I've been infected by a Generic Trj trojan

Has a virus got into your computer? Do you want to browse in complete safety? Are online transactions secure? How do you stop malicious people getting into your PC? How do you protect your data? Here you'll find the answers to these and other questions.

Post by KillerPenguin » Tue Jun 19, 2012 3:39 pm

I infected myself, entirely on my own, with an exe that I thought was a false positive. This is what Panda detected:
I'm also willing to send the infected file, via private message of course, for more information.

The symptoms: at Windows startup a window appears telling me that Explorer is closing (probably caused by the virus), but it is reopened right afterwards (perhaps by Windows 7).

Do you have any solutions to work around this problem? I tried to see whether there are any strange processes starting with the OS, but I didn't seem to find any.

P.S. It isn't really a problem as such; it's more of an annoyance.
www.TheKillerPenguin.Altervista.org
KillerPenguin
Bronze Member
Posts: 517
Joined: Mon Feb 14, 2011 6:37 am

Re: I've been infected by a Generic Trj trojan

Post by eugenio19911 » Tue Jun 19, 2012 4:24 pm

You can try this:
scan the PC with Hitman Pro; it's very fast and catches quite a few things.
Once the scan is finished, if it detects the threat you can proceed in 2 ways:
in the first, the classic one, you remove the threat, but you have to activate a 30-day license, after which you will no longer be able to remove viruses with Hitman Pro.
In the second case you look at who detects the threat: if it's Ikarus or Emsisoft, you can use Emsisoft Anti-Malware Free if you want to keep it installed, or Emsisoft Emergency Kit; if instead the threat is detected by Dr.Web, use Dr.Web CureIt! (I recommend the version 7 beta, decidedly faster than the more recent one), and in this case too no software will be installed.
Personal note: If you ever feel like installing the penguin or Windows 8, get over it.
eugenio19911
Editor
Posts: 2158
Joined: Sat Sep 04, 2010 10:02 pm

Re: I've been infected by a Generic Trj trojan

Post by hashcat » Tue Jun 19, 2012 4:25 pm

Send me the sample.

While you're at it, post the DDS log.

<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.
hashcat
Official Member (Gold)
Posts: 2285
Joined: Mon Oct 25, 2010 1:26 pm


Re: I've been infected by a Generic Trj trojan

Post by KillerPenguin » Tue Jun 19, 2012 5:48 pm

I was thinking of working from Kaspersky Rescue Disk 10; what do you think?
www.TheKillerPenguin.Altervista.org
KillerPenguin
Bronze Member
Posts: 517
Joined: Mon Feb 14, 2011 6:37 am

Re: I've been infected by a Generic Trj trojan

Post by KillerPenguin » Tue Jun 19, 2012 5:52 pm

hashcat wrote:
Send me the sample.

While you're at it, post the DDS log.


Here are the logs:

DDS.txt
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Utente at 18:47:49 on 2012-06-19
Microsoft Windows 7 Professional 6.1.7601.1.1252.39.1040.18.2047.955 [GMT 2:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\BlueStacks\HD-LogRotatorService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Windows\Philips\SPC220NC\Monitor.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DAP\DAP.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Philips\Philips SPC220NC Webcam\TrayMin220.exe
C:\Users\Public\Documents\AppData\PoApp\PService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskhost.exe
C:\Users\Utente\Desktop\rescue2usb\rescue2usb.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Utente\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://search.findeer.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.findeer.com
uInternet Settings,ProxyServer = 77.43.119.187:3128
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
uURLSearchHooks: MyAshampoo Toolbar: {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - c:\program files\myashampoo\tbMyAs.dll
mURLSearchHooks: MyAshampoo Toolbar: {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - c:\program files\myashampoo\tbMyAs.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: PowerOffer: {3543619c-d563-43f7-95ea-4da7e1cc396a} - c:\users\public\documents\poweroffer\PowerOfferBHO.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: MyAshampoo Toolbar: {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - c:\program files\myashampoo\tbMyAs.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: BHO_TIMELINEREMOVE.Bho: {e7b9b609-19ad-40a4-a288-b300a3087465} - mscoree.dll
TB: MyAshampoo Toolbar: {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - c:\program files\myashampoo\tbMyAs.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\utente\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [PoService]
uRun: [MediaSearch] c:\users\utente\appdata\local\mediasearch\search.exe
uRun: [Facebook Update] "c:\users\utente\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
uRun: [ISUSPM] c:\programdata\flexnet\connect\11\ISUSPM.exe -scheduler
mRun: [Monitor] c:\windows\philips\spc220nc\Monitor.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PosService] c:\users\public\documents\appdata\poapp\PLauncher.exe
mRun: [B2C_AGENT] c:\programdata\lgmobileax\b2c_client\B2CNotiAgent.exe
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking11\Ereg.ini"
StartupFolder: c:\users\utente\appdata\local\windows\winhelp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\traymi~1.lnk - c:\program files\philips\philips spc220nc webcam\TrayMin220.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: SmarThru4 Acquisisci selezione - c:\program files\smarthru 4\WebCapture.dll2.htm
IE: SmarThru4 Capture Selection - c:\program files\smarthru 4\WebCapture.dll2.htm
IE: SmarThru4 Salva come HTML - c:\program files\smarthru 4\WebCapture.dll1.htm
IE: SmarThru4 Salva testo selezionato - c:\program files\smarthru 4\WebCapture.dll.htm
IE: SmarThru4 Save as HTML - c:\program files\smarthru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\smarthru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\smarthru 4\WebCapture.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: DhcpNameServer = 193.70.152.15 212.52.97.15
TCP: Interfaces\{B056FF82-C43E-4C0A-9994-087398B0AB7A} : NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{B40B3FC8-D83C-48E6-8B4F-F5328C6B6CBF} : NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{B672A1A7-6442-4259-A4E4-E7DB4733DF82} : NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{B672A1A7-6442-4259-A4E4-E7DB4733DF82} : DhcpNameServer = 193.70.152.15 212.52.97.15
TCP: Interfaces\{C1448F7B-F33B-4528-970C-50B4A6EDA537} : NameServer = 176.31.229.24,176.31.229.25
TCP: Interfaces\{e29ac6c2-7037-11de-816d-806e6f6e6963} : NameServer = 176.31.229.24,176.31.229.25
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\utente\appdata\roaming\mozilla\firefox\profiles\cwx208eo.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.blurum.it/Web/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\users\utente\appdata\local\facebook\messenger\2.1.4520.0\npFbDesktopPlugin.dll
FF - plugin: c:\users\utente\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_257.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-11-23 126216]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-9-8 176128]
R2 BstHdDrv;BlueStacks Hypervisor;c:\program files\bluestacks\HD-Hypervisor-x86.sys [2012-4-10 66912]
R2 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files\bluestacks\HD-LogRotatorService.exe [2012-4-10 385376]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2010-11-23 296808]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-1-5 144136]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111176]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-11-30 112904]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2011-10-19 5120]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-3-19 2666880]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-9-8 8606208]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-9-8 248832]
R3 Atc002;Driver miniport NDIS per controller Atheros L2 Fast Ethernet;c:\windows\system32\drivers\l260x86.sys [2009-6-10 29184]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-6-7 211984]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [2009-9-29 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [2009-9-29 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [2009-9-29 12928]
R3 SPC220NC;Philips SPC220NC Webcam;c:\windows\system32\drivers\SPC220NC.SYS [2007-5-16 507648]
S2 Apache2.2;Apache2.2;"c:\users\utente\desktop\xampp\apache\bin\httpd.exe" -k runservice --> c:\users\utente\desktop\xampp\apache\bin\httpd.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 metasploitPostgreSQL-1;metasploitPostgreSQL-1;C:/METASP~2/POSTGR~1/bin/pg_ctl.exe runservice -N "metasploitPostgreSQL-1" -D "C:/METASP~2/POSTGR~1/data" --> C:/METASP~2/POSTGR~1/bin/pg_ctl.exe runservice -N metasploitPostgreSQL-1 [?]
S2 metasploitPostgreSQL;metasploitPostgreSQL;C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N "metasploitPostgreSQL" -D "C:/METASP~1/POSTGR~1/data" --> C:/METASP~1/POSTGR~1/bin/pg_ctl.exe runservice -N metasploitPostgreSQL [?]
S2 PowerOffer Service;Pos Service;c:\users\utente\appdata\local\posservice\Pos.exe [2011-12-12 164352]
S2 ServUpdater;Serv Updater;c:\users\utente\appdata\local\servupdater\ServiceUpd.exe [2011-12-12 156160]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S2 WCMVCAM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\wcmvcam.sys [2011-6-23 1068216]
S2 XAMPP;XAMPP Service;c:\users\utente\desktop\xampp\service.exe --> c:\users\utente\desktop\xampp\service.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 257224]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2012-4-26 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2012-4-26 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2012-4-26 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2012-4-26 25088]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [2012-4-26 25728]
S3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;c:\windows\system32\drivers\Apowersoft_AudioDevice.sys [2011-11-18 16640]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BstHdAndroidSvc;BlueStacks Android Service;c:\program files\bluestacks\HD-Service.exe [2012-4-10 401760]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2012-1-11 32000]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-2-22 22400]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-12 129976]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-1 34384]
S3 StorSvc;Servizio di archiviazione;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-10-11 52224]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2012-4-3 82736]
S3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\wat\WatAdminSvc.exe [2011-10-11 1343400]
S4 MSSQLServerADHelper100;Servizio SQL Server Active Directory Helper;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-21 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2012-06-19 15:05:07 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{847dbff2-515c-4587-9ac8-9e4afdcb113d}\offreg.dll
2012-06-18 12:49:29 -------- d-----w- c:\users\utente\appdata\local\photoOptimizeHistoryDataBase
2012-06-18 12:49:27 -------- d-----w- c:\users\utente\appdata\local\Ashampoo Photo Optimizer 3
2012-06-17 17:05:44 -------- d-----w- c:\program files\Hunting Unlimited 2008
2012-06-17 16:32:47 -------- d--h--w- c:\users\utente\appdata\local\Windows
2012-06-17 16:32:45 -------- d--h--w- c:\users\utente\appdata\local\Server
2012-06-17 13:01:36 -------- d-----w- c:\users\utente\appdata\roaming\Enplase
2012-06-16 17:50:41 303616 ----a-w- c:\windows\IsUninst.exe
2012-06-16 17:44:19 -------- d-----w- c:\program files\Intelore
2012-06-16 07:23:07 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{847dbff2-515c-4587-9ac8-9e4afdcb113d}\mpengine.dll
2012-06-16 07:21:36 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-06-16 07:21:33 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-16 07:21:25 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-16 07:21:25 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-16 07:21:25 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-16 07:21:08 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 13:03:18 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 13:02:51 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 13:02:36 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 13:02:36 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 13:02:36 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 04:51:45 -------- d-----w- c:\users\utente\appdata\local\Macromedia
2012-06-04 10:51:50 -------- d-----w- c:\program files\Windows Imaging
2012-06-04 10:51:27 -------- d-----w- c:\program files\Windows AIK
2012-06-02 15:34:27 -------- d-----w- c:\users\utente\appdata\roaming\Nuance
2012-06-02 15:34:27 -------- d-----w- c:\users\utente\appdata\roaming\FLEXnet
2012-06-02 15:31:28 -------- d-----w- c:\program files\common files\IVA
2012-06-02 15:31:02 -------- d-----w- c:\program files\common files\Nuance
2012-06-02 15:29:17 -------- d-----w- c:\programdata\Nuance
2012-06-02 15:29:17 -------- d-----w- c:\program files\Nuance
2012-06-02 07:48:06 -------- d-----w- c:\users\utente\appdata\local\Oleksandr_Reminnyi
2012-06-02 07:47:26 -------- d-----w- c:\program files\StepShot
2012-06-01 06:59:57 -------- d-----w- c:\programdata\SpeedBit
2012-06-01 06:59:55 -------- d-----w- c:\program files\common files\SpeedBit
2012-06-01 06:59:54 84480 ----a-w- c:\windows\system32\EasyHook32.dll
2012-06-01 06:59:54 109216 ----a-w- c:\windows\system32\EasyHook64.dll
2012-06-01 06:59:53 -------- d-----w- c:\program files\DAP
2012-06-01 06:59:13 172032 ----a-w- c:\windows\system32\AniGIF.ocx
2012-05-31 13:07:41 -------- d-----w- c:\program files\AVS4YOU
2012-05-29 11:22:21 -------- d-----w- c:\users\utente\appdata\local\assembly
2012-05-29 09:35:45 -------- d-----w- c:\users\utente\appdata\local\Geckofx
2012-05-29 09:09:38 -------- d-----w- C:\xulrunner
2012-05-27 22:14:48 -------- d-----w- c:\users\utente\appdata\roaming\TheKillerPenguin
2012-05-26 16:24:35 163048 ----a-w- c:\programdata\microsoft\windows\sqm\manifest\Sqm10141.bin
2012-05-25 16:58:02 -------- d-----w- c:\users\utente\.gimp-2.8
2012-05-24 17:47:32 -------- d-----w- c:\users\utente\appdata\local\fontconfig
2012-05-24 17:47:30 -------- d-----w- c:\users\utente\appdata\local\gegl-0.2
2012-05-22 14:59:25 -------- d-----w- c:\users\utente\appdata\roaming\TweakNow HD-Analyzer
2012-05-22 14:59:25 -------- d-----w- c:\program files\TweakNow HD-Analyzer
.
==================== Find3M ====================
.
2012-06-12 06:21:25 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-12 06:21:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-28 13:43:45 3337840 ----a-w- C:\setup.exe
2012-04-04 16:47:08 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-04-04 16:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-03 12:47:54 91952 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-04-03 12:47:54 82736 ----a-w- c:\windows\system32\drivers\VBoxUSB.sys
2012-04-03 12:47:54 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2012-04-03 12:47:54 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2012-04-03 12:47:54 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2012-04-03 12:47:52 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2012-03-31 04:39:37 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39:37 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 10:23:11 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 18:49:18,08 ===============


attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/10/2011 09:44:06
System Uptime: 19/06/2012 16:11:00 (2 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5LD2-X/1333
Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz | LGA 775 | 2664/333mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 79,977 GiB free.
D: is CDROM ()
E: is Removable
F: is FIXED (NTFS) - 466 GiB total, 321,896 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Tastiera PS/2 standard
Device ID: ACPI\PNP0303\4&2E2B2FDC&0
Manufacturer: (Tastiere standard)
Name: Tastiera PS/2 standard
PNP Device ID: ACPI\PNP0303\4&2E2B2FDC&0
Service: i8042prt
.
Class GUID:
Description: WD SES Device USB Device
Device ID: USBSTOR\OTHER&VEN_WD&PROD_SES_DEVICE&REV_1003\575848314536314552434E35&1
Manufacturer:
Name: WD SES Device USB Device
PNP Device ID: USBSTOR\OTHER&VEN_WD&PROD_SES_DEVICE&REV_1003\575848314536314552434E35&1
Service:
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: CSN5PDTS82 NDIS Protocol Driver
Device ID: ROOT\LEGACY_CSN5PDTS82\0000
Manufacturer:
Name: CSN5PDTS82 NDIS Protocol Driver
PNP Device ID: ROOT\LEGACY_CSN5PDTS82\0000
Service: CSN5PDTS82
.
==== System Restore Points ===================
.
RP176: 07/06/2012 18:49:09 - Windows Update
RP177: 12/06/2012 18:14:09 - Windows Update
RP178: 13/06/2012 15:03:26 - Windows Update
RP179: 16/06/2012 09:21:47 - Windows Update
RP180: 19/06/2012 15:50:37 - Operazione di ripristino
.
==== Installed Programs ======================
.
123 Free Solitaire 2011 v8.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3) - Italiano
Aiseesoft DVD Ripper 6.2.26
Aiseesoft Total Media Converter 6.2.18
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Drag and Drop Transcoding
AMD Media Foundation Decoders
Android SDK Tools
Apple Application Support
Apple Software Update
Ashampoo Snap 4 v.4.3.1
µTorrent
Audio Record Wizard
AVS Update Manager 1.0
AVS4YOU Software Navigator 1.4
BlueStacks (beta-1)
BurnAware Free 4.9
Camtasia Studio 7
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-utility
CCC Help English
CCleaner
Cheat Engine 6.1
Conduit Engine
Download Accelerator Plus (DAP)
Dragon NaturallySpeaking 11
Dropbox
EzGenerator 4.0
Facebook Messenger 2.1.4520.0
File di supporto installazione di Microsoft SQL Server 2008
FileZilla Client 3.5.3
Get Smart 1 Student's Disk
GIMP 2.8.0
Glary Utilities Pro 2.41.0.1358
Google Chrome
Hunting Unlimited 2008 1.0
Incomedia WebSite X5 v9 - Evolution
Java Auto Updater
Java SE Development Kit 7 Update 4
Java(TM) 6 Update 31
Java(TM) 7 Update 4
JavaFX 2.1.0
JavaFX 2.1.0 SDK
JDownloader 0.9
Language Pack del Visualizzatore della Guida Microsoft 1.0 - ITA
LG Bluetooth Drivers
LG SP USB Driver
LG United Mobile Driver
LinuxLive USB Creator
Max Payne 2
MediaFire Express (beta)
mediAvatar Video to DVD Converter
MFZ0 codec (Remove Only)
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile - Language Pack (ITA)
Microsoft .NET Framework 4 Client Profile ITA Language Pack
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended - Language Pack (ITA)
Microsoft .NET Framework 4 Extended ITA Language Pack
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Fix it Center
Microsoft Help Viewer 1.0
Microsoft Help Viewer 1.0 Language Pack - ITA
Microsoft Office Access MUI (Italian) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Italian) 2007
Microsoft Office Groove MUI (Italian) 2007
Microsoft Office InfoPath MUI (Italian) 2007
Microsoft Office OneNote MUI (Italian) 2007
Microsoft Office Outlook MUI (Italian) 2007
Microsoft Office PowerPoint MUI (Italian) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (Italian) 2007
Microsoft Office Publisher MUI (Italian) 2007
Microsoft Office Shared MUI (Italian) 2007
Microsoft Office Word MUI (Italian) 2007
Microsoft Silverlight
Microsoft Speech SDK 5.1
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server Compact 3.5 SP2 ITA
Microsoft SQL Server System CLR Types
Microsoft SQL Server VSS Writer
Microsoft Visual Basic 2010 Express - ITA
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Mozilla Firefox 12.0 (x86 it)
Mozilla Maintenance Service
Mozilla Thunderbird 12.0.1 (x86 it)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
MyAshampoo Toolbar
Notepad++
Oracle VM VirtualBox 4.1.12
Panda Cloud Antivirus
Philips SPC220NC Webcam
PowerOffer 2.0
Readiris Pro 10
Resource Hacker Version 3.6.0
Samsung SCX-4200 Series
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Service Pack 1 per SQL Server 2008 (KB968369)
Skype Click to Call
Skype™ 5.8
Smart File Advisor 1.1.1
SmarThru 4
Sound Editor Pro v5.5.1
Sql Server Customer Experience Improvement Program
StepShot
TeamViewer 7
Text-To-Speech-Runtime
TimeLineRemove 0.5
TweakNow HD-Analyzer
Universal Extractor 1.6.1
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VC 9.0 Runtime
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ITA
VLC media player 1.1.11
Webcam Video Viewer
Windows Automated Installation Kit
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinHTTrack Website Copier 3.45-3
WinRAR 4.10 beta 5 (32-bit)
.
==== End Of File ===========================


Was I right to use a memo?
www.TheKillerPenguin.Altervista.org

Re: I was infected by a Generic Trj trojan

Posted by crazy.cat » Tue Jun 19, 2012 6:34 pm

Killer Penguin wrote: Was I right to use a memo?

The memo yes, the memo plus code no.

Junk of various kinds.
uStart Page = hxxp://search.findeer.com
mStart Page = hxxp://search.findeer.com
mSearchAssistant = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
BHO: PowerOffer: {3543619c-d563-43f7-95ea-4da7e1cc396a} - c:\users\public\documents\poweroffer\PowerOfferBHO.dll
BHO: BHO_TIMELINEREMOVE.Bho: {e7b9b609-19ad-40a4-a288-b300a3087465} - mscoree.dll (this dll is odd, I think it belongs to the .NET Framework)
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [PoService]
uRun: [MediaSearch] c:\users\utente\appdata\local\mediasearch\search.exe
mRun: [PosService] c:\users\public\documents\appdata\poapp\PLauncher.exe
When the many govern, they think only of pleasing themselves; you then get the most foolish and most hateful tyranny: tyranny disguised as freedom.

Re: I was infected by a Generic Trj trojan

Posted by KillerPenguin » Tue Jun 19, 2012 10:55 pm

I ran the scan with Kaspersky Rescue Disk 10 and for now I seem to have solved the problem... but I'll be able to check better after a few reboots of the machine. I noticed that some trojans were detected whose names made me shudder a little.

I saved 2 logs, don't ask me why; they look different to me, so I'm posting both. This time, though, I'll follow Crazy's advice and use only the memo [rolleyes]
log 1

Objects Scan: completed 1 minute ago (events: 37, objects: 1686547, time: 04:23:23)
6/19/12 10:24 PM Detected: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 10:24 PM Untreated: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 10:24 PM Detected: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 10:20 PM Untreated: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/.svn/text-base/java_docbase_bof.rb.svn-base Postponed
6/19/12 10:20 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/.svn/text-base/java_docbase_bof.rb.svn-base
6/19/12 10:20 PM Untreated: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/java_docbase_bof.rb Postponed
6/19/12 10:20 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/java_docbase_bof.rb
6/19/12 10:13 PM Untreated: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 10:13 PM Detected: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 9:51 PM Untreated: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 9:51 PM Detected: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 9:12 PM Untreated: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 9:12 PM Detected: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 8:49 PM Untreated: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 8:49 PM Detected: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 7:13 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$R7OWMFT/K-Oyunİndir-Hunting Unlimited 2010 Full Indir/data/data.exe Read error
6/19/12 7:13 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$R7OWMFT/K-Oyunİndir-Hunting Unlimited 2010 Full Indir/data/data.exe/data0003 Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/NetFXx86.exe/data0016.res/netfx.msi Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/NetFXx86.exe/data0016.res/netfx.msi/_13017_URTM_STD_ENU_X86_IXP.MSM Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/WinPE.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/WinPE.cab/F1_WINPE.WIM Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKX86.msi Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKX86.msi/x86.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKX86.msi/x86AIK.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/NetFXamd64.exe/data0016.res/netfx.msi/_13598_watsonamd64.msm Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/NetFXamd64.exe/data0016.res/netfx.msi/_13598_watsonamd64.msm/dwdcw20.dll_0001.F0DF3458_A845_11D3_8D0A_0050046416B9 Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKAMD64.msi Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKAMD64.msi/amd64.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKAMD64.msi/amd64AIK.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/Neutral.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/Neutral.cab/F_WINPEOC_X86__WINPE_FONTSUPPORT_ZH_CN.CAB Read error
6/19/12 7:11 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$R7OWMFT/K-Oyunİndir-Hunting Unlimited 2010 Full Indir/data/data.exe/data0001/data0000/UPX/PRE Read error
6/19/12 7:07 PM Task started
6/19/12 11:30 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/.svn/text-base/java_docbase_bof.rb.svn-base
6/19/12 11:30 PM Deleted: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe
6/19/12 11:31 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/java_docbase_bof.rb
6/19/12 11:31 PM Task completed

log 2

Objects Scan: completed 2 minutes ago (events: 37, objects: 1686547, time: 04:23:23)
6/19/12 7:07 PM Task started
6/19/12 7:11 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$R7OWMFT/K-Oyunİndir-Hunting Unlimited 2010 Full Indir/data/data.exe/data0001/data0000/UPX/PRE Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/Neutral.cab/F_WINPEOC_X86__WINPE_FONTSUPPORT_ZH_CN.CAB Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/Neutral.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKAMD64.msi/amd64AIK.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKAMD64.msi/amd64.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKAMD64.msi Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/NetFXamd64.exe/data0016.res/netfx.msi/_13598_watsonamd64.msm/dwdcw20.dll_0001.F0DF3458_A845_11D3_8D0A_0050046416B9 Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/NetFXamd64.exe/data0016.res/netfx.msi/_13598_watsonamd64.msm Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKX86.msi/x86AIK.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKX86.msi/x86.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/wAIKX86.msi Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/WinPE.cab/F1_WINPE.WIM Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/WinPE.cab Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/NetFXx86.exe/data0016.res/netfx.msi/_13017_URTM_STD_ENU_X86_IXP.MSM Read error
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/NetFXx86.exe/data0016.res/netfx.msi Read error
6/19/12 7:13 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$R7OWMFT/K-Oyunİndir-Hunting Unlimited 2010 Full Indir/data/data.exe/data0003 Read error
6/19/12 7:13 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$R7OWMFT/K-Oyunİndir-Hunting Unlimited 2010 Full Indir/data/data.exe Read error
6/19/12 8:49 PM Detected: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 8:49 PM Untreated: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 9:12 PM Detected: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 9:12 PM Untreated: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 9:51 PM Detected: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 9:51 PM Untreated: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 10:13 PM Detected: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 10:13 PM Untreated: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 10:20 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/java_docbase_bof.rb
6/19/12 10:20 PM Untreated: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/java_docbase_bof.rb Postponed
6/19/12 10:20 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/.svn/text-base/java_docbase_bof.rb.svn-base
6/19/12 10:20 PM Untreated: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/.svn/text-base/java_docbase_bof.rb.svn-base Postponed
6/19/12 10:24 PM Detected: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 10:24 PM Untreated: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 10:24 PM Detected: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 11:30 PM Deleted: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe
6/19/12 11:30 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/.svn/text-base/java_docbase_bof.rb.svn-base
6/19/12 11:31 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/java_docbase_bof.rb
6/19/12 11:31 PM Task completed
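The two logs above contain the same scan events listed in opposite order, and the question that matters for triage is the final disposition of each object: which file was actually deleted, and which is only flagged (the Metasploit module files are heuristic hits on exploit source code, not a component of the infection). As an added example, not from the post or from Kaspersky, here is a small Python parser for this Rescue Disk log format. It normalizes the two spellings of the same path (the /mnt/MountedDevices/<id>/ mount prefix and the /UPX packer layer; mapping that mount to C:/ is an assumption that holds for a single system volume), sorts events by time so either log order works, and reports the last recorded action per object. The sample log is constructed from lines in the same format.

```python
import re
from datetime import datetime

# Constructed sample in the Kaspersky Rescue Disk log format shown above
# (abbreviated; real logs repeat Detected/Untreated pairs many times).
SAMPLE_LOG = """\
Objects Scan: completed 1 minute ago (events: 8, objects: 1686547, time: 04:23:23)
6/19/12 10:24 PM Detected: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX
6/19/12 10:24 PM Untreated: Trojan.Win32.Menti.gena C:/Users/Utente/AppData/Local/Windows/winhelp.exe/UPX Postponed
6/19/12 10:20 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/java_docbase_bof.rb
6/19/12 10:20 PM Untreated: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/java_docbase_bof.rb Postponed
6/19/12 7:12 PM Processing error C:/$Recycle.Bin/S-1-5-21-3553558978-4142946716-712529495-1000/$RZKZIG8/WinPE.cab Read error
6/19/12 7:07 PM Task started
6/19/12 11:30 PM Deleted: Trojan.Win32.Menti.gena /mnt/MountedDevices/PD-EB6BEB6B-0000000006500000/Users/Utente/AppData/Local/Windows/winhelp.exe
6/19/12 11:31 PM Detected: HEUR:Trojan.Script.Generic C:/metasploit/msf3/modules/exploits/windows/browser/java_docbase_bof.rb
6/19/12 11:31 PM Task completed
"""

# One event line: timestamp, action, verdict name, object path, optional "Postponed".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2} [AP]M) "
    r"(?P<action>Detected|Untreated|Deleted): "
    r"(?P<verdict>\S+) (?P<path>.+?)(?P<postponed> Postponed)?$"
)
# The Rescue Disk mounts the Windows volume under /mnt/MountedDevices/<id>/.
# ASSUMPTION for this example: one system volume, which corresponds to C:/.
MOUNT_RE = re.compile(r"^/mnt/MountedDevices/[^/]+/")
# Packer/archive layers that the scanner appends to the real file path.
CONTAINER_SUFFIXES = ("/UPX",)


def normalize_path(path):
    """Map both spellings of the same file to one key."""
    path = MOUNT_RE.sub("C:/", path)
    for suffix in CONTAINER_SUFFIXES:
        if path.endswith(suffix):
            path = path[: -len(suffix)]
    return path


def parse_events(text):
    """Parse Detected/Untreated/Deleted lines and return them in time order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # header, Task started/completed, Processing error
        events.append({
            "time": datetime.strptime(m.group("ts"), "%m/%d/%y %I:%M %p"),
            "action": m.group("action"),
            "verdict": m.group("verdict"),
            "path": normalize_path(m.group("path")),
            "postponed": bool(m.group("postponed")),
        })
    # Log order differs between exports, so order by timestamp (stable sort
    # keeps Detected before Untreated within the same minute).
    events.sort(key=lambda e: e["time"])
    return events


def summarize(text):
    """Per object: verdict, number of events, last action, heuristic flag."""
    summary = {}
    for e in parse_events(text):
        entry = summary.setdefault(e["path"], {
            "verdict": e["verdict"],
            "heuristic": e["verdict"].startswith("HEUR:"),
            "events": 0,
            "final": None,
        })
        entry["events"] += 1
        entry["final"] = e["action"]
    return summary


def not_removed(text):
    """Objects whose last recorded action is not Deleted: these need a decision."""
    return sorted(p for p, s in summarize(text).items() if s["final"] != "Deleted")


if __name__ == "__main__":
    for path, s in summarize(SAMPLE_LOG).items():
        kind = "heuristic" if s["heuristic"] else "signature"
        print(f"{s['final']:9} {kind:9} {s['verdict']}  {path}  ({s['events']} events)")
```

On the real logs this prints Deleted for winhelp.exe and Detected for the two Metasploit .rb files, which is the reader's cue that the remaining hits are exploit source in an unexpected directory rather than a live infection, and that the question "who installed Metasploit?" is the right one to ask.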

Re: I was infected by a Generic Trj trojan

Posted by hashcat » Wed Jun 20, 2012 6:21 am

If I manage, tonight I'll try to create a dedicated disinfection script for the threat and to analyze the logs.

P.S.: Did you install Metasploit yourself?
<<Intelligence is the ability to avoid doing work, yet getting the work done.>>
Linus Torvalds

EX [MLI] Power User.

Re: I was infected by a Generic Trj trojan

Posted by KillerPenguin » Wed Jun 20, 2012 12:49 pm

I was thinking about that too, I never installed it

Re: I was infected by a Generic Trj trojan

Posted by Andy97 » Wed Jun 20, 2012 2:42 pm

Whoa, Metasploit is a well-known piece of software used by hackers to create exploits and get into victims' PCs by exploiting their vulnerabilities [V]

Re: I was infected by a Generic Trj trojan

Posted by sampei.nihira » Wed Jun 20, 2012 3:58 pm

Killer, in my opinion you should review your security configuration on the prevention side. [;)] [ciao]
釣りキチ三平

Re: I was infected by a Generic Trj trojan

Posted by Andy97 » Wed Jun 20, 2012 4:18 pm

Here is what is written on Panda's site

Cloud antivirus wrote: Exploiting vulnerabilities with the intervention of the user: exploiting vulnerabilities in file formats or applications. To exploit them successfully it needs the intervention of the user: opening files, viewing malicious web pages, reading emails, etc.

Re: I was infected by a Generic Trj trojan

Posted by KillerPenguin » Wed Jun 20, 2012 9:02 pm

sampei.nihira wrote: Killer, in my opinion you should review your security configuration on the prevention side. [;)] [ciao]

I guess you're right...

Re: I was infected by a Generic Trj trojan

Posted by Andy97 » Wed Jun 20, 2012 9:12 pm

I don't like Panda much; in fact, I'm switching to Kaspersky

Re: I was infected by a Generic Trj trojan

Posted by KillerPenguin » Wed Jun 20, 2012 9:48 pm

anyway, with Kaspersky Rescue Disk 10 I think I removed everything

Re: I was infected by a Generic Trj trojan

Posted by Sabbb » Wed Jun 20, 2012 10:19 pm

Metasploit can be used by administrators to test their systems' vulnerabilities so that they can protect them LINK

Then it depends on who installed it and why. I agree with sam too [MLI]

Re: I was infected by a Generic Trj trojan

Posted by farbix89 » Wed Jun 20, 2012 10:43 pm

killer, you can try avast! as your new AV (the famous spinning ball, sabbb knows it well :D)

Re: I was infected by a Generic Trj trojan

Posted by Sabbb » Wed Jun 20, 2012 10:48 pm

[nonono] [nonono] [nonono] http://yfrog.com/f2ashampoosnap2012062023hp

..NitroPDF is better (there's more hope [rotfl] )

[Close OT, or else there'll be trouble [:)] ]

Re: I was infected by a Generic Trj trojan

Posted by hashcat » Thu Jun 21, 2012 1:52 pm

Unfortunately the NetBook broke. I'll see what I can do from my phone.

Re: I was infected by a Generic Trj trojan

Posted by hashcat » Thu Jun 21, 2012 3:02 pm

First (and most important), I'm posting the instructions to remove all components of the threat and revert the changes it made.

  1. Download The Avenger 2 from here
  2. Run it
  3. Uncheck the Scan for rootkits option
  4. Paste the following script into the text box

    Code:
    Files to delete:
    C:\Users\Public\Documents\dll
    C:\WINDOWS\system32\dll
    C:\WINDOWS\system32\w.dll
    C:\WINDOWS\Temp\explorer.dat
    C:\WINDOWS\Temp\winlogon.dat

  5. Press Execute
  6. Allow The Avenger 2 to reboot the computer
  7. Paste the log generated by The Avenger 2 (C:\Avenger.txt) into your next message

At this point, open Notepad and copy and paste the text below. Save the file as .reg (selecting "All files" as the file type)

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

Run the saved file.

Make a copy of the hosts file (it is in C:\Windows\System32\drivers\etc) and paste its contents into your next message.

From a command prompt (with administrator privileges) run the command:

Code:
sfc /Purgecache


Finally, do a quick cleanup of the computer with OTL:

  1. Disable or close all real-time protection of anti-spyware, antivirus and anti-malware programs, which can interfere with OTL
  2. Start OTL by double-clicking it
  3. Paste this script into OTL's Custom Scans/Fixes box and click Run Fix

    Code:
    :Files
    ipconfig /flushdns /c

    :commands
    [PURITY]
    [RESETHOSTS]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]


  4. When the operation completes, the computer will be rebooted.
  5. Post the OTL log (found in C:\_OTL)

In short (what the malware does): the malware creates several files, modifies the hosts file (I think to hijack searches), and disables System Restore.

P.S.: did you install Apache yourself?
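hashcat's instructions revolve around two things the malware changed: the hosts file (hijacked searches, reset with OTL's [RESETHOSTS]) and System Restore. As an added example, not part of hashcat's script or of any tool mentioned in the thread, this Python audit parses hosts file content the way a responder reads the copy requested above: it flags any hostname mapped to a non-loopback address (a redirect of the kind that sends search traffic elsewhere) and any search-engine or security-vendor hostname mapped to loopback (a sinkhole that blocks updates), then produces a cleaned copy with only the flagged lines removed. The sample hosts content is constructed; 203.0.113.45 is a documentation address, example-av.invalid is a placeholder, and the sensitive-name list is illustrative.

```python
import ipaddress

# Constructed sample hosts file: the first four lines are normal Windows
# content, the last three are the kind of entries a hijacker adds.
# 203.0.113.45 is a documentation address; example-av.invalid is a placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com
203.0.113.45    www.bing.com   # search traffic sent to a remote host
127.0.0.1       update.example-av.invalid
"""

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

# Names a home PC's hosts file has no reason to map anywhere: search engines
# (the "hijacked searches" from the post) and security-vendor update hosts.
# Illustrative list; extend it with the vendors actually in use.
SENSITIVE_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "example-av.invalid")


def parse_hosts(text):
    """Return (line number, ip address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_loopback(addr):
    return any(addr in net for net in LOOPBACK_NETS)


def is_sensitive(name):
    return any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def find_suspicious(text):
    """Return (line number, hostname, address, reason) for entries worth reviewing."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if not is_loopback(addr):
            findings.append((lineno, name, str(addr), "redirected to a remote address"))
        elif is_sensitive(name):
            findings.append((lineno, name, str(addr), "sinkholed to loopback"))
    return findings


def clean_hosts(text):
    """Hosts content with every flagged line removed: a narrower alternative
    to OTL's [RESETHOSTS], which rewrites the whole file to its default."""
    bad = {lineno for lineno, _, _, _ in find_suspicious(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, name, addr, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} ({reason})")
```

A hosts file on a personal machine normally contains nothing but loopback entries, so every remote mapping deserves a look; on an administered workstation with deliberate overrides, compare against the known-good copy instead of flagging every remote address.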
