attacco malware e alureon.h

**mescite** · 16-09-2010, 22:42

negli ultimi giorni ho subito diversi attacchi che sono comparsi sotto diverse forme:
popup di finti antivirus (l'ultimo di antivirus 2010)
scritte sul desktop : your computer is infected!..
difficoltà a usare i browser
processi che partono e intasano la cpu

prima ho provato la rimozione manuale essendo un neofita.
poi ho iniziato a cercare online e ho seguito la vostra guida.
quindi ho usato ccleaner, spybot, malwarebytes, windows malicious software removal, tdsskiller (perchè l'ultimo virus individuato era alureon.h)
ogni scansione mi rivela e toglie qualcosa ma continuano sempre a ricomparire.
vi ringrazio anticipatamente per l'aiuto e
vi allego il log di hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23:27, on 16/09/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskeng.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\windows\system32\igfxext.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100828153843.dl l
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.e xe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [C:\windows\TEMP\opeAE14.exe ] C:\windows\TEMP\opeAE14.exe
O4 - HKLM\..\Run: [C:\windows\TEMP\opeBAC0.exe ] C:\windows\TEMP\opeBAC0.exe
O4 - HKLM\..\Run: [lsass] C:\windows\lsass.exe
O4 - HKLM\..\Run: [binfix7080010000.exe] "C:\windows\TEMP\binfix7080010000.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mainapp7080010000.exe] C:\Users\laura\AppData\Roaming\BB6A6C2A87416983484 2CC9D550A9628\mainapp7080010000.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\laura\AppData\Local\Google\Update\Google Update.exe" /c
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Users\laura\AppData\Roaming\jusched.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIZIO DI RETE')
O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8 574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Invia immagine alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Invia pagina alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Servizio Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: Oberon Media Game Console service (OberonGameConsoleService) - Unknown owner - C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
O23 - Service: Rezip - Unknown owner - C:\windows\SYSTEM32\Rezip.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SwitchBoard - Unknown owner - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (file missing)

--
End of file - 10425 bytes

**menatwork** · 16-09-2010, 22:56

ciao mescite, dobbiamo togliere le infezioni che sono nel pc

segui attentamente questi passaggi

Lancia HiJackThis -> Clicca Do a scan only -> Metti la spunta a fianco della riga che ti segnalo qui sotto -> Clicca su Fix Checked

O4 - HKLM\..\Run: [C:\windows\TEMP\opeAE14.exe ] C:\windows\TEMP\opeAE14.exe

O4 - HKLM\..\Run: [C:\windows\TEMP\opeBAC0.exe ] C:\windows\TEMP\opeBAC0.exe

O4 - HKLM\..\Run: [lsass] C:\windows\lsass.exe

O4 - HKLM\..\Run: [binfix7080010000.exe] "C:\windows\TEMP\binfix7080010000.exe"

O4 - HKCU\..\Run: [mainapp7080010000.exe] C:\Users\laura\AppData\Roaming\BB6A6C2A87416983484 2CC9D550A9628\mainapp708001000 0.exe

non avevo fatto caso che hai gia' usato malwarebytes

disattiva l'antivirus

scarica combofix sul desktop

alla richiesta se vuoi installare la recovery console clicca su NO

esegui ComboFix.exe

segui le instruzioni

finita la scansione portati in C:\ e allega il rapporto C:\ComboFix.txt nella tua risposta.

come usare correttamente combofix

**mescite** · 17-09-2010, 12:56

ecco.
non riesco ad allegare il file quindi lo posto diviso in due perchè è troppo lungo.
scusate ma è la prima volta

ComboFix 10-09-16.04 - laura 17/09/2010 10:30:02.1.2 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.39.1040.18.1013.296 [GMT 2:00]
Eseguito da: c:\users\laura\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))) )
.

c:\programdata\.wtav
c:\programdata\FullRemove.exe
c:\programdata\Microsoft\Network\Downloader\qmgr0. dat
c:\programdata\Microsoft\Network\Downloader\qmgr1. dat
c:\windows\SEC
c:\windows\SEC\172100logo.bmp
c:\windows\SEC\banner.png
c:\windows\SEC\Computer.png
c:\windows\SEC\Media _S_ Logo.png
c:\windows\SEC\Samsung.png
c:\windows\SEC\Samsung2.png
c:\windows\SEC\SamsungLogo.png
c:\windows\SEC\Thumbs.db
c:\windows\SEC\Wallpapers\Thumbs.db
c:\windows\SEC\Wallpapers\wallpaper.jpg
c:\windows\SEC\Wallpapers\wallpaper1.jpg
c:\windows\SEC\Wallpapers\Wallpaper2.jpg

----- BITS: Possibili siti infetti -----

hxxp://kameraesmer.com
La copia infetta di c:\windows\explorer.exe è stata trovata e disinfettata
ipristinata copia da - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_5228 3b2af41f3691\explorer.exe

La copia infetta di c:\windows\System32\wininit.exe è stata trovata e disinfettata
ipristinata copia da - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90 ef265a43c13\wininit.exe

La copia infetta di c:\windows\explorer.exe è stata trovata e disinfettata
ipristinata copia da - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_5228 3b2af41f3691\explorer.exe
.
((((((((((((((((((((((((( Files Creati Da 2010-08-17 al 2010-09-17 )))))))))))))))))))))))))))))))))))
.

2010-09-17 09:02 . 2010-09-17 09:19 -------- d-----w- c:\users\laura\AppData\Local\temp
2010-09-17 09:02 . 2010-09-17 09:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-17 06:35 . 2010-09-17 06:35 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-09-16 17:17 . 2010-09-16 17:17 -------- d-----w- c:\program files\Trend Micro
2010-09-16 16:08 . 2010-09-16 16:08 -------- d-----w- C:\TDSSKiller_Quarantine
2010-09-16 15:17 . 2010-09-16 15:17 -------- d-----w- c:\program files\ESET
2010-09-15 23:49 . 2010-09-15 23:49 -------- d-----w- c:\program files\CCleaner
2010-09-15 23:42 . 2010-09-15 23:42 -------- d-----w- c:\users\laura\AppData\Roaming\Pusoki
2010-09-15 23:01 . 2010-09-15 23:01 -------- d-----w- c:\users\laura\AppData\Roaming\Malwarebytes
2010-09-15 23:01 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-15 23:01 . 2010-09-15 23:01 -------- d-----w- c:\programdata\Malwarebytes
2010-09-15 23:01 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 23:01 . 2010-09-15 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-15 10:08 . 2010-09-16 14:57 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-15 08:07 . 2010-09-17 09:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-15 08:07 . 2010-09-16 20:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-14 07:33 . 2010-04-21 19:48 1006104 ----a-w- c:\windows\system32\igxpun.exe
2010-08-28 13:38 . 2010-05-31 18:32 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-28 13:38 . 2010-05-31 18:32 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-28 13:38 . 2010-05-31 18:32 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-08-28 13:38 . 2010-05-31 18:32 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-28 13:38 . 2010-05-31 18:32 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-28 13:38 . 2010-05-31 18:32 160720 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-08-28 13:37 . 2010-05-31 18:32 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-28 13:37 . 2010-05-31 18:32 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-28 13:37 . 2010-05-31 18:32 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-28 13:37 . 2010-05-31 18:32 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-28 06:37 . 2010-08-28 06:37 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-08-26 23:00 . 2010-08-26 23:00 0 ----a-w- c:\windows\nsreg.dat
2010-08-26 22:59 . 2010-08-26 22:59 -------- d-----w- c:\users\laura\AppData\Local\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
2010-05-31 18:32 . 2010-08-28 13:38 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb 108c86c\WinMail.exe
.

codice:

<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AnyPC Client\APLangApp .exe
c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager .exe
c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility .exe
c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\QuickTime\QTTask                                  .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
</pre>

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Google Update"="c:\users\laura\AppData\Local\Google\Updat e\GoogleUpdate.exe" [N/A]
"SunJavaUpdateSched"="c:\users\laura\AppData\Roami ng\jusched.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-18 8092192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-26 1713448]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.e xe" [N/A]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1193848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-21 173592]
"Persistence"="c:\windows\system32\igfxpers.ex e" [2010-04-21 150552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]

c:\users\laura\AppData\Roaming\Microsoft\Windows\S tart Menu\Programs\Startup\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-2 795936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\policies\system]
"npddzjfskcgoffjvdrdgTaskMgr"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\users\laura\AppData\Local\Google\Update\GoogleU pdate.exe [N/A]

R2 gupdate;Servizio di Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-21 135664]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-07-01 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-12-07 201168]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-05-31 83496]
R3 netr73;Driver scheda LAN wireless USB RT73 per Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-07-13 545792]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-07-29 115008]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-05-31 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-05-31 160720]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.s ys [2010-07-29 136632]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-08-12 810144]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfw wfpr.sys [2010-07-29 96920]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
S2 McMPFSvc;McAfee Servizio Personal Firewall;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-05-31 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-05-31 141792]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe [2009-08-13 44312]
S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-05-31 55456]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-05-31 312616]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]

**mescite** · 17-09-2010, 12:57

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contenuto della cartella 'Scheduled Tasks'

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-21 10:55]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-21 10:55]
.
.
------- Scansione supplementare -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8 574934B26AC4.dll/cmsidewiki.html
IE: Invia immagine alla periferica &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Invia pagina alla periferica &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\laura\AppData\Roaming\Mozilla\Firefox\Pro files\1p82iavf.default\
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.d ll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\laura\AppData\Local\Google\Update\1.2.183 .29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Toolbar-Locked - (no file)
SafeBoot-klmdb.sys

.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PC W\Security]
@Denied: (Full) (Everyone)
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'Explorer.exe'(4756)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Samsung\Samsung Support Center\SSCKbdHk.exe
c:\program files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\progra~1\samsung\SAMSUN~2\SUPNOT~1.EXE
.
************************************************** ************************
.
Ora fine scansione: 2010-09-17 12:19:09 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-09-17 10:19

Pre-Run: 95.306.817.536 byte disponibili
Post-Run: 95.019.053.056 byte disponibili

- - End Of File - - 47EF946744113A31CD9835CE6585781E

**menatwork** · 17-09-2010, 20:23

analizza questo file sul sito virus total. ci sono pareri discordanti in rete sull'uso

c:\program files\mozilla firefox\components\Scriptff.dll

posta il rapporto che rilascia

apri un file di testo dal blocco note e incollaci questo script, punto e virgola compresi

Windows Registry Editor Version 5.00

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\policies\system]
"npddzjfskcgoffjvdrdgTaskMgr"=-
;

salva il file sul desktop come fix.reg

tutti i file

clicca sul file .reg appena salvato e accetta le modifiche

Scarica e installa e aggiorna malwarebytes.
http://www.malwarebytes.org/
Aggiornalo: clicca sulla scheda "aggiornamenti" => "controlla aggiornamenti"
Esegui una "scansione completa" (seleziona l'opzione)
A scansione completa, fai clic su OK => Mostra i Risultati.
Assicurarti che tutto sia selezionato e clicca clic su Rimuovi selezionati.
Se ti chiede di riavviare, riavvia per completare il processo di pulizia.
Posta il rapporto .

**mescite** · 18-09-2010, 11:03

rapporto virus total

File name: Scriptff.dll
Submission date: 2010-09-17 19:15:18 (UTC)
Current status: queued (#1) queued (#1) analysing finished

Result: 0/ 43 (0.0%)

log malware:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versione database: 4640

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/09/2010 08:19:13
mbam-log-2010-09-18 (08-19-13).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi esaminati: 224252
Tempo trascorso: 10 ore, 44 minuti, 11 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 0

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
(Non sono stati rilevati elementi nocivi)

**menatwork** · 18-09-2010, 11:15

mescite divresti rianalizzare il file segnalato e postarmi il rapporto, cosi' non c'e' scritto niente

ora vai in C;\ ed elimina il file di testo combofix.txt e riesegui una nuova scansione

**mescite** · 18-09-2010, 12:35

ecco virus total ora metto su la scansione di combo

File name: Scriptff.dll
Submission date: 2010-09-18 10:31:15 (UTC)
Current status: queued queued analysing finished

Result: 0/ 43 (0.0%)
VT Community

not reviewed
Safety score: -

Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.09.18.00 2010.09.17 -
AntiVir 8.2.4.52 2010.09.17 -
Antiy-AVL 2.0.3.7 2010.09.18 -
Authentium 5.2.0.5 2010.09.18 -
Avast 4.8.1351.0 2010.09.18 -
Avast5 5.0.594.0 2010.09.18 -
AVG 9.0.0.851 2010.09.17 -
BitDefender 7.2 2010.09.18 -
CAT-QuickHeal 11.00 2010.09.18 -
ClamAV 0.96.2.0-git 2010.09.18 -
Comodo 6114 2010.09.17 -
DrWeb 5.0.2.03300 2010.09.18 -
Emsisoft 5.0.0.37 2010.09.18 -
eSafe 7.0.17.0 2010.09.17 -
eTrust-Vet 36.1.7862 2010.09.17 -
F-Prot 4.6.1.107 2010.09.17 -
F-Secure 9.0.15370.0 2010.09.18 -
Fortinet 4.1.143.0 2010.09.18 -
GData 21 2010.09.18 -
Ikarus T3.1.1.88.0 2010.09.18 -
Jiangmin 13.0.900 2010.09.17 -
K7AntiVirus 9.63.2542 2010.09.17 -
Kaspersky 7.0.0.125 2010.09.18 -
McAfee 5.400.0.1158 2010.09.18 -
McAfee-GW-Edition 2010.1C 2010.09.18 -
Microsoft 1.6201 2010.09.18 -
NOD32 5459 2010.09.18 -
Norman 6.06.06 2010.09.18 -
nProtect 2010-09-18.01 2010.09.18 -
Panda 10.0.2.7 2010.09.17 -
PCTools 7.0.3.5 2010.09.18 -
Prevx 3.0 2010.09.18 -
Rising 22.65.05.00 2010.09.18 -
Sophos 4.57.0 2010.09.18 -
Sunbelt 6891 2010.09.18 -
SUPERAntiSpyware 4.40.0.1006 2010.09.18 -
Symantec 20101.1.1.7 2010.09.18 -
TheHacker 6.7.0.0.022 2010.09.17 -
TrendMicro 9.120.0.1004 2010.09.17 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.18 -
VBA32 3.12.14.0 2010.09.17 -
ViRobot 2010.9.18.4048 2010.09.18 -
VirusBuster 12.65.12.0 2010.09.17 -
Additional informationShow all
MD5 : 4f9427511c7b360189db0955e0effed6
SHA1 : ab2647b242e97555b2dc640b4b3eaf0cf639e8ee
SHA256: 6db55d3896d21f6a238ca3730e428e9e743d5663372980c960 bcded3af9cc021
ssdeep: 384:K9qfH0s32vr48scLk8kEk8LV0oA6lHuDmnsGpYJLWqmb36 jh:KO0s3cLk8kL8LWojuubEL2
b3mh
File size : 24376 bytes
First seen: 2010-06-07 19:14:32
Last seen : 2010-09-18 10:31:15
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: McAfee, Inc.
copyright....: Copyright(c) 1995-2009 McAfee, Inc. All Rights Reserved.
product......: VSCORE
description..: VSCore Script Scanner
original name: n/a
internal name: n/a
file version.: VSCORE.14.2.0.723.x86
comments.....: n/a
signers......: McAfee, Inc.
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 9:10 PM 4/23/2010
verified.....: -

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2488
timedatestamp....: 0x4B437B62 (Tue Jan 05 17:48:18 2010)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1C57, 0x1E00, 6.29, 47c8e44db6ba1405f1c08d8861586606
.rdata, 0x3000, 0x115B, 0x1200, 4.72, 942662c66aa8b3b88ee3d97f0247aaac
.data, 0x5000, 0x77C, 0x400, 6.29, e608dff5d6d8e3e2312ee43724ede68d
.rsrc, 0x6000, 0x3A0, 0x400, 2.95, 11fdf2834b151458660eccb0d7b955d4
.reloc, 0x7000, 0x6D8, 0x800, 3.14, 0e749ee29b48958fe7d352bff91ade19

[[ 6 import(s) ]]
msvcrt.dll: _unlock, _lock, _amsg_exit, __dllonexit, _onexit, _initterm, _XcptFilter, wcscat, free, malloc, _adjust_fdiv, strncmp, wcsrchr, wcscpy, _snwprintf, memset
xpcom.dll: NS_Free
KERNEL32.dll: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, InterlockedCompareExchange, Sleep, InterlockedExchange, RtlUnwind, GetCurrentProcess, GetModuleHandleW, VirtualProtect, LoadLibraryW, GetProcAddress, FreeLibrary, FindClose, GetModuleFileNameW, FindFirstFileW, GetSystemDirectoryW
USER32.dll: wsprintfW
ADVAPI32.dll: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
ntdll.dll: _strnicmp

[[ 1 export(s) ]]
NSGetModule

**menatwork** · 18-09-2010, 12:37

mescite carica il rapporto su un server

**mescite** · 18-09-2010, 13:47

scusa ma non sono capace

Discussione: attacco malware e alureon.h

Strumenti discussione

Ricerca discussione

Visualizza

attacco malware e alureon.h

ecco

virus total

Permessi di invio