Processi che si avviano in automatico

[snapshot83]

Salve a tutti, eccomi qui disperato ad esporvi il mio problema.

Dopo soli 4 mesi ho dovuto ri formattare a causa di un (presunto) virus maledetto...

In pratica non potevo più usare nessun programma perchè, improvvisamente, mi si apriva il wmp e successivamente decine di volte il browser di firefox con la home page di google, impedendomi di scrivere qualsiasi messaggio o di fare qualsiasi operazione...

Pensavo fosse tutto risolto ma ecco che, dopo un pomeriggio perso, nulla è tornato alla normalità...

Cosa fare adesso?
Non so proprio a che santo votarmi..
Se è successo anche a voi fatemi sapere...
Ho già provato prima del format decine di antispyware ad entivirus con risultati pressocchè nulli...

[Franz.]

Ciao, occorre procedere ad un accurata bonifica del tuo pc.

Leggi le REGOLE di SEZIONE, e poi segui attentamente le indicazioni riportate nella GUIDA alla DISINFEZIONE per INFETTI
Ricordati quindi di pubblicarci nell'ordine tutti i log richiesti rispettando le regole di pubblicazione degli stessi.

[snapshot83]

ho fatto tutto...
Ma non vengo a capo di nulla

Ecco i miei log, nell'odine richiesto.

F- Secure

Scanning Report Sunday, May 11, 2008 21:55:30 - 22:28:00 Computer name: ALFIO-DESKTOP Scanning type: Scan system for malware, rootkits Target: C:\ D:\ L:\ ------------------------------------------------------------------------ Result: 2 malware found Backdoor.Win32.Rbot.pbc (virus) * L:\PROGRAMMI\JASC PAINT SHOP PHOTO ALBUM DELUXE 5.1 KEYGENERATOR.EXE (Renamed & Submitted) Tracking Cookie (spyware) * System ------------------------------------------------------------------------ Statistics Scanned: * Files: 25164 * System: 2355 * Not scanned: 8 Actions: * Disinfected: 0 * Renamed: 1 * Deleted: 0 * None: 1 * Submitted: 1 Files not scanned: * C:\PAGEFILE.SYS * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT * C:\WINDOWS\SYSTEM32\CONFIG\SAM * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM * C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{01F9E0CC-BE0E-443B-9242-14917A76F841}.BIN * C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{E457EB63-7356-48F1-BEF3-30BBE135B33F}.BIN ------------------------------------------------------------------------ Options Scanning engines: * F-Secure USS: 2.30.0 * F-Secure Blacklight: 1.0.68 * F-Secure Hydra: 2.8.8110, 2008-05-11 * F-Secure Pegasus: 1.20.0, 2008-02-28 * F-Secure AVP: 7.0.171, 2008-05-11 Scanning options: * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR * Use Advanced heuristics ------------------------------------------------------------------------ Copyright © 1998-2007 Product support |Send virus sample to F-Secure F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.



Sys Inspector (non riesco ad allegare il log)



Hijackthis

Codice:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.36.13, on 11/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\a-squared Free\a2service.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Programmi\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programmi\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Premium\avesvc.exe

--
End of file - 4888 bytes

Gmer

Codice:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-11 22:40:48
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT   F7BD92FC                                                                                        ZwCreateThread
SSDT   F7BD92E8                                                                                        ZwOpenProcess
SSDT   F7BD92ED                                                                                        ZwOpenThread
SSDT   F7BD92F7                                                                                        ZwTerminateProcess
SSDT   F7BD92F2                                                                                        ZwWriteVirtualMemory

---- User code sections - GMER 1.0.14 ----

.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!LoadResource                 7C809FB5 7 Bytes  JMP 28001CC0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!FindResourceExW              7C80AC88 7 Bytes  JMP 28001B00 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!FindResourceW                7C80BBCE 7 Bytes  JMP 28001A80 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!SizeofResource               7C80BC69 7 Bytes  JMP 28001D80 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!FindResourceA                7C80BE89 7 Bytes  JMP 28001B90 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!LockResource                 7C80CC97 5 Bytes  JMP 28001DF0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!CreateEventA                 7C8308AD 5 Bytes  JMP 28001840 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!FindResourceExA              7C835F78 7 Bytes  JMP 28001C20 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!SetUnhandledExceptionFilter  7C84467D 5 Bytes  JMP 0056DBBD C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] kernel32.dll!OutputDebugStringW           7C85A42D 5 Bytes  JMP 28001E50 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] ADVAPI32.dll!CryptDeriveKey               77F5A685 7 Bytes  JMP 28001000 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] ADVAPI32.dll!CryptDecrypt                 77F5A7B1 2 Bytes  JMP 28001060 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] ADVAPI32.dll!CryptDecrypt + 3             77F5A7B4 4 Bytes  [ 0A, B0, CC, CC ]
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] USER32.dll!PeekMessageW                   7E39929B 5 Bytes  JMP 28004010 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] USER32.dll!CreateWindowExW                7E39FC25 5 Bytes  JMP 280037A0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] USER32.dll!SetWindowRgn                   7E39FFB2 7 Bytes  JMP 28005900 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] USER32.dll!LoadIconW                      7E3A0894 5 Bytes  JMP 28006210 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] USER32.dll!LoadImageW                     7E3A2CFE 5 Bytes  JMP 28006020 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] USER32.dll!CreateDialogParamW             7E3A7D4F 5 Bytes  JMP 28005A20 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] USER32.dll!SetWindowPlacement             7E3AD84C 5 Bytes  JMP 280057C0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] USER32.dll!MessageBoxIndirectW            7E3E62AB 5 Bytes  JMP 28005C10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] USER32.dll!TrackPopupMenuEx               7E3ECD28 5 Bytes  JMP 280048F0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] WS2_32.dll!send                           71A3428A 5 Bytes  JMP 28009EE0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] WS2_32.dll!WSARecv                        71A34318 5 Bytes  JMP 28009CC0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] WS2_32.dll!recv                           71A3615A 5 Bytes  JMP 28009B20 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] WS2_32.dll!WSASend                        71A36233 5 Bytes  JMP 2800A0C0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] WS2_32.dll!closesocket                    71A39639 5 Bytes  JMP 2800A300 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] SHELL32.dll!Shell_NotifyIconW             7CA31B92 5 Bytes  JMP 28002F50 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] ole32.dll!CoInitializeEx                  774CEF6B 5 Bytes  JMP 28002100 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] ole32.dll!CoRegisterClassObject           774E8720 5 Bytes  JMP 28002200 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] WININET.dll!InternetCloseHandle           4330DA59 5 Bytes  JMP 28008CE0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] WININET.dll!HttpOpenRequestA              43314331 5 Bytes  JMP 280089A0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] WININET.dll!InternetReadFile              4331ABA4 5 Bytes  JMP 28008B30 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text  C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[2012] WININET.dll!HttpSendRequestA              4331CD28 5 Bytes  JMP 28008C10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- EOF - GMER 1.0.14 ----

e per ultimo Prevx

non sono riuscito a generare il log ma compare la scritta "No malware has been found"

[wjmat]

riedita il tuo post ed allega tutti i log con il comando gestisci allegati
manca a-squared

[snapshot83]

non riesco ad editrali in quel modo perchè mi avvisa che sono formati non corretti o riconosiuti..con a squared ho eliminato 5 cookie, nonho salvato il log purtroppo..dovrei rifare la scansione per spedirlo..

[wjmat]

manca anche il log di Dr.Web CureIT scaricato oggi
che problemi ti da il log di ESET SysInspector?

[murack83pa]

completa la guida e poi una domanda stupida ma fondamentale: il ripristino configurazione sistema era (prima di iniziare la guida) ed è ancora disattivato?