www.MegaLab.it

da **Luke_1** » ven gen 25, 2008 1:56 pm

Ciao ragazzi di MEGAFORUM, è la prima volta che scrivo, e ahimè credo prorio di avere un virus, spero mi possiate dare una mano.
Il processo IEXPLORE.EXE mi si apre anche se non uso internet explorer (uso solo mozzilla ff) ed è gia nel task all'accensione, se provo a chiudere il processo me lo riapre all'istante. Ovviamente a parte rallentarmi tutto il pc, mi apre popup in continuazione...
Ho già letto molto a rigurado ma non riesco proprio a liberarmene. Fino ad ora ho usato: kaspersky, nod 32, a-squared, superantispyware ed ad-aware, ho fatto tutte le scansioni in mod. provvisoria ma nessuno mi trova il virus, mi hanno trovato solo dei cookie.
Vi ringrazio in anticipo per le risposte, e spero possiate aiutarmi, visto che non so più che fare.
Ciao, a presto.

da **ste_95** » ven gen 25, 2008 1:58 pm

Posta un log di hijackthis:

Scarica HijackThis
Salvalo in una cartella (non aprirlo direttamente, sennò non farà i backup!)
Apri l'eseguibile
Clicca quindi su "Do a System Scan and Save a Logfile"
Attendi che finisca la scansione
Quindi copia il contenuto del blocco note qui sul forum.

da **Luke_1** » ven gen 25, 2008 2:15 pm

Ok, grazie ste_95, solo una cosa volevo chiederti il log lo faccio in mod. provvisoria??

da **ste_95** » ven gen 25, 2008 2:31 pm

No, modalità normale.

da **Luke_1** » ven gen 25, 2008 3:48 pm

Ecco il log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15.46.54, on 25/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\ASUS\AI Gear\GearHelp.exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programmi\Analog Devices\SoundMAX\SMax4.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Prisma Firewall\prisma.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\SEC\Natural Color\NaturalColorLoad.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Antonino\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastweb.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programmi\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Ai Gear Help] "C:\Programmi\ASUS\AI Gear\GearHelp.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Prisma Firewall] C:\Programmi\Prisma Firewall\prisma.exe
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Iso barb] ^\phonebib\internet itch.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/230?b0f3a049c59e43a1aa3c7cf25238922e
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/229?b0f3a049c59e43a1aa3c7cf25238922e
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\reflection.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe

--
End of file - 10106 bytes

da **crazy.cat** » ven gen 25, 2008 4:01 pm

Hai idea di cosa sia questo?
O4 - HKCU\..\Run: [Iso barb] ^\phonebib\internet itch.exe

da **Luke_1** » ven gen 25, 2008 4:42 pm

no, ho provato anche a fare una ricerca ma nn mi trova nulla....

da **crazy.cat** » ven gen 25, 2008 4:46 pm

Prova con gmer e vedi se all'apertura ti segnala delle voci in rosso o attività rootkit

da **Luke_1** » ven gen 25, 2008 5:16 pm

Non mi ha trovato nessuna voce in rosso, ma mi sa che qualcosa lo ha trovato, ecco uno screen:

da **ste_95** » ven gen 25, 2008 6:48 pm

Con GMER è tutto a posto, in hijackthis seleziona questa voce e premi fix checked in basso:

O4 - HKCU\..\Run: [Iso barb] ^\phonebib\internet itch.exe

da **Luke_1** » ven gen 25, 2008 7:02 pm

Ok, fatto ma sul task il processo c'è ancora....

da **ste_95** » ven gen 25, 2008 7:32 pm

Il log è pulito, IEXPLORE.exe è al suo posto.

da **Luke_1** » ven gen 25, 2008 8:32 pm

Ho notato che però appena parte il pc non appare il processo, ma circa dopo 10 minuti, ovviamente non apro explorer, come è possibile?
E come se nn bastasse questi maledetti popupmi hanno rotto le scatole.... [:(!]

da **ste_95** » ven gen 25, 2008 8:33 pm

I pop-up a che genere di sito portano? Prova a fare una scansione con combofix.

da **Luke_1** » ven gen 25, 2008 8:44 pm

Mah...in genere vanno dalle chat ai centri commerciali....pero noto che molte volte prima dell'url portano la scritta "CiD", cosa un po' strana non ti pare?
Ora comunque faccio una scansione con combofix.

da **ste_95** » ven gen 25, 2008 8:47 pm

Poi cerca anche nel computer il file internet itch.exe

da **Luke_1** » ven gen 25, 2008 9:10 pm

Ecco il log:

ComboFix 08-01-23.1C - Antonino 2008-01-25 20.54.05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1389 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Antonino\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2007-12-25 al 2008-01-25 )))))))))))))))))))))))))))))))))))
.

2008-01-25 20:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 17:02 . 2008-01-25 20:51 250 --a------ C:\WINDOWS\gmer.ini
2008-01-23 22:34 . 2008-01-23 22:34 <DIR> d-------- C:\Programmi\Kaspersky Lab
2008-01-23 22:34 . 2008-01-25 20:59 3,385,120 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-23 22:34 . 2008-01-23 23:19 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-23 22:34 . 2008-01-23 23:19 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-23 22:34 . 2008-01-25 20:59 48,584 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-23 22:34 . 2008-01-25 21:01 25,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-23 22:34 . 2008-01-25 20:59 4,472 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-23 22:11 . 2008-01-23 22:11 <DIR> d-------- C:\phonebib
2008-01-21 21:59 . 2008-01-23 13:41 <DIR> d-------- C:\VEXPLITE
2008-01-21 21:59 . 2007-10-10 09:00 36,096 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2008-01-21 14:01 . 2008-01-23 22:00 356 --a------ C:\WINDOWS\system32\drivers\prismaa.dat
2008-01-21 01:04 . 2008-01-21 01:04 <DIR> d-------- C:\Programmi\CCleaner
2008-01-21 00:51 . 2008-01-21 00:51 312 --a------ C:\WINDOWS\system32\drivers\prisma.dat
2008-01-21 00:50 . 2008-01-21 13:02 <DIR> d-------- C:\Programmi\Prisma Firewall
2008-01-21 00:50 . 2008-01-21 00:50 115,712 --a------ C:\WINDOWS\system32\reflection.dll
2008-01-21 00:50 . 2007-02-26 13:09 13,952 --a------ C:\WINDOWS\system32\drivers\difraction.sys
2008-01-21 00:50 . 2007-02-26 13:09 12,288 --a------ C:\WINDOWS\system32\drivers\refraction.sys
2008-01-19 14:20 . 2007-12-04 15:44 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-01-19 13:18 . 2008-01-19 13:18 <DIR> d-------- C:\Programmi\Lavasoft
2008-01-18 22:40 . 2008-01-18 22:40 49 --a------ C:\WINDOWS\bsclient.INI
2008-01-18 20:54 . 2008-01-18 21:44 <DIR> d-------- C:\Programmi\Startup Inspector for Windows
2008-01-18 20:42 . 2008-01-18 22:40 <DIR> d-------- C:\Programmi\SensiveGuard
2008-01-18 20:37 . 2008-01-25 19:46 97 --a------ C:\WINDOWS\system32\drivers\prismat.dat
2008-01-18 18:07 . 2008-01-21 00:05 <DIR> d-------- C:\Programmi\SUPERAntiSpyware
2008-01-18 18:07 . 2008-01-21 00:05 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-01-18 17:49 . 2008-01-21 00:07 <DIR> d-------- C:\Programmi\a-squared Free
2008-01-18 15:28 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-18 15:25 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\mjrijnpbdtrw.sys
2008-01-18 15:14 . 2008-01-20 19:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-18 15:14 . 2008-01-20 19:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-16 14:01 . 2008-01-16 14:01 <DIR> d-------- C:\Programmi\phonebib
2007-12-27 17:44 . 2008-01-23 21:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 17:44 . 2007-12-27 17:44 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 18:27 --------- d-----w C:\Programmi\AdunanzA
2008-01-20 18:37 --------- d-----w C:\Programmi\MSN Messenger
2008-01-20 18:37 --------- d-----w C:\Programmi\Messenger Plus! Live
2008-01-20 02:26 --------- d-----w C:\Programmi\Windows Live Toolbar
2008-01-20 02:18 --------- d-----w C:\Programmi\QuickTime
2008-01-20 02:17 --------- d-----w C:\Programmi\Multimedia Card Reader
2008-01-20 02:14 --------- d-----w C:\Programmi\iTunes
2008-01-20 02:07 --------- d-----w C:\Programmi\DAEMON Tools
2008-01-19 11:42 --------- d-----w C:\Programmi\Circle Developement
2007-12-24 10:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-13 19:45 --------- d-----w C:\Programmi\Electronic Arts
2007-12-07 16:26 --------- d-----w C:\Programmi\File comuni\Adobe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" [2007-04-03 23:29 165784]
"Iso barb"="^\phonebib\internet itch.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TrueImageMonitor.exe"="C:\Programmi\Acronis\TrueImage\TrueImageMonitor.exe" [2005-10-25 22:48 988565]
"Acronis Scheduler2 Service"="C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2005-10-25 22:48 118784]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-30 02:04 32768]
"Sunkist2k"="C:\Programmi\Multimedia Card Reader\shwicon2k.exe" [2005-02-25 16:54 131072]
"Ai Gear Help"="C:\Programmi\ASUS\AI Gear\GearHelp.exe" [2006-07-27 20:39 415744]
"zBrowser Launcher"="C:\Programmi\Logitech\iTouch\iTouch.exe" [2002-11-23 02:15 631362]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"amd_dc_opt"="C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"muBlinder"="C:\Documents and Settings\Antonino\Desktop\Mublinder - Rimuove Copia Non Autentica Windows XP\muBlinder_31\muBlinder.exe" [ ]
"SoundMAX"="C:\Programmi\Analog Devices\SoundMAX\SMax4.exe" [2006-07-13 06:12 729088]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-03-14 18:05 257088]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2006-12-18 20:34 868352]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"Prisma Firewall"="C:\Programmi\Prisma Firewall\prisma.exe" [2008-01-21 00:50 966656]
"AVP"="C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
NaturalColorLoad.lnk - C:\Programmi\SEC\Natural Color\NaturalColorLoad.exe [2007-01-29 20:02:09 155715]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\WINDOWS\system32\drivers\pe3ah4nc.sys [2007-05-18 20:53]
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\WINDOWS\system32\drivers\ps6ah4nc.sys [2007-05-18 20:52]
R1 PrismaNDIS;PrismaNDIS;C:\WINDOWS\system32\DRIVERS\difraction.sys [2007-02-26 13:09]
R1 PrismaNDISFilter;PrismaNDISFilter;C:\WINDOWS\system32\DRIVERS\refraction.sys [2007-02-26 13:09]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\WINDOWS\system32\pr2ah4nc.exe svc []

.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-25 19:00:00 C:\WINDOWS\Tasks\AF09DEF2918A4EEA.job"
- c:\docume~1\antonino\datiap~1\phonebib\meal readme open.exe
"2008-01-05 11:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 19:53:00 C:\WINDOWS\Tasks\Verifica aggiornamenti per Windows Live Toolbar.job"
- C:\Programmi\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 21:02:18
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-25 21:08:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 20:08:45
.
2008-01-09 00:03:34 --- E O F ---

da **ste_95** » ven gen 25, 2008 9:13 pm

Vediamo cosa riusciamo a fare... Le cose le ho viste... Intanto però dovresti cercare il file segnalato nel computer. Sei sicuro di aver fixato la voce che avevamo detto?

da **Luke_1** » ven gen 25, 2008 9:18 pm

Si, ho fixato la voce di prima e ho anche cercato il file, me ne ha trovato uno in C:\phonebib e un'altro (INTERNET ITCH.EXE-17A99705.Pf) in C:\Prefetch.

Ps: ma perche c'è quella scritta in rosso che dice che non è istallata la "RECOVERY CONSOLE"?

da **ste_95** » ven gen 25, 2008 9:19 pm

Phonebib lo conosci? lo hai installato tu?

www.MegaLab.it

IEXPLORE.EXE

IEXPLORE.EXE

Chi c’è in linea