeamViewer.exe
C:\Programmi\TeamViewer\Version7\tv_w32.exe
C:\Programmi\IBM\SQLLIB\BIN\db2systray.exe
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE
C:\VEXPLite\MONLITE.EXE
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\Programmi\ESET\ESET Endpoint Security\egui.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\CNAC8SWK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Zebra Technologies\Status Monitor\Status Monitor\StatusMonitor.exe
C:\Programmi\UltraVNC\WinVNC.exe
C:\Programmi\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\IBM\SQLLIB\BIN\db2systray.exe
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE
C:\VEXPLite\MONLITE.EXE
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\Programmi\ESET\ESET Endpoint Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\CNAC8SWK.EXE
C:\Programmi\IBM\SQLLIB\bin\db2fmp.exe
C:\WINDOWS\System32\rundll32.exe

C:\Documents and Settings\Administrator\Documenti\Download\qnmk69qi.exe
c:\programmi\teamviewer\version7\TeamViewer_Desktop.exe
C:\Documents and Settings\Administrator\Documenti\Download\qnmk69qi.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\sys\waagent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: VirIT eXplorer Antivirus - {373BCD12-5B7A-4c09-897B-6B42EC48B0F8} - C:\VEXPLite\viritie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre7\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [db2systray.exe DB2] "C:\Programmi\IBM\SQLLIB\BIN\db2systray.exe" DB2
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CNAP2 Launcher] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLite\MONLITE.EXE
O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET Endpoint Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CNAP2 Launcher] "C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-2549221278-2589017462-1932852471-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'db2admin')
O4 - HKUS\S-1-5-21-2549221278-2589017462-1932852471-1131\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'stefania')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_5_502_146_Plugin.exe -update plugin (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_5_502_146_Plugin.exe -update plugin (User 'Default user')
O4 - Global Startup: Zebra Status Monitor.lnk = C:\Programmi\Zebra Technologies\Status Monitor\Status Monitor\StatusMonitor.exe
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti in PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti link selezionati in PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti selezione a PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted IP range: http://x.x.x.x
O15 - ESC Trusted IP range: http://x.x.x.x
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8884937515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pippo.it
O17 - HKLM\Software\..\Telephony: DomainName = pippo.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{06111D25-5458-41FB-876B-E38F3451382C}: NameServer = 212.216.172.222,x.x.x.x
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pippo.it
O17 - HKLM\System\CS1\Services\Tcpip\..\{06111D25-5458-41FB-876B-E38F3451382C}: NameServer = 212.216.172.222,x.x.x.x
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pippo.it
O17 - HKLM\System\CS2\Services\Tcpip\..\{06111D25-5458-41FB-876B-E38F3451382C}: NameServer = 212.216.172.222,x.x.x.x
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\Programmi\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Programmi\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Programmi\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: Server applet DB2 JDBC (DB2JDS) - International Business Machines Corporation - C:\Programmi\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 License Server (DB2LICD) - International Business Machines Corporation - C:\Programmi\IBM\SQLLIB\BIN\db2licd.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Programmi\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Programmi\ESET\ESET Endpoint Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Programmi\ESET\ESET Endpoint Security\ekrn.exe
O23 - Service: ESET SHA Service (ESHASRV) - ESET - C:\Programmi\ESET\ESET Endpoint Security\EShaSrv.exe
O23 - Service: FSPro Filter Service (fsproflt) - Unknown owner - C:\WINDOWS\system32\fsproflt.exe (file missing)
O23 - Service: Host Generic Process for Win32 Services (Host Generic Process) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)
O23 - Service: IBM Automatic Server Restart Service for IPMI (ibmiasrw) - IBM Corporation - C:\WINDOWS\system32\IBMIASRW.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Programmi\Java\jre7\bin\jqs.exe
O23 - Service: Microsoft .NET Runtime Optimization Service 2.0.50737 - Unknown owner - C:\WINDOWS\system\services.exe
O23 - Service: MovInServer - Unknown owner - C:\MYGDS\MoviInServer.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Programmi\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: MySQL - Unknown owner - C:\Programmi\MySQL\MySQL.exe (file missing)
O23 - Service: SmartKey Multilan Service - Eutronsec - C:\WINDOWS\system32\SKEYSRVC.exe
O23 - Service: SQLPep - Unknown owner - C:\WINDOWS\system32\sqlpep.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Programmi\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: uvnc_service - UltraVNC - C:\Programmi\UltraVNC\WinVNC.exe
O23 - Service: VirIT eXplorer Lite (viritsvclite) - TG Soft Sas http://www.tgsoft.it - C:\VEXPLite\viritsvc.exe
O23 - Service: Windows Task Scheduller (xStarter) - Unknown owner - C:\Intel\web\xStarter\services.exe (file missing)

--
End of file - 12183 bytes

Edit by Andy94: i log si allegano con il tag MEMO come indicato dal regolamento.

[crazy.cat]

Non uso windows 2003 da qualche secolo, quindi questi file potrebbero essere buoni, ma li potresti analizzare sul sito www.virustotal.com e vedere di cosa si tratta.

C:\WINDOWS\sys\csrss.exe
C:\WINDOWS\system\services.exe
C:\Windows\sys\csrss.exe
C:\Documents and Settings\Administrator\Documenti\Download\qnmk69qi.exe (è gmer per caso????)
C:\Documents and Settings\Administrator\Documenti\Download\qnmk69qi.exe (è gmer per caso????)
C:\WINDOWS\sys\waagent.exe

I percorsi mi suonano molto strano.

[salin77]

Si è gmer quella applicazione quando ho eseguito il log era attivo. Ora verifico i file evidenziatemi. Grazie.

[mattley_77]

In rete ho trovato il file "xstarter" ed è un programma vero e proprio, una breve descrizione del programma

<<xStarter is a utility to automate routine computer tasks. You can create complex tasks that are triggered by a file system event, on a schedule, conditional or run manually. The program can archive data, run windows applications, copy files and folders, display message dialogs, send emails, perform routine backups, restart the computer and also start/stop NT services. In addition, you can trigger events across a network, automatically upload/download files via FTP, synchronize folders and more. Creating automated tasks does not require any scripting, however, advanced users can extend the functionality and create additional plug-ins. xStarter can run as NT service.>>

Se non lo hai installato tu il programma qualcuno l'ha fatto creando quei logon/logoff che hai rilevato. Purtroppo il programma non lo conosco. Spero di esserti stato utile.

[salin77]

ciao crazy.cat ho appena analizzato i file in questione e volevo dirti prima dei responsi che la cartella c:\windows\sys mi risulta non vedibile e inaccessibile da dos. Grazie al gmer e alla sua funzione di copia sono riuscito a salvare i file e farli esaminare da virustotal. Questi i responsi:
waagent.exe 25/46
sys\csrss.exe 20/46
services.exe 2/46

[crazy.cat]

A questo punto direi di far analizzare pure xstarter (giusto per curiosità) e poi una bella scansione da cdrom http://www.MegaLab.it/7628/kaspersky-re ... -su-cd-rom e ammazzi tutto quello che trova.

[salin77]

Per curiositа il file xstarter.exe analizzato da virustotal e' di 1/46.
L'antivirus che l'ha rilevato come infetto e' trendmicrohousecall.
Al momento sto facendo una scansione on-line di trendmicrohousecall.

Un altra cosa se premo sulla tastiera la "e" accentanta me la da in cirillico vedi "и". Sai eventualmente come e' possibile?
Se noti ora devo scrivere la "e" con l'apostrofo.

[salin77]

Ciao grazy.cat, per caso conosci un po' di russo? Il perché guarda l'allegato immagine.

[crazy.cat]

Ciao grazy.cat, per caso conosci un po' di russo? Il perché guarda l'allegato immagine.

No. Niente russo.
Cosa vuol dire l'immagine?

Usa il cd di kaspersky se vuoi fare vera pulizia, le scansioni online non credo risolvano.

[salin77]

Speravo che tu mi sapessi dire di piu'. Comunque sono riuscito a fare la scansione con kaspersky cd live aggiornato alle definizioni virali del 07-02-2013, questo il responso:

Status: Deleted (events: 4)
2/7/13 10:27 PM Deleted malicious application HackTool.Win32.BruteForce.xl C:/Programmi/Mozilla Firefox/DBR/DUBrute.exe Medium
2/7/13 10:27 PM Deleted malicious application HackTool.Win32.BruteForce.xl C:/Documents and Settings/Administrator/Impostazioni locali/Temp/HouseCall/log/0B20B665-CD7F-4393-AF5F-3276566B3667/backup/25 Medium
2/7/13 10:27 PM Deleted malicious application HackTool.Win32.BruteForce.xl C:/Documents and Settings/Administrator/Impostazioni locali/Temp/HouseCall/log/0B20B665-CD7F-4393-AF5F-3276566B3667/backup/25//PE-Crypt.XorPE Medium
2/7/13 10:27 PM Deleted malicious application HackTool.Win32.BruteForce.xl C:/Documents and Settings/Administrator/Impostazioni locali/Temp/HouseCall/log/0B20B665-CD7F-4393-AF5F-3276566B3667/backup/25//PE-Crypt.XorPE//DBR/DUBrute.exe Medium

[mattley_77]

Un altra cosa se premo sulla tastiera la "e" accentanta me la da in cirillico vedi "и". Sai eventualmente come e' possibile?
Se noti ora devo scrivere la "e" con l'apostrofo.

Questo post può esserti utile

http://www.MegaLab.it/7464/cambiare-il- ... a-tastiera

[salin77]

Rieccomi. Ho fatto la scansione del cd live di kaspersky. Il risultato eccolo

Status: Deleted (events: 4)
2/7/13 10:27 PM Deleted malicious application HackTool.Win32.BruteForce.xl C:/Programmi/Mozilla Firefox/DBR/DUBrute.exe Medium
2/7/13 10:27 PM Deleted malicious application HackTool.Win32.BruteForce.xl C:/Documents and Settings/Administrator/Impostazioni locali/Temp/HouseCall/log/0B20B665-CD7F-4393-AF5F-3276566B3667/backup/25 Medium
2/7/13 10:27 PM Deleted malicious application HackTool.Win32.BruteForce.xl C:/Documents and Settings/Administrator/Impostazioni locali/Temp/HouseCall/log/0B20B665-CD7F-4393-AF5F-3276566B3667/backup/25//PE-Crypt.XorPE Medium
2/7/13 10:27 PM Deleted malicious application HackTool.Win32.BruteForce.xl C:/Documents and Settings/Administrator/Impostazioni locali/Temp/HouseCall/log/0B20B665-CD7F-4393-AF5F-3276566B3667/backup/25//PE-Crypt.XorPE//DBR/DUBrute.exe Medium

Ma niente da fare il problema rimane.

Tramite l'antivirus on-line f-secure fino ad ora è l'unico che mi rileva la cartella nascosta come il gmer, ma non riesce a rimuoverla.

Installando malwarebytes sulla macchina non si riesce ad eseguire il programma in quanto viene bloccato l'eseguibile mbam.exe anche in modalità provvisoria e non si riesce più neanche a cancellarlo.

Ho trovato anche la versione portable del malwarebytes ma non parte anchessa dalla macchina, però l'eseguibile non viene bloccato. Se invece la eseguo dalla rete lan riesce a partire ma non trova niente.

Ho trovato un live cd di bit defender, che è un altro antivirus che tramite la scansione on-line rileva delle minacce. Devo ancora provare.

Qui il log di f-secure antivirus malware che ho fatto.

Scanning Report
Saturday, February 16, 2013 00:02:52 - 00:55:17
Computer name: SERVER
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\


--------------------------------------------------------------------------------

63 malware found
http://cgi.f-secure.com/cgi-bin/websear ... &#39;disk&#39; (spyware)
System (Disinfected)
Gen:Variant.Graftor.Elzob (spyware)
System (Disinfected)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\MSVCM80.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\ACCESSIBLEMARSHAL.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\D3DCOMPILER_43.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\D3DX9_43.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\FREEBL3.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\GKMEDIAS.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\IA2MARSHAL.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\JS.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\LIBEGL.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\LIBGLESV2.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\MOZALLOC.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\MOZGLUE.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\MOZJS.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\MOZSQLITE3.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\MSVCP80.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\MSVCR80.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\NSPR4.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\NSS3.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\NSSCKBI.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\NSSDBM3.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\NSSUTIL3.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\PLC4.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\PLDS4.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\PLUGIN-CONTAINER.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\PLUGINS\NPSWF32_11_3_300_262.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\REDIT.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\SMIME3.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\SOFTOKN3.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\SSL3.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\XPCOM.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\XPCSHELL.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\1\XUL.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\JET.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\SFA.BIN (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\F\UPCACHE (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\MICROSOFT\SKYBOUND.GECKO.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\LIBEAY32.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\SSLEAY32.DLL (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--ABUSA.XLG (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--DELGUARD.XLG (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--FGUARD.XLG (Not cleaned)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--GGUARD.XLG (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--GUARD.XLG (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--REGGUARD.XLG (Not cleaned)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--RESTART.XLG (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--RUN.XLG (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--RUNGUARD.XLG (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\TASKLOGS\C--SERVICES.XLG (Not cleaned)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\WEB\INDEX.HTM (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\WEB\OPERATION.HTM (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\WEB\SECTIONS.HTM (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\WEB\SWEB.BAT (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\WEB\SYS.BAT (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\WEB\TASKS.HTM (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\XPREFS.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\XSTARTER.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\XSTARTER.INI (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\XSTARTER.XLG (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\XSTARTUI.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\INTEL\WEB\XSTARTER\YAHOOAUTH.DLL (Not cleaned & Submitted)
Gen:Variant.Graftor.Elzob.203 (virus)
C:\WINDOWS\SYSTEM32\SQLPEP.EXE (Not cleaned)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 53831
System: 3265
Not scanned: 19
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
Not cleaned: 61
Submitted: 57
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\IB2
C:\WINDOWS\TEMP\IB3
C:\WINDOWS\TEMP\IB4
C:\WINDOWS\TEMP\IB5
C:\WINDOWS\TEMP\IB6
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAMMI\MALWAREBYTES' ANTI-MALWARE\MBAM.EXE
C:\MALWAREBYTES' ANTI-MALWARE\MBAM.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\IMPOSTAZIONI LOCALI\TEMP\~DFB341.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\IMPOSTAZIONI LOCALI\TEMP\~DFC198.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\IMPOSTAZIONI LOCALI\TEMP\~DFF735.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\IMPOSTAZIONI LOCALI\TEMP\HSPERFDATA_ADMINISTRATOR\6348
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\IMPOSTAZIONI LOCALI\TEMP\HSPERFDATA_ADMINISTRATOR\7148
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\DATA\MALWAREBYTES ANTI-MALWARE\LOCAL\STUBEXE\0X668D5FABFD11966E\MBAM.EXE

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR TMP
Use advanced heuristics