avviso di zone alarm : ZeuS.Zbot.aoaq

[kayoshin]

ciao a tutti mi serve un aiutino

zonealarm mi segnala sto trojan : ZeuS.Zbot.aoaq

come posso comportarmi???


ringrazio anticipatamente


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9.59.13, on 18/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\AVG\AVGLS9\avgtray.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\RocketDock\RocketDock.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\1.2.183.29\GoogleCrashH andler.exe
C:\Programmi\LSoft Technologies Inc\Active@ Hard Disk Monitor\DiskMonitorService.exe
C:\Programmi\AskBarDis\bar\bin\AskService.exe
C:\Programmi\AVG\AVGLS9\avgwdsvc.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\AVG\AVGLS9\avgnsx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Java\jre6\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
c:\programmi\avira\antivir desktop\avcenter.exe
C:\Programmi\Avira\AntiVir Desktop\avscan.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Portable\HiJackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSour...ctid=CT1547340
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Gossiper Toolbar - {0a452a47-c5a8-4854-a237-4b9b06b376f0} - C:\Programmi\Gossiper\tbGos1.dll
R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Programmi\ZoneAlarm\tbZone.dll
O2 - BHO: Gossiper Toolbar - {0a452a47-c5a8-4854-a237-4b9b06b376f0} - C:\Programmi\Gossiper\tbGos1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programmi\AskBarDis\bar\bin\askBar1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVGLS9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Programmi\ZoneAlarm\tbZone.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmi\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Programmi\CheckPoint\ZAForceField\TrustChecker\ bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugi n.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programmi\AskBarDis\bar\bin\askBar1.dll
O3 - Toolbar: Gossiper Toolbar - {0a452a47-c5a8-4854-a237-4b9b06b376f0} - C:\Programmi\Gossiper\tbGos1.dll
O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Programmi\ZoneAlarm\tbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programmi\CheckPoint\ZAForceField\TrustChecker\ bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVGLS9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\File comuni\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Programmi\CheckPoint\ZAForceField\ForceField.e xe" /icon="hidden"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Programmi\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PalTalk.lnk = C:\Programmi\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3CBF61A-66F8-4A18-B716-C3761475384A}: NameServer = 212.216.112.222,212.216.172.162
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVGLS9\avgpp.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Active@ Disk Monitor - LSoft Technologies Inc - C:\Programmi\LSoft Technologies Inc\Active@ Hard Disk Monitor\DiskMonitorService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ASKService - Unknown owner - C:\Programmi\AskBarDis\bar\bin\AskService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG LinkScanner®9 WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVGLS9\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Programmi\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmi\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10877 bytes

[menatwork]

ciao kayoshin

per facilitare il compito di rimozione segui questa procedura


disattiva l'antivirus

scarica combofix sul desktop

alla richiesta se vuoi installare la recovery console clicca su NO

esegui ComboFix.exe

segui le instruzioni

finita la scansione portati in C:\ e allega il rapporto C:\ComboFix.txt nella tua risposta.

il rapporto caricalo qui. non incollarlo

come usare correttamente combofix

[kayoshin]

ciao menatwork

visto il mio pochissimo tempo probabilmente riuscirò a fare il tutto prossimamente

intanto ti ringrazio anticipatamente

p.s.= è grave come infezione?

[amvinfe]

in attesa di menatwork ti anticipo che se l'infezione è ancora residente nella tua macchina, la prima cosa che devi fare è quella di sostituire le password d'accesso a siti/forum/servizi di banking-online

Assicurati che ZoneAlarm abbia bloccato il malware prima che il pc venisse infettato

ciao

[kayoshin]

stasera mi assicurerò che Zonealarm abbia bloccato il malware

anche se, quando apro Chrome, dopo qualche minuto mi si aprono due o tre pagine non richieste

mi da quindi l'impressione che Zonealarm non l'abbia bloccato
infatti mi ha proposto di acquistare la versione a pagamento per riuscire a bloccarlo
la prima volta

forse sarà meglio cambiare anche firewall?

[kayoshin]

ho fatto girare combofix
ecco il risultato



ComboFix 10-09-19.04 - Administrator 20/09/2010 18.13.25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3583.2963 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))) )
.

c:\documents and settings\Administrator\Dati applicazioni\inst.exe

.
((((((((((((((((((((((((( Files Creati Da 2010-08-20 al 2010-09-20 )))))))))))))))))))))))))))))))))))
.

Nessun nuovo file creato in questo arco di tempo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
.

------- Sigcheck -------

[-] 2010-02-14 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2010-02-14 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0a452a47-c5a8-4854-a237-4b9b06b376f0}"= "c:\programmi\Gossiper\tbGos1.dll" [2010-05-18 2515552]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\programmi\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

[HKEY_CLASSES_ROOT\clsid\{0a452a47-c5a8-4854-a237-4b9b06b376f0}]

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0a452a47-c5a8-4854-a237-4b9b06b376f0}]
2010-05-18 22:16 2515552 ----a-w- c:\programmi\Gossiper\tbGos1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 17:22 333192 ----a-w- c:\programmi\AskBarDis\bar\bin\askBar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
2010-05-09 09:50 2517088 ----a-w- c:\programmi\ZoneAlarm\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\programmi\AskBarDis\bar\bin\askBar1.dll" [2008-10-16 333192]
"{0a452a47-c5a8-4854-a237-4b9b06b376f0}"= "c:\programmi\Gossiper\tbGos1.dll" [2010-05-18 2515552]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\programmi\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{0a452a47-c5a8-4854-a237-4b9b06b376f0}]

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\programmi\AskBarDis\bar\bin\askBar1.dll" [2008-10-16 333192]
"{0A452A47-C5A8-4854-A237-4B9B06B376F0}"= "c:\programmi\Gossiper\tbGos1.dll" [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{0a452a47-c5a8-4854-a237-4b9b06b376f0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"RocketDock"="c:\programmi\RocketDock\RocketDock.e xe" [2007-09-02 495616]
"Google Update"="c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.e xe" [2001-07-09 155648]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"UnlockerAssistant"="c:\programmi\Unlocker\Unlocke rAssistant.exe" [2008-05-02 15872]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"AVG9_TRAY"="c:\progra~1\AVG\AVGLS9\avgtray.ex e" [2010-07-27 2065760]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"ISW"="c:\programmi\CheckPoint\ZAForceField\ForceF ield.exe" [2010-05-26 730600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\GIOCHI\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"=
"c:\\Programmi\\GameSpy Arcade\\Aphex.exe"=
"d:\\GIOCHI\\TmNationsForever\\TmForever.exe"=
"c:\\Programmi\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programmi\\AVG\\AVGLS9\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVGLS9\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=


R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-04-22 8704]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-04-22 3072]
R4 Vax347b;Vax347b;c:\windows\system32\DRIVERS\Vax347 b.sys [2005-04-25 159616]
S0 Vax347s;Vax347s;c:\windows\System32\Drivers\Vax347 s.sys [2004-04-30 5248]
S1 AvgLdx86;AVG LinkScanner® AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-07-27 134992]
S1 AvgTdiX;AVG LinkScanner® Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-07-27 243024]
S2 Active@ Disk Monitor;Active@ Disk Monitor;c:\programmi\LSoft Technologies Inc\Active@ Hard Disk Monitor\DiskMonitorService.exe [2009-09-02 1127944]
S2 ASKService;ASKService;c:\programmi\AskBarDis\bar\b in\AskService.exe [2008-10-16 464264]
S2 avg9wd;AVG LinkScanner®9 WatchDog;c:\programmi\AVG\AVGLS9\avgwdsvc.exe [2010-07-27 308136]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\programmi\CheckPoint\ZAForceField\ISWKL.s ys [2010-05-26 26352]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\programmi\CheckPoint\ZAForceField\IswSvc .exe [2010-05-26 493032]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2007-07-03 39424]

.
Contenuto della cartella 'Scheduled Tasks'

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1060284298-725345543-500Core.job
- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2008-12-17 22:55]

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1060284298-725345543-500UA.job
- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2008-12-17 22:55]

2010-05-16 c:\windows\Tasks\SmartDefrag.job
- c:\programmi\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-03-11 14:48]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1547340
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F3CBF61A-66F8-4A18-B716-C3761475384A} = 212.216.112.222,212.216.172.162
DPF: Microsoft XML Parser for Java
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-HijackThis - c:\docume~1\ADMINI~1\IMPOST~1\Temp\Rar$EX00.547\Hi jackThis.exe



************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-20 18:22
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

************************************************** ************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-682003330-1060284298-725345543-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:62,d8,de,e9,09,2b,63,0d,10,32,d5,4a,09,70 ,50,56,e0,8d,24,7d,84,8d,d5,
42,b9,3c,25,8a,7e,ae,22,99,95,42,16,88,47,dd,86,84 ,14,49,da,73,46,a3,59,cf,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33 ,8f,50

[HKEY_USERS\S-1-5-21-682003330-1060284298-725345543-500\Software\SecuROM\License information*]
"datasecu"=hex:de,ce,25,37,87,da,4e,78,dd,f3,d5,d2 ,b4,88,fa,ab,87,8b,02,52,36,
6b,2a,1a,82,6f,79,d1,9c,12,38,4b,03,44,2e,62,3f,6c ,69,d6,c5,bd,61,93,d2,bc,\
"rkeysecu"=hex:9f,34,4d,68,15,81,90,59,4f,ef,39,cb ,f1,5a,3d,2e
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
c:\programmi\CheckPoint\ZAForceField\Plugins\ISWSH EX.dll

- - - - - - - > 'lsass.exe'(828)
c:\programmi\CheckPoint\ZAForceField\Plugins\ISWSH EX.dll
.
Ora fine scansione: 2010-09-20 18:24:04
ComboFix-quarantined-files.txt 2010-09-20 16:24

Pre-Run: 25.868.156.928 byte disponibili
Post-Run: 26.071.617.536 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EC2D7B204ABA99034CA09A1DD6DA3549

[kayoshin]

ho caricato anche il file

http://wikisend.com/download/918578/ComboFix.txt

forum link : ComboFix.txt

cos'altro devo fare?

[menatwork]

a parte l'infezione eliminata da combofix non riesco a trovare altro di pericoloso

sembra che l'avviso di zone alarm tratti un falso positivo

ti esce ancora quell'avviso? quello che posso consigliarti e' di togliere zone alarm (molto pesante e obsoleto) e installare pctolls molto leggero e veramente un gran bel firewall

prova ad installarlo e vedi se anche lui lo rileva

[kayoshin]

provvederò al cambio di firewall e poi ti dirò come mi trovo

grazie mille per l'aiuto

[menatwork]

rimuovi combofix con OTC by OldTimer

eseguilo
Clicca su CleanUp.
Alla richiesta di riavvio clicca SI

vai in C:\ e se c'e' ancora la cartella qoobox, eliminala