Punto informatico Network


virus

Post by fedebertola » Tue Jan 20, 2009 10:34 am

Hi everyone,
I have a strange problem: since I formatted the PC (quick format), every time I boot it my antivirus programs detect a virus. Even if I remove it or quarantine it, the virus comes back. I formatted again with a full (non-quick) format, but the problem reappears.
The virus is detected in C:\WINDOWS\system32\sbfg.exe.
Is it possible that there is some table that does not get wiped by formatting? Is there a command that can delete it?
What else could I do to remove the infection from my PC?

Re: virus

Post by crazy.cat » Tue Jan 20, 2009 10:59 am

Which virus are we talking about?
Why do you say "my antivirus programs"?

If the original virus were in the disk's boot sectors, it would recreate the infected file at every boot of the PC.

You could have the file sbfg.exe analysed on the site http://www.threatexpert.com/submit.aspx: you just enter a valid email address and within a few minutes you will receive a report of the actions performed by this virus.
Then post here the link you find in the email so that we can also understand something more.

Re: virus

Post by fedebertola » Tue Jan 20, 2009 11:54 am

I wrote "my antivirus programs" because I have 2 installed on the PC.
The virus is detected as a trojan and creates several infected executable files that alert the antivirus programs.
Here is the report ThreatExpert produced on one of these files:
Submission Summary:
Submission details:
Submission received: 20 January 2009, 09:36:32 PM
Processing time: 6 min 3 sec
Submitted sample:
File MD5: 0x54A338E95408F25B086564DCAE2466C1
Filesize: 6,616 bytes
Technical Details:


File System Modifications

The following file was created in the system:
# Filename(s) File Size File MD5
1 [file and pathname of the sample #1] 6,616 bytes 0x54A338E95408F25B086564DCAE2466C1
How can I "cure" my PC?
Thanks again


Re: virus

Post by Amantide » Tue Jan 20, 2009 1:45 pm

Download ComboFix and run the scan following these instructions (at the bottom). When the scan finishes, the report file C:\combofix.txt will be created; paste its contents here between LOG tags.
Then download mbr.exe and save it in the C:\ directory.
Then go to Start >> Run and type c:\mbr.exe
Mbr.exe will take a few seconds to run its scan. When it is done, post here the contents of the log it creates, which you will find in c:\mbr.log

Re: virus

Post by fedebertola » Tue Jan 20, 2009 2:12 pm

Combofix:

ComboFix 09-01-19.05 - EddyFede 2009-01-20 14.06.31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1023.607 [GMT 1:00]
Eseguito da: c:\documents and settings\EddyFede\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\gPhotoShow Toolbar\v3.2.0.0\gPhotoShow_Toolbar.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\csrcs.exe
L:\autorun.inf

.
((((((((((((((((((((((((( Files Creati Da 2008-12-20 al 2009-01-20 )))))))))))))))))))))))))))))))))))
.

2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d-------- c:\documents and settings\Administrator\Preferiti
2009-01-20 13:10 . 2009-01-18 16:00 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2009-01-20 13:10 . 2009-01-20 14:07 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d-------- c:\documents and settings\Administrator\Documenti
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2009-01-20 13:10 . 2009-01-20 13:10 <DIR> d-------- c:\documents and settings\Administrator
2009-01-20 13:04 . 2009-01-20 10:44 66,048 --a------ C:\mbr.exe
2009-01-20 12:58 . 2009-01-20 12:58 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Office Genuine Advantage
2009-01-20 11:30 . 2009-01-20 11:30 6,616 --a------ C:\hlvthhm.exe
2009-01-20 11:30 . 2009-01-20 11:30 0 --a------ C:\pvbjtljq.exe
2009-01-20 11:29 . 2009-01-20 11:29 16,901 --a------ C:\wpthn.exe
2009-01-20 11:28 . 2009-01-20 11:28 9,728 --a------ c:\windows\system32\sd4.exe
2009-01-19 14:24 . 2009-01-19 14:24 <DIR> d--h----- c:\programmi\InstallShield Installation Information
2009-01-19 14:24 . 2009-01-19 14:24 <DIR> d-------- c:\programmi\File comuni\InstallShield
2009-01-18 22:17 . 2009-01-20 10:23 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-18 19:21 . 2009-01-18 22:14 <DIR> d-------- c:\windows\system32\Lang
2009-01-18 19:21 . 2009-01-18 19:21 64 --a------ c:\windows\RTHDCPL_DB.dbt
2009-01-18 18:51 . 2009-01-18 18:56 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-18 18:47 . 2009-01-18 18:47 <DIR> d-------- c:\programmi\Sun
2009-01-18 18:47 . 2009-01-18 18:47 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-18 18:47 . 2009-01-18 18:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-18 18:46 . 2009-01-18 18:47 <DIR> d-------- c:\programmi\Java
2009-01-18 18:44 . 2009-01-19 14:24 <DIR> d-------- C:\pnp
2009-01-18 18:44 . 2008-04-13 20:19 146,048 --a------ c:\windows\system32\drivers\portcls.sys
2009-01-18 18:44 . 2008-04-13 20:19 146,048 --a--c--- c:\windows\system32\dllcache\portcls.sys
2009-01-18 18:44 . 2008-04-13 19:45 60,160 --a------ c:\windows\system32\drivers\drmk.sys
2009-01-18 18:44 . 2008-04-13 19:45 60,160 --a--c--- c:\windows\system32\dllcache\drmk.sys
2009-01-18 18:44 . 2009-01-18 18:44 0 -rahs---- C:\khq
2009-01-18 18:24 . 2009-01-18 18:24 <DIR> d-------- c:\programmi\CDBurnerXP
2009-01-18 18:24 . 2009-01-18 18:24 <DIR> d-------- c:\documents and settings\EddyFede\Dati applicazioni\Canneverbe_Limited
2009-01-18 18:22 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-18 18:20 . 2009-01-18 18:22 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-18 18:20 . 2009-01-18 18:20 <DIR> d-------- c:\programmi\Reference Assemblies
2009-01-18 18:20 . 2009-01-18 18:20 <DIR> d-------- c:\programmi\MSBuild
2009-01-18 18:20 . 2009-01-18 18:20 218 --a------ c:\windows\system32\spupdsvc.inf
2009-01-18 18:19 . 2009-01-18 18:20 <DIR> d-------- C:\9cc5b775a9ea79d8a158c8d5a5
2009-01-18 18:19 . 2008-07-06 13:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-01-18 18:19 . 2008-07-06 13:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-18 18:19 . 2008-07-06 11:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-18 18:19 . 2008-07-06 13:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-01-18 18:19 . 2008-07-06 13:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-18 18:19 . 2008-07-06 13:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-01-18 18:19 . 2008-07-06 13:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-18 18:06 . 2009-01-18 18:06 <DIR> d-------- c:\windows\system32\it
2009-01-18 18:06 . 2009-01-18 18:06 <DIR> d-------- c:\windows\system32\bits
2009-01-18 18:06 . 2009-01-18 18:06 <DIR> d-------- c:\windows\l2schemas
2009-01-18 18:03 . 2009-01-18 18:06 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-18 17:35 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2009-01-18 17:30 . 2009-01-18 17:30 <DIR> d-------- c:\programmi\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 13:04 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\Skype
2009-01-18 15:56 --------- d-----w c:\programmi\NOS
2009-01-18 15:56 --------- d-----w c:\programmi\Avira
2009-01-18 15:56 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\NOS
2009-01-18 15:56 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Avira
2009-01-18 15:49 --------- d-----w c:\programmi\MSECache
2009-01-18 15:49 --------- d-----w c:\programmi\File comuni\Adobe
2009-01-18 15:46 --------- d-----w c:\programmi\Microsoft Works
2009-01-18 15:46 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Microsoft Help
2009-01-18 15:39 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\AVGTOOLBAR
2009-01-18 15:36 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\DAEMON Tools Lite
2009-01-18 15:33 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\DAEMON Tools Pro
2009-01-18 15:33 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\DAEMON Tools
2009-01-18 15:33 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\DAEMON Tools Lite
2009-01-18 15:32 --------- d-----w c:\programmi\DAEMON Tools Lite
2009-01-18 15:30 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\vlc
2009-01-18 15:28 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-18 15:28 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-18 15:28 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-18 15:28 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-18 15:28 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-18 15:28 --------- d-----w c:\programmi\VideoLAN
2009-01-18 15:26 --------- d-----w c:\programmi\eMule AdunanzA
2009-01-18 15:26 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\eMule AdunanzA
2009-01-18 15:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\avg8
2009-01-18 15:19 231,193 ----a-w c:\windows\gPhotoShow_Toolbar_Uninstaller_5093.exe
2009-01-18 15:19 --------- d-----w c:\programmi\WallpaperSS
2009-01-18 15:19 --------- d-----w c:\programmi\Skype
2009-01-18 15:19 --------- d-----w c:\programmi\gPhotoShow Toolbar
2009-01-18 15:19 --------- d-----w c:\programmi\File comuni\Skype
2009-01-18 15:19 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\WallpaperSS
2009-01-18 15:19 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Skype
2009-01-18 15:14 --------- d-----w c:\programmi\AVG
2009-01-18 15:05 --------- d-----w c:\programmi\microsoft frontpage
2009-01-18 15:03 --------- d-----w c:\programmi\Servizi in linea
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WallpaperSS"="c:\programmi\WallpaperSS\WallpaperSS.exe" [2007-03-12 430080]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-18 1601304]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avgnt"="c:\programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-01-18 136600]
"SoundMan"="SOUNDMAN.EXE" [2005-06-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-06-29 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-18 16:28 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-18 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-18 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-18 107272]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 903960]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-18 298264]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Explorer_Run-csrcs - c:\windows\system32\csrcs.exe


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.enelenergia.it/
FF - ProfilePath - c:\documents and settings\EddyFede\Dati applicazioni\Mozilla\Firefox\Profiles\vwbh6vhx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 14:07:51
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll
.
Ora fine scansione: 2009-01-20 14.08.46
ComboFix-quarantined-files.txt 2009-01-20 13:08:44

Pre-Run: 190.142.111.744 byte disponibili
Post-Run: 190,192,152,576 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

179 --- E O F --- 2009-01-19 13:20:02

mbr.exe:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Re: virus

Post by Amantide » Tue Jan 20, 2009 2:38 pm

Almost certainly the virus you found after formatting came from some removable storage device such as an external hard disk or a USB stick.
Connect all the external storage devices to the PC, then copy and paste the following text into Notepad and save the file on the desktop with the name CFScript.txt.

File::
C:\hlvthhm.exe
C:\pvbjtljq.exe
C:\wpthn.exe
c:\windows\system32\d3d9caps.dat
c:\windows\RTHDCPL_DB.dbt
C:\khq
c:\windows\system32\spupdsvc.inf


Now drag the CFScript.txt file onto the ComboFix.exe icon and wait for the scan to finish. Post the new ComboFix log.
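Worked example (added here; it is not code from this thread, from ComboFix or from Gmer): a small Python triage script that parses the "Files Creati" section of a ComboFix log in the layout quoted above, flags the patterns the helpers are reacting to (executables dropped straight into the drive root, zero-byte executables, an autorun.inf on a fixed disk, files carrying hidden+system attributes, and executables created within minutes of an already flagged file) and renders the candidates as a CFScript File:: block in the format Amantide used. The sample log lines are constructed from the entries in this thread (the AutoRun.inf line is written in that layout from the path ComboFix reports deleting, since the original log lists it without a timestamp). The KNOWN_TOOLS allow-list, the five-minute burst window and the rule names are assumptions of this example, not ComboFix behaviour. The output is a candidate list for a person to review before anything is deleted, which is the step Amantide performed by hand.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: lines in the layout of the ComboFix "Files Creati"
# section quoted in this thread (the AutoRun.inf line is invented in that
# layout for the example; the other lines mirror entries from the thread).
SAMPLE_LOG = """\
2009-01-20 13:04 . 2009-01-20 10:44 66,048 --a------ C:\\mbr.exe
2009-01-20 11:30 . 2009-01-20 11:30 6,616 --a------ C:\\hlvthhm.exe
2009-01-20 11:30 . 2009-01-20 11:30 0 --a------ C:\\pvbjtljq.exe
2009-01-20 11:29 . 2009-01-20 11:29 16,901 --a------ C:\\wpthn.exe
2009-01-20 11:28 . 2009-01-20 11:28 9,728 --a------ c:\\windows\\system32\\sd4.exe
2009-01-20 11:28 . 2009-01-20 11:28 64 --ah----- c:\\windows\\system32\\AutoRun.inf
2009-01-18 18:47 . 2009-01-18 18:47 <DIR> d-------- c:\\programmi\\Sun
2009-01-18 18:47 . 2009-01-18 18:47 410,984 --a------ c:\\windows\\system32\\deploytk.dll
2009-01-18 18:44 . 2009-01-18 18:44 0 -rahs---- C:\\khq
"""

# One log line: "<created> . <modified> <size|<DIR>> <9 attribute flags> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>\S.*)$"
)

# Files the analyst placed on the disk on purpose (assumed allow-list; in this
# thread the helper asked for mbr.exe to be saved in C:\).
KNOWN_TOOLS = {"mbr.exe", "combofix.exe"}


@dataclass
class Entry:
    created: datetime
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_drive_root(self) -> bool:
        # e.g. C:\wpthn.exe but not c:\windows\system32\sd4.exe
        return re.fullmatch(r"[a-z]:\\[^\\]+", self.path.lower()) is not None


def parse_created_files(text):
    """Parse every line that matches the ComboFix created-files layout."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, dots and blank lines are skipped
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        created = datetime.strptime(m["created"], "%Y-%m-%d %H:%M")
        entries.append(Entry(created, size, m["attrs"], m["path"]))
    return entries


def flag_suspicious(entries, burst=timedelta(minutes=5)):
    """Return {path: [reasons]} for entries matching reinfection patterns."""
    findings = {}

    def hit(entry, why):
        findings.setdefault(entry.path, []).append(why)

    for e in entries:
        if e.size is None:
            continue  # directories are not triaged here
        is_exe = e.name.endswith(".exe")
        if e.name == "autorun.inf":
            hit(e, "autorun.inf on a fixed disk")
        if is_exe and e.in_drive_root and e.name not in KNOWN_TOOLS:
            hit(e, "executable dropped in drive root")
        if is_exe and e.size == 0:
            hit(e, "zero-byte executable")
        if "h" in e.attrs and "s" in e.attrs:
            hit(e, "hidden+system attributes on a plain file")

    # Second pass: executables written in the same burst as a flagged file.
    anchors = [e.created for e in entries if e.path in findings]
    for e in entries:
        if e.path in findings or e.size is None or not e.name.endswith(".exe"):
            continue
        if e.name in KNOWN_TOOLS:
            continue
        if any(abs(e.created - t) <= burst for t in anchors):
            hit(e, "created within %d min of a flagged file" % (burst.seconds // 60))
    return findings


def build_cfscript(paths):
    """Render the File:: block in the format used in this thread."""
    return "File::\n" + "\n".join(sorted(paths)) + "\n"


if __name__ == "__main__":
    found = flag_suspicious(parse_created_files(SAMPLE_LOG))
    for path, reasons in found.items():
        print(f"{path}: {'; '.join(reasons)}")
    print(build_cfscript(found))
```

On the constructed sample the script lists six candidates: the three root executables, the zero-byte pvbjtljq.exe (which also hits the root rule), the hidden+system C:\khq, the AutoRun.inf, and sd4.exe, which only the burst rule reaches. deploytk.dll, created in the same minute as C:\khq, is left alone because the burst rule is restricted to .exe files; that restriction and the five-minute window are exactly the thresholds an analyst should tune against known-good entries before trusting the list.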

Re: virus

Post by dario-vr » Tue Jan 20, 2009 2:52 pm

Amantide wrote: Almost certainly the virus you found after formatting came from some removable storage device such as an external hard disk or a USB stick.
Connect all the external storage devices to the PC, then copy and paste the following text into Notepad and save the file on the desktop with the name CFScript.txt.

File::
C:\hlvthhm.exe
C:\pvbjtljq.exe
C:\wpthn.exe
c:\windows\system32\d3d9caps.dat
c:\windows\RTHDCPL_DB.dbt
C:\khq
c:\windows\system32\spupdsvc.inf

Now drag the CFScript.txt file onto the ComboFix.exe icon and wait for the scan to finish. Post the new ComboFix log.


And remove one of the two antivirus programs: two antivirus programs resident in memory fight each other.

Re: virus

Post by fedebertola » Tue Jan 20, 2009 3:14 pm

Here is the ComboFix log:

ComboFix 09-01-19.05 - EddyFede 2009-01-20 15.07.21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1023.519 [GMT 1:00]
Eseguito da: c:\documents and settings\EddyFede\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\EddyFede\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Creato nuovo punto di ripristino

FILE ::
C:\hlvhhm.exe
C:\khq
C:\pvbjtljq.exe
c:\windows\RTHDCPL_DB.dbt
c:\windows\system32\d3d9caps.dat
c:\windows\system32\spupdsvc.inf
C:\wpthn.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\khq
c:\windows\RTHDCPL_DB.dbt
c:\windows\system32\d3d9caps.dat
c:\windows\system32\spupdsvc.inf

.
((((((((((((((((((((((((( Files Creati Da 2008-12-20 al 2009-01-20 )))))))))))))))))))))))))))))))))))
.

2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d-------- c:\documents and settings\Administrator\Preferiti
2009-01-20 13:10 . 2009-01-18 16:00 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2009-01-20 13:10 . 2009-01-20 15:08 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d-------- c:\documents and settings\Administrator\Documenti
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2009-01-20 13:10 . 2009-01-20 13:10 <DIR> d-------- c:\documents and settings\Administrator
2009-01-20 13:04 . 2009-01-20 10:44 66,048 --a------ C:\mbr.exe
2009-01-20 12:58 . 2009-01-20 12:58 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Office Genuine Advantage
2009-01-19 14:24 . 2009-01-19 14:24 <DIR> d--h----- c:\programmi\InstallShield Installation Information
2009-01-19 14:24 . 2009-01-19 14:24 <DIR> d-------- c:\programmi\File comuni\InstallShield
2009-01-18 22:17 . 2009-01-20 10:23 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-18 19:21 . 2009-01-18 22:14 <DIR> d-------- c:\windows\system32\Lang
2009-01-18 18:47 . 2009-01-18 18:47 <DIR> d-------- c:\programmi\Sun
2009-01-18 18:47 . 2009-01-18 18:47 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-18 18:47 . 2009-01-18 18:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-18 18:46 . 2009-01-18 18:47 <DIR> d-------- c:\programmi\Java
2009-01-18 18:44 . 2009-01-19 14:24 <DIR> d-------- C:\pnp
2009-01-18 18:44 . 2008-04-13 20:19 146,048 --a------ c:\windows\system32\drivers\portcls.sys
2009-01-18 18:44 . 2008-04-13 20:19 146,048 --a--c--- c:\windows\system32\dllcache\portcls.sys
2009-01-18 18:44 . 2008-04-13 19:45 60,160 --a------ c:\windows\system32\drivers\drmk.sys
2009-01-18 18:44 . 2008-04-13 19:45 60,160 --a--c--- c:\windows\system32\dllcache\drmk.sys
2009-01-18 18:24 . 2009-01-18 18:24 <DIR> d-------- c:\programmi\CDBurnerXP
2009-01-18 18:24 . 2009-01-18 18:24 <DIR> d-------- c:\documents and settings\EddyFede\Dati applicazioni\Canneverbe_Limited
2009-01-18 18:22 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-18 18:20 . 2009-01-18 18:22 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-18 18:20 . 2009-01-18 18:20 <DIR> d-------- c:\programmi\Reference Assemblies
2009-01-18 18:20 . 2009-01-18 18:20 <DIR> d-------- c:\programmi\MSBuild
2009-01-18 18:19 . 2009-01-18 18:20 <DIR> d-------- C:\9cc5b775a9ea79d8a158c8d5a5
2009-01-18 18:19 . 2008-07-06 13:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-01-18 18:19 . 2008-07-06 13:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-18 18:19 . 2008-07-06 11:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-18 18:19 . 2008-07-06 13:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-01-18 18:19 . 2008-07-06 13:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-18 18:19 . 2008-07-06 13:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-01-18 18:19 . 2008-07-06 13:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-18 18:06 . 2009-01-18 18:06 <DIR> d-------- c:\windows\system32\it
2009-01-18 18:06 . 2009-01-18 18:06 <DIR> d-------- c:\windows\system32\bits
2009-01-18 18:06 . 2009-01-18 18:06 <DIR> d-------- c:\windows\l2schemas
2009-01-18 18:03 . 2009-01-18 18:06 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-18 17:35 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2009-01-18 17:30 . 2009-01-18 17:30 <DIR> d-------- c:\programmi\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 13:04 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\Skype
2009-01-18 15:56 --------- d-----w c:\programmi\NOS
2009-01-18 15:56 --------- d-----w c:\programmi\Avira
2009-01-18 15:56 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\NOS
2009-01-18 15:56 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Avira
2009-01-18 15:49 --------- d-----w c:\programmi\MSECache
2009-01-18 15:49 --------- d-----w c:\programmi\File comuni\Adobe
2009-01-18 15:46 --------- d-----w c:\programmi\Microsoft Works
2009-01-18 15:46 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Microsoft Help
2009-01-18 15:39 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\AVGTOOLBAR
2009-01-18 15:36 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\DAEMON Tools Lite
2009-01-18 15:33 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\DAEMON Tools Pro
2009-01-18 15:33 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\DAEMON Tools
2009-01-18 15:33 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\DAEMON Tools Lite
2009-01-18 15:32 --------- d-----w c:\programmi\DAEMON Tools Lite
2009-01-18 15:30 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\vlc
2009-01-18 15:28 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-18 15:28 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-18 15:28 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-18 15:28 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-18 15:28 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-18 15:28 --------- d-----w c:\programmi\VideoLAN
2009-01-18 15:26 --------- d-----w c:\programmi\eMule AdunanzA
2009-01-18 15:26 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\eMule AdunanzA
2009-01-18 15:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\avg8
2009-01-18 15:19 231,193 ----a-w c:\windows\gPhotoShow_Toolbar_Uninstaller_5093.exe
2009-01-18 15:19 --------- d-----w c:\programmi\WallpaperSS
2009-01-18 15:19 --------- d-----w c:\programmi\Skype
2009-01-18 15:19 --------- d-----w c:\programmi\gPhotoShow Toolbar
2009-01-18 15:19 --------- d-----w c:\programmi\File comuni\Skype
2009-01-18 15:19 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\WallpaperSS
2009-01-18 15:19 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Skype
2009-01-18 15:14 --------- d-----w c:\programmi\AVG
2009-01-18 15:05 --------- d-----w c:\programmi\microsoft frontpage
2009-01-18 15:03 --------- d-----w c:\programmi\Servizi in linea
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WallpaperSS"="c:\programmi\WallpaperSS\WallpaperSS.exe" [2007-03-12 430080]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-18 1601304]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avgnt"="c:\programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-01-18 136600]
"SoundMan"="SOUNDMAN.EXE" [2005-06-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-06-29 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-18 16:28 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-18 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-18 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-18 107272]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 903960]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-18 298264]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.enelenergia.it/
FF - ProfilePath - c:\documents and settings\EddyFede\Dati applicazioni\Mozilla\Firefox\Profiles\vwbh6vhx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 15:08:34
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll
.
Ora fine scansione: 2009-01-20 15.09.28
ComboFix-quarantined-files.txt 2009-01-20 14:09:26
ComboFix2.txt 2009-01-20 13:08:47

Pre-Run: 189.116.514.304 byte disponibili
Post-Run: 189,102,723,072 byte disponibili

172 --- E O F --- 2009-01-19 13:20:02


Thanks

Re: virus

Post by fedebertola » Tue Jan 20, 2009 3:15 pm

Oops, I forgot to plug in the USB stick, I'll do it again now.

Re: virus

Post by Amantide » Tue Jan 20, 2009 3:22 pm

Then, while you are at it, also run a full system scan with the USB sticks plugged in, using Malwarebytes Anti-Malware.

Re: virus

Post by fedebertola » Tue Jan 20, 2009 3:26 pm

In the meantime, here is the ComboFix log:

ComboFix 09-01-19.05 - EddyFede 2009-01-20 15.22.14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1023.533 [GMT 1:00]
Eseguito da: c:\documents and settings\EddyFede\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\EddyFede\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
* Creato nuovo punto di ripristino

FILE ::
C:\hlvthhm.exe
C:\khq
C:\pvbjtljq.exe
c:\windows\RTHDCPL_DB.dbt
c:\windows\system32\d3d9caps.dat
c:\windows\system32\spupdsvc.inf
C:\wpthn.exe
.

((((((((((((((((((((((((( Files Creati Da 2008-12-20 al 2009-01-20 )))))))))))))))))))))))))))))))))))
.

2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d-------- c:\documents and settings\Administrator\Preferiti
2009-01-20 13:10 . 2009-01-18 16:00 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2009-01-20 13:10 . 2009-01-20 15:23 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> d-------- c:\documents and settings\Administrator\Documenti
2009-01-20 13:10 . 2009-01-18 16:51 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2009-01-20 13:10 . 2009-01-20 13:10 <DIR> d-------- c:\documents and settings\Administrator
2009-01-20 13:04 . 2009-01-20 10:44 66,048 --a------ C:\mbr.exe
2009-01-20 12:58 . 2009-01-20 12:58 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Office Genuine Advantage
2009-01-19 14:24 . 2009-01-19 14:24 <DIR> d--h----- c:\programmi\InstallShield Installation Information
2009-01-19 14:24 . 2009-01-19 14:24 <DIR> d-------- c:\programmi\File comuni\InstallShield
2009-01-18 22:17 . 2009-01-20 10:23 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-18 19:21 . 2009-01-18 22:14 <DIR> d-------- c:\windows\system32\Lang
2009-01-18 18:47 . 2009-01-18 18:47 <DIR> d-------- c:\programmi\Sun
2009-01-18 18:47 . 2009-01-18 18:47 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-18 18:47 . 2009-01-18 18:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-18 18:46 . 2009-01-18 18:47 <DIR> d-------- c:\programmi\Java
2009-01-18 18:44 . 2009-01-19 14:24 <DIR> d-------- C:\pnp
2009-01-18 18:44 . 2008-04-13 20:19 146,048 --a------ c:\windows\system32\drivers\portcls.sys
2009-01-18 18:44 . 2008-04-13 20:19 146,048 --a--c--- c:\windows\system32\dllcache\portcls.sys
2009-01-18 18:44 . 2008-04-13 19:45 60,160 --a------ c:\windows\system32\drivers\drmk.sys
2009-01-18 18:44 . 2008-04-13 19:45 60,160 --a--c--- c:\windows\system32\dllcache\drmk.sys
2009-01-18 18:24 . 2009-01-18 18:24 <DIR> d-------- c:\programmi\CDBurnerXP
2009-01-18 18:24 . 2009-01-18 18:24 <DIR> d-------- c:\documents and settings\EddyFede\Dati applicazioni\Canneverbe_Limited
2009-01-18 18:22 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-18 18:20 . 2009-01-18 18:22 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-18 18:20 . 2009-01-18 18:20 <DIR> d-------- c:\programmi\Reference Assemblies
2009-01-18 18:20 . 2009-01-18 18:20 <DIR> d-------- c:\programmi\MSBuild
2009-01-18 18:19 . 2009-01-18 18:20 <DIR> d-------- C:\9cc5b775a9ea79d8a158c8d5a5
2009-01-18 18:19 . 2008-07-06 13:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-01-18 18:19 . 2008-07-06 13:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-18 18:19 . 2008-07-06 11:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-18 18:19 . 2008-07-06 13:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-01-18 18:19 . 2008-07-06 13:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-18 18:19 . 2008-07-06 13:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-01-18 18:19 . 2008-07-06 13:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-18 18:06 . 2009-01-18 18:06 <DIR> d-------- c:\windows\system32\it
2009-01-18 18:06 . 2009-01-18 18:06 <DIR> d-------- c:\windows\system32\bits
2009-01-18 18:06 . 2009-01-18 18:06 <DIR> d-------- c:\windows\l2schemas
2009-01-18 18:03 . 2009-01-18 18:06 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-18 17:35 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2009-01-18 17:30 . 2009-01-18 17:30 <DIR> d-------- c:\programmi\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 13:04 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\Skype
2009-01-18 15:56 --------- d-----w c:\programmi\NOS
2009-01-18 15:56 --------- d-----w c:\programmi\Avira
2009-01-18 15:56 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\NOS
2009-01-18 15:56 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Avira
2009-01-18 15:49 --------- d-----w c:\programmi\MSECache
2009-01-18 15:49 --------- d-----w c:\programmi\File comuni\Adobe
2009-01-18 15:46 --------- d-----w c:\programmi\Microsoft Works
2009-01-18 15:46 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Microsoft Help
2009-01-18 15:39 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\AVGTOOLBAR
2009-01-18 15:36 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\DAEMON Tools Lite
2009-01-18 15:33 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\DAEMON Tools Pro
2009-01-18 15:33 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\DAEMON Tools
2009-01-18 15:33 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\DAEMON Tools Lite
2009-01-18 15:32 --------- d-----w c:\programmi\DAEMON Tools Lite
2009-01-18 15:30 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\vlc
2009-01-18 15:28 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-18 15:28 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-18 15:28 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-18 15:28 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-18 15:28 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-18 15:28 --------- d-----w c:\programmi\VideoLAN
2009-01-18 15:26 --------- d-----w c:\programmi\eMule AdunanzA
2009-01-18 15:26 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\eMule AdunanzA
2009-01-18 15:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\avg8
2009-01-18 15:19 231,193 ----a-w c:\windows\gPhotoShow_Toolbar_Uninstaller_5093.exe
2009-01-18 15:19 --------- d-----w c:\programmi\WallpaperSS
2009-01-18 15:19 --------- d-----w c:\programmi\Skype
2009-01-18 15:19 --------- d-----w c:\programmi\gPhotoShow Toolbar
2009-01-18 15:19 --------- d-----w c:\programmi\File comuni\Skype
2009-01-18 15:19 --------- d-----w c:\documents and settings\EddyFede\Dati applicazioni\WallpaperSS
2009-01-18 15:19 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Skype
2009-01-18 15:14 --------- d-----w c:\programmi\AVG
2009-01-18 15:05 --------- d-----w c:\programmi\microsoft frontpage
2009-01-18 15:03 --------- d-----w c:\programmi\Servizi in linea
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WallpaperSS"="c:\programmi\WallpaperSS\WallpaperSS.exe" [2007-03-12 430080]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-18 1601304]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avgnt"="c:\programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-01-18 136600]
"SoundMan"="SOUNDMAN.EXE" [2005-06-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-06-29 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-18 16:28 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-18 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-18 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-18 107272]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 903960]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-18 298264]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.enelenergia.it/
FF - ProfilePath - c:\documents and settings\EddyFede\Dati applicazioni\Mozilla\Firefox\Profiles\vwbh6vhx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 15:23:08
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll
.
Ora fine scansione: 2009-01-20 15.24.00
ComboFix-quarantined-files.txt 2009-01-20 14:23:57
ComboFix2.txt 2009-01-20 14:09:29
ComboFix3.txt 2009-01-20 13:08:47

Pre-Run: 189.128.429.568 byte disponibili
Post-Run: 189,115,252,736 byte disponibili

166 --- E O F --- 2009-01-19 13:20:02
fedebertola
Aficionado
Posts: 30
Joined: Sun Mar 23, 2008 2:48 pm

Re: virus

Post by fedebertola » Tue Jan 20, 2009 4:05 pm

here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.33
Versione del database: 1670
Windows 5.1.2600 Service Pack 3

20/01/2009 16.07.58
mbam-log-2009-01-20 (16-07-55).txt

Tipo di scansione: Scansione completa (B:\|C:\|D:\|L:\|)
Elementi scansionati: 102058
Tempo trascorso: 36 minute(s), 7 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 1

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\System Volume Information\_restore{D3563D78-059F-4C99-9049-B526999F9665}\RP22\A0004929.exe (Trojan.Agent) -> No action taken.

Re: virus

Post by fedebertola » Wed Jan 21, 2009 9:59 am

What do the two logs show? Is the PC infected? And the USB stick?

Re: virus

Post by Amantide » Wed Jan 21, 2009 3:01 pm

Nothing else suspicious shows up in the log; you just need to let Malwarebytes delete that infected file, which was caught inside the restore point.
If you notice anything odd, let us know [^]
...to fly high, you have to know how to fall...
Amantide
Membro Ufficiale (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo
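The Malwarebytes log above lists one hit under C:\System Volume Information\_restore{...}\RP22, i.e. a copy kept by System Restore, left as "No action taken". The parser below is an added example for this thread (not Malwarebytes or forum code): it reads the "File infetti:" section of a 1.x text log, marks entries that sit inside a restore point, and lists those the scanner has not yet removed. The sample log is constructed in the posted layout; its first path is the one from the thread, the second entry is invented for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the posted log; the first path is the one
# posted in the thread, the second line is an invented entry for contrast.
SAMPLE_LOG = """File infetti: 2

File infetti:
C:\\System Volume Information\\_restore{D3563D78-059F-4C99-9049-B526999F9665}\\RP22\\A0004929.exe (Trojan.Agent) -> No action taken.
C:\\Documents and Settings\\user\\Impostazioni locali\\Temp\\example.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection per line: <path> (<detection name>) -> <action taken>.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# System Restore keeps copies of replaced files under this tree; a hit here is a
# stored copy, not a running program, and is cleared by letting the scanner delete it.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)

@dataclass
class Detection:
    path: str
    name: str
    action: str
    in_restore_point: bool
    handled: bool          # False when the log says "No action taken"

def parse_infected_files(log_text: str) -> list:
    """Extract the entries listed under the 'File infetti:' section header."""
    detections, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"File infetti:", line):   # section header (no count)
            in_section = True
            continue
        if not in_section or not line or line.startswith("("):
            continue                                # blank or '(Nessun elemento ...)'
        m = DETECTION_RE.match(line)
        if m is None:
            continue                                # next section or unexpected line
        detections.append(Detection(
            path=m["path"], name=m["name"], action=m["action"],
            in_restore_point=bool(RESTORE_POINT_RE.search(m["path"])),
            handled=not m["action"].lower().startswith("no action taken")))
    return detections

def needs_followup(detections):
    """Entries still on disk: anything the scanner did not quarantine or delete."""
    return [d for d in detections if not d.handled]

if __name__ == "__main__":
    for d in parse_infected_files(SAMPLE_LOG):
        where = "restore point" if d.in_restore_point else "live path"
        print(f"{d.name:<14} {where:<14} handled={d.handled}  {d.path}")
```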

Re: virus

Post by fedebertola » Thu Jan 22, 2009 10:57 am

thanks a lot :)
Powered by phpBB © 2002, 2005, 2007, 2008 phpBB Group
Traduzione Italiana phpBB.it

megalab.it: testata telematica quotidiana registrata al Tribunale di Cosenza n. 22/09 del 13.08.2009, editore Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa Tutti i diritti sono riservati. Per la pubblicità: Master Advertising