#1
Senior Member
Joined: Jan 2007
Posts: 2203
Trojan BDS poison
So, in short, here is what happens to me: I open MailWasher and it shows me a preview of the incoming emails; without going into Outlook, I click on a link in any one of the emails that arrived, and here is what Avira tells me
It does not let me open the link, and that bast... creates an empty folder "stubs" in the program directory. Here is a ComboFix log.
__________________
MacBook Air M1 iPhone 12 64GB AppleWatch3 42mm AirPods 2 Homepod Mini ZTE MC801A Hyperbox 5G SkyQ black Yamaha Rx v673 sintoamplificatore Optoma VPR UHD42 4k
#2
Senior Member
Joined: Jan 2007
Posts: 2203
And here is a Malwarebytes log as well

Malwarebytes' Anti-Malware 1.45
Versione database: 4039
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

26/04/2010 20.40.42
mbam-log-2010-04-26 (20-40-42).txt

Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi esaminati: 159145
Tempo trascorso: 47 minuti, 19 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 3
Cartelle infette: 0
File infetti: 0

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

Basically those are 3 Avira registry keys, and I don't think that is the problem
#3
Moderator
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885
Hi, as far as Avira is concerned there is a dedicated thread http://www.hwupgrade.it/forum/showthread.php?t=1514684
I also remind you of http://www.hwupgrade.it/forum/showthread.php?t=1751598 Closing
__________________
Try again and you will be luckier.