konradin
17-11-2009, 12:59
I'm following the procedure for INFECTED:
Windows XP SP3
Problem: the connection to my Nokia phone through PC Suite no longer works. Scan with AVG 8.5: no virus.
Thinking it was a problem with some recent installation, I then tried System Restore: nothing. I repeated it several times.
I downloaded AVG 9 and ran a scan: found the virus JS/Downloader.Agent.
Network Connections: "Create a new connection" doesn't work; it won't connect with any type of connection.
I start the procedure:
2. Malwarebytes detects 7 threats: 6 trojan.downloader, 1 hijack.system.hid...
But it freezes and I can't save the log.
3. A-squared, log attached:
a-squared Free - Versione 4.5
Ultimo aggiornamento: N/A
Impostazioni scansione:
Scan type: deep
Oggetti: Memoria, Tracce, Cookies, C:\, D:\, F:\
Archivio scansioni: On
Scientifico: Off
ADS Scan: On
Scansione avviata: 15/11/2009 21.56.40
c:\programmi\viewpoint\viewpoint toolbar rilevati: Trace.Directory.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Emule --> Order rilevati: Trace.Registry.Emule 5.0!A2
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\user agent\post platform --> dial rilevati: Trace.Registry.EnergyPlugin!A2
Value: HKEY_CLASSES_ROOT\CLSID\{0E2C3126-DDED-4A58-800E-9AEDE84EA31E}\InProcServer32 --> ThreadingModel rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_CLASSES_ROOT\CLSID\{A7327C09-B521-4EDB-8509-7D2660C9EC98}\InProcServer32 --> ThreadingModel rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_CLASSES_ROOT\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32 --> ThreadingModel rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Viewpoint\Content Debugger --> SearchBar rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\.DEFAULT\Software\Viewpoint\Content Debugger --> Viewbar Installer rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-18\Software\Viewpoint\Content Debugger --> Viewbar Installer rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\.DEFAULT\Software\Viewpoint\Content Debugger --> Viewpoint Manager rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Viewpoint\Content Debugger --> Viewpoint Manager rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-18\Software\Viewpoint\Content Debugger --> Viewpoint Manager rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\.DEFAULT\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-18\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Viewpoint\Viewpoint Toolbar --> ToolbarSelectedInBrowser rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E2C3126-DDED-4A58-800E-9AEDE84EA31E}\InProcServer32 --> ThreadingModel rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7327C09-B521-4EDB-8509-7D2660C9EC98}\InProcServer32 --> ThreadingModel rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32 --> ThreadingModel rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Toolbar --> DisplayName rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Toolbar --> UninstallString rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Viewpoint\Toolbar Runtime --> {F8AD5AA5-D966-4667-9DAF-2561D68B2012} rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Viewpoint\Toolbar Runtime --> Version rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Viewpoint\Viewpoint Toolbar --> Version rilevati: Trace.Registry.Viewpoint Media Toolbar!A2
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\A.tmp rilevati: Trojan-Downloader.Win32.Mebroot!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\jar_cache924474243655318827.tmp rilevati: Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\C.tmp rilevati: Trojan-Downloader.Win32.Mebroot!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Impostazioni locali\Temp\jar_cache924474243655318827.tmp rilevati: Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Impostazioni locali\Temp\jar_cache924474243655318827.tmp rilevati: Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Impostazioni locali\Temp\jar_cache924474243655318827.tmp rilevati: Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class rilevati: Trojan-Downloader.Java.OpenConnection!IK
Scansionati
Files: 137602
Tracce: 722338
Cookies: 0
Processi: 51
Rilevato
Files: 38
Tracce: 24
Cookies: 0
Processi: 0
Chiavi di registro: 0
Fine scansione: 15/11/2009 22.51.34
Tempo scansione: 0:54:54
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class In quarantena Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\jar_cache924474243655318827.tmp In quarantena Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Impostazioni locali\Temp\jar_cache924474243655318827.tmp In quarantena Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Impostazioni locali\Temp\jar_cache924474243655318827.tmp In quarantena Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Impostazioni locali\Temp\jar_cache924474243655318827.tmp In quarantena Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\A.tmp In quarantena Trojan-Downloader.Win32.Mebroot!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\C.tmp In quarantena Trojan-Downloader.Win32.Mebroot!IK
In quarantena
Files: 38
Tracce: 0
Cookies: 0
4. F-Secure online: I can't connect, so I used the Kaspersky removal tool instead; log attached (http://www.mediafire.com/file/m2kz2zmm2mt/kasp.rar)
5. Dr.Web CureIt: when the program starts, the notebook reboots and runs scandisk; I repeated the procedure with the same result.
6. SysInspector: log attached (http://www.mediafire.com/file/ijyotzrnzrz/SysInspector-NOME-ARJH7HJY1U-091116-2058.rar)
7. HijackThis: log attached
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41:18, on 16/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\AVG\AVG9\avgchsvx.exe
C:\Programmi\AVG\AVG9\avgrsx.exe
C:\Programmi\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Programmi\ASUS\ASUS Live Update\ALU.exe
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Programmi\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Programmi\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Programmi\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Programmi\File comuni\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Programmi\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUSTek\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeinternet.it/?PC=1&CD=1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169891008199
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG9\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programmi\Viewpoint\Common\ViewpointService.exe
--
End of file - 7431 bytes
8. GMER: log attached; on the screen this appears in red: SERVICE C:\windows\system32\svchost.exe(***hidden***) AUTO qzimzile
GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-16 21:56:53
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Leo\IMPOST~1\Temp\kwldyaog.sys
---- User code sections - GMER 1.0.15 ----
.text C:\Programmi\a-squared Free\a2service.exe[516] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045495D C:\Programmi\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\WINDOWS\system32\dwwin.exe[1044] ADVAPI32.DLL!CryptDestroyKey 77F59EBC 7 Bytes JMP 013628E0
.text C:\WINDOWS\system32\dwwin.exe[1044] ADVAPI32.DLL!CryptDecrypt 77F5A129 7 Bytes JMP 01362890
.text C:\WINDOWS\system32\dwwin.exe[1044] ADVAPI32.DLL!CryptEncrypt 77F5E360 7 Bytes JMP 01362854
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01362839
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!send 71A34C27 5 Bytes JMP 013626C5
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 013627B7
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!recv 71A3676F 5 Bytes JMP 013626FD
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!WSASend 71A368FA 5 Bytes JMP 01362735
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 016C28E0
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 016C2890
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 016C2854
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 016C2839
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!send 71A34C27 5 Bytes JMP 016C26C5
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 016C27B7
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!recv 71A3676F 5 Bytes JMP 016C26FD
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 016C2735
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00A528E0
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00A52890
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00A52854
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00A52839
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!send 71A34C27 5 Bytes JMP 00A526C5
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00A527B7
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00A526FD
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00A52735
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 019E2839
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!send 71A34C27 5 Bytes JMP 019E26C5
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 019E27B7
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!recv 71A3676F 5 Bytes JMP 019E26FD
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 019E2735
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 019E28E0
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 019E2890
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 019E2854
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00B728E0
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00B72890
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00B72854
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00B72839
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!send 71A34C27 5 Bytes JMP 00B726C5
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00B727B7
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00B726FD
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00B72735
.text C:\WINDOWS\System32\alg.exe[2836] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00B328E0
.text C:\WINDOWS\System32\alg.exe[2836] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00B32890
.text C:\WINDOWS\System32\alg.exe[2836] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00B32854
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00B32839
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!send 71A34C27 5 Bytes JMP 00B326C5
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00B327B7
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00B326FD
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00B32735
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00E528E0
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00E52890
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00E52854
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00E52839
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!send 71A34C27 5 Bytes JMP 00E526C5
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00E527B7
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00E526FD
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00E52735
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 011528E0
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01152890
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01152854
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01152839
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!send 71A34C27 5 Bytes JMP 011526C5
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 011527B7
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!recv 71A3676F 5 Bytes JMP 011526FD
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01152735
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 011B28E0
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 011B2890
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 011B2854
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 011B2839
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!send 71A34C27 5 Bytes JMP 011B26C5
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 011B27B7
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!recv 71A3676F 5 Bytes JMP 011B26FD
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 011B2735
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 010328E0
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01032890
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01032854
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01032839
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!send 71A34C27 5 Bytes JMP 010326C5
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 010327B7
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!recv 71A3676F 5 Bytes JMP 010326FD
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01032735
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 011328E0
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01132890
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01132854
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01132839
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!send 71A34C27 5 Bytes JMP 011326C5
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 011327B7
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!recv 71A3676F 5 Bytes JMP 011326FD
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01132735
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00CD28E0
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00CD2890
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00CD2854
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00CD2839
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!send 71A34C27 5 Bytes JMP 00CD26C5
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00CD27B7
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00CD26FD
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00CD2735
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00EA28E0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00EA2890
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00EA2854
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00EA2839
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!send 71A34C27 5 Bytes JMP 00EA26C5
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00EA27B7
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00EA26FD
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00EA2735
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\ACPI \Device\00000050 826E0E40
Device \Driver\ACPI \Device\00000051 826E0E40
Device \Driver\ACPI \Device\00000052 826E0E40
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Driver\ACPI -> \Driver\ACPI \Device\Harddisk0\DR0 826E0E40
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] qzimzklle <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@DisplayName rbtduxfig
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@Description Abilita un computer a riconoscere e adattarsi alle modifiche hardware con il minimo input da parte dell'utente o senza alcun input. Se il servizio viene arrestato o disabilitato, il sistema diventerà instabile.
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle\Parameters@ServiceDll C:\WINDOWS\system32\yidlubfs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@DisplayName rbtduxfig
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@Description Abilita un computer a riconoscere e adattarsi alle modifiche hardware con il minimo input da parte dell'utente o senza alcun input. Se il servizio viene arrestato o disabilitato, il sistema diventerà instabile.
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle\Parameters@ServiceDll C:\WINDOWS\system32\yidlubfs.dll
---- EOF - GMER 1.0.15 ----
9. Prevx: I cannot connect to the internet.
If someone could help me! Bear in mind that I am not very experienced... :help:
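Added example (not from konradin's post and not GMER's own code): a small Python triage script for the two findings in the GMER output, run on an excerpt of that log re-typed as constructed sample input. First, the `.text` hook lines: the JMP targets differ per process, but their low 16 bits (0x26FD for recv, 0x2735 for WSASend, 0x2854 for CryptEncrypt, and so on) repeat in every process, which is what one DLL injected into all of them looks like. The script computes that fingerprint and reports whether a single module accounts for every hook, so the next step is identifying that one module (for instance, which loaded module owns the JMP target address in any one process) instead of treating thirty processes as separately compromised. Second, the hidden service: it groups the `Reg` lines per control set, flags the auto-start `svchost.exe -k netsvcs` host together with its `ServiceDll`, and compares the Description against a reference table. That table is an assumption of this example; it holds the Italian-locale text of the built-in Plug and Play service, which is the string the hidden service reuses. The regular expressions, the sample lines and the function names are this example's own.

```python
"""Triage helpers for a GMER 1.0.15 text log.

Added example, not code from the forum post or from GMER.  It parses the
per-process user-mode hooks (".text" lines) and the hidden svchost-hosted
service ("Service"/"Reg" lines) and answers two questions a responder asks
first: are all those hooks one injected module, and where exactly does the
hidden service live?
"""
import re
from collections import defaultdict

# Constructed excerpt of the log: three processes with the same hook set,
# plus the hidden service.  The Description string is the Italian-locale
# text of the built-in Plug and Play service (assumption: that is the
# service whose description was copied).
SAMPLE_LOG = r"""
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!recv 71A3676F 5 Bytes JMP 019E26FD
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 019E2735
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 019E2854
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00B326FD
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00B32735
.text C:\WINDOWS\System32\alg.exe[2836] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00B32854
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!recv 71A3676F 5 Bytes JMP 011326FD
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01132735
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01132854
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] qzimzklle <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@DisplayName rbtduxfig
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@Description Abilita un computer a riconoscere e adattarsi alle modifiche hardware con il minimo input da parte dell'utente o senza alcun input. Se il servizio viene arrestato o disabilitato, il sistema diventerà instabile.
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle\Parameters@ServiceDll C:\WINDOWS\system32\yidlubfs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle\Parameters@ServiceDll C:\WINDOWS\system32\yidlubfs.dll
"""

HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<api>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<len>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$")
SERVICE_RE = re.compile(
    r"^Service (?P<host>.+?) \((?P<flags>.*?)\) \[(?P<start>\w+)\] (?P<name>\S+)")
REG_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cset>[^\\]+)\\Services\\(?P<name>[^\\@]+)"
    r"(?P<sub>(?:\\[^@]+)?)@(?P<value>\w+) (?P<data>.*)$")

# Assumption: reference table of built-in service descriptions used to spot
# copied text; only the entry this log needs is included.
KNOWN_DESCRIPTIONS = {
    "PlugPlay": "Abilita un computer a riconoscere e adattarsi alle modifiche "
                "hardware con il minimo input da parte dell'utente o senza "
                "alcun input. Se il servizio viene arrestato o disabilitato, "
                "il sistema diventerà instabile.",
}


def hook_fingerprints(log):
    """Per process: the set of (hooked API, trampoline offset) pairs.

    Module bases are 64 KiB-aligned on Windows, so target & 0xFFFF is the
    trampoline's offset within whatever module owns it.  The hooked API
    addresses themselves (WS2_32!recv at 71A3676F) are identical everywhere
    because system DLLs share one base; only the JMP targets move.
    """
    fp = defaultdict(set)
    for line in log.splitlines():
        m = HOOK_RE.match(line)
        if m:
            fp[f"{m['image']}[{m['pid']}]"].add((m["api"], int(m["target"], 16) & 0xFFFF))
    return {proc: frozenset(pairs) for proc, pairs in fp.items()}


def single_injected_module(fp):
    """True when every hooked process carries the identical (API, offset) set,
    i.e. one DLL injected into all of them.  That narrows the work to
    identifying that one module (the code at the JMP target) instead of
    treating each process as separately compromised."""
    return len(set(fp.values())) == 1


def service_records(log):
    """Group Reg lines into {(control set, service): {value: data}} and
    collect the names GMER marked hidden in the Services section."""
    recs, hidden = defaultdict(dict), set()
    for line in log.splitlines():
        s = SERVICE_RE.match(line)
        if s and "hidden" in s["flags"]:
            hidden.add(s["name"])
        r = REG_RE.match(line)
        if r:
            recs[(r["cset"], r["name"])][r["value"]] = r["data"].strip()
    return dict(recs), hidden


def triage_services(log):
    """{service: {control set: [reasons]}} for every service worth acting on.
    Control sets are listed separately on purpose: an entry left in another
    control set survives deletion from CurrentControlSet."""
    recs, hidden = service_records(log)
    findings = defaultdict(dict)
    for (cset, name), v in recs.items():
        reasons = []
        if name in hidden:
            reasons.append("hidden from the service API")
        if "svchost.exe" in v.get("ImagePath", "").lower() and "ServiceDll" in v:
            reasons.append("svchost-hosted, loads " + v["ServiceDll"])
        for legit, text in KNOWN_DESCRIPTIONS.items():
            if v.get("Description") == text and name != legit:
                reasons.append("description copied from " + legit)
        if reasons:
            findings[name][cset] = reasons
    return dict(findings)


if __name__ == "__main__":
    fps = hook_fingerprints(SAMPLE_LOG)
    print("hooked processes:", len(fps), "| one injected module:", single_injected_module(fps))
    for name, per_cset in triage_services(SAMPLE_LOG).items():
        for cset, reasons in per_cset.items():
            print(f"{name} [{cset}]: " + "; ".join(reasons))
```

Two things the per-control-set output makes visible for cleanup: the service is registered in both CurrentControlSet and ControlSet003, so removing it from the active set alone leaves a copy that a registry restore or a boot with another control set can bring back; and the `ServiceDll` path is the file to copy off the machine before any tool deletes it, since it is the only artifact that will tell you what the service actually did.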
Windows XP SP3
Problem: the connection with the Nokia phone through PC Suite no longer works. Scan with AVG 8.5: no virus.
So, thinking it was a problem with some recent installation, I went to System Restore: nothing. Repeated several times.
I download AVG 9, scan: virus JS/Downloader.Agent found.
Network Connections: "create new connection" does not work, it does not connect with any type of connection.
I start the procedure:
2. Malwarebytes detects 7 threats: 6 trojan.downloader, 1 hijack.system.hid...
But it freezes and I cannot save the log.
3. A-squared, log attached
a-squared Free - Version 4.5
Last update: N/A
Scan settings:
Scan type: deep
Objects: Memory, Traces, Cookies, C:\, D:\, F:\
Scan archives: On
Heuristics: Off
ADS Scan: On
Scan start: 15/11/2009 21.56.40
c:\programmi\viewpoint\viewpoint toolbar detected: Trace.Directory.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Emule --> Order detected: Trace.Registry.Emule 5.0!A2
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\user agent\post platform --> dial detected: Trace.Registry.EnergyPlugin!A2
Value: HKEY_CLASSES_ROOT\CLSID\{0E2C3126-DDED-4A58-800E-9AEDE84EA31E}\InProcServer32 --> ThreadingModel detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_CLASSES_ROOT\CLSID\{A7327C09-B521-4EDB-8509-7D2660C9EC98}\InProcServer32 --> ThreadingModel detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_CLASSES_ROOT\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32 --> ThreadingModel detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Viewpoint\Content Debugger --> SearchBar detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\.DEFAULT\Software\Viewpoint\Content Debugger --> Viewbar Installer detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-18\Software\Viewpoint\Content Debugger --> Viewbar Installer detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\.DEFAULT\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-18\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\.DEFAULT\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-18\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-418294568-363835258-2483692802-1005\Software\Viewpoint\Viewpoint Toolbar --> ToolbarSelectedInBrowser detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E2C3126-DDED-4A58-800E-9AEDE84EA31E}\InProcServer32 --> ThreadingModel detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7327C09-B521-4EDB-8509-7D2660C9EC98}\InProcServer32 --> ThreadingModel detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32 --> ThreadingModel detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Toolbar --> DisplayName detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Toolbar --> UninstallString detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Viewpoint\Toolbar Runtime --> {F8AD5AA5-D966-4667-9DAF-2561D68B2012} detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Viewpoint\Toolbar Runtime --> Version detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Viewpoint\Viewpoint Toolbar --> Version detected: Trace.Registry.Viewpoint Media Toolbar!A2
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\A.tmp detected: Trojan-Downloader.Win32.Mebroot!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\jar_cache924474243655318827.tmp detected: Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\C.tmp detected: Trojan-Downloader.Win32.Mebroot!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Impostazioni locali\Temp\jar_cache924474243655318827.tmp detected: Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Impostazioni locali\Temp\jar_cache924474243655318827.tmp detected: Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Impostazioni locali\Temp\jar_cache924474243655318827.tmp detected: Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class detected: Trojan-Downloader.Java.OpenConnection!IK
Scanned
Files: 137602
Traces: 722338
Cookies: 0
Processes: 51
Found
Files: 38
Traces: 24
Cookies: 0
Processes: 0
Registry keys: 0
Scan end: 15/11/2009 22.51.34
Scan time: 0:54:54
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-4c13906b-263a737e.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-1f8d254-70d9015a.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-77a7d7d1-2a67f3b3.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java.jar-213cd4f8-396b08a2.zip/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\3\295fb583-42909765/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\7\356118c7-292e19ce/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\13\1962d7cd-19bcd7aa/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Dati applicazioni\Sun\Java\Deployment\cache\6.0\51\fdce7f3-2fd18936/Java.class Quarantined Trojan-Downloader.Java.OpenConnection!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\jar_cache924474243655318827.tmp Quarantined Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U\Impostazioni locali\Temp\jar_cache924474243655318827.tmp Quarantined Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.000\Impostazioni locali\Temp\jar_cache924474243655318827.tmp Quarantined Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant.NOME-ARJH7HJY1U.001\Impostazioni locali\Temp\jar_cache924474243655318827.tmp Quarantined Win32.SuspectCrc!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\A.tmp Quarantined Trojan-Downloader.Win32.Mebroot!IK
C:\Documents and Settings\HelpAssistant\Impostazioni locali\Temp\C.tmp Quarantined Trojan-Downloader.Win32.Mebroot!IK
Quarantined
Files: 38
Traces: 0
Cookies: 0
4. F-Secure online: I cannot connect, so I use the Kaspersky removal tool, log attached (http://www.mediafire.com/file/m2kz2zmm2mt/kasp.rar)
5. Dr.Web CureIt: when the program starts, the notebook reboots and runs scandisk; repeated the procedure with the same result.
6. SysInspector, log attached (http://www.mediafire.com/file/ijyotzrnzrz/SysInspector-NOME-ARJH7HJY1U-091116-2058.rar)
7. HijackThis: log attached
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41:18, on 16/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\AVG\AVG9\avgchsvx.exe
C:\Programmi\AVG\AVG9\avgrsx.exe
C:\Programmi\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Programmi\ASUS\ASUS Live Update\ALU.exe
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Programmi\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Programmi\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Programmi\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Programmi\File comuni\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Programmi\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUSTek\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeinternet.it/?PC=1&CD=1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169891008199
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Programmi\AVG\AVG9\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programmi\Viewpoint\Common\ViewpointService.exe
--
End of file - 7431 bytes
8. Gmer: I'm attaching the log; on the screen this appears in red: SERVICE C:\windows\system32\svchost.exe(***hidden***) AUTO qzimzile
GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-16 21:56:53
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Leo\IMPOST~1\Temp\kwldyaog.sys
---- User code sections - GMER 1.0.15 ----
.text C:\Programmi\a-squared Free\a2service.exe[516] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045495D C:\Programmi\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\WINDOWS\system32\dwwin.exe[1044] ADVAPI32.DLL!CryptDestroyKey 77F59EBC 7 Bytes JMP 013628E0
.text C:\WINDOWS\system32\dwwin.exe[1044] ADVAPI32.DLL!CryptDecrypt 77F5A129 7 Bytes JMP 01362890
.text C:\WINDOWS\system32\dwwin.exe[1044] ADVAPI32.DLL!CryptEncrypt 77F5E360 7 Bytes JMP 01362854
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01362839
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!send 71A34C27 5 Bytes JMP 013626C5
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 013627B7
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!recv 71A3676F 5 Bytes JMP 013626FD
.text C:\WINDOWS\system32\dwwin.exe[1044] ws2_32.dll!WSASend 71A368FA 5 Bytes JMP 01362735
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 016C28E0
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 016C2890
.text C:\WINDOWS\Explorer.EXE[1760] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 016C2854
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 016C2839
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!send 71A34C27 5 Bytes JMP 016C26C5
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 016C27B7
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!recv 71A3676F 5 Bytes JMP 016C26FD
.text C:\WINDOWS\Explorer.EXE[1760] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 016C2735
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00A528E0
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00A52890
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00A52854
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00A52839
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!send 71A34C27 5 Bytes JMP 00A526C5
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00A527B7
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00A526FD
.text C:\WINDOWS\System32\drivers\CDAC11BA.EXE[1836] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00A52735
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 019E2839
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!send 71A34C27 5 Bytes JMP 019E26C5
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 019E27B7
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!recv 71A3676F 5 Bytes JMP 019E26FD
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 019E2735
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 019E28E0
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 019E2890
.text C:\Programmi\Java\jre6\bin\jqs.exe[2060] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 019E2854
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00B728E0
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00B72890
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00B72854
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00B72839
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!send 71A34C27 5 Bytes JMP 00B726C5
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00B727B7
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00B726FD
.text C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe[2612] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00B72735
.text C:\WINDOWS\System32\alg.exe[2836] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00B328E0
.text C:\WINDOWS\System32\alg.exe[2836] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00B32890
.text C:\WINDOWS\System32\alg.exe[2836] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00B32854
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00B32839
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!send 71A34C27 5 Bytes JMP 00B326C5
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00B327B7
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00B326FD
.text C:\WINDOWS\System32\alg.exe[2836] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00B32735
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00E528E0
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00E52890
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00E52854
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00E52839
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!send 71A34C27 5 Bytes JMP 00E526C5
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00E527B7
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00E526FD
.text C:\Programmi\ASUS\ASUS Live Update\ALU.exe[3276] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00E52735
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 011528E0
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01152890
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01152854
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01152839
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!send 71A34C27 5 Bytes JMP 011526C5
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 011527B7
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!recv 71A3676F 5 Bytes JMP 011526FD
.text C:\Programmi\Synaptics\SynTP\SynTPLpr.exe[3292] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01152735
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 011B28E0
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 011B2890
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 011B2854
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 011B2839
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!send 71A34C27 5 Bytes JMP 011B26C5
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 011B27B7
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!recv 71A3676F 5 Bytes JMP 011B26FD
.text C:\Programmi\Synaptics\SynTP\SynTPEnh.exe[3300] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 011B2735
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 010328E0
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01032890
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01032854
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01032839
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!send 71A34C27 5 Bytes JMP 010326C5
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 010327B7
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!recv 71A3676F 5 Bytes JMP 010326FD
.text C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe[3308] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01032735
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 011328E0
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 01132890
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 01132854
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01132839
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!send 71A34C27 5 Bytes JMP 011326C5
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 011327B7
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!recv 71A3676F 5 Bytes JMP 011326FD
.text C:\Programmi\Java\jre6\bin\jusched.exe[3424] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01132735
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00CD28E0
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00CD2890
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00CD2854
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00CD2839
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!send 71A34C27 5 Bytes JMP 00CD26C5
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00CD27B7
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00CD26FD
.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[4068] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00CD2735
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!CryptDestroyKey 77F59EBC 7 Bytes JMP 00EA28E0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 00EA2890
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] ADVAPI32.dll!CryptEncrypt 77F5E360 7 Bytes JMP 00EA2854
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 00EA2839
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!send 71A34C27 5 Bytes JMP 00EA26C5
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 00EA27B7
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!recv 71A3676F 5 Bytes JMP 00EA26FD
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[4088] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 00EA2735
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\ACPI \Device\00000050 826E0E40
Device \Driver\ACPI \Device\00000051 826E0E40
Device \Driver\ACPI \Device\00000052 826E0E40
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Driver\ACPI -> \Driver\ACPI \Device\Harddisk0\DR0 826E0E40
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] qzimzklle <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@DisplayName rbtduxfig
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle@Description Abilita un computer a riconoscere e adattarsi alle modifiche hardware con il minimo input da parte dell'utente o senza alcun input. Se il servizio viene arrestato o disabilitato, il sistema diventerà instabile.
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\qzimzklle\Parameters@ServiceDll C:\WINDOWS\system32\yidlubfs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@DisplayName rbtduxfig
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle@Description Abilita un computer a riconoscere e adattarsi alle modifiche hardware con il minimo input da parte dell'utente o senza alcun input. Se il servizio viene arrestato o disabilitato, il sistema diventerà instabile.
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\qzimzklle\Parameters@ServiceDll C:\WINDOWS\system32\yidlubfs.dll
---- EOF - GMER 1.0.15 ----
9. Prevx: I can't connect to the internet.
If someone could help me! Bear in mind that I'm not very experienced... :help: