www.MegaLab.it

[Ran85]

Rieccomi qua sempre con lo stesso problema....
Praticamente mi sono presa nuovamente il solito virus... l'antivirus non va così come tutti gli altri programmi di scan e rimozione... le altre volte riuscivo a debellarlo facilmente cancellando manualmente questi file con combofix:

C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\msupdte.exe
C:\WINDOWS\bootstat.dat
C:\WINDOWS\7B478F51120137BA1F6589CAAEFF224.exe
C:\log.udt
C:\Documents and Settings\All Users\Dati applicazioni\Fitn17
C:\WINDOWS\system32\1618
C:\Documents and Settings\Administrator\Links.exe
C:\WINDOWS\system32\dfaaaefdaf.dll
C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys
C:\WINDOWS\system32\drivers\hsieegdm.sys

Ora però questo metodo non funziona più... ComboFix mi si blocca all'inizio quando dice scansione in corso ci vogliono 10 minuti circa.. e da lì non si muove... posso anche aspettare ore...

Riesco ad avviare solo OtMove....

P.S. Sono quasi certa che non sia un bagle

Help

[ste_95]

HijackThis non si avvia?

Esegui la scansione on-line estesa con Kaspersky come descritto qui e postane il log seguendo queste indicazioni.

[Ran85]

Non va nemmeno Kaspersky... come vado sul sito mi chiude explorer...

[ste_95]

Anche in modalità provvisoria?

[Ran85]

Sì stesso problema anche in modalità provvisoria

[ste_95]

Prova ad applicare questo, e riprovare a usare Hijackthis.

[Ran85]

sì ma come si applica?

[ste_95]

Stavo giusto valutando la possibilità di fare un articolo in proposito, vedrò. L'uso è molto semplice: scarichi l'archivio che il sito ti propone, lo estrai in C:\, apri cmd da Esegui, e ti sposti nella directory estratta con il comando cd, infine, lanci il comando start sdtrestore.exe.

Esempio:

Codice: Seleziona tutto

cd C:\sdtrestore
start sdtrestore.exe

Adesso dovresti essere in grado di lanciare hijackthis, gmer, e tutto quello che prima non partiva.

[Ran85]

O faccio qualcosa di sbagliato o qualcosa non mi funge... una volta che metto il percorso C:\SDTrestore mi dice "impossibile trovare il percorso specificato" eppure lì l'ho estratto....

Comunque GMer mi funziona... può servire a qualcosa?

[ste_95]

Scarica GMER, poi segui i seguenti passaggi:

--- 1° passaggio ---
Avviamo gmer
clicchiamo su > > >
Clicchiamo su Autostart
mettiamo il segno di spunta a Show All
clicchiamo su Scan
al termine della scansione, clicchiamo su Copy
Apriamo il blocco note e premiamo CTRL+V (oppure clicchiamo su Modifica e poi su Incolla).
Salviamo il file e postastiamo sul forum il risultato facendo attenzione a queste regole.

--- 2° passaggio ---
Sempre nel programma appena scaricato (gmer),
clicchiamo su Rootkit
clicchiamo su Scan
al termine della scansione, clicchiamo su Copy
Apriamo il blocco note e premiamo CTRL+V (oppure clicchiamo su Modifica e poi su Incolla).
Salviamo il file e postastiamo sul forum il risultato facendo attenzione a queste regole.

[Ran85]

Per quanto riguarda il passaggio 1, mi ha dato un solo file, ovvero:
C:/documents and settings/all users/menù avvio/ programmi/esecuzione automatica hp digital imaging monitor.inc

Per quanto riguarda il passaggio 2 ti allego il log:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-10-16 22:47:51
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xBA6C00D0]
SSDT sptd.sys ZwEnumerateKey [0xBA6C5E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C61BA]
SSDT sptd.sys ZwOpenKey [0xBA6C00B0]
SSDT sptd.sys ZwQueryKey [0xBA6C6292]
SSDT sptd.sys ZwQueryValueKey [0xBA6C6112]
SSDT sptd.sys ZwSetValueKey [0xBA6C6324]

Code d1ae6bf2a2fdd47d259b1c5be3f614d7.sys ZwQueryDirectoryFile [0xBA8BB417]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys Impossibile accedere al file. Il file è utilizzato da un altro processo.
? System32\Drivers\aox14gbi.SYS Impossibile trovare il percorso specificato. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6C0AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6C0C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6C0B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6C1748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6C161E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D5ACA] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A61B1E8

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)

Device \Driver\MTsensor \Device\ATKACPI ASACPI.sys
Device \Driver\usbohci \Device\USBPDO-0 8A4831E8
Device \Driver\usbohci \Device\USBPDO-1 8A4831E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A68E1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A68E1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A68E1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A68E1E8
Device \Driver\usbohci \Device\USBPDO-2 8A4831E8
Device \Driver\PCI_NTPNP1508 \Device\00000047 sptd.sys
Device \Driver\usbohci \Device\USBPDO-3 8A4831E8
Device \Driver\usbohci \Device\USBPDO-4 8A4831E8
Device \Driver\usbehci \Device\USBPDO-5 8A44B1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A61D1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89B501E8
Device \Driver\NetBT \Device\NetbiosSmb 89B501E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6A107FB3-B4D5-403A-809C-00BB7C711178} 89B501E8
Device \Driver\Video3D \Device\Video3DDevice Video3D32.sys (ASUS Video3D driver/ASUSTeK COMPUTER INC.)
Device \Driver\usbohci \Device\USBFDO-0 8A4831E8
Device \Driver\usbohci \Device\USBFDO-1 8A4831E8
Device \Driver\usbohci \Device\USBFDO-2 8A4831E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89B4D1E8
Device \Driver\usbohci \Device\USBFDO-3 8A4831E8
Device \Driver\Gpc \Device\Gpc msgpc.sys (MS General Packet Classifier/Microsoft Corporation)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89B4D1E8
Device \Driver\Ftdisk \Device\FtControl 8A61D1E8
Device \Driver\usbohci \Device\USBFDO-4 8A4831E8
Device \Driver\usbehci \Device\USBFDO-5 8A44B1E8
Device \Driver\asuskbnt \Device\ATK_KBFilter atkkbnt.sys (ASUS Help driver For Keyboard Service./ASUSTeK COMPUTER INC.)
Device \Driver\aox14gbi \Device\Scsi\aox14gbi1 8A4161E8
Device \Driver\aox14gbi \Device\Scsi\aox14gbi1Port4Path0Target0Lun0 8A4161E8
Device \FileSystem\Cdfs \Cdfs 8A0E47A0

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys (*** hidden *** ) [BOOT] d1ae6bf2a2fdd47d259b1c5be3f614d7 <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0011b107a2fb
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7&primary_ip=586742989&secondary_ip=586742989&primary_port=7000&secondary_port=7000&download_period=432000&first_download_delay=300&version=1&current_ip=1&name=d1ae6bf2a2fdd47d259b1c5be3f614d7&path=system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys&wmid=Dti002&idate=2008-07-03 17:47:30:468&last_download_time=2008-10-15 9:35:13.187
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@Tag 6
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@ImagePath system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@DisplayName d1ae6bf2a2fdd47d259b1c5be3f614d7
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7\Security
Reg HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programmi\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEB 0xCC 0x80 0x44 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x94 0xB1 0x39 0xFE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x84 0x63 0xCC 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011b107a2fb
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7&primary_ip=586742989&secondary_ip=586742989&primary_port=7000&secondary_port=7000&download_period=432000&first_download_delay=300&version=1&current_ip=1&name=d1ae6bf2a2fdd47d259b1c5be3f614d7&path=system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys&wmid=Dti002&idate=2008-07-03 17:47:30:468&last_download_time=2008-10-15 9:35:13.187
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@Tag 6
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@ImagePath system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@DisplayName d1ae6bf2a2fdd47d259b1c5be3f614d7
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7@Group System Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programmi\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEB 0xCC 0x80 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x94 0xB1 0x39 0xFE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x84 0x63 0xCC 0x9B ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@DisplayName ??
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@DeviceDesc ??
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@ProviderName ???????
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@MFG ?????
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@ReinstallString .10.1000.7
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@DeviceInstanceIds d:\drivers\chipset\driver\x86_x64\sbdrv\smbus\smbusati.inf
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ...

---- Files - GMER 1.0.14 ----

File C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\WVJXNZF1\x_to_hide[2].gif 65 bytes
File C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\WVJXNZF1\app_2_12156593665_9425[1].gif 399 bytes
File C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys 36864 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\_d1ae6bf2a2fdd47d259b1c5be3f614d7.sys_.vir 36864 bytes

---- EOF - GMER 1.0.14 ----

[ste_95]

Per quanto riguarda il passaggio 1, mi ha dato un solo file, ovvero:
C:/documents and settings/all users/menù avvio/ programmi/esecuzione automatica hp digital imaging monitor.inc

???

Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Ora incolla queste righe nella box bianca che si è aperta:

Codice: Seleziona tutto

Files to delete:
C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys

Registry keys to delete:
HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7
HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7

Togli il segno di spunta dalla voce Scan for Rootkits
Premi il pulsante Execute
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

Se Avenger riporta un errore, prova a riscrivere manualmente la prima riga (Files to delete:) ricordando i due punti. Se il problema persiste prova con la vecchia versione di Avenger.

In modalità provvisoria, trovi il file C:\WINDOWS\System32\Drivers\aox14gbi.SYS?

[Ran85]

Avenger non va nessuna delle due versioni... stesso problema di hijackthis e antivirus e simili...

Quel file in modalità provvisoria non mi pare ci sia...

[ste_95]

Scarica ComboFix ed esegui una scansione, le istruzioni le trovi in fondo a questo articolo.

[Ran85]

L'avevo già fatta ieri... ti posto il log:

ComboFix 08-10-15.08 - Administrator 2008-10-16 17:46:38.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1613 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Administrator\Desktop\roba virus\ComboFix.exe
* Creato nuovo punto di ripristino
* Resident AV is active


ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((( Files Creati Da 2008-09-16 al 2008-10-16 )))))))))))))))))))))))))))))))))))
.

2008-10-15 15:29 . 2008-10-15 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\GameHouse
2008-10-15 15:24 . 2008-10-15 15:24 <DIR> d-------- C:\WINDOWS\Delicious Emilys Tea Garden
2008-10-15 15:24 . 2008-10-15 19:05 <DIR> d-------- C:\Programmi\Delicious Emilys Tea Garden
2008-10-15 09:35 . 2008-10-15 09:35 185,360 --a------ C:\WINDOWS\5BF323DE133BEC2BFACD1CAFF5E0ABAF.exe
2008-10-13 14:34 . 2008-10-13 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Gogii
2008-10-13 14:33 . 2008-10-13 14:33 <DIR> d-------- C:\WINDOWS\The Hidden Object Show Season 2
2008-10-13 14:33 . 2008-10-15 01:06 <DIR> d-------- C:\Programmi\The Hidden Object Show Season 2
2008-10-12 15:50 . 2008-10-12 15:50 <DIR> d-------- C:\WINDOWS\Cake Shop
2008-10-12 15:50 . 2008-10-13 14:30 <DIR> d-------- C:\Programmi\Cake Shop
2008-10-12 15:50 . 2008-10-12 15:50 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\EleFun Games
2008-10-09 17:38 . 2008-10-09 17:38 <DIR> d-------- C:\Programmi\PlayFirst
2008-09-24 01:24 . 2008-09-24 01:24 244 --ah----- C:\sqmnoopt05.sqm
2008-09-24 01:24 . 2008-09-24 01:24 244 --ah----- C:\sqmnoopt04.sqm
2008-09-24 01:24 . 2008-09-24 01:24 232 --ah----- C:\sqmdata05.sqm
2008-09-24 01:24 . 2008-09-24 01:24 232 --ah----- C:\sqmdata04.sqm
2008-09-23 22:11 . 2008-09-23 22:11 244 --ah----- C:\sqmnoopt03.sqm
2008-09-23 22:11 . 2008-09-23 22:11 232 --ah----- C:\sqmdata03.sqm
2008-09-23 22:08 . 2008-09-23 22:08 244 --ah----- C:\sqmnoopt02.sqm
2008-09-23 22:08 . 2008-09-23 22:08 232 --ah----- C:\sqmdata02.sqm
2008-09-23 21:14 . 2008-09-23 21:14 244 --ah----- C:\sqmnoopt01.sqm
2008-09-23 21:14 . 2008-09-23 21:14 232 --ah----- C:\sqmdata01.sqm
2008-09-23 21:13 . 2008-09-23 21:13 244 --ah----- C:\sqmnoopt00.sqm
2008-09-23 21:13 . 2008-09-23 21:13 232 --ah----- C:\sqmdata00.sqm
2008-09-17 13:54 . 2008-09-17 13:54 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 15:27 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-10-14 23:27 --------- d---a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-10-14 11:33 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\HPAppData
2008-10-13 12:30 --------- d-----w C:\Programmi\Farm Frenzy 2
2008-10-13 10:41 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-10-09 15:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\PlayFirst
2008-10-09 15:39 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\PlayFirst
2008-09-24 08:01 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-09-12 23:46 --------- d-----w C:\Programmi\Gravity
2008-09-09 16:37 --------- d-----w C:\Programmi\Eset
2008-09-04 16:27 7,168 ----a-w C:\WINDOWS\CED6976738D05B35835A7C9F194262D.exe
2008-09-04 10:42 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Jasc
2008-09-02 14:00 512,096 ----a-w C:\WINDOWS\system32\drivers\_mon.s00
2008-09-02 14:00 15,424 ----a-w C:\WINDOWS\system32\drivers\_od32drv.s00
2008-09-02 13:53 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-09-02 13:53 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-09-02 13:53 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-09-02 13:05 --------- d-----w C:\Programmi\EsetOnlineScanner
2008-08-30 16:22 7,168 ----a-w C:\WINDOWS\F59135DD2C94155341E109C7631A66C.exe
2008-08-29 19:14 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-08-29 19:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-08-29 19:14 --------- d-----w C:\Programmi\File comuni\xing shared
2008-08-29 19:14 --------- d-----w C:\Programmi\File comuni\Real
2008-08-29 11:01 --------- d-----w C:\Programmi\Photo Story 3 for Windows
2008-08-28 12:41 --------- d-----w C:\Programmi\Pinnacle
2008-08-27 10:13 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Pinnacle VideoSpin
2008-08-27 09:05 --------- d-----w C:\Programmi\Google
2008-08-27 09:03 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\VideoSpin
2008-08-27 09:02 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Pinnacle
2008-08-27 08:51 --------- d-----w C:\Programmi\File comuni\Ulead Systems
2008-08-27 08:51 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Ulead Systems
2008-08-27 08:41 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Ulead Systems
2008-08-27 07:31 --------- d-----w C:\Programmi\Jasc Software Inc
2008-08-27 07:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\InstallShield
2008-08-27 07:29 --------- d-----w C:\Programmi\File comuni\Jasc Software Inc
2008-08-27 07:29 --------- d-----w C:\Programmi\File comuni\InstallShield
2008-08-27 07:28 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Jasc Software Inc
2008-08-25 20:42 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\FarmFrenzy2
2008-08-25 17:31 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Gamelab
2008-08-25 17:00 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Go-Go Gourmet Chef of the Year
2008-08-12 18:54 7,168 ----a-w C:\WINDOWS\DB4794FCE884E976BDE9CF9CC860A8B5.exe
2008-07-31 09:20 7,168 ----a-w C:\WINDOWS\D4ABDBBDCC9F791A8F643AAD36CDF7C.exe
2008-07-26 09:15 7,168 ----a-w C:\WINDOWS\41D2529AB87C20573C474348B7F7C29.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" [2007-04-04 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 8466432]
"UnlockerAssistant"="C:\Programmi\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-03-28 413696]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2008-08-29 185896]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2008-09-02 949376]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 172032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc]
2004-06-07 12:15 313871 C:\WINDOWS\system32\fdbbcbeeefebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 04:14 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-05-15 15:55 1057328 C:\Programmi\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Programmi\File comuni\Ahead\lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 18:43 8466432 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-06-28 18:43 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Programmi\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-05-15 15:55 1628208 C:\Programmi\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 19:19 15872 C:\Programmi\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 12:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-14 04:14 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=

R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 12416]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-swg - C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
HKLM-Run-Microsoft Windows Sound - svshost.exe
HKLM-RunServices-Microsoft Windows Sound - svshost.exe


.
------- Supplementare di scansione -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.it/
R0 -: HKCU-Main,SearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
R0 -: HKCU-Main,Default_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
R0 -: HKLM-Main,Search Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
R0 -: HKLM-Main,SearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://seriali.nod32.it/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R1 -: HKLM-Internet Explorer,SearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
O8 -: E&sporta in Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 17:49:35
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7]
"ImagePath"="system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESSO: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\fdbbcbeeefebc.dll
-> C:\Programmi\Eset\pr_imon.dll

PROCESSO: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-10-16 17:54:34
ComboFix-quarantined-files.txt 2008-10-16 15:53:47

Pre-Run: 71,383,183,360 byte disponibili
Post-Run: 71,417,782,272 byte disponibili

206 --- E O F --- 2008-07-07 23:58:30

[ste_95]

Crea un file CFScript.txt contenente quanto segue:

Codice: Seleziona tutto

File::
C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys

Registry::
[-HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7]
[-HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d]

Poi, trascinalo sull'icona di combofix.

[Ran85]

Il Nod è riapparso!!!!!!!!!

Grazie mille faccio subito una bella scansione

Comunque visto che è la quarta volta che mi prendo un virus simile... come posso fare per evitarlo??
Eppure sto sempre attenta a ciò che scarico o installo

[Amantide]

Codice: Seleziona tutto

File::
C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys

Registry::
[-HKLM\SYSTEM\ControlSet002\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7]
[-HKLM\SYSTEM\CurrentControlSet\Services\d1ae6bf2a2fdd47d259b1c5be3f614d]

Ci sarebbe anche tanto altro da eliminare.


Visto che hai detto che OtMoveIt si avvia senza problemi, prova a darli in pasto questo script e vedi se riuscirà ad eliminare qualcosa.

Codice: Seleziona tutto

C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\WVJXNZF1\x_to_hide[2].gif
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\WVJXNZF1\app_2_12156593665_9425[1].gif
C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys
C:\WINDOWS\System32\Drivers\aox14gbi.SYS
C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\DB4794FCE884E976BDE9CF9CC860A8B5.exe
C:\WINDOWS\D4ABDBBDCC9F791A8F643AAD36CDF7C.exe
C:\WINDOWS\41D2529AB87C20573C474348B7F7C29.exe
C:\WINDOWS\F59135DD2C94155341E109C7631A66C.exe
C:\WINDOWS\CED6976738D05B35835A7C9F194262D.exe
C:\WINDOWS\5BF323DE133BEC2BFACD1CAFF5E0ABAF.exe
C:\Documents and Settings\All Users\Dati applicazioni\TEMP

[Ran85]

Fatto.. ecco il log

< C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\WVJXNZF1\x_to_hide[2].gif >
File/Folder C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\WVJXNZF1\x_to_hide[2].gif not found.
< C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\WVJXNZF1\app_2_12156593665_9425[1].gif >
File/Folder C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\WVJXNZF1\app_2_12156593665_9425[1].gif not found.
File move failed. C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys scheduled to be moved on reboot.
File/Folder C:\WINDOWS\System32\Drivers\aox14gbi.SYS not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\system32\fdbbcbeeefebc.dll NOT unregistered.
C:\WINDOWS\system32\fdbbcbeeefebc.dll moved successfully.
C:\WINDOWS\DB4794FCE884E976BDE9CF9CC860A8B5.exe moved successfully.
C:\WINDOWS\D4ABDBBDCC9F791A8F643AAD36CDF7C.exe moved successfully.
C:\WINDOWS\41D2529AB87C20573C474348B7F7C29.exe moved successfully.
C:\WINDOWS\F59135DD2C94155341E109C7631A66C.exe moved successfully.
C:\WINDOWS\CED6976738D05B35835A7C9F194262D.exe moved successfully.
C:\WINDOWS\5BF323DE133BEC2BFACD1CAFF5E0ABAF.exe moved successfully.
C:\Documents and Settings\All Users\Dati applicazioni\TEMP moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10172008_172708

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys scheduled to be moved on reboot.

Inoltre avrei altri 2 problemini... non gravi ma fastidiosi...
1) ogni volta che avvio il computer mi esce quest'avviso:
ATKKBService.exe - Errore di applicazione
L'istruzione a "0x77da6f35" ha fatto riferimento alla memoria a "0x00000001". La memoria non poteva essere "read"
Clicca ok per terminare l'applicazione

Clicco ok e poi tutto comunque funziona normalmente

2) Mi è sparito il collegamento a risorse del computer sia dal desktop che da start e non so come rimetterlo...

[Amantide]

Comunque visto che è la quarta volta che mi prendo un virus simile... come posso fare per evitarlo??
Eppure sto sempre attenta a ciò che scarico o installo

Magari cambiando i software di sicurezza? Antivir come antivirus, Comodo Firewall con la funzione Defence++ abilitata oppure Spyware Terminator per sostituire questa funzionalità.

Inoltre avrei altri 2 problemini... non gravi ma fastidiosi...
1) ogni volta che avvio il computer mi esce quest'avviso:
ATKKBService.exe - Errore di applicazione
L'istruzione a "0x77da6f35" ha fatto riferimento alla memoria a "0x00000001". La memoria non poteva essere "read"
Clicca ok per terminare l'applicazione

Clicco ok e poi tutto comunque funziona normalmente

Vedi qui.

2) Mi è sparito il collegamento a risorse del computer sia dal desktop che da start e non so come rimetterlo...

Prova a riabilitarlo con Gargaroz.

Mi posti anche il log della nuova scansione con ComboFix.