  1. #1
    HTML.it user | Registered: May 2008 | Posts: 12

    Win32 Rootkit and Trojan Downloader Delf infection

    Hi everyone.
    First of all, I have read the pages with the useful links and all the procedures for removing malware, trojans, downloaders and so on; I tried them all and in the end decided to open this topic.

    I have Windows XP SP2.
    Symptoms: pop-up windows opened when I searched on Google, the PC is extremely slow, I cannot access sites and forums that discuss PC security (the Explorer page closes suddenly), and I cannot use anti-spyware programs or HijackThis.

    What I did:
    - Scan with the AVAST antivirus, which detects the ROOTKIT WIN32: PODNHUA.q. If I try to move it to the avast chest or delete it, it says access denied.
    - Scan with SPYWARE DOCTOR: it detects the TROJAN DOWNLOADER DELF but never manages to remove it; it reappears at every scan. (It also detects two minor pieces of malware, but I think they are consequences of the first, also because they change name every time: Adaware.advertizing and Application.TrackingCookies)
    - Online scan with AVG: it also finds the TROJAN and removes it, but then it comes back.
    - Same as above with Kaspersky.
    - I ran scans with all the anti-rootkit, anti-LinkOptimizer and anti-Gromozon tools and rootkit revealers (e.g. PREVX, FIXLINKOPTIMIZER, etc.) but they find no rootkit on my system.
    - As mentioned, I cannot use many programs, because if I search for them on the internet the browser page closes, and if I have them sent to me renamed and disguised the setup does not start anyway. Some of the programs I cannot use: HIJACKTHIS, VIRIT, CCLEANER, SPYBOT

    Notes:
    - Both AVAST and SPYWARE DOCTOR identify a .dll responsible for both viruses:
    E:\WINDOWS\system32\ccfgnte.dll but of course I cannot remove it because it is in use.
    - I am not familiar with registry keys, so I cannot tell from them what is wrong (I say this because Spyware Doctor, in its scan results, besides ccfgnte.dll also gives me some registry keys that I suppose are infected and that cannot be removed).

    I hope I have been as clear as possible... is there any hope?

  2. #2
    HTML.it user | Registered: Jan 2006 | Posts: 1,836
    hi

    have you tried running some scans again in safe mode? That way maybe some file used by the virus is not active; it's worth a try
    BooTzenN

    The quantum problem is so extraordinarily important and difficult that it should be at the center of everyone's attention

    Opera browser..making you faster!

  3. #3
    HTML.it user | Registered: May 2008 | Posts: 12
    I tried but nothing changes. The various anti-rootkit tools still do not see the files, and the programs that do not work do not run in safe mode either.
    In safe mode AVAST at least attempts to delete the file (the access denied window does not appear), but when I go and check, it turns out it has not deleted it, only "selected pending deletion"... and guess what, at the next reboot and the next scan, the rootkit is there again. SPYWARE DOCTOR, on the other hand, cannot remove it, just as in normal mode.

  4. #4
    HTML.it user nifriz | Registered: Jan 2008 | Posts: 2,058
    You said that with AVG and AVAST you managed to remove it but it reappears.. Try disabling SYSTEM RESTORE and try again!

  5. #5


    Download ComboFix:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    Save it to the desktop.

    1. Double-click combofix.exe,
    2. Type 1, press Enter and follow the instructions.
    3. When it finishes, a log file named C:\ComboFix.txt will be created.
    4. Post the log that was created
    Eset Statik-Shadow Defender-Hypersight RD-System Safety Monitor

  6. #6
    HTML.it user | Registered: May 2008 | Posts: 12
    Here is the ComboFix log (thanks for the help!):

    ComboFix 08-05-01.3 - Arianna 2008-05-06 19.21.18.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.426 [GMT 2:00]
    Eseguito da: E:\Documents and Settings\Arianna\Desktop\ComboFix.exe
    * Creato nuovo punto di ripristino

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\WINDOWS\system32\appcert

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GRANDE48
    -------\Service_grande48


    ((((((((((((((((((((((((( Files Creati Da 2008-04-06 al 2008-05-06 )))))))))))))))))))))))))))))))))))
    .

    2008-05-06 19:30 . 2008-05-06 19:30 84 --a------ E:\WINDOWS\system32\ikhcore.cfg
    2008-05-05 21:45 . 2008-05-05 21:48 <DIR> d-------- E:\Programmi\SUPERAntiSpyware
    2008-05-05 21:45 . 2008-05-05 21:45 <DIR> d-------- E:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
    2008-05-05 21:42 . 2008-05-05 21:42 <DIR> d-------- E:\Programmi\Sophos
    2008-05-05 21:16 . 2008-05-05 21:16 <DIR> dr------- E:\Documents and Settings\NetworkService\Preferiti
    2008-05-05 19:09 . 2008-05-05 21:25 <DIR> d-------- E:\Programmi\Spyware Doctor
    2008-05-05 19:09 . 2008-05-05 19:09 <DIR> d-------- E:\Documents and Settings\Arianna\Dati applicazioni\PC Tools
    2008-05-05 19:09 . 2007-12-10 13:53 81,288 --a------ E:\WINDOWS\system32\drivers\iksyssec.sys
    2008-05-05 19:09 . 2007-12-10 13:53 66,952 --a------ E:\WINDOWS\system32\drivers\iksysflt.sys
    2008-05-05 19:09 . 2008-02-01 11:55 42,376 --a------ E:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-05-05 19:09 . 2007-12-10 13:53 29,576 --a------ E:\WINDOWS\system32\drivers\kcom.sys
    2008-04-24 15:29 . 2008-04-24 15:29 1,338 --a------ E:\WINDOWS\psmplay.ini
    2008-04-24 01:59 . 1999-08-25 15:57 415,504 --a------ E:\WINDOWS\system32\Msrepl35.dll
    2008-04-24 01:59 . 1998-05-31 00:00 72,704 --a------ E:\WINDOWS\system32\Odbctl32.dll
    2008-04-23 16:46 . 2008-04-23 16:46 <DIR> d-------- E:\Documents and Settings\All Users\Dati applicazioni\NCH Swift Sound
    2008-04-23 16:35 . 2008-04-23 16:35 253,952 --------- E:\WINDOWS\Setup1.exe
    2008-04-23 16:34 . 2008-04-23 16:35 74,752 --a------ E:\WINDOWS\ST6UNST.EXE
    2008-04-15 22:31 . 2008-04-15 22:30 14,348 --a------ E:\WINDOWS\system32\NeroCheck.exe3520721081
    2008-04-07 12:54 . 2008-04-07 12:54 <DIR> d-------- E:\Programmi\Nuova cartella
    2008-04-07 12:15 . 2008-04-07 13:15 <DIR> d-------- E:\Programmi\p-nand-q.com
    2008-04-06 15:52 . 2008-05-06 19:30 <DIR> d-a------ E:\Documents and Settings\All Users\Dati applicazioni\TEMP
    2008-04-06 15:43 . 2008-04-06 15:43 0 --a------ E:\WINDOWS\nsreg.dat
    2008-04-06 11:16 . 2008-04-06 15:29 <DIR> d-------- E:\Documents and Settings\Arianna\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-06 12:04 --------- d-----w E:\Programmi\QuickTime
    2008-05-05 19:55 --------- d-----w E:\Programmi\Mediacenter
    2008-05-05 19:02 --------- d-----w E:\Programmi\eMule
    2008-04-24 16:33 --------- d-----w E:\Programmi\NCH Swift Sound
    2008-04-23 18:00 --------- d-----w E:\Documents and Settings\Arianna\Dati applicazioni\NCH Swift Sound
    2008-04-21 23:12 --------- d-----w E:\Programmi\RADVideo
    2008-04-11 15:39 --------- d-----w E:\Programmi\Motive
    2008-04-07 10:37 --------- d-----w E:\Programmi\MSN Messenger
    2008-04-06 13:32 2,855 ----a-w E:\WINDOWS\PIF\pippo1.PIF
    2008-04-06 11:44 --------- d-----w E:\Programmi\Windows Defender
    2008-04-06 11:44 --------- d-----w E:\Programmi\DAEMON Tools
    2008-04-04 22:18 19,712 ----a-w E:\WINDOWS\system32\drivers\wtmbjwyv.dat
    2008-04-01 12:08 14,348 ----a-w E:\WINDOWS\system32\NeroCheck .exe
    2008-03-21 16:33 --------- d-----w E:\Documents and Settings\Arianna\Dati applicazioni\Easy Thumbnails
    2008-03-21 16:25 --------- d-----w E:\Programmi\Easy Thumbnails
    2007-05-03 11:17 92,064 -c--a-w E:\Documents and Settings\Arianna\mqdmmdm.sys
    2007-05-03 11:17 9,232 -c--a-w E:\Documents and Settings\Arianna\mqdmmdfl.sys
    2007-05-03 11:17 79,328 -c--a-w E:\Documents and Settings\Arianna\mqdmserd.sys
    2007-05-03 11:17 66,656 ----a-w E:\Documents and Settings\Arianna\mqdmbus.sys
    2007-05-03 11:17 6,208 -c--a-w E:\Documents and Settings\Arianna\mqdmcmnt.sys
    2007-05-03 11:17 5,936 -c--a-w E:\Documents and Settings\Arianna\mqdmwhnt.sys
    2007-05-03 11:17 4,048 ----a-w E:\Documents and Settings\Arianna\mqdmcr.sys
    2007-05-03 11:17 25,600 ----a-w E:\Documents and Settings\Arianna\usbsermptxp.sys
    2007-05-03 11:17 22,768 -c--a-w E:\Documents and Settings\Arianna\usbsermpt.sys
    .
    ----a-w            79,224 2007-12-04 13:00:23  E:\Programmi\Alwil Software\Avast4\ashDisp .exe
    ----a-w            15,360 2004-08-19 13:39:36  E:\WINDOWS\system32\ctfmon .exe
    ----a-w            14,348 2008-04-01 12:08:11  E:\WINDOWS\system32\NeroCheck .exe

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-r 313,472 2006-03-30 15:45:08 E:\Programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

    ----a-w 79,224 2007-12-04 13:00:23 E:\Programmi\Alwil Software\Avast4\bak\ashDisp.exe
    ----a-w 79,224 2008-03-29 17:37:13 E:\Programmi\Alwil Software\Avast4\ashDisp.exe

    ----a-w 171,464 2007-09-18 14:16:16 E:\Programmi\DAEMON Tools\bak\daemon.exe

    ----a-w 132,496 2007-09-25 00:11:35 E:\Programmi\Java\jre1.6.0_03\bin\bak\jusched.exe

    ----a-w 155,648 2006-02-03 15:22:37 E:\Programmi\QuickTime\bak\bak\qttask.exe

    ----a-w 155,648 2006-02-03 15:22:37 E:\Programmi\QuickTime\bak\bak\qttask.exe

    ----a-w 866,584 2006-11-03 17:20:12 E:\Programmi\Windows Defender\bak\MSASCui.exe

    ----a-w 4,670,968 2007-03-27 13:22:56 E:\Programmi\Yahoo!\Messenger\bak\YAHOOM~1.EXE

    ----a-w 15,360 2004-08-19 13:39:36 E:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-19 13:39:36 E:\WINDOWS\system32\ctfmon.exe

    ----a-w 155,648 2001-07-09 09:50:42 E:\WINDOWS\system32\bak\NeroCheck.exe

    .
    ((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* i valori vuoti & legittimi/default non sono visualizzati.

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D54F0E3-7302-4022-BFE3-D7E842EDE360}]
    2001-08-31 17:00 88064 --a------ E:\WINDOWS\system32\ccfgnte.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [ ]
    "updateMgr"="E:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
    "DAEMON Tools"="E:\Programmi\DAEMON Tools\daemon.exe" [ ]
    "CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
    "AlcoholAutomount"="E:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="E:\Programmi\Windows Defender\MSASCui.exe" [ ]
    "QuickTime Task"="E:\Programmi\QuickTime\bak\qttask.exe" [ ]
    "NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [ ]
    "drvkmsuh"="e:\windows\system32\drvkmsuh.exe" [ ]
    "ISTray"="E:\Programmi\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15:39 15360]
    "ALUAlert"="E:\Programmi\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-22 11:27 54880]

    E:\Documents and Settings\Arianna\Menu Avvio\Programmi\Esecuzione automatica\
    TomTom HOME.lnk - E:\Programmi\TomTom HOME\TomTomHOME.exe [2006-05-15 14:57:04 4815016]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.xvid"= xvid.dll
    "VIDC.MJPG"= pvmjpg30.dll
    "VIDC.PIMJ"= pvljpg20.dll
    "VIDC.PVW2"= PVWV220.dll
    "VIDC.HFYU"= huffyuv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
    Debugger="e:\windows\system32\nremrvwr.log"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "E:\\Programmi\\eMule\\emule.exe"=
    "E:\\Programmi\\Ahead\\Nero ShowTime\\ShowTime.exe"=
    "E:\\WINDOWS\\system32\\sessmgr.exe"=
    "E:\\Programmi\\BitComet\\BitComet.exe"=
    "E:\\Programmi\\Yahoo!\\Messenger\\YServer.exe"=
    "E:\\Programmi\\Real\\RealPlayer\\realplay.exe"=
    "E:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"=
    "E:\\Programmi\\QuickTime\\QuickTimePlayer.exe"=
    "E:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
    "E:\\Programmi\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "16525:UDP"= 16525:UDP:Rosso Alice UDP

    R0 pvpxkecz;pvpxkecz;E:\WINDOWS\system32\drivers\wtmbjwyv.dat []
    R1 aswSP;avast! Self Protection;E:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
    R2 aswFsBlk;aswFsBlk;E:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
    S3 AMOSK;AMOSK;E:\DOCUME~1\Arianna\IMPOST~1\Temp\AMOSK.exe []
    S3 JWPZFFEESTT;JWPZFFEESTT;E:\DOCUME~1\Arianna\IMPOST~1\Temp\JWPZFFEESTT.exe []
    S3 MEMSWEEP2;MEMSWEEP2;E:\WINDOWS\system32\3.tmp []
    S3 OVVEWOT;OVVEWOT;E:\DOCUME~1\Arianna\IMPOST~1\Temp\OVVEWOT.exe []
    S3 PAC207;USB PC Cam Plus;E:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-02-24 12:29]
    S3 sonypvs1;Sony Digital Imaging Video2;E:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{315ca23a-8485-11dc-a3f9-00036f351123}]
    \Shell\AutoRun\command - G:\jones3d.exe

    .
    Contenuto della cartella 'Scheduled Tasks'
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\aaipy.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\aaobwxkf.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\aasv.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\afdopx.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\amuergm.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\cpixb.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\gxweuogv.job"
    - e:\windows\system32\ctfnmgyq.exe
    "2008-05-06 17:29:38 E:\WINDOWS\Tasks\ixkln.job"
    - e:\windows\system32\ctfnmgyq.exe
    "2008-05-06 17:29:38 E:\WINDOWS\Tasks\kxluj.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:32:59 E:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - E:\Programmi\Windows Defender\MpCmdRun.exe
    "2008-05-06 17:29:38 E:\WINDOWS\Tasks\qhtlclv.job"
    - e:\windows\system32\ctfnmgyq.exe
    "2008-05-06 17:29:58 E:\WINDOWS\Tasks\Symantec NetDetect.job"
    - E:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-06 19:31:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scansione processi nascosti ...

    scansione entrate autostart nascoste ...

    Scansione files nascosti ...

    Scansione completata con successo
    Files nascosti: 101

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\E:\WINDOWS\system32\3.tmp"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pvpxkecz]
    "ImagePath"="system32\drivers\wtmbjwyv.dat"
    .
    ------------------------ Other Running Processes ------------------------
    .
    E:\Programmi\Windows Defender\MsMpEng.exe
    E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    E:\Programmi\Alwil Software\Avast4\ashServ.exe
    E:\Programmi\Spyware Doctor\pctsAuxs.exe
    E:\Programmi\Spyware Doctor\pctsSvc.exe
    E:\WINDOWS\system32\PAStiSvc.exe
    E:\WINDOWS\system32\wdfmgr.exe
    E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    E:\WINDOWS\system32\imapi.exe
    .
    **************************************************************************
    .
    Ora fine scansione: 2008-05-06 19:40:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-06 17:40:16

    9 Directory 19,000,520,704 byte disponibili
    13 Directory 19,949,498,368 byte disponibili

    206

  7. #7
    disconnect from the internet
    - disable the antivirus
    - open Notepad, then copy and save this text (in red)

    KillAll::
    File::

    E:\WINDOWS\system32\ccfgnte.dll
    E:\WINDOWS\system32\drivers\wtmbjwyv.dat


    - save the document in the same folder as the combofix.exe executable and name it CFScript.txt
    - with the mouse, drag the CFScript.txt file onto the red ComboFix icon


    it will start, and when it has finished it will reboot (if it does not, restart it yourself)
    when it is done a new combofix.txt log will be created; post it

    Empty these folders completely:
    E:\WINDOWS\temp
    E:\WINDOWS\Tasks


    Bye
    Eset Statik-Shadow Defender-Hypersight RD-System Safety Monitor

  8. #8
    HTML.it user | Registered: May 2008 | Posts: 12
    I cannot empty the two folders you indicated. Temp has a file in use that I cannot delete, and in the other one it is simply impossible to delete anything; I only have the "Open" option.

    New log:

    ComboFix 08-05-01.3 - Arianna 2008-05-06 19:48:34.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.513 [GMT 2:00]
    Eseguito da: E:\Documents and Settings\Arianna\Desktop\combofi\ComboFix.exe
    Command switches used :: E:\Documents and Settings\Arianna\Desktop\combofi\CFScript.txt
    * Creato nuovo punto di ripristino

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    E:\WINDOWS\system32\ccfgnte.dll
    E:\WINDOWS\system32\drivers\wtmbjwyv.dat
    .

    ((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\WINDOWS\system32\ccfgnte.dll
    E:\WINDOWS\system32\drivers\wtmbjwyv.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_pvpxkecz
    -------\Service_pvpxkecz


    ((((((((((((((((((((((((( Files Creati Da 2008-04-06 al 2008-05-06 )))))))))))))))))))))))))))))))))))
    .

    2008-05-05 21:45 . 2008-05-05 21:48 <DIR> d-------- E:\Programmi\SUPERAntiSpyware
    2008-05-05 21:45 . 2008-05-05 21:45 <DIR> d-------- E:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
    2008-05-05 21:42 . 2008-05-05 21:42 <DIR> d-------- E:\Programmi\Sophos
    2008-05-05 21:16 . 2008-05-05 21:16 <DIR> dr------- E:\Documents and Settings\NetworkService\Preferiti
    2008-05-05 19:09 . 2008-05-05 21:25 <DIR> d-------- E:\Programmi\Spyware Doctor
    2008-05-05 19:09 . 2008-05-05 19:09 <DIR> d-------- E:\Documents and Settings\Arianna\Dati applicazioni\PC Tools
    2008-05-05 19:09 . 2007-12-10 13:53 81,288 --a------ E:\WINDOWS\system32\drivers\iksyssec.sys
    2008-05-05 19:09 . 2007-12-10 13:53 66,952 --a------ E:\WINDOWS\system32\drivers\iksysflt.sys
    2008-05-05 19:09 . 2008-02-01 11:55 42,376 --a------ E:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-05-05 19:09 . 2007-12-10 13:53 29,576 --a------ E:\WINDOWS\system32\drivers\kcom.sys
    2008-04-24 15:29 . 2008-04-24 15:29 1,338 --a------ E:\WINDOWS\psmplay.ini
    2008-04-24 01:59 . 1999-08-25 15:57 415,504 --a------ E:\WINDOWS\system32\Msrepl35.dll
    2008-04-24 01:59 . 1998-05-31 00:00 72,704 --a------ E:\WINDOWS\system32\Odbctl32.dll
    2008-04-23 16:46 . 2008-04-23 16:46 <DIR> d-------- E:\Documents and Settings\All Users\Dati applicazioni\NCH Swift Sound
    2008-04-23 16:35 . 2008-04-23 16:35 253,952 --------- E:\WINDOWS\Setup1.exe
    2008-04-23 16:34 . 2008-04-23 16:35 74,752 --a------ E:\WINDOWS\ST6UNST.EXE
    2008-04-15 22:31 . 2008-04-15 22:30 14,348 --a------ E:\WINDOWS\system32\NeroCheck.exe3520721081
    2008-04-07 12:54 . 2008-04-07 12:54 <DIR> d-------- E:\Programmi\Nuova cartella
    2008-04-07 12:15 . 2008-04-07 13:15 <DIR> d-------- E:\Programmi\p-nand-q.com
    2008-04-06 15:52 . 2008-05-06 19:32 <DIR> d-a------ E:\Documents and Settings\All Users\Dati applicazioni\TEMP
    2008-04-06 15:43 . 2008-04-06 15:43 0 --a------ E:\WINDOWS\nsreg.dat
    2008-04-06 11:16 . 2008-04-06 15:29 <DIR> d-------- E:\Documents and Settings\Arianna\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-06 12:04 --------- d-----w E:\Programmi\QuickTime
    2008-05-05 19:55 --------- d-----w E:\Programmi\Mediacenter
    2008-05-05 19:02 --------- d-----w E:\Programmi\eMule
    2008-04-24 16:33 --------- d-----w E:\Programmi\NCH Swift Sound
    2008-04-23 18:00 --------- d-----w E:\Documents and Settings\Arianna\Dati applicazioni\NCH Swift Sound
    2008-04-21 23:12 --------- d-----w E:\Programmi\RADVideo
    2008-04-11 15:39 --------- d-----w E:\Programmi\Motive
    2008-04-07 10:37 --------- d-----w E:\Programmi\MSN Messenger
    2008-04-06 13:32 2,855 ----a-w E:\WINDOWS\PIF\pippo1.PIF
    2008-04-06 11:44 --------- d-----w E:\Programmi\Windows Defender
    2008-04-06 11:44 --------- d-----w E:\Programmi\DAEMON Tools
    2008-04-01 12:08 14,348 ----a-w E:\WINDOWS\system32\NeroCheck .exe
    2008-03-21 16:33 --------- d-----w E:\Documents and Settings\Arianna\Dati applicazioni\Easy Thumbnails
    2008-03-21 16:25 --------- d-----w E:\Programmi\Easy Thumbnails
    2007-05-03 11:17 92,064 -c--a-w E:\Documents and Settings\Arianna\mqdmmdm.sys
    2007-05-03 11:17 9,232 -c--a-w E:\Documents and Settings\Arianna\mqdmmdfl.sys
    2007-05-03 11:17 79,328 -c--a-w E:\Documents and Settings\Arianna\mqdmserd.sys
    2007-05-03 11:17 66,656 ----a-w E:\Documents and Settings\Arianna\mqdmbus.sys
    2007-05-03 11:17 6,208 -c--a-w E:\Documents and Settings\Arianna\mqdmcmnt.sys
    2007-05-03 11:17 5,936 -c--a-w E:\Documents and Settings\Arianna\mqdmwhnt.sys
    2007-05-03 11:17 4,048 ----a-w E:\Documents and Settings\Arianna\mqdmcr.sys
    2007-05-03 11:17 25,600 ----a-w E:\Documents and Settings\Arianna\usbsermptxp.sys
    2007-05-03 11:17 22,768 -c--a-w E:\Documents and Settings\Arianna\usbsermpt.sys
    .
    ----a-w            79,224 2007-12-04 13:00:23  E:\Programmi\Alwil Software\Avast4\ashDisp .exe
    ----a-w            15,360 2004-08-19 13:39:36  E:\WINDOWS\system32\ctfmon .exe
    ----a-w            14,348 2008-04-01 12:08:11  E:\WINDOWS\system32\NeroCheck .exe

    ((((((((((((((((((((((((((((( snapshot@2008-05-06_19.38.28.46 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-05-06 17:29:48 16,384 ----atw E:\WINDOWS\Temp\Perflib_Perfdata_700.dat
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* i valori vuoti & legittimi/default non sono visualizzati.

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [ ]
    "updateMgr"="E:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
    "DAEMON Tools"="E:\Programmi\DAEMON Tools\daemon.exe" [ ]
    "CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
    "AlcoholAutomount"="E:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="E:\Programmi\Windows Defender\MSASCui.exe" [ ]
    "QuickTime Task"="E:\Programmi\QuickTime\bak\qttask.exe" [ ]
    "NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [ ]
    "drvkmsuh"="e:\windows\system32\drvkmsuh.exe" [ ]
    "ISTray"="E:\Programmi\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 15:39 15360]
    "ALUAlert"="E:\Programmi\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-22 11:27 54880]

    E:\Documents and Settings\Arianna\Menu Avvio\Programmi\Esecuzione automatica\
    TomTom HOME.lnk - E:\Programmi\TomTom HOME\TomTomHOME.exe [2006-05-15 14:57:04 4815016]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.xvid"= xvid.dll
    "VIDC.MJPG"= pvmjpg30.dll
    "VIDC.PIMJ"= pvljpg20.dll
    "VIDC.PVW2"= PVWV220.dll
    "VIDC.HFYU"= huffyuv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "E:\\Programmi\\eMule\\emule.exe"=
    "E:\\Programmi\\Ahead\\Nero ShowTime\\ShowTime.exe"=
    "E:\\WINDOWS\\system32\\sessmgr.exe"=
    "E:\\Programmi\\BitComet\\BitComet.exe"=
    "E:\\Programmi\\Yahoo!\\Messenger\\YServer.exe"=
    "E:\\Programmi\\Real\\RealPlayer\\realplay.exe"=
    "E:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"=
    "E:\\Programmi\\QuickTime\\QuickTimePlayer.exe"=
    "E:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
    "E:\\Programmi\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "16525:UDP"= 16525:UDP:Rosso Alice UDP

    R1 aswSP;avast! Self Protection;E:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
    R2 aswFsBlk;aswFsBlk;E:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
    S3 AMOSK;AMOSK;E:\DOCUME~1\Arianna\IMPOST~1\Temp\AMOSK.exe []
    S3 JWPZFFEESTT;JWPZFFEESTT;E:\DOCUME~1\Arianna\IMPOST~1\Temp\JWPZFFEESTT.exe []
    S3 MEMSWEEP2;MEMSWEEP2;E:\WINDOWS\system32\3.tmp []
    S3 OVVEWOT;OVVEWOT;E:\DOCUME~1\Arianna\IMPOST~1\Temp\OVVEWOT.exe []
    S3 PAC207;USB PC Cam Plus;E:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-02-24 12:29]
    S3 sonypvs1;Sony Digital Imaging Video2;E:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{315ca23a-8485-11dc-a3f9-00036f351123}]
    \Shell\AutoRun\command - G:\jones3d.exe

    .
    Contenuto della cartella 'Scheduled Tasks'
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\aaipy.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\aaobwxkf.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\aasv.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\afdopx.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\amuergm.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\cpixb.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:29:39 E:\WINDOWS\Tasks\gxweuogv.job"
    - e:\windows\system32\ctfnmgyq.exe
    "2008-05-06 17:29:38 E:\WINDOWS\Tasks\ixkln.job"
    - e:\windows\system32\ctfnmgyq.exe
    "2008-05-06 17:29:38 E:\WINDOWS\Tasks\kxluj.job"
    - e:\windows\system32\drvkmsuh.exe
    "2008-05-06 17:32:56 E:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - E:\Programmi\Windows Defender\MpCmdRun.exe
    "2008-05-06 17:29:38 E:\WINDOWS\Tasks\qhtlclv.job"
    - e:\windows\system32\ctfnmgyq.exe
    "2008-05-06 17:30:33 E:\WINDOWS\Tasks\Symantec NetDetect.job"
    - E:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-06 19:30:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scansione processi nascosti ...

    scansione entrate autostart nascoste ...

    Scansione files nascosti ...

    Scansione completata con successo
    Files nascosti: 101

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\E:\WINDOWS\system32\3.tmp"
    .
    ------------------------ Other Running Processes ------------------------
    .
    E:\Programmi\Windows Defender\MsMpEng.exe
    E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    E:\Programmi\Alwil Software\Avast4\ashServ.exe
    E:\Programmi\Spyware Doctor\pctsAuxs.exe
    E:\Programmi\Spyware Doctor\pctsSvc.exe
    E:\WINDOWS\system32\PAStiSvc.exe
    E:\WINDOWS\system32\wdfmgr.exe
    E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    .
    **************************************************************************
    .
    Ora fine scansione: 2008-05-06 19:38:58 - machine was rebooted [Arianna]
    ComboFix-quarantined-files.txt 2008-05-06 17:38:49
    ComboFix2.txt 2008-05-06 17:40:35

    9 Directory 20,154,220,544 byte disponibili
    12 Directory 20,173,025,280 byte disponibili

    194

  9. #9
    Download The Avenger
    http://swandog46.geekstogo.com/avenger.zip
    save it in a folder and unpack the .zip file.
    run avenger.exe

    enter this script (blue) in the white box

    folders to delete:
    E:\WINDOWS\temp
    E:\WINDOWS\Tasks


    Click Execute
    The PC should restart (if it does not, do it yourself)
    Post the log that will be created in C:\Avenger

    also attach a HijackThis log
    http://www.trendsecure.com/portal/en...HiJackThis.zip
    Eset Statik-Shadow Defender-Hypersight RD-System Safety Monitor

  10. #10
    HTML.it user | Registered: May 2008 | Posts: 12
    Thank you so much again for the help you gave me! Avast and Spyware Doctor no longer detect anything, the .dll and folders have been deleted, and I can open all programs (as the HijackThis scan below shows) and web pages too.

    The Avenger log:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at E:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    Folder "E:\WINDOWS\temp" deleted successfully.
    Folder "E:\WINDOWS\Tasks" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.


    HijackThis log!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15.39.37, on 07/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\Programmi\Windows Defender\MsMpEng.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    E:\Programmi\Alwil Software\Avast4\ashServ.exe
    E:\WINDOWS\system32\NOTEPAD.EXE
    E:\Programmi\Spyware Doctor\pctsTray.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    E:\Programmi\TomTom HOME\TomTomHOME.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Programmi\Spyware Doctor\pctsAuxs.exe
    E:\Programmi\Spyware Doctor\pctsSvc.exe
    E:\WINDOWS\System32\PAStiSvc.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\wdfmgr.exe
    E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    E:\WINDOWS\System32\alg.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Programmi\internet explorer\iexplore.exe
    E:\Documents and Settings\Arianna\Desktop\HiJackThis\HijackThis.exe
    E:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ie/...arch.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: jBrowse Toolbar - {9E5BD40E-6287-11D6-9772-0002A5DD2483} - E:\DOCUME~1\Arianna\DOCUME~1\jBrowse\JBO.dll
    O4 - HKLM\..\Run: [Windows Defender] "E:\Programmi\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmi\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [drvkmsuh] "e:\windows\system32\drvkmsuh.exe"
    O4 - HKLM\..\Run: [ISTray] "E:\Programmi\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "E:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [DAEMON Tools] "E:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "E:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: TomTom HOME.lnk = E:\Programmi\TomTom HOME\TomTomHOME.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = E:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: Alice - {792B4D2A-8583-4F4B-AD39-8632A5C67730} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
    O15 - Trusted Zone: *.rossoalice.it
    O15 - Trusted Zone: *.rossoalice.virgilio.it
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7444F079-3BF6-41D5-AC5F-4C08414B889B}: NameServer = 85.37.17.8 85.38.28.73
    O23 - Service: AMOSK - Unknown owner - E:\DOCUME~1\Arianna\IMPOST~1\Temp\AMOSK.exe (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - E:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: JWPZFFEESTT - Unknown owner - E:\DOCUME~1\Arianna\IMPOST~1\Temp\JWPZFFEESTT.exe (file missing)
    O23 - Service: OVVEWOT - Unknown owner - E:\DOCUME~1\Arianna\IMPOST~1\Temp\OVVEWOT.exe (file missing)
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Programmi\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Programmi\Spyware Doctor\pctsSvc.exe
    O23 - Service: STI Simulator - Unknown owner - E:\WINDOWS\System32\PAStiSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 6421 bytes
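
A triage pass over the entry lines of a HijackThis log like the one posted above, as an added example that is not part of the original thread: it flags entries whose target file is missing and O23 services that report no vendor or point into a Temp directory. The sample lines are copied from that log; the heuristics and the function name `triage` are assumptions of this example, not HijackThis features.

```python
import re

# Subset of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\msmsgs.exe (file missing)
O23 - Service: AMOSK - Unknown owner - E:\DOCUME~1\Arianna\IMPOST~1\Temp\AMOSK.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - E:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: STI Simulator - Unknown owner - E:\WINDOWS\System32\PAStiSvc.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")       # "<section> - <body>"
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)   # \Temp\ or \tmp\ path component
MISSING = " (file missing)"


def triage(log_text):
    """Return [(section, body, [reasons])] for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, running-process path or blank line
        section, body = m.groups()
        reasons = []
        if body.endswith(MISSING):
            reasons.append("target file missing (orphaned entry)")
        if section == "O23" and body.startswith("Service: "):
            # rsplit keeps the fields aligned when the display name contains " - "
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                _name, owner, path = parts
                path = path.removesuffix(MISSING)
                if owner == "Unknown owner":
                    reasons.append("no vendor name reported for the service binary")
                if TEMP_DIR_RE.search(path):
                    reasons.append("service binary under a Temp directory")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {body}\n    -> " + "; ".join(reasons))
```

A flag here is a prompt for manual review of the entry, not a verdict on it.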
