www.MegaLab.it

da **giuseppe67** » mer feb 24, 2010 10:04 am

ok rifo la scansione con malwarebytes e poi uso il programma findykill.exe
x le chiavette usb adesso so pure infette????????????????????
come fo adesso x disinfetarle senza perdere il contenuto??????????????? [grazie]

da **stevens** » mer feb 24, 2010 10:10 am

esegui la scansione con findykill e NON INSERIRLE NEL PC per ora

dopo controlleremo anche le chiavette

da **giuseppe67** » mer feb 24, 2010 10:14 am

stevens mi a detto: disattiva il ripristino e tienilo disattivato fino alla soluzione del problema?????
sarebbe il riavvio del pc dopo la scansione con malwarebytes????????o altro? [8)]

da **stevens** » mer feb 24, 2010 10:20 am

si dopo che malwarebytes ti avra' eliminato le infezioni, disattivalo

Per disattivare il ripristino di sistema vai su :
Start/tasto destro del mouse su risorse del computer/proprietà/Ripristino configurazione del sistema/e metti la spunta su "disattiva ripristino configurazione del sistema"

da **giuseppe67** » mer feb 24, 2010 10:35 am

quando a finito la scansionedi malwarebytes se mi dice di riavviareil pc devo riavviare o no??????????????? [8)]

da **stevens** » mer feb 24, 2010 10:42 am

quando a finito la scansionedi malwarebytes se mi dice di riavviareil pc devo riavviare o no???????????????

certo che devi

da **giuseppe67** » mer feb 24, 2010 11:29 am

o fatto tutto ecco il log di findykill:
Ndisuio - # Type of startup = 3

EapHost - # Type of startup = 2

Ip6Fw - # Type of startup = 2

SharedAccess - # Type of startup = 2

wuauserv - # Type of startup = 2

wscsvc - # Type of startup = 2

\\\\\\\\\\\\\\\\\\ [ Cleaning Removable drives ] ///////////////////

# Informations :

C: - Unit… fissa

F: - Unit… fissa

# deleting files :

\\\\\\\\\\\\\\\\\\ [ Registry / Mountpoint2 ] ///////////////////

-> Not found !

\\\\\\\\\\\\\\\\\\ [ Searching Other Infections ] ///////////////////

\\\\\\\\\\\\\\\\\\ [ Searching Cracks / Keygen ] ///////////////////

C:\Documents and Settings\user\Dati applicazioni\uTorrent\Epocware Handy Tools Pro v1.01 SymbianOS S60v3 incl keygen-TSRH.torrent
C:\Documents and Settings\user\Desktop\francesco\Cell n70\Altro\Infinite.Dreams.Superminers.320x240.v1.07.S60v3.SymbianOS9.1.Cracked-BiNPDA.sisx
C:\Documents and Settings\user\Desktop\francesco\Cell n70\Programmi\Bluetooth\IM+_Bluetooth_v1.06_S60_OS8_Cracked_SMPDA.sis
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\Emulatori\emulatori\emulador snes Vampent.vSun.v1.0.S60.SymbianOS.Cracked-oWnPDA.rar
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\Emulatori\emulatori\Nokia N-gage - GoBoy.Plus.v1.40.(3650.7650)_Incl.Keygen Gameboy emulator.zip
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\Emulatori\emulatori\Vampent.vSun.v1.1.S60.SymbianOS.Cracked-HeXPDA.rar
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\Crack Key
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\MGS.v2.0.NGAGE-Cracked-ANiMeX.sis
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\Crack Key\cobra.exe
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\Crack Key\jewels.exe
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\Crack Key\MGS Steel Warrior 1.0.exe
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\Crack Key\MGSKarting-MGSKartingv11Keygen-30181117.exe
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\Crack Key\ml pool.exe
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\Crack Key\Noumena The Five - v1[1].00.exe
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\Crack Key\ostelo.exe
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\MGS\Crack Key\silber bal.exe
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\Multi via BT\AGILEFIGHTERV10CRACKED.SIS
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\Multi via BT\BoomsLang_HoverZone_v1.0_CRACKED_SMPDA.sis
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\Multi via BT\CaveBlaster_1.0_S60_CRACKED_SMPDA.sis
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\Multi via BT\Thyamis.The.Match.v2.1.S60.SymbianOS.Cracked.HunterX.BWOPDA.sis
C:\Documents and Settings\user\Desktop\francesco\Cell n70\SIS 2nd\Multi via BT\WacKoo.Valentine.Games.2005.v3.02.S60.SymbianOS.Retail.Cracked-SMPDA.sis

################## [ ! End of report # FindyKill V4.714 ! ]
[boh]

da **stevens** » mer feb 24, 2010 12:01 pm

non ha trovato nulla, probabilmente lo hai preso nella fase iniziale

continuiamo con la pulizia

scarica combofix

(non installare la recovery console)
Lascia lavorare il programma senza interferire
Allega il rapporto C:\ComboFix.txt nella tua risposta.

non usare il pc durante la scansione, nemmeno il mouse!

NOTA:

devi eliminare tutti quei crack se vuoi che il pc sia a posto

da **Berga95** » mer feb 24, 2010 12:05 pm

Tralasciando la "valanga" di crack & keygen trovati, potresti vedere se trovi i file nominati in questi articoli nel tuo computer? ( [search]

)
http://www.MegaLab.it/3724/2/il-worm-ba ... -rimozione
http://www.MegaLab.it/2657/bagle-un-wor ... -antivirus
tipo srosa.sys, hldrrr.exe, i vari componenti di Bagle.

EDIT: Mi raccomando, non cancellarli. E come dice stevens DEVI cancellare tutti i crack

da **giuseppe67** » mer feb 24, 2010 12:12 pm

scusate la mia ignoranza ma che significa :(non installare la recovery console) [grazie]

da **Uomo_Senza_Sonno** » mer feb 24, 2010 12:21 pm

giuseppe67 ha scritto:scusate la mia ignoranza ma che significa :(non installare la recovery console)

Combofix chiede di installare una console di ripristino prima di effettuare la scansione, tu dovrai scegliere NO.

da **giuseppe67** » mer feb 24, 2010 3:51 pm

come mi e stato detto o fatto sia la rimozione dei kra, e sia la scansione con combifix vi allego tutte e 2 i log sia di findykill e sia di combifix:ComboFix 10-02-23.04 - user 24/02/2010 15.41.01.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1023.620 [GMT 1:00]
Eseguito da: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys

((((((((((((((((((((((((( Files Creati Da 2010-01-24 al 2010-02-24 )))))))))))))))))))))))))))))))))))
.

2010-02-24 10:06 . 2010-02-24 14:07 -------- d-----w- c:\programmi\FindyKill
2010-02-23 13:51 . 2010-02-23 13:51 388096 ----a-r- c:\documents and settings\user\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-23 13:51 . 2010-02-23 13:51 -------- d-----w- c:\programmi\TrendMicro
2010-02-22 19:09 . 2010-02-22 19:09 -------- d-----w- c:\documents and settings\user\Impostazioni locali\Dati applicazioni\Conduit
2010-02-22 19:09 . 2010-02-22 19:09 -------- d-----w- c:\programmi\Conduit
2010-02-22 19:09 . 2010-02-23 08:15 -------- d-----w- c:\documents and settings\user\Impostazioni locali\Dati applicazioni\Softonic_Italia
2010-02-22 19:09 . 2010-02-22 20:55 -------- d-----w- c:\programmi\Softonic_Italia
2010-02-22 19:07 . 2010-02-23 08:04 -------- d-----w- c:\programmi\JDownloader
2010-02-14 22:31 . 2006-08-29 14:56 32377 ----a-w- c:\windows\system32\drivers\prodigy.sys
2010-02-14 22:31 . 2010-02-14 23:29 -------- d-----w- c:\programmi\NSS
2010-02-14 22:31 . 2009-01-16 13:46 2486848 ----a-w- c:\documents and settings\user\Dati applicazioni\Simply Super Software\Trojan Remover\fbx72.exe
2010-02-14 14:35 . 2010-02-14 14:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-14 14:07 . 2010-02-14 14:08 -------- d-----w- C:\Returnil
2010-02-14 14:07 . 2010-02-14 14:07 -------- d-----w- c:\windows\system32\Returnil
2010-02-14 14:07 . 2010-02-14 14:07 -------- d-----w- c:\programmi\Returnil
2010-02-14 08:59 . 2010-02-14 08:59 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\vlc
2010-02-11 13:51 . 2010-02-11 13:51 24419312 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_it[1].exe
2010-02-11 11:44 . 2008-03-21 12:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-02-11 11:40 . 2009-03-19 13:48 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2010-02-11 11:40 . 2009-03-19 13:48 136704 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2010-02-11 11:40 . 2009-02-09 07:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-02-11 11:40 . 2009-02-09 07:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-02-11 11:40 . 2009-02-09 07:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-02-11 11:40 . 2009-02-09 07:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-02-11 11:40 . 2009-02-09 07:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-02-11 11:38 . 2010-02-11 11:31 24419312 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_it.exe
2010-02-11 11:35 . 2010-02-11 11:35 3351812 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-02-11 11:35 . 2010-02-11 11:35 36864 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-02-11 11:35 . 2010-02-11 11:35 3203453 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-02-11 11:23 . 2010-02-11 11:23 -------- d-----w- c:\documents and settings\Fra\Dati applicazioni\Avant Profiles
2010-02-11 08:05 . 2010-02-11 08:10 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 14:47 . 2009-01-11 08:37 107552 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-24 14:47 . 2009-01-11 08:37 3343904 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-24 14:42 . 2009-01-11 08:37 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-24 14:39 . 2009-01-11 08:37 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2010-02-24 14:31 . 2009-11-18 15:51 -------- d-----w- c:\programmi\Avant Browser
2010-02-24 13:50 . 2009-01-11 08:37 316340 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-24 11:45 . 2009-01-11 10:12 -------- d-----w- c:\documents and settings\user\Dati applicazioni\uTorrent
2010-02-24 10:21 . 2004-08-19 12:00 84996 ----a-w- c:\windows\system32\perfc010.dat
2010-02-24 10:21 . 2004-08-19 12:00 491438 ----a-w- c:\windows\system32\perfh010.dat
2010-02-18 21:37 . 2009-01-16 05:50 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2010-02-15 19:56 . 2009-04-04 20:41 -------- d-----w- c:\documents and settings\user\Dati applicazioni\Datalayer
2010-02-14 22:31 . 2009-01-11 07:41 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2010-02-14 08:38 . 2009-09-14 14:53 -------- d-----w- c:\programmi\Bandoo
2010-02-11 11:44 . 2010-02-11 11:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-02-11 11:44 . 2010-02-11 11:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-02-11 11:40 . 2009-04-07 18:06 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Installations
2010-02-11 11:40 . 2009-04-04 20:36 -------- d-----w- c:\programmi\Nokia
2010-02-11 11:39 . 2009-04-04 20:37 -------- d-----w- c:\programmi\File comuni\Nokia
2010-02-11 11:23 . 2009-01-12 19:47 116424 -c--a-w- c:\documents and settings\Fra\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-02-11 07:53 . 2009-04-04 20:37 -------- d-----w- c:\documents and settings\user\Dati applicazioni\PC Suite
2010-02-10 11:18 . 2009-01-10 23:17 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2010-01-23 18:35 . 2009-06-06 09:13 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Electronic Arts
2010-01-23 18:34 . 2010-01-23 18:34 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2010-01-23 18:34 . 2010-01-23 18:34 38784 ----a-w- c:\documents and settings\Default User\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-17 14:20 . 2009-01-11 07:41 -------- d-----w- c:\documents and settings\user\Dati applicazioni\Any DVD Converter Professional
2010-01-11 09:49 . 2009-04-12 18:08 -------- d-----w- c:\documents and settings\user\Dati applicazioni\U3
2010-01-06 21:46 . 2010-01-06 21:44 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Bandoo
2010-01-06 21:44 . 2010-01-06 21:44 -------- d-----w- c:\documents and settings\user\Dati applicazioni\Bandoo
2010-01-06 21:42 . 2009-06-06 13:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-04 19:59 . 2009-04-08 11:47 -------- d-----w- c:\documents and settings\user\Dati applicazioni\Nokia Multimedia Player
2010-01-01 19:39 . 2009-01-14 14:00 -------- d-----w- c:\programmi\Electronic Arts
2009-12-31 16:50 . 2004-08-19 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 18:27 . 2009-01-10 20:48 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-12-27 13:45 . 2009-01-24 21:52 -------- d-----w- c:\documents and settings\user\Dati applicazioni\My The Lord of the Rings, The Rise of the Witch-king Files
2009-12-27 13:13 . 2009-08-29 19:23 -------- d-----w- c:\documents and settings\user\Dati applicazioni\File de La Battaglia per la Terra di Mezzo™ II
2009-12-27 13:11 . 2009-06-30 20:35 -------- d-----w- c:\programmi\Imperivm Civitas
2009-12-22 05:08 . 2004-08-19 12:00 669696 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:08 . 2004-08-19 12:00 81920 -c--a-w- c:\windows\system32\ieencode.dll
2009-12-17 07:40 . 2009-01-10 20:34 346112 -c--a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-19 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 10:07 . 2004-08-19 12:00 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:07 . 2004-08-19 15:34 2027520 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-19 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:12 . 2004-08-19 12:00 1296896 -c--a-w- c:\windows\system32\quartz.dll
2009-11-27 17:12 . 2004-08-19 15:39 17920 -c--a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2001-08-30 23:08 8704 -c--a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-19 15:39 48128 -c--a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2004-08-19 12:00 85504 -c--a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-19 12:00 28672 -c--a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2004-08-19 12:00 11264 -c--a-w- c:\windows\system32\msrle32.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}]
2009-09-29 07:24 1863616 ----a-w- c:\programmi\Bandoo\Plugins\IE\ieplugin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"L09IXLRD_1560406"="c:\programmi\Microsoft Student\Microsoft Encarta 2009 - Premium + Student DVD\EDICT.EXE" [2009-03-02 351000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\user\Menu Avvio\Programmi\Esecuzione automatica\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\programmi\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Synchronizer.lnk - c:\programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Avvio rapido di HP Image Zone.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\All Users\\Dati applicazioni\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\Italian\\setup.exe"=
"c:\\Documents and Settings\\user\\Desktop\\[Mondololloso-Script] v2.0.1\\[Mondololloso Script] v2.0.1.exe"=
"c:\\Documents and Settings\\user\\Desktop\\PoWeR-Script.0.2.1\\mIRC.exe"=
"c:\\Programmi\\Electronic Arts\\L'Ascesa del Re Stregone\\lotrbfme2ep1.exe"=
"c:\\Programmi\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe"=
"c:\\Programmi\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Vuze\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\user\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\xdccMule\\mIRC.exe"=
"c:\\Programmi\\Java\\jre1.6.0_07\\bin\\javaw.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [13/12/2007 13.28.40 24592]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/01/2009 0.26.06 685816]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programmi\MAGIX\Common\Database\bin\fbserver.exe [11/10/2009 16.43.27 1527900]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [11/02/2010 12.40.42 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [11/02/2010 12.40.43 8320]
S3 PRODIGY;PRODIGY;c:\windows\system32\drivers\prodigy.sys [14/02/2010 23.31.55 32377]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Connection Wizard,ShellNext = iexplore
IE: Aggiungi ad Anti-Banner - c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {45DC4DE7-2584-4638-8886-1B223360BF58} = 192.168.1.1
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

WebBrowser-{4EDD5C14-2D22-4D7A-9748-C975A7FD933B} - (no file)
AddRemove-HijackThis - c:\documents and settings\user\Desktop\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 15:47
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-117609710-688789844-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*s*c*f* \OpenWithList]
@Class="Shell"
"a"="WORDPAD.EXE"
"MRUList"="ba"
"b"="NOTEPAD.EXE"

[HKEY_USERS\S-1-5-21-117609710-688789844-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*s*c*f* \OpenWithProgids]
"scf”_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-117609710-688789844-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3DDAF073-4544-42D2-9CE2-AF2140346445}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oalpggdoiiifkngjmbdfafhagggcbf"=hex:64,61,69,6a,6c,6f,70,64,00,85
"oahpokphhbhfmmjijgkfbcdpaolmae"=hex:6b,61,6c,6a,66,6a,6d,70,6e,6a,69,69,62,63,
66,68,6d,6a,70,66,67,64,00,7c
"nanoehbldjnoekdiacgdgiicahaj"=hex:6b,61,6c,6a,66,6a,6d,70,6e,6a,69,69,62,63,
66,68,6d,6a,70,66,67,64,00,7c
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(964)
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll

- - - - - - - > 'explorer.exe'(2208)
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\windows\system32\msi.dll
.
Ora fine scansione: 2010-02-24 15:52:46
ComboFix-quarantined-files.txt 2010-02-24 14:52

Pre-Run: 79.726.899.200 byte disponibili
Post-Run: 79.692.918.784 byte disponibili

- - End Of File - - 51661EE78F4F10C0F3825C38824E7521

###################### [ FindyKill V4.714 ]

# User : user - USER-3998A13E66
# Executed from : C:\Programmi\FindyKill
# Update on 19/01/09 by Chiquitine29
# Start at 14:51:18 the 24/02/2010
# Windows XP - Internet Explorer 6.0.2900.5512

# [ FindyKill V4.714 - Deleting ] ###############

\\\\\\\\\\\\\\\\\\ [ Active Processes ] ///////////////////

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Nero\Nero BackItUp 4\NBService.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\userinit.exe

\\\\\\\\\\\\\\\\\\ [ Infected Files / Folders ] ///////////////////

################## [ C:\ ]

################## [ C:\WINDOWS ]

################## [ C:\WINDOWS\Prefetch ]

################## [ C:\WINDOWS\system32 ]

################## [ C:\WINDOWS\system32\drivers ]

################## [ C:\Documents and Settings\user\Dati applicazioni ]

################## [ C:\DOCUME~1\user\IMPOST~1\Temp ]

################## [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5 ]

\\\\\\\\\\\\\\\\\\ [ Registry / Infected keys ] ///////////////////

\\\\\\\\\\\\\\\\\\ [ States / Restarting of services ] ///////////////////

# Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - # Type of startup = 3

EapHost - # Type of startup = 2

Ip6Fw - # Type of startup = 2

SharedAccess - # Type of startup = 2

wuauserv - # Type of startup = 2

wscsvc - # Type of startup = 2

\\\\\\\\\\\\\\\\\\ [ Cleaning Removable drives ] ///////////////////

# Informations :

C: - Unit… fissa

F: - Unit… fissa

# deleting files :

\\\\\\\\\\\\\\\\\\ [ Registry / Mountpoint2 ] ///////////////////

-> Not found !

\\\\\\\\\\\\\\\\\\ [ Searching Other Infections ] ///////////////////

\\\\\\\\\\\\\\\\\\ [ Searching Cracks / Keygen ] ///////////////////

################## [ ! End of report # FindyKill V4.714 ! ] [grazie]

da **stevens** » mer feb 24, 2010 4:17 pm

del bagle nemmeno l'ombra.......evidentemente erano delle infezioni prese all'inizio quelle rilevate da malwarebytes

fai un po' di pulizia e manutenzione mentre finisco di controllare combofix

scarica ccleaner

1) per il download dell'ultima versione clicca a destra in alto sotto la freccia verde
2) installalo (senza la toolbar aggiuntiva)
3) clicca su "avvia pulizia", ripeti il procedimento 2 volte

usa anche questo pulitore

Avvialo con un doppio click

1.1) seleziona la casella Select All
2.1) clicca sul pulsante Empty selected
3.1) aspetta l'avviso Done Cleaning
(se usi opera o firefox,spunta anche le loro sezioni)

esegui una deframmentazione del disco come qui descritto

Scarica e installa l'ultima versione di Adobe Reader

Finite queste operazioni controlla se il pc presenta sempre quel rallentamento che riscontri

da **giuseppe67** » mer feb 24, 2010 6:41 pm

pare che va meglio,x il riavvio del sistema devo togliere la spunta su disattiva ripristino configurazione del sistema,o devo lascia stare?
x le chiavette usb che o messo nel pc,cosa fo? [grazie]

da **stevens** » mer feb 24, 2010 7:43 pm

per ora lascia il ripristino disattivato, lo riattiviamo alla fine

per le chievette usb usa ninja

inseriscile nel pc una alla volta come spiegato QUI

Riavvia il computer in modalità provvisoria:

all'avvio del pc, prima che inizi a caricare Windows, premi ripetutamente F8. Uscirà la finestra del menu Opzioni avanzate di Windows => scegli modalità provvisoria (usa il tasto freccia ^)

scarica questo programmino

trovi il download in fondo alla pagina

Assicurati che la casella Eliminar Ficheros Automaticamente sia spuntata e clicca su Explorar
Posta il log C:\InfoSat.txt

sempre da provvisoria fai una scansione con virit

aggiorna il programma e fai na scansione completa

alla fine posta il log che rilascia

da **giuseppe67** » mer feb 24, 2010 10:19 pm

o fatto le due scansione e questi sono i log:Stato: File TROVATO

251 - 24/2/2010 - 22:23:56
36
{52B87208-9CCF-42C9-B88E-069281105805}
C:\PROGRA~1\TROJAN~1\Trshlex.dll
Stato: File TROVATO

252 - 24/2/2010 - 22:23:56
36
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Programmi\WinRAR\rarext.dll
Stato: File TROVATO

253 - 24/2/2010 - 22:23:56
36
{6C467336-8281-4E60-8204-430CED96822D}
C:\Programmi\Microsoft Office\Office12\GrooveShellExtensions.dll
Stato: File TROVATO

254 - 24/2/2010 - 22:23:56
26
000000000001
C:\WINDOWS\System32\mswsock.dll
Stato: File TROVATO

255 - 24/2/2010 - 22:23:56
26
000000000002
C:\WINDOWS\System32\winrnr.dll
Stato: File TROVATO

256 - 24/2/2010 - 22:23:56
26
000000000003
C:\WINDOWS\System32\mswsock.dll
Stato: File TROVATO

257 - 24/2/2010 - 22:23:56
26
000000000004
C:\WINDOWS\system32\wshbth.dll
Stato: File TROVATO

258 - 24/2/2010 - 22:23:56
28
AtiExtEvent
Ati2evxx.dll
Stato: File TROVATO

259 - 24/2/2010 - 22:23:56
28
crypt32chain
crypt32.dll
Stato: File TROVATO

260 - 24/2/2010 - 22:23:56
28
cryptnet
cryptnet.dll
Stato: File TROVATO

261 - 24/2/2010 - 22:23:56
28
cscdll
cscdll.dll
Stato: File TROVATO

262 - 24/2/2010 - 22:23:56
28
dimsntfy
C:\WINDOWS\System32\dimsntfy.dll
Stato: File TROVATO

263 - 24/2/2010 - 22:23:56
28
klogon
C:\WINDOWS\system32\klogon.dll
Stato: File TROVATO

264 - 24/2/2010 - 22:23:56
28
ScCertProp
wlnotify.dll
Stato: File TROVATO

265 - 24/2/2010 - 22:23:56
28
Schedule
wlnotify.dll
Stato: File TROVATO

266 - 24/2/2010 - 22:23:56
28
sclgntfy
sclgntfy.dll
Stato: File TROVATO

267 - 24/2/2010 - 22:23:56
28
SensLogn
WlNotify.dll
Stato: File TROVATO

268 - 24/2/2010 - 22:23:56
28
termsrv
wlnotify.dll
Stato: File TROVATO

269 - 24/2/2010 - 22:23:56
28
wlballoon
wlnotify.dll
Stato: File TROVATO

270 - 24/2/2010 - 22:23:56
55
Your Image File Name Here without a path
ntsd -d
Stato: File NON trovato

271 - 24/2/2010 - 22:24:23
5
SpybotSD TeaTimer
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
Stato: File TROVATO

272 - 24/2/2010 - 22:24:23
5
L09IXLRD_1560406
"C:\Programmi\Microsoft Student\Microsoft Encarta 2009 - Premium + Student DVD\EDICT.EXE" -m
Stato: File TROVATO

273 - 24/2/2010 - 22:24:23
5
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
Stato: File TROVATO

(24-2-2010 19:50:9)
EliBagle v13.60 (c)2010 S.G.H. / Satinfo S.L. (Actualizado el 22 de Febrero del 2010)
----------------------------------------------
Lista de Acciones (por Acción Directa):

(24-2-2010 19:50:38)
EliBagle v13.60 (c)2010 S.G.H. / Satinfo S.L. (Actualizado el 22 de Febrero del 2010)
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando "C:\"

(24-2-2010 20:4:54)
EliBagle v13.60 (c)2010 S.G.H. / Satinfo S.L. (Actualizado el 22 de Febrero del 2010)
----------------------------------------------
Lista de Acciones (por Acción Directa):

(24-2-2010 20:4:57)
EliBagle v13.60 (c)2010 S.G.H. / Satinfo S.L. (Actualizado el 22 de Febrero del 2010)
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando "C:\"
[uhm]

da **giuseppe67** » mer feb 24, 2010 10:55 pm

scusa ma l'altro log e questo:VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
24/02/2010 - 21:12:15

[SCANSIONE DEL REGISTRO]
{FE063DB9-4EC0-403e-8DD8-394C54984B2C} Infetto da BHO.Ask.A
* * * RIMOSSO * * *

[C:\Programmi]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Programmi\WinRAR\Uninstall.Exe Infetto da Backdoor.PoeBot.D
* * * RIMOSSO * * *

Chiavi Registro infette: 1.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 44639.
Files Totali: 44639.
Chiavi Registro rimosse: 1.
Virus Rimossi: 1.

--------------------------------------------------------
24/02/2010 - 21:35:45

[SCANSIONE DEL REGISTRO]
OK

[D:]

Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 0.
Files Totali: 0.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

--------------------------------------------------------
24/02/2010 - 21:35:54

[SCANSIONE DEL REGISTRO]
OK

[E:]

Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 0.
Files Totali: 0.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

--------------------------------------------------------
24/02/2010 - 21:36:07

[SCANSIONE DEL REGISTRO]
OK

[F:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 52.
Files Totali: 52.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

--------------------------------------------------------
24/02/2010 - 21:36:25

[SCANSIONE DEL REGISTRO]
OK

[F:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 52.
Files Totali: 52.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

--------------------------------------------------------
24/02/2010 - 21:36:38

[SCANSIONE DEL REGISTRO]
OK

[G:]

Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 0.
Files Totali: 0.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

--------------------------------------------------------
24/02/2010 - 21:36:51

[SCANSIONE DEL REGISTRO]
OK

[A:]
BOOT SECTOR: OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 817.
Files Totali: 817.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

[SCANSIONE DELLA MEMORIA]
[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK

da **stevens** » gio feb 25, 2010 10:51 am

abbiamo ''spremuto'' per bene il pc, sembra che e' stato pulito abbastanza, a parte questo che non mi convince

C:\PROGRA~1\TROJAN~1\Trshlex.dll

prova ad analizzarlo QUI

per eliminare i vari tool usati scaricati questo programmino

eseguilo
Clicca su CleanUp.
Alla richiesta di riavvio clicca SI

vai in Disco Locale C: ed elimina la cartella QooBox

elimina l'eventuale cartella che avevi creato sul Desktop in cui avevi posizionato Combofix.

da **giuseppe67** » gio feb 25, 2010 12:10 pm

o messo il file nel programmino e mi da questo risultato:File Trshlex.dll ricevuto il 2009.12.03 04:12:38 (UTC)
Stato corrente: finito

Risultato: 2/41 (4.88%)
Formattato Stampa risultati
Antivirus Versione Ultimo aggiornamento Risultato
a-squared 4.5.0.43 2009.12.03 -
AhnLab-V3 5.0.0.2 2009.12.03 -
AntiVir 7.9.1.92 2009.12.02 -
Antiy-AVL 2.0.3.7 2009.12.02 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.03 Win32:Delf-MZG
AVG 8.5.0.426 2009.12.02 -
BitDefender 7.2 2009.12.03 -
CAT-QuickHeal 10.00 2009.12.02 -
ClamAV 0.94.1 2009.12.03 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.03 -
eSafe 7.0.17.0 2009.12.02 -
eTrust-Vet 35.1.7153 2009.12.02 -
F-Prot 4.5.1.85 2009.12.02 -
F-Secure 9.0.15370.0 2009.12.03 -
Fortinet 4.0.14.0 2009.12.03 -
GData 19 2009.12.03 Win32:Delf-MZG
Ikarus T3.1.1.74.0 2009.12.03 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.910 2009.12.02 -
Kaspersky 7.0.0.125 2009.12.03 -
McAfee 5819 2009.12.01 -
McAfee+Artemis 5819 2009.12.01 -
McAfee-GW-Edition 6.8.5 2009.12.03 -
Microsoft 1.5302 2009.12.02 -
NOD32 4656 2009.12.02 -
Norman 6.03.02 2009.12.02 -
nProtect 2009.1.8.0 2009.12.02 -
Panda 10.0.2.2 2009.12.03 -
PCTools 7.0.3.5 2009.12.03 -
Prevx 3.0 2009.12.03 -
Rising 22.24.03.01 2009.12.03 -
Sophos 4.48.0 2009.12.03 -
Sunbelt 3.2.1858.2 2009.12.03 -
Symantec 1.4.4.12 2009.12.03 -
TheHacker 6.5.0.2.083 2009.12.01 -
TrendMicro 9.100.0.1001 2009.12.03 -
VBA32 3.12.12.0 2009.12.02 -
ViRobot 2009.12.2.2068 2009.12.02 -
VirusBuster 5.0.21.0 2009.12.02 -
Informazioni addizionali
File size: 467552 bytes
MD5 : b76fdc3cdb2580405fe8100d248b4821
SHA1 : 074665572523c7787f4bc3914568c04fafc4ec55
SHA256: 5e8d904ff8000d3e676e9d8ef48d162db216dc82a0731fad1080c452ec4a9112
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x60B50
timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype.......: 0x14C (Intel I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x5FB68 0x5FC00 6.54 9db468a8209b5526fcce4c888108d3f5
DATA 0x61000 0x12C0 0x1400 4.09 35382a9ac62d5e1c39cb6cda7bed5c84
BSS 0x63000 0xC6D 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x64000 0x2678 0x2800 4.84 e25c0659b5df7b9c2cd611719dab0f94
.edata 0x67000 0xA4 0x200 1.93 dee1197c4fb9a92d91005d8055d7d826
.reloc 0x68000 0x6CA8 0x6E00 6.68 869533f9ecc0fd3f4fd0b3ec0902b0e0
.rsrc 0x6F000 0x6400 0x6400 4.13 a8bc95df671d8e313d641dcc1e17bad3

( 0 imports )

( 0 exports )

TrID : File type identification
Windows OCX File (80.8%)
Win32 Executable Delphi generic (9.6%)
Win32 Executable Generic (5.5%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
ssdeep: 6144:kmflcAwTacg6vFCJmoZuU/1i4YvPlU7E14hjzAfCFigz5ql2ieL3n7xeuQgOAjRk:k+lcAWg6vF4my0+HEKg8pQMOAjVkDWs
PEiD : -
RDS : NSRL Reference Data Set

[8)]

da **giuseppe67** » gio feb 25, 2010 12:37 pm

n o usato il programmino e o riavviato ma in disco locale c non ce nessuna cartella con il nome qoobox?????????? [boh]

www.MegaLab.it

HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Re: HELP!

Chi c’è in linea