
Thread: win.32.vbna.a

  1. #1
    HTML.it user
    Joined: Jul 2007
    Posts: 32

    win.32.vbna.a

    I'm having big problems with the virus in the subject (detected by FSecure 8.1)

    the worm creates files of the form <username>.exe

    the worm also causes problems on pendrives, which won't open and give the error: "cannot find the file <username>.exe, check that the name and path are correct..." and to open them you have to use right-click + Explore

    deleting the file doesn't fix anything.

    FSecure renames or deletes the file but then you're back to square one.

    I tried searching the internet for information but I can't find anything convincing.

    I also ran a scan with the Kaspersky tool, which detects and deletes it but doesn't fix it.

    GMER shows no results in red.


    has anyone had this problem and maybe managed to fix it?


    thanks and bye
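The symptom in this post (the pendrive will not open from My Computer and Explorer says it cannot find `<username>.exe`) is what an autorun.inf looks like once the antivirus has removed the binary it points at but the .inf itself is still on the drive. The script below is an added example, not code from the thread or from any of the tools named in it: it parses an autorun.inf with Python's configparser and flags every `open=`, `shellexecute=` or `shell\<verb>\command=` entry that launches a program from the drive, notes when that program is named after a user account, and reports when the target is no longer present. The autorun.inf content is constructed for the example (the thread never shows the real file), and the `re_net` account name is borrowed from a later post.

```python
"""Flag autorun.inf entries of the kind this thread describes.

Added example, not code from the thread or from any of the tools mentioned.
The sample autorun.inf is constructed; the thread only shows that
autorun.inf and <username>.exe were removed side by side.
"""
from __future__ import annotations

import configparser
import ntpath
import re
from dataclasses import dataclass, field

# [autorun] keys that make XP-era Explorer/AutoPlay launch a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB = re.compile(r"shell\\[^\\]+\\command")   # shell\open\command, shell\explore\command, ...
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")

# Constructed sample (assumption, not recovered from the poster's pendrive); the account
# name re_net is the one a later post in this thread uses.
SAMPLE_AUTORUN = """[autorun]
open=re_net.exe
shellexecute=re_net.exe
shell\\open\\command=re_net.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


@dataclass
class Finding:
    key: str                 # autorun key that launches the target
    target: str              # value exactly as written in the file
    reasons: list[str] = field(default_factory=list)


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as a lower-cased dict, tolerating duplicate keys."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:          # junk before the section header, no section, etc.
        return {}
    return dict(cp.items("autorun")) if cp.has_section("autorun") else {}


def launched_binary(value: str) -> str:
    """First token of an open=/shellexecute= value: the file Explorer would run."""
    value = value.strip().strip('"')
    return value.split()[0].strip('"') if value else ""


def inspect_autorun(text: str, account_names=(), files_on_drive=()) -> list[Finding]:
    """Flag launch entries; account_names and files_on_drive are supplied by the caller."""
    entries = parse_autorun(text)
    present = {ntpath.basename(f).lower() for f in files_on_drive}
    accounts = {a.lower() for a in account_names}
    findings: list[Finding] = []
    for key, value in entries.items():
        if key not in LAUNCH_KEYS and not SHELL_VERB.fullmatch(key):
            continue
        name = ntpath.basename(launched_binary(value)).lower()
        if not name:
            continue
        reasons = []
        if name.endswith(EXEC_EXT):
            reasons.append("launches a program from the drive itself")
        if name.rsplit(".", 1)[0] in accounts:
            reasons.append("program is named after a user account (the <username>.exe pattern)")
        if name not in present:
            reasons.append("target not on the drive: Explorer reports 'cannot find the file'")
        if reasons:
            findings.append(Finding(key, value, reasons))
    return findings


def looks_disguised(text: str) -> bool:
    """True when action= imitates Explorer's own 'Open folder to view files' entry
    (a common disguise for malicious autoruns; heuristic, not taken from the thread)."""
    return "open folder" in parse_autorun(text).get("action", "").lower()


if __name__ == "__main__":
    for f in inspect_autorun(SAMPLE_AUTORUN, ["re_net"], ["autorun.inf"]):
        print(f"{f.key} -> {f.target}: " + "; ".join(f.reasons))
    print("disguised action=:", looks_disguised(SAMPLE_AUTORUN))
```

To use it on a real stick, read `X:\autorun.inf` with `open(path, errors="replace")` and pass the directory listing of the drive as `files_on_drive`; the script only reads, it never modifies the drive.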

  2. #2
    HTML.it user menatwork
    Joined: May 2009
    Posts: 4,330
    good morning

    download rkill

    run it and let it work

    download combofix

    (do not install the recovery console)
    Let the program work without interfering
    Attach the report C:\ComboFix.txt in your reply.

  3. #3
    HTML.it user
    Joined: Jul 2007
    Posts: 32
    here it is (I replaced the user name "in the clear" with <username>, since the PC isn't mine and it didn't seem appropriate):


    ComboFix 10-03-03.06 - <username> 04/03/2010 10.17.12.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.503.307 [GMT 1:00]
    Running from: c:\documents and settings\<username>\Desktop\ComboFix.exe
    AV: F-Secure Client Security 8.01 *On-access scanning enabled* (Outdated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
    .

    ((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\<username>\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\<username>\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\<username>\<username>.exe
    c:\documents and settings\<username>\autorun.inf
    c:\windows\system32\Cache
    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))))))
    .

    2010-02-25 09:30 . 2010-02-25 09:33 -------- d-----w- c:\programmi\F-Secure
    2010-02-15 07:59 . 2010-02-15 07:59 145408 ----a-w- c:\winnt\unzip.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-25 09:34 . 2009-01-29 11:49 30816 ----a-w- c:\windows\system32\drivers\fsbts.sys
    2010-02-25 09:33 . 2009-01-27 23:20 75828 ----a-w- c:\windows\system32\perfc010.dat
    2010-02-25 09:33 . 2009-01-27 23:20 420212 ----a-w- c:\windows\system32\perfh010.dat
    2010-02-25 09:33 . 2009-01-29 11:36 -------- d-----w- c:\documents and settings\<username>\Dati applicazioni\F-Secure
    2010-02-25 09:31 . 2009-01-29 11:36 -------- d-----w- c:\documents and settings\<username>\Dati applicazioni\fssg
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-12-14 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-12-14 118784]
    "SoundMan"="SOUNDMAN.EXE" [2003-02-10 47104]
    "SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2003-06-06 110592]
    "SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2003-06-06 614400]
    "SunJavaUpdateSched"="c:\programmi\Java\j2re1.4.2_08\bin\jusched.exe" [2005-03-04 32881]
    "F-Secure Manager"="c:\programmi\F-Secure\Common\FSM32.EXE" [2009-03-02 182936]
    "F-Secure TNB"="c:\programmi\F-Secure\FSGUI\TNBUtil.exe" [2009-03-02 1182304]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

    c:\documents and settings\<username>\Menu Avvio\Programmi\Esecuzione automatica\
    Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [29/01/2009 12.49.37 30816]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\programmi\F-Secure\Anti-Virus\minifilter\fsgk.sys [25/02/2010 10.31.44 83040]
    R3 WBFIRDMA;Driver per periferica infrarossi Winbond;c:\windows\system32\drivers\wbfirdma.sys [27/01/2009 17.30.47 35871]
    S3 FSORSPClient;F-Secure ORSP Client;c:\programmi\F-Secure\ORSP Client\fsorsp.exe [25/02/2010 10.33.04 55904]
    S4 F-Secure Filter;F-Secure File System Filter;c:\programmi\F-Secure\Anti-Virus\win2k\fsfilter.sys [25/02/2010 10.31.45 39776]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\programmi\F-Secure\Anti-Virus\win2k\fsrec.sys [25/02/2010 10.31.45 25184]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.it/
    IE: E&sporta in Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

    FF - ProfilePath - c:\documents and settings\<username>\Dati applicazioni\Mozilla\Firefox\Profiles\e9tmhls1.default\
    FF - plugin: c:\programmi\Java\j2re1.4.2_08\bin\NPJava11.dll
    FF - plugin: c:\programmi\Java\j2re1.4.2_08\bin\NPJava12.dll
    FF - plugin: c:\programmi\Java\j2re1.4.2_08\bin\NPJava13.dll
    FF - plugin: c:\programmi\Java\j2re1.4.2_08\bin\NPJava14.dll
    FF - plugin: c:\programmi\Java\j2re1.4.2_08\bin\NPJava32.dll
    FF - plugin: c:\programmi\Java\j2re1.4.2_08\bin\NPJPI142_08.dll
    FF - plugin: c:\programmi\Java\j2re1.4.2_08\bin\NPOJI610.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-04 10:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- Dlls Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(628)
    c:\windows\system32\dfrgsnap.dll
    .
    Completion time: 2010-03-04 10:21:44
    ComboFix-quarantined-files.txt 2010-03-04 09:21

    Pre-Run: 14.301.765.632 bytes free
    Post-Run: 14.344.675.328 bytes free

    - - End Of File - - 80B07481C24FBB9036A1EFB4D505735A


    thanks and bye

  4. #4
    HTML.it user menatwork
    Joined: May 2009
    Posts: 4,330
    are you sure you posted the whole log? more than half of it is missing

  5. #5
    HTML.it user
    Joined: Jul 2007
    Posts: 32
    no ... that's all there is.

    I tried running it again too, but nothing more comes out.


    thanks and bye

  6. #6
    HTML.it user menatwork
    Joined: May 2009
    Posts: 4,330
    there were some deletions and I don't think that's everything

    let's check the system more thoroughly

    download virit

    boot into safe mode

    update virit and let the scan finish

  7. #7
    HTML.it user
    Joined: Jul 2007
    Posts: 32
    Since I noticed I have the worm on my PC as well, I'm posting the results of what you told me above:

    COMBOFIX
    ComboFix 10-03-03.06 - re_net 04/03/2010 16.12.10.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1359 [GMT 1:00]
    Running from: c:\documents and settings\re_net\Desktop\ComboFix.exe
    AV: F-Secure Client Security 8.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
     * Resident AV is active
    WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\re_net\autorun.inf
    c:\documents and settings\re_net\re_net.exe
    c:\programmi\RelevantKnowledge
    c:\programmi\RelevantKnowledge\rlservice.exe
    c:\windows\system32\SHELLLNK.TLB

    ----- BITS: Possible infected sites -----

    hxxp://armmf.adobe.com
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))))))
    .

    2010-03-01 06:37 . 2010-03-01 06:37 -------- d-----w- c:\programmi\MSXML 4.0
    2010-02-27 10:58 . 2010-02-27 10:58 -------- d-----w- c:\programmi\SamsungPrinterLiveUpdate
    2010-02-27 10:58 . 2009-09-22 01:30 482408 ----a-w- c:\windows\ssndii.exe
    2010-02-27 10:58 . 2010-02-27 10:58 -------- d-----w- c:\windows\Samsung
    2010-02-27 10:58 . 2008-04-13 10:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2010-02-27 10:58 . 2008-04-13 10:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-02-27 10:58 . 2009-12-09 14:48 82432 ----a-w- c:\windows\system32\msxml4r.dll
    2010-02-27 10:58 . 2009-12-09 14:48 81920 ----a-w- c:\windows\system32\ssdevm.dll
    2010-02-27 10:58 . 2009-12-09 14:48 49152 ----a-w- c:\windows\system32\ssusbpn.dll
    2010-02-27 10:58 . 2009-12-09 14:48 44544 ----a-w- c:\windows\system32\msxml4a.dll
    2010-02-27 10:58 . 2009-12-09 14:48 21776 ----a-w- c:\windows\system32\msxml2a.dll
    2010-02-27 10:57 . 2008-04-13 10:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-02-27 10:57 . 2008-04-13 10:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-02-27 10:57 . 2007-08-14 18:01 22723 ----a-w- c:\windows\system32\sst1cl3.dll
    2010-02-27 10:57 . 2007-08-14 18:00 19968 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\sst1cpc.dll
    2010-02-27 10:57 . 2007-08-14 17:59 151552 ----a-w- c:\windows\system32\sst1cci.exe
    2010-02-27 10:57 . 2007-08-14 17:59 65536 ----a-w- c:\windows\system32\sst1cci.dll
    2010-02-27 10:57 . 2010-02-27 10:57 -------- d-----w- c:\programmi\Samsung
    2010-02-27 10:57 . 2010-02-27 10:57 -------- d-----w- c:\temp\CLX-3170_Print
    2010-02-14 15:00 . 2010-02-14 15:00 -------- d-----w- c:\programmi\FreeTime
    2010-02-13 16:28 . 2010-02-13 16:28 -------- d-----w- c:\documents and settings\jarjar\Dati applicazioni\HpUpdate
    2010-02-12 13:07 . 2010-02-12 13:07 -------- d-----w- c:\documents and settings\jarjar\Impostazioni locali\Dati applicazioni\Google
    2010-02-06 08:54 . 2010-02-06 08:54 -------- d-----w- c:\programmi\Lavalys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-01 06:39 . 2009-11-14 09:56 -------- d-----w- c:\programmi\F-Secure
    2010-02-27 17:34 . 2010-01-14 17:50 -------- d-----w- c:\documents and settings\jarjar\Dati applicazioni\vlc
    2010-02-27 11:07 . 2010-01-01 17:16 -------- d-----w- c:\programmi\Call of Duty
    2010-02-26 17:33 . 2009-11-15 16:10 -------- d-----w- c:\documents and settings\re_net\Dati applicazioni\vlc
    2010-02-14 21:36 . 2009-12-14 16:50 -------- d-----w- c:\programmi\JDownloader
    2010-02-08 14:12 . 2006-03-02 12:00 89034 ----a-w- c:\windows\system32\perfc010.dat
    2010-02-08 14:12 . 2006-03-02 12:00 499184 ----a-w- c:\windows\system32\perfh010.dat
    2010-02-06 08:41 . 2009-11-29 05:11 171552 ----a-w- c:\windows\system32\guard32.dll
    2010-02-06 08:41 . 2009-11-29 05:11 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
    2010-02-06 08:41 . 2009-11-29 05:11 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2010-02-06 08:41 . 2009-11-29 05:11 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2010-01-30 11:09 . 2010-01-30 11:09 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Solidshield
    2010-01-30 11:02 . 2010-01-30 11:02 -------- d-----w- c:\programmi\Ubisoft
    2010-01-30 11:02 . 2007-12-17 16:48 -------- d--h--w- c:\programmi\InstallShield Installation Information
    2010-01-21 16:59 . 2010-01-21 16:57 -------- d-----w- c:\programmi\WebSite X5 v8 - Evolution
    2010-01-17 12:34 . 2010-01-17 12:34 -------- d-----w- c:\documents and settings\jarjar\Dati applicazioni\dvdcss
    2010-01-17 07:44 . 2010-01-17 07:44 -------- d-----w- c:\programmi\VS Revo Group
    2010-01-16 11:45 . 2010-01-16 11:45 -------- d-----w- c:\programmi\BlueVoda Website Builder
    2010-01-16 11:45 . 2010-01-16 11:45 737280 ----a-w- c:\windows\iun6002.exe
    2010-01-16 09:31 . 2010-01-16 09:31 -------- d-----w- c:\programmi\WebReaper
    2010-01-16 09:22 . 2009-12-19 10:29 -------- d-----w- c:\programmi\File comuni\Macromedia
    2010-01-16 09:22 . 2009-12-19 10:28 -------- d-----w- c:\programmi\Macromedia
    2010-01-09 10:31 . 2010-01-09 10:31 -------- d-----w- c:\documents and settings\re_net\Dati applicazioni\F-Secure
    2009-12-31 16:50 . 2006-03-02 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-30 10:20 . 2010-01-17 07:44 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2009-12-25 16:12 . 2009-11-30 16:12 72288 ----a-w- c:\documents and settings\jarjar\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
    2009-12-25 06:37 . 2009-11-28 23:06 72288 ----a-w- c:\documents and settings\re_net\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
    2009-12-21 19:06 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-17 07:40 . 2007-12-17 16:30 346112 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2006-03-02 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-09 10:07 . 2006-03-02 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-12-09 10:07 . 2004-08-19 15:34 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 18:22 . 2006-03-02 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
    "PTHOSTTR"="c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
    "IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-05-23 677408]
    "CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
    "AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
    "SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 827392]
    "Cpqset"="c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
    "hpWirelessAssistant"="c:\programmi\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
    "QlbCtrl"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
    "WatchDog"="c:\programmi\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
    "Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
    "Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
    "F-Secure Manager"="c:\programmi\F-Secure\Common\FSM32.EXE" [2009-03-02 182936]
    "F-Secure TNB"="c:\programmi\F-Secure\FSGUI\TNBUtil.exe" [2009-03-02 1182304]
    "OSSelectorReinstall"="c:\programmi\File comuni\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 1261475]
    "COMODO Internet Security"="c:\programmi\COMODO\COMODO Internet Security\cfp.exe" [2010-02-06 1800464]
    "Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "HP Software Update"="c:\programmi\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "StartCCC"="c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "AdobeCS4ServiceManager"="c:\programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-12-09 606208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
    BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
    DVD Check.lnk - c:\programmi\InterVideo\DVD Check\DVDCheck.exe [2007-12-17 192512]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
    2007-04-30 07:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
    2007-02-07 01:30 74240 ----a-r- c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\APSHook.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ SbHpNp scecli

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SMINST\\Scheduler.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Programmi\\KONAMI\\Pro Evolution Soccer 2010\\pes2010.exe"=
    "c:\\Programmi\\File comuni\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Programmi\\Ubisoft\\James Cameron's AVATAR - IL GIOCO\\bin\\Avatar.exe"=
    "c:\\Programmi\\Ubisoft\\James Cameron's AVATAR - IL GIOCO\\bin\\AvatarLauncher.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [10/02/2009 9.37.24 33920]
    R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [26/04/2007 19.23.06 100095]
    R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [09/10/2006 13.31.46 44720]
    R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [29/03/2007 16.54.00 13696]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14/11/2009 15.38.18 691696]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [29/11/2009 6.11.26 134344]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [29/11/2009 6.11.26 25160]
    R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [18/04/2007 20.32.14 39080]
    R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [26/04/2007 19.23.36 5808]
    R2 ASBroker;Operatore della sessione di accesso;c:\windows\System32\svchost.exe -k Cognizance [02/03/2006 13.00.00 14336]
    R2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe -k Cognizance [02/03/2006 13.00.00 14336]
    R2 HpFkCryptService;Drive Encryption Service;c:\programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [27/04/2007 10.58.58 221184]
    R2 SWIHPWMI;SWIHPWMI;c:\programmi\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [04/12/2006 16.13.16 292384]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\programmi\F-Secure\Anti-Virus\minifilter\fsgk.sys [14/11/2009 10.56.11 107104]

    (part 1)

  8. #8
    HTML.it user
    Joined: Jul 2007
    Posts: 32
    (part 2)

    R3 FSORSPClient;F-Secure ORSP Client;c:\programmi\F-Secure\ORSP Client\fsorsp.exe [14/11/2009 10.56.18 55904]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [17/12/2007 17.58.07 41216]
    R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [17/12/2007 18.02.53 47616]
    S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [30/11/2009 22.58.37 135664]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [23/04/2007 13.13.44 30008]
    S3 FLCDLOCK;Controllo/blocco dispositivi HP ProtectTools;c:\windows\system32\flcdlock.exe [30/04/2007 8.28.34 172131]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [17/01/2010 8.44.56 27064]
    S4 F-Secure Filter;F-Secure File System Filter;c:\programmi\F-Secure\Anti-Virus\win2k\fsfilter.sys [14/11/2009 10.56.12 39776]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\programmi\F-Secure\Anti-Virus\win2k\fsrec.sys [14/11/2009 10.56.12 25184]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Cognizance REG_MULTI_SZ ASBroker ASChannel
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\programmi\Google\Update\GoogleUpdate.exe [2009-11-30 21:58]

    2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\programmi\Google\Update\GoogleUpdate.exe [2009-11-30 21:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?o=14597&l=dis
    uInternet Settings,ProxyOverride = local
    IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    FF - ProfilePath - c:\documents and settings\re_net\Dati applicazioni\Mozilla\Firefox\Profiles\xpj0ow4k.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.mandrakeitalia.org/
    FF - prefs.js: keyword.URL -
    FF - component: c:\documents and settings\re_net\Dati applicazioni\Mozilla\Firefox\Profiles\xpj0ow4k.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    FF - plugin: c:\documents and settings\re_net\Impostazioni locali\Dati applicazioni\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
    FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\programmi\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-04 16:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
       Cpqset = c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe? ??????????T??????????????|?M?|?????M?|&?@

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys sprz.sys >>UNKNOWN [0x8A663938]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf74fbf28
    \Driver\ACPI -> ACPI.sys @ 0xf7253cb8
    \Driver\atapi -> atapi.sys @ 0xf71cab40
    \Driver\iaStor -> iaStor.sys @ 0xf7140d30
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- Dlls Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1096)
    c:\windows\system32\Ati2evxx.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ItMsg.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\TrayIcon.dll
    c:\programmi\Hewlett-Packard\IAM\bin\HPBrand.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ITA\HPBrand.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ITA\ItMsg.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\ASChnl.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\ItDAC.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\ItReports.DLL
    c:\programmi\Hewlett-Packard\IAM\Bin\BioAuth.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ITA\BioAuth.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\ittal.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\STEngine.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\ItVCClient.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\ittalsnap.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ITA\ittalsnap.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\AuthWiz.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ITA\AuthWiz.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\ItVCard.dll
    c:\windows\system32\xenroll.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\IFXTSP.dll
    c:\windows\system32\IfxSpArc.dll
    c:\windows\system32\msxml6.dll
    c:\windows\system32\IFXTCSps.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\TpmAuth.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ITA\TpmAuth.dll
    c:\windows\system32\IFXTPMCP.dll
    c:\programmi\Hewlett-Packard\Embedded Security Software\IfxTRsIT.dll
    c:\programmi\Hewlett-Packard\Embedded Security Software\IfxTrsMs.dll
    c:\windows\system32\capicom.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\TokenAuth.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ITA\TokenAuth.dll
    c:\programmi\Hewlett-Packard\IAM\Bin\NetAdmin.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ITA\NetAdmin.dll
    c:\windows\SbHpNp.DLL
    c:\windows\system32\DeviceNP.dll

    - - - - - - - > 'lsass.exe'(1156)
    c:\windows\SbHpNp.dll

    - - - - - - - > 'explorer.exe'(1828)
    c:\windows\system32\WININET.dll
    c:\windows\system32\APSHook.dll
    c:\programmi\Hewlett-Packard\IAM\bin\ItClient.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\programmi\COMODO\COMODO Internet Security\cmdagent.exe
    c:\programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\SCardSvr.exe
    c:\programmi\F-Secure\Anti-Virus\fsgk32st.exe
    c:\programmi\F-Secure\Common\FSMA32.EXE
    c:\programmi\F-Secure\Anti-Virus\FSGK32.EXE
    c:\programmi\F-Secure\Common\FSMB32.EXE
    c:\windows\system32\ifxtcs.exe
    c:\programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
    c:\programmi\Java\jre6\bin\jqs.exe
    c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\IfxPsdSv.exe
    c:\programmi\Hewlett-Packard\Shared\hpqWmiEx.exe
    c:\programmi\F-Secure\Common\FCH32.EXE
    c:\programmi\F-Secure\Anti-Virus\fsqh.exe
    c:\programmi\F-Secure\Common\FAMEH32.EXE
    c:\programmi\F-Secure\Common\FNRB32.EXE
    c:\programmi\F-Secure\Anti-Virus\fssm32.exe
    c:\programmi\F-Secure\Common\FIH32.EXE
    c:\programmi\F-Secure\FSAUA\program\fsaua.exe
    c:\windows\system32\wbem\wmiapsrv.exe
    c:\programmi\Hewlett-Packard\IAM\bin\asghost.exe
    c:\programmi\F-Secure\FSGUI\fsguidll.exe
    c:\programmi\Hewlett-Packard\Embedded Security Software\PSDrt.exe
    c:\programmi\Hewlett-Packard\Shared\HpqToaster.exe
    c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    c:\programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    c:\programmi\F-Secure\Anti-Virus\fsav32.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-04 16:24:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-04 15:24

    Pre-Run: 42.382.786.560 bytes free
    Post-Run: 42.735.144.960 bytes free

    - - End Of File - - 701AFE58E292B88EDD6CCC01865004F5

    it was too big for a single post.

    I'm adding the RKILL results (which I ran first)

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as re_net on 04/03/2010 at 15.43.18.

    Processes terminated by Rkill or while it was running:

    C:\Programmi\F-Secure\Common\FSMA32.EXE
    C:\Programmi\F-Secure\Common\FSMB32.EXE
    C:\Programmi\F-Secure\Common\FCH32.EXE
    C:\Programmi\F-Secure\Anti-Virus\fsqh.exe
    C:\Programmi\F-Secure\Common\FAMEH32.EXE
    C:\Programmi\F-Secure\Common\FSM32.EXE
    C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
    C:\Documents and Settings\re_net\re_net.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Programmi\F-Secure\Common\FNRB32.EXE
    C:\Programmi\F-Secure\FSAUA\program\fsaua.exe
    C:\Programmi\F-Secure\Common\FIH32.EXE
    C:\Programmi\F-Secure\Anti-Virus\fsav32.exe

    Rkill completed on 04/03/2010 at 15.43.21.

    VirIT: negative.

    thanks and bye
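The helper in this thread reads the ComboFix reports by eye for a handful of things: what was removed and from where, which autostart entries point at user-writable locations, and whether the AV header says the product is out of date. The script below is an added example, not part of the thread and not ComboFix's own tooling; it parses the report layout as pasted in posts #3 and #7/#8 and applies those checks. The sample log is constructed from lines that appear in the two reports above (the `(Outdated)` header from the first, the `re_net` paths from the second, sections trimmed), and the severity scale and rules are this example's own.

```python
"""Triage a ComboFix report for the indicators this thread turns on.

Added example; not part of the thread and not ComboFix's own tooling.
Severities and rules are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a cut-down report assembled from lines that appear in the
# two logs posted in this thread (sections trimmed, both logs mixed).
SAMPLE_LOG = r"""ComboFix 10-03-03.06 - re_net 04/03/2010 16.12.10.1.2 - x86
AV: F-Secure Client Security 8.01 *On-access scanning enabled* (Outdated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\re_net\autorun.inf
c:\documents and settings\re_net\re_net.exe
c:\programmi\RelevantKnowledge\rlservice.exe
c:\windows\system32\Thumbs.db
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 47104]
"F-Secure Manager"="c:\programmi\F-Secure\Common\FSM32.EXE" [2009-03-02 182936]

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [29/01/2009 12.49.37 30816]
S2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [30/11/2009 22.58.37 135664]
"""

SECTION = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*[)\s]+$")          # ((( Other Deletions )))
AV_LINE = re.compile(r"^AV:\s+(?P<product>.+?)\s+\*[^*]*\*\s+\((?P<status>\w+)\)")
REG_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$", re.I)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
SERVICE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+?)\s+\[")
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)
PROFILE = re.compile(r"^c:\\documents and settings\\(?P<user>[^\\]+)\\(?P<rest>.+)$", re.I)


@dataclass
class Finding:
    severity: str      # high / medium / low
    message: str


@dataclass
class Report:
    av: dict[str, str] = field(default_factory=dict)
    deleted: list[str] = field(default_factory=list)
    run_entries: list[tuple[str, str, str]] = field(default_factory=list)  # (key, name, path)
    services: list[tuple[str, str, str]] = field(default_factory=list)     # (state, name, path)
    findings: list[Finding] = field(default_factory=list)


def parse_combofix(log: str) -> Report:
    rep, section, reg_key = Report(), "", ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION.match(line):
            section = m.group("name").lower()
        elif m := AV_LINE.match(line):
            rep.av = {"product": m.group("product"), "status": m.group("status")}
        elif m := REG_KEY.match(line):
            reg_key = m.group("key")
        elif section.startswith("other deletions") and DRIVE_PATH.match(line):
            rep.deleted.append(line)
        elif (m := RUN_VALUE.match(line)) and reg_key.lower().endswith("\\run"):
            rep.run_entries.append((reg_key, m.group("name"), m.group("path")))
        elif m := SERVICE.match(line):
            rep.services.append((m.group("state"), m.group("svc"), m.group("path")))
    rep.findings = assess(rep)
    return rep


def in_profile(path: str) -> tuple[str, str] | None:
    m = PROFILE.match(path)
    return (m.group("user"), m.group("rest")) if m else None


def assess(rep: Report) -> list[Finding]:
    out: list[Finding] = []
    if rep.av.get("status", "").lower() == "outdated":
        out.append(Finding("medium", f"{rep.av['product']} reported Outdated: update before rescanning"))
    for path in rep.deleted:
        base = path.rsplit("\\", 1)[-1].lower()
        prof = in_profile(path)
        if prof and "\\" not in prof[1]:                 # loose file directly in a profile root
            user, rest = prof[0].lower(), prof[1].lower()
            what = ("autorun.inf next to the dropper" if rest == "autorun.inf"
                    else "executable named after the account (<username>.exe)" if rest == f"{user}.exe"
                    else "loose file in a profile root")
            out.append(Finding("high", f"removed {path}: {what}"))
        elif base == "autorun.inf":
            out.append(Finding("high", f"removed {path}: autorun.inf on a fixed disk"))
        elif base.endswith((".exe", ".dll", ".sys", ".scr")):
            out.append(Finding("medium", f"removed {path}: executable code; find what installed it"))
    for _key, name, path in rep.run_entries:
        if "\\" not in path:
            out.append(Finding("low", f"Run value {name!r} = {path!r} has no directory: resolved via PATH"))
        elif in_profile(path):
            out.append(Finding("high", f"Run value {name!r} starts {path} from a user profile"))
    for state, svc, path in rep.services:
        if in_profile(path):
            out.append(Finding("high", f"service {svc} ({state}) runs {path} from a user profile"))
    return out


if __name__ == "__main__":
    for f in parse_combofix(SAMPLE_LOG).findings:
        print(f"[{f.severity}] {f.message}")
```

Feed it the real C:\ComboFix.txt instead of `SAMPLE_LOG` to get the same list for a full report; it is a reading aid for the log, not a cleaner, and it does not touch the system.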
