www.MegaLab.it

[Marco90]

Salve ragazzi, sono nuovo del Forum e saluto tutti!
Voglio esporre brevemente il mio problema e spero che possa trovare un aiuto da voi.
Da qualche giorno il mio PC (Pentium 4 CPU 3.00GHz, ram 1.00), si blocca dopo qualche minuto che avvio un programma per es. Sophos antivirus, quando cerco di chiudere la finestra, emette un suono continuo e lo devo riavviare.
Ho eseguito una scansione con GMER, non sono mai riuscito a completarla, tuttavia ho salvato il file di lettura prima che si bloccasse il PC. Cerco di postarlo, con la speranza che qualcuno lo interpreti. Grazie per l'aiuto. Marco

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-20 12:02:32
Windows 5.1.2600 Service Pack 3
Running: kn25598h.exe; Driver: C:\DOCUME~1\CARMEL~1\IMPOST~1\Temp\kxtdypow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\PROGRAMMI\A-SQUARED FREE\a2service.exe[1640] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045495D C:\PROGRAMMI\A-SQUARED FREE\a2service.exe (a-squared Service/Emsi Software GmbH)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 868C1B00
Device \Driver\atapi \Device\Ide\IdePort0 868C1B00
Device \Driver\atapi \Device\Ide\IdePort1 868C1B00
Device \Driver\atapi \Device\Ide\IdePort2 868C1B00
Device \Driver\atapi \Device\Ide\IdePort3 868C1B00
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 868C1B00

AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{73897CEE-5253-8BA1-281B-C3CC10F1A2DC}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{73897CEE-5253-8BA1-281B-C3CC10F1A2DC}@hajdphbcenkncmjo 0x69 0x61 0x6E 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{73897CEE-5253-8BA1-281B-C3CC10F1A2DC}@iahefbcenmpiopefmg 0x69 0x61 0x6E 0x64 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

[crazy.cat]

Comincia a fare il test con il tool fixmbr e spera di risolvere, altrimenti è una bella rogna questo virus.
sicurezza/virus-sul-settore-1-mbr-t58918.html

Riguardo i suoni continui controllerei se tutte le ventole girano bene e non ci sia sporco nel pc, potrebbe essere un allarme dovuto a qualche surriscaldamento.

[Marco90]

Ho eseguito mbr.exe da modalità provvisoria, posto il file log. Cosa significa? mi spiegate per favore?

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !

e poi scansione con ComboFix: ecco il log.

ComboFix 09-11-22.04 - Carmelo Munafò 23/11/09 9.13.10.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.765 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Carmelo Munafò\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\S-1-5-21-515967899-152049171-725345543-1004
C:\windows\system32\api.dat
C:\windows\system32\osmultiplexcore.dll

.
((((((((((((((((((((((((( Files Creati Da 2009-10-23 al 2009-11-23 )))))))))))))))))))))))))))))))))))
.

2019-04-24 06:27:19 . 2019-04-24 06:31:31 0 d-----w- C:\Programmi\Eazel-IT
2009-11-23 07:29:04 . 2009-11-20 09:53:58 77312 ----a-w- C:\mbr.exe
2009-11-17 11:12:03 . 2008-05-19 14:35:34 130104 ----a-w- C:\windows\system32\sdccoinstaller.dll
2009-11-17 11:11:41 . 2009-11-17 11:11:41 0 d-----w- C:\Programmi\File comuni\Cisco Systems
2009-11-17 11:11:33 . 2008-08-21 11:22:58 23552 ----a-w- C:\windows\system32\SophosBootTasks.exe
2009-11-17 11:11:21 . 2009-11-17 11:12:54 0 d-----w- C:\Programmi\Sophos
2009-11-17 11:10:51 . 2009-01-05 10:41:48 110848 ----a-w- C:\windows\system32\drivers\savonaccesscontrol.sys
2009-11-17 11:10:51 . 2009-01-05 10:41:30 38528 ----a-w- C:\windows\system32\drivers\savonaccessfilter.sys
2009-11-17 11:10:51 . 2008-05-23 06:38:24 14976 ----a-w- C:\windows\system32\drivers\SophosBootDriver.sys
2009-11-12 10:24:42 . 2009-11-17 09:41:32 1503264 --sha-w- C:\windows\system32\drivers\fidbox.dat
2009-11-09 15:25:02 . 2009-11-09 15:25:02 0 d-----w- C:\windows\system32\wbem\Repository
2009-11-09 15:18:46 . 2009-11-09 15:18:46 475084 ----a-w- C:\windows\system32\prfh0410.dat
2009-11-09 15:18:45 . 2009-11-09 15:18:45 77574 ----a-w- C:\windows\system32\prfc0410.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2009-11-14 05:15:14 . 7B10F2D555A4A9C5E4697418B77C8FED . 96512 . . [------] . . C:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 18:40:30 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512 (xpsp.080413-2108)] . . C:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 18:40:30 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512 (xpsp.080413-2108)] . . C:\windows\SoftwareDistribution\Download\fc12fb9dc078edc471023573f97c4e40\atapi.sys
[7] 2004-08-19 12:00:00 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}"= "C:\Programmi\Eazel-IT\tbEaz1.dll" [2019-04-24 06:31:31 1883672]

[HKEY_CLASSES_ROOT\clsid\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 10:47:00 333192 ----a-w- C:\Programmi\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]
2019-04-24 06:31:31 1883672 ----a-w- C:\Programmi\Eazel-IT\tbEaz1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}"= "C:\Programmi\Eazel-IT\tbEaz1.dll" [2019-04-24 06:31:31 1883672]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "C:\Programmi\AskBarDis\bar\bin\askBar.dll" [2009-04-02 10:47:00 333192]

[HKEY_CLASSES_ROOT\clsid\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{ECDC465A-CF20-4B82-9A26-47C9DC52FA32}"= "C:\Programmi\Eazel-IT\tbEaz1.dll" [2019-04-24 06:31:31 1883672]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "C:\Programmi\AskBarDis\bar\bin\askBar.dll" [2009-04-02 10:47:00 333192]

[HKEY_CLASSES_ROOT\clsid\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmi\Java\jre6\bin\jusched.exe" [2009-10-11 03:17:36 149280]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-03-02 09:37:54 282624]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-01 08:12:00 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-01 08:12:00 4112384]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50:42 155648]
"nwiz"="nwiz.exe" - C:\WINDOWS\system32\nwiz.exe [2004-07-01 08:12:00 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:14:03 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acrobat Assistant.lnk - C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.exe.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-21 113664]
AutoUpdate Monitor.lnk - C:\Programmi\Sophos\AutoUpdate\ALMon.exe [2009-11-17 245760]
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2008-12-4 131584]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^Carmelo Munafò^Menu Avvio^Programmi^Esecuzione automatica^is-0G4EF.lnk]
path=C:\Documents and Settings\Carmelo Munafò\Menu Avvio\Programmi\Esecuzione automatica\is-0G4EF.lnk
backup=C:\windows\pss\is-0G4EF.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\BearShare\\BearShare.exe"=
"C:\\Munafò\\Download\\Bearshare 5.2.2\\Programma\\BearShare\\BearShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
.
Contenuto della cartella 'Scheduled Tasks'

2009-11-17 C:\windows\Tasks\Scansione Pianificata.job
- C:\Programmi\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-01-22 15:45:04 . 2009-01-22 15:45:04]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0A24593B-0E47-4A72-8F4A-075D19451D33} = 192.167.101.10
FF - ProfilePath - C:\Documents and Settings\Carmelo Munafò\Dati applicazioni\Mozilla\Firefox\Profiles\c3hqcdow.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - plugin: C:\Programmi\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-AP Guitar Tuner 1.02 - C:\Programmi\Audio Phonics

[Marco90]

e poi anche systemscan: Vi prego aiutatemi!

report.txt

[dario-vr]

e poi anche systemscan: Vi prego aiutatemi!

report.txt

Ciao, ci sono passato anche io da questa tua esperienza e se ti può consolare sono riuscito a debellarlo anche se son rimasti residui del rootkit nel MBR, ma può capitare però ora è innocuo.
Se vuoi puoi provare a seguire la procedura che ho adottato io dietro consiglio
di amici esperti
Da Systemscan ho visto che hai in C/documents and settings l'utente HelpAssistant (sintomo e segnale del rootkit)

Per rimuoverlo dovrai fare una serie di scansioni, meglio da modalità provvisoria e con ripristino disattivato.

Rifai, dopo avere ripulito del vecchio Combofix, con la procedura sotto descritta, riavvio e Ccleaner:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Salvalo sul desktop.

Importante: Disabilita il tuo antivirus e chiudi TUTTI i programmi aperti,(Firewall compreso) e dopo aver scaricato COMBOFIX, chiudi la connessione.

Doppio click su combofix.exe (comparirà una videata.)
Se ti verrà chiesto se vuoi Installare LA CONSOLE DI RIPRISTINO DI EMERGENZA, clicca NO.
E' probabile che ti siano inviati messaggi dall'antivirus, tu ignorali.
Durante l'operazione di scansione è importante non usare il PC (neanche il mouse) e attendere pazientemente la fine delle operazioni.
Al termine, verrà creato un file log sul Desktop, chiamato C:\ComboFix.txt. Postalo qui.

Disinstalla combofix in questo modo: (dopo che avrò visto il log)
Start
Esegui
nella finestra di dialogo, copia ed incolla questo comando: Combofix /u e premi Invio poi cancella le cartelle in "C" di Combofix e (qoobox)

Fai:
Start\Esegui\copia e incolla la stringa %temp% clicca su Ok, svuota la cartella temp. (non eliminare la cartella)
Poi:
Lancia Hijackthis e pulisci gli ADS in questo modo:
clicca sulla voce Open the misc tool section
clicca su Open ads spy
togli la spunta alla voce Quick scan (windows base folder only)
clicca su Scan.
Aspetta pazientemente la fine della scansione.
se venissero rilevati ADS, spunta tutte (senza paura) le caselline e clicca su Remove selected

Poi:
Scarica Norman Malware Cleaner:
http://normanasa.vo.llnwd.net/o29/publi ... leaner.exe
e salvalo sul desktop

Accedi al sistema in modalità provvisoria

lancia Norman ed esegui una scansione completa

al termine della scansione verrà rilasciato un log: salvalo sul Desktop con il nome Norman1 e riavvia il sistema


accedi nuovamente al sistema in modalità provvisoria

rilancia Norman ed esegui una seconda scansione completa

al termine della scansione verrà rilasciato un log: salvalo sul Desktop con il nome Norman2

riavvia il sistema in modalità normale

Per ultimo scarica Prevx free ed esegui una scansione completa:
http://info.prevx.com/downloadcsi.asp

Riavvia nuovamente e rilancia Systemscan

[Marco90]

Grazie per il tuo prezioso suggerimento.
Alla fine di tutte le scansioni, posterò i vari log.
Marco.

[Marco90]

Ecco tutti i log:
MBR.log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !

Combofix

ComboFix 09-11-22.04 - Carmelo Munafò 23/11/09 14.25.11.4.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.743 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Carmelo Munafò\Desktop\ComboFix.exe
Opzioni usate :: / u
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((( Files Creati Da 2009-10-23 al 2009-11-23 )))))))))))))))))))))))))))))))))))
.

2019-04-24 06:27:19 . 2019-04-24 06:31:31 0 d-----w- C:\Programmi\Eazel-IT
2009-11-23 13:19:45 . 2009-11-23 13:19:45 0 d-----w- C:\Programmi\Trend Micro
2009-11-23 13:13:08 . 2009-11-23 13:13:10 0 d-----w- C:\Programmi\CCleaner
2009-11-23 07:29:04 . 2009-11-20 09:53:58 77312 ----a-w- C:\mbr.exe
2009-11-17 11:12:03 . 2008-05-19 14:35:34 130104 ----a-w- C:\windows\system32\sdccoinstaller.dll
2009-11-17 11:11:41 . 2009-11-17 11:11:41 0 d-----w- C:\Programmi\File comuni\Cisco Systems
2009-11-17 11:11:33 . 2008-08-21 11:22:58 23552 ----a-w- C:\windows\system32\SophosBootTasks.exe
2009-11-17 11:11:21 . 2009-11-17 11:12:54 0 d-----w- C:\Programmi\Sophos
2009-11-17 11:10:51 . 2009-01-05 10:41:48 110848 ----a-w- C:\windows\system32\drivers\savonaccesscontrol.sys
2009-11-17 11:10:51 . 2009-01-05 10:41:30 38528 ----a-w- C:\windows\system32\drivers\savonaccessfilter.sys
2009-11-17 11:10:51 . 2008-05-23 06:38:24 14976 ----a-w- C:\windows\system32\drivers\SophosBootDriver.sys
2009-11-16 08:32:36 . 2009-11-16 08:32:36 0 d-----w- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2009-11-12 10:24:42 . 2009-11-17 09:41:32 1503264 --sha-w- C:\windows\system32\drivers\fidbox.dat
2009-11-09 15:25:02 . 2009-11-09 15:25:02 0 d-----w- C:\windows\system32\wbem\Repository
2009-11-09 15:18:46 . 2009-11-09 15:18:46 475084 ----a-w- C:\windows\system32\prfh0410.dat
2009-11-09 15:18:45 . 2009-11-09 15:18:45 77574 ----a-w- C:\windows\system32\prfc0410.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2019-04-24 07:46:13 . 2009-04-21 10:00:35 0 d-----w- C:\Programmi\Total Video Converter
2009-11-17 11:08:57 . 2004-08-19 12:00:00 78474 ----a-w- C:\windows\system32\perfc010.dat
2009-11-17 11:08:57 . 2004-08-19 12:00:00 477260 ----a-w- C:\windows\system32\perfh010.dat
2009-11-17 09:41:32 . 2009-11-12 10:24:42 10244 --sha-w- C:\windows\system32\drivers\fidbox.idx
2009-11-10 08:10:28 . 2008-11-28 10:06:55 0 d-----w- C:\Programmi\a-squared Free
2009-11-04 07:17:08 . 2009-03-27 09:13:04 0 d-----w- C:\Programmi\Java
2009-10-23 14:17:24 . 2009-10-23 14:17:24 64072 ----a-w- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\Italian\setup.exe
2009-10-23 09:26:26 . 2009-10-23 09:26:26 0 d-----w- C:\Programmi\Fastrate USB 100
2009-10-11 03:17:27 . 2009-03-27 09:13:33 411368 ----a-w- C:\windows\system32\deploytk.dll
2009-09-11 14:17:34 . 2004-08-19 12:00:00 136192 ----a-w- C:\windows\system32\msv1_0.dll
2009-09-04 21:03:04 . 2004-08-19 12:00:00 58880 ----a-w- C:\windows\system32\msasn1.dll
2009-09-04 12:12:25 . 2009-09-03 12:10:35 3072 ----a-w- C:\windows\system32\dtmssystem.dll
2009-08-29 07:56:22 . 2004-08-19 12:00:00 916480 ------w- C:\windows\system32\wininet.dll
2009-08-26 08:00:31 . 2004-08-19 12:00:00 247326 ----a-w- C:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}"= "C:\Programmi\Eazel-IT\tbEaz1.dll" [2019-04-24 06:31:31 1883672]

[HKEY_CLASSES_ROOT\clsid\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 10:47:00 333192 ----a-w- C:\Programmi\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]
2019-04-24 06:31:31 1883672 ----a-w- C:\Programmi\Eazel-IT\tbEaz1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}"= "C:\Programmi\Eazel-IT\tbEaz1.dll" [2019-04-24 06:31:31 1883672]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "C:\Programmi\AskBarDis\bar\bin\askBar.dll" [2009-04-02 10:47:00 333192]

[HKEY_CLASSES_ROOT\clsid\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{ECDC465A-CF20-4B82-9A26-47C9DC52FA32}"= "C:\Programmi\Eazel-IT\tbEaz1.dll" [2019-04-24 06:31:31 1883672]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "C:\Programmi\AskBarDis\bar\bin\askBar.dll" [2009-04-02 10:47:00 333192]

[HKEY_CLASSES_ROOT\clsid\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmi\Java\jre6\bin\jusched.exe" [2009-10-11 03:17:36 149280]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-03-02 09:37:54 282624]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-01 08:12:00 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-01 08:12:00 4112384]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50:42 155648]
"nwiz"="nwiz.exe" - C:\WINDOWS\system32\nwiz.exe [2004-07-01 08:12:00 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [BU]
"Cmaudio"="cmicnfg.cpl" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:14:03 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acrobat Assistant.lnk - C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.exe.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-21 113664]
AutoUpdate Monitor.lnk - C:\Programmi\Sophos\AutoUpdate\ALMon.exe [2009-11-17 245760]
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2008-12-4 131584]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^Carmelo Munafò^Menu Avvio^Programmi^Esecuzione automatica^is-0G4EF.lnk]
path=C:\Documents and Settings\Carmelo Munafò\Menu Avvio\Programmi\Esecuzione automatica\is-0G4EF.lnk
backup=C:\windows\pss\is-0G4EF.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\BearShare\\BearShare.exe"=
"C:\\Munafò\\Download\\Bearshare 5.2.2\\Programma\\BearShare\\BearShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 SAVService;Sophos Anti-Virus;C:\Programmi\Sophos\Sophos Anti-Virus\SavService.exe [21/08/08 12.04.26 98304]
S0 pavboot;pavboot;C:\windows\system32\drivers\pavboot.sys C:\windows\system32\drivers\pavboot.sys
S1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\drivers\savonaccesscontrol.sys [17/11/09 12.10.51 110848]
S1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\drivers\savonaccessfilter.sys [17/11/09 12.10.51 38528]
S2 ASKUpgrade;ASKUpgrade;C:\Programmi\AskBarDis\bar\bin\ASKUpgrade.exe [24/06/09 11.10.23 234888]
S2 SAVAdminService;Crea report sullo stato di Sophos Anti-Virus;C:\Programmi\Sophos\Sophos Anti-Virus\SAVAdminService.exe [17/11/09 12.23.46 80936]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [27/03/09 12.50.25 38496]
S4 SophosBootDriver;SophosBootDriver;C:\WINDOWS\system32\drivers\SophosBootDriver.sys [17/11/09 12.10.51 14976]
.
Contenuto della cartella 'Scheduled Tasks'

2009-11-17 C:\windows\Tasks\Scansione Pianificata.job
- C:\Programmi\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-01-22 15:45:04 . 2009-01-22 15:45:04]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0A24593B-0E47-4A72-8F4A-075D19451D33} = 192.167.101.10
FF - ProfilePath - C:\Documents and Settings\Carmelo Munafò\Dati applicazioni\Mozilla\Firefox\Profiles\c3hqcdow.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - plugin: C:\Programmi\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

Norman1

Norman Malware Cleaner
Version 1.5.0.5
Copyright © 1990 - 2009, Norman ASA. Built 2009/11/23 10:21:47

Norman Scanner Engine Version: 6.03.02
Nvcbin.def Version: 6.03.00, Date: 2009/11/23 10:21:47, Variants: 4383320

Scan started: 23/11/2009 14:46:59

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 3
Logged on user: MUNAFO\Carmelo Munafò

Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000


Scanning running processes and process memory...

Number of processes/threads found: 1014
Number of processes/threads scanned: 1014
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 43s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Carmelo Munafò\Preferiti\Siti Mp3\elimdekileri herkesle paylasabilmek için açtim bu blogu 2009-02.url (Error opening file: Not found)

C:\FindyKill\ByPass.exe (Infected with Malware.JXYI)
Deleted file

C:\Munafò\Download\Antivirus\FindyKill.exe (Infected with Malware.JVBP)
Deleted file

C:\Programmi\AskBarDis\bar\bin\AskSplash.exe (Infected with W32/AskBar.M)
Deleted file

C:\Programmi\AskBarDis\bar\bin\AskTBApp.exe (Infected with W32/AskBar.L)
Deleted file

C:\Programmi\Total Video Converter\regsvr32.exe (Infected with W32/Smallworm.FMX)
Deleted file

C:\System Volume Information\_restore{320E9B18-0405-4E1E-B0CF-EB3E9113E0F7}\RP1\A0003240.exe (Infected with Malware.JXYI)
Deleted file

C:\System Volume Information\_restore{320E9B18-0405-4E1E-B0CF-EB3E9113E0F7}\RP1\A0003241.exe (Infected with Malware.JVBP)
Deleted file

C:\System Volume Information\_restore{320E9B18-0405-4E1E-B0CF-EB3E9113E0F7}\RP1\A0003242.exe (Infected with W32/AskBar.M)
Deleted file

C:\System Volume Information\_restore{320E9B18-0405-4E1E-B0CF-EB3E9113E0F7}\RP1\A0003243.exe (Infected with W32/AskBar.L)
Deleted file

C:\System Volume Information\_restore{320E9B18-0405-4E1E-B0CF-EB3E9113E0F7}\RP1\A0003244.exe (Infected with W32/Smallworm.FMX)
Deleted file

C:\WINDOWS\system32\TDSSmtvd.dat (Infected with INI/TDSSServ.A)
Deleted file

Scanning: C:\System Volume Information\*.*


Running post-scan cleanup routine:

Number of files found: 62879
Number of archives unpacked: 0
Number of files scanned: 62867
Number of files not scanned: 12
Number of files skipped due to exclude list: 0
Number of infected files found: 11
Number of infected files repaired/deleted: 11
Number of infections removed: 11
Total scanning time: 1h 9m 23s

Norman2

Norman Malware Cleaner
Version 1.5.0.5
Copyright © 1990 - 2009, Norman ASA. Built 2009/11/23 10:21:47

Norman Scanner Engine Version: 6.03.02
Nvcbin.def Version: 6.03.00, Date: 2009/11/23 10:21:47, Variants: 4383320

Scan started: 23/11/2009 16:13:17

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 3
Logged on user: MUNAFO\Carmelo Munafò



Scanning running processes and process memory...

Number of processes/threads found: 1050
Number of processes/threads scanned: 1050
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 47s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Carmelo Munafò\Preferiti\Siti Mp3\elimdekileri herkesle paylasabilmek için açtim bu blogu 2009-02.url (Error opening file: Not found)


Running post-scan cleanup routine:

Number of files found: 26966
Number of archives unpacked: 0
Number of files scanned: 26959
Number of files not scanned: 7
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 27m 13s

Systemscan

report.txt

Spero che mi date una buona notizia!

[dario-vr]

Scarica MBR.EXE direttamente nella Directory C:\ (è importante che venga scaricato in C:\ )
http://www2.gmer.net/mbr/mbr.exe
Clicca Start

Clicca Esegui...

Digita: cmd

si apre la finestra DOS, digita: CD \

premi invio

digita: mbr -f (fai il copia-incolla non digitarlo direttamente dal comando esegui )

premi invio

Poi digita: exit

premi invio

Riavvia il pc

Posta qui il contenuto del log C:\mbr.log


PS il log di Combofix non mi sembra completo
Norman lo hai eseguito con il ripristino disattivato?
Tieni il ripristino disattivato fino a risoluzione dei problemi: è normale cheCombofix quando lo lanci riattivi il ripristino per cui poi per le successive scansoni con Norman è necessario disattivarlo

[Marco90]

Scusa, ho disattivato il ripristino solo all'inizio. Poi ho eseguito le varie scansioni in modalità provvisoria (tranne Prevx free).
ti posto il log mbr

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !

Devo rifare tutto?

[dario-vr]

Temo di sì.
Norman lo devi rilanciare in provvisoria con ripristino disattivato.
Comunque ora prova così:
Scarica il tool standalone (non necessita di installazione) Symantec Trojan.Mebroot Removal Tool:

http://www.ziddu.com/download/4428377/F ... t.exe.html

Fai doppio click sul file FixMebroot.exe , poi clicca su I Accept
quindi clicca su Start e segui le istruzioni a video.
Una volta conclusa la scansione verrà generato sul desktop il log dal nome FixMebroot.log
Nel caso in cui tu non sia infetto da MBR comparirà il messaggio :
Trojan.Mebroot has not been found active on your computer.

e comunque sarà richiesto il riavvio del pc.

Infine per verifica una bella ripasssata di Prevx 3.0 non guasta!
Fagli fare una bella scansione completa!


Infine:
Esegui questa scansione:
Scarica ed installa MalwareBytes
clicca qui per il download : http://www.malwarebytes.org/mbam.php
Prima di fare la scansione AGGIORNALO. (è molto importante)
Esegui una scansione completa del sistema.
Posta il log.

[dario-vr]

Per ultimo fai questo:
Se hai installato Combofix, disistallalo così:
Start
Esegui
nella finestra di dialogo, copia ed incolla questo comando: Combofix /u e premi Invio poi cancella le cartelle in "C" di Combofix e (qoobox)

Installa questa versione:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Sconnettiti da internet, disattiva l'antivirus.
Prova a far girare Combobix in Modalità provvisoria.

[Marco90]

Ciao Dario.
ti posto i log che hai chiesto.
Combofix

ComboFix 09-11-23.04 - Carmelo Munafò 24/11/09 14.20.07.6.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1023.753 [GMT 1:00]
Eseguito da: c:\documents and settings\Carmelo Munafò\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((( Files Creati Da 2009-10-24 al 2009-11-24 )))))))))))))))))))))))))))))))))))
.

2019-04-24 06:27 . 2019-04-24 06:31 -------- d-----w- c:\programmi\Eazel-IT
2009-11-24 12:26 . 2009-11-24 12:26 4045527 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-24 08:52 . 2009-11-24 08:52 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-24 08:38 . 2009-11-24 08:38 53136 ----a-w- c:\windows\system32\PxSecure.dll
2009-11-24 08:38 . 2009-11-24 08:38 46896 ----a-w- c:\windows\system32\drivers\pxrts.sys
2009-11-24 08:38 . 2009-11-24 08:38 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-11-24 08:38 . 2009-11-24 08:38 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2009-11-24 08:38 . 2009-11-24 08:38 -------- d-----w- c:\programmi\Prevx
2009-11-24 08:37 . 2009-11-24 13:15 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PrevxCSI
2009-11-23 13:19 . 2009-11-23 13:19 -------- d-----w- c:\programmi\Trend Micro
2009-11-23 13:13 . 2009-11-23 13:13 -------- d-----w- c:\programmi\CCleaner
2009-11-23 07:29 . 2009-11-20 09:53 77312 ----a-w- C:\mbr.exe
2009-11-17 11:12 . 2008-05-19 14:35 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2009-11-17 11:11 . 2009-11-17 11:11 -------- d-----w- c:\programmi\File comuni\Cisco Systems
2009-11-17 11:11 . 2008-08-21 11:22 23552 ----a-w- c:\windows\system32\SophosBootTasks.exe
2009-11-17 11:11 . 2009-11-17 11:12 -------- d-----w- c:\programmi\Sophos
2009-11-17 11:10 . 2009-01-05 10:41 110848 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-11-17 11:10 . 2009-01-05 10:41 38528 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2009-11-17 11:10 . 2008-05-23 06:38 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2009-11-16 08:32 . 2009-11-16 08:32 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2009-11-12 10:24 . 2009-11-17 09:41 1503264 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-09 15:25 . 2009-11-09 15:25 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-09 15:18 . 2009-11-09 15:18 475084 ----a-w- c:\windows\system32\prfh0410.dat
2009-11-09 15:18 . 2009-11-09 15:18 77574 ----a-w- c:\windows\system32\prfc0410.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 12:27 . 2009-03-27 11:50 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-11-23 14:10 . 2009-04-21 10:00 -------- d-----w- c:\programmi\Total Video Converter
2009-11-17 11:08 . 2004-08-19 12:00 78474 ----a-w- c:\windows\system32\perfc010.dat
2009-11-17 11:08 . 2004-08-19 12:00 477260 ----a-w- c:\windows\system32\perfh010.dat
2009-11-17 09:41 . 2009-11-12 10:24 10244 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-10 08:10 . 2008-11-28 10:06 -------- d-----w- c:\programmi\a-squared Free
2009-11-04 07:17 . 2009-03-27 09:13 -------- d-----w- c:\programmi\Java
2009-10-23 14:17 . 2009-10-23 14:17 64072 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\Italian\setup.exe
2009-10-23 09:26 . 2009-10-23 09:26 -------- d-----w- c:\programmi\Fastrate USB 100
2009-10-11 03:17 . 2009-03-27 09:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:17 . 2004-08-19 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 13:54 . 2009-03-27 11:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-03-27 11:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-19 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 12:12 . 2009-09-03 12:10 3072 ----a-w- c:\windows\system32\dtmssystem.dll
2009-08-29 07:56 . 2004-08-19 12:00 916480 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}"= "c:\programmi\Eazel-IT\tbEaz1.dll" [2019-04-24 1883672]

[HKEY_CLASSES_ROOT\clsid\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 10:47 333192 ----a-w- c:\programmi\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]
2019-04-24 06:31 1883672 ----a-w- c:\programmi\Eazel-IT\tbEaz1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}"= "c:\programmi\Eazel-IT\tbEaz1.dll" [2019-04-24 1883672]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\programmi\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{ECDC465A-CF20-4B82-9A26-47C9DC52FA32}"= "c:\programmi\Eazel-IT\tbEaz1.dll" [2019-04-24 1883672]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\programmi\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{ecdc465a-cf20-4b82-9a26-47c9dc52fa32}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2007-03-02 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-01 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-01 4112384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-01 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acrobat Assistant.lnk - c:\programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.exe.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-21 113664]
AutoUpdate Monitor.lnk - c:\programmi\Sophos\AutoUpdate\ALMon.exe [2009-11-17 245760]
EPSON Status Monitor 3 Environment Check.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2008-12-4 131584]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^Carmelo Munafò^Menu Avvio^Programmi^Esecuzione automatica^is-0G4EF.lnk]
path=c:\documents and settings\Carmelo Munafò\Menu Avvio\Programmi\Esecuzione automatica\is-0G4EF.lnk
backup=c:\windows\pss\is-0G4EF.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\BearShare\\BearShare.exe"=
"c:\\Munafò\\Download\\Bearshare 5.2.2\\Programma\\BearShare\\BearShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [24/11/09 9.38.16 30280]
R2 SAVService;Sophos Anti-Virus;c:\programmi\Sophos\Sophos Anti-Virus\SavService.exe [21/08/08 12.04.26 98304]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [24/11/09 9.38.13 24368]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys c:\windows\system32\drivers\pavboot.sys
S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [17/11/09 12.10.51 110848]
S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [17/11/09 12.10.51 38528]
S2 ASKUpgrade;ASKUpgrade;c:\programmi\AskBarDis\bar\bin\ASKUpgrade.exe [24/06/09 11.10.23 234888]
S2 CSIScanner;CSIScanner;c:\programmi\Prevx\prevx.exe [24/11/09 9.38.11 6213584]
S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [24/11/09 9.38.16 46896]
S2 SAVAdminService;Crea report sullo stato di Sophos Anti-Virus;c:\programmi\Sophos\Sophos Anti-Virus\SAVAdminService.exe [17/11/09 12.23.46 80936]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [27/03/09 12.50.25 38224]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [17/11/09 12.10.51 14976]
.
Contenuto della cartella 'Scheduled Tasks'

2009-11-17 c:\windows\Tasks\Scansione Pianificata.job
- c:\programmi\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-01-22 15:45]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0A24593B-0E47-4A72-8F4A-075D19451D33} = 192.167.101.10
FF - ProfilePath - c:\documents and settings\Carmelo Munafò\Dati applicazioni\Mozilla\Firefox\Profiles\c3hqcdow.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-AP Guitar Tuner 1.02 - c:\programmi\Audio Phonics
AddRemove-foobar2000 - c:\programmi\foobar2000\uninstall.exe _?=c:\programmi\foobar2000
AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 14:25
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1715567821-861567501-1801674531-1093\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{73897CEE-5253-8BA1-281B-C3CC10F1A2DC}*]
"hajdphbcenkncmjo"=hex:69,61,6e,64,66,61,65,6e,66,6a,63,6a,6e,6b,6c,63,67,6a,
00,00
"iahefbcenmpiopefmg"=hex:69,61,6e,64,66,61,65,6e,66,6a,63,6a,6e,6b,6c,63,67,6a,
00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð•€|ÿÿÿÿ.•€|þ»Ñw*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(1152)
c:\windows\system32\WININET.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
c:\programmi\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2009-11-24 14:27
ComboFix-quarantined-files.txt 2009-11-24 13:27

Pre-Run: 136.304.435.200 byte disponibili
Post-Run: 136.310.923.264 byte disponibili

- - End Of File - - 95B05324872B975B04D49D2B7A61290B

FixMebroot:

Symantec Trojan.Mebroot Removal Tool 1.0.2
Found drive \\.\PhysicalDrive0, analyzing MBR...
Creating FixMebroot service driver
Running driver...
Trojan.Mebroot has not been found active on your computer.
Delete service driver
Delete driver file
End


The tool initiated a system reboot.

mbam-log

Symantec Trojan.Mebroot Removal Tool 1.0.2
Found drive \\.\PhysicalDrive0, analyzing MBR...
Creating FixMebroot service driver
Running driver...
Trojan.Mebroot has not been found active on your computer.
Delete service driver
Delete driver file
End


The tool initiated a system reboot.

Prevx 3.0

PREVX 3.0

THREAT sys39698.exe in c:\documents and settings\... (Medium Risk Malware)
THREAT keygen.exe in c:\documents and settings\... (High Risk Worm)
THREAT combofix.exe in c:\documents and settings\... (High Risk Spyware)

License required to clean.

Speriamo bene. Ciao
P.S. Sto eseguendo Norman in provvisoria e senza ripristino.

[dario-vr]

Non c'è il log di Malwarebytes perché hai ripetuto due volte il log di Fixmeroot.
Sembra che il rootkit nell'MBR non ci sia più.
Prevx vede come malevolo Combofix (è normale , accade spesso) ma i primi due non riesco a leggere che sono:
THREAT sys39698.exe in c:\documents and settings\... (Medium Risk Malware) ?
THREAT keygen.exe in c:\documents and settings\... (High Risk Worm) ?
THREAT combofix.exe in c:\documents and settings\... (High Risk Spyware) Combofix

Riesci a risalire ai due files nella cartella documents and settings?
Prova a controllarli su:
http://www.virustotal.com

[Marco90]

Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.41
Versione del database: 2775
Windows 5.1.2600 Service Pack 3 (Safe Mode)

25/11/09 9.14.13
mbam-log-2009-11-25 (09-14-13).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 147265
Tempo trascorso: 50 minute(s), 7 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 0

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
(Nessun elemento malevolo rilevato)

In realtà con una precedente scansione di PREVX 3.0 avevo trovato una riga con scritto "Rootkit-MBR" o qualcosa del genere... scritta in neretto, non so se con qualche procedura (che non ricordo) l'ho cancellata. Le scritte in Rosso che sono rimaste, non è possibile eliminarle.

THREAT keygen.exe in c:\documents and settings\documenti\microsoft\office2003\genuine advantage.patcher-clony\ (High Risk Worm)
THREAT sys 39698.exe in c:\documents and settings\ sembra che sia su c desktop.
comunque controllo non appena conclude "Norman".

[dario-vr]

Prevx nella versione free elimina il rootkit.
Non le altre derivazioni: trojan - worm - backdoor

Fai girare il tuo antivirus sempre in provvisoria e con ripristino sempre disattivato.

Ah togli prima Combofix in questo modo:
Start
Esegui
nella finestra di dialogo, copia ed incolla questo comando: Combofix /u e premi Invio poi cancella le cartelle in "C" di Combofix e (qoobox)

[dario-vr]

THREAT keygen.exe in c:\documents and settings\documenti\microsoft\office2003\genuine advantage.patcher-clony\ (High Risk Worm)
Questo non è originale vero? proviene da emule??? i crack son spesso portatori di rogne
THREAT sys 39698.exe in c:\documents and settings\ sembra che sia su c desktop.
Questo invece dovrebbe far parte diCombofix
comunque controllo non appena conclude "Norman".

Altra informazione utile:
Il Rootkit, (dipende da vari fattori) crea, alle volte, una cartella in C:\Documents and Settings
Chiamata:"HELPASSISTANT" .

Poi puoi anche provare con questo tool:
http://www.softpedia.com/get/Antivirus/ ... Tool.shtml

[Marco90]

Norman

Norman Malware Cleaner
Version 1.5.0.5
Copyright © 1990 - 2009, Norman ASA. Built 2009/11/23 10:21:47

Norman Scanner Engine Version: 6.03.02
Nvcbin.def Version: 6.03.00, Date: 2009/11/23 10:21:47, Variants: 4383320

Scan started: 25/11/2009 09:35:51

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 3
Logged on user: MUNAFO\Carmelo Munafò

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000


Scanning running processes and process memory...

Number of processes/threads found: 1015
Number of processes/threads scanned: 1015
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 41s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Carmelo Munafò\Preferiti\Siti Mp3\elimdekileri herkesle paylasabilmek için açtim bu blogu 2009-02.url (Error opening file: Not found)

Scanning: E:\*.*


Running post-scan cleanup routine:

Number of files found: 60118
Number of archives unpacked: 0
Number of files scanned: 60106
Number of files not scanned: 12
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 1h 5m 50s

[dario-vr]

Norman

Norman Malware Cleaner
Version 1.5.0.5
Copyright © 1990 - 2009, Norman ASA. Built 2009/11/23 10:21:47

Norman Scanner Engine Version: 6.03.02
Nvcbin.def Version: 6.03.00, Date: 2009/11/23 10:21:47, Variants: 4383320

Scan started: 25/11/2009 09:35:51

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 3
Logged on user: MUNAFO\Carmelo Munafò

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000


Scanning running processes and process memory...

Number of processes/threads found: 1015
Number of processes/threads scanned: 1015
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 41s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Carmelo Munafò\Preferiti\Siti Mp3\elimdekileri herkesle paylasabilmek için açtim bu blogu 2009-02.url (Error opening file: Not found)

Scanning: E:\*.*


Running post-scan cleanup routine:

Number of files found: 60118
Number of archives unpacked: 0
Number of files scanned: 60106
Number of files not scanned: 12
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 1h 5m 50s

Non mi sembra poi così male.
Esegui le scansioni con il tuo antivirus (mod.provvisoria)
ed il tool (modalità normale) che sopra ti ho riportato

Che problemi riscontri ora?

[Marco90]

Ciao Dario,
il file "sys39698.exe" riconosciuto da "Malwarebytes' Anti-Malware" come virus, è in
realtà l'applicativo di "Systemscan"; mentre il file "Keygen.exe" è un generatore seriale,
scaricato con e-Mule che non ho mai utilizzato. La scansione eseguita stamattina con Kaspersky, in "modalità normale", non ha rilevato nessun elemento virale (non ho potuto postare il log perché il testo supera i 50Mb).
Tuttavia, sembra che il PC funzioni correttamente.
Che ne dici?

[dario-vr]

Beh direi che puoi provare ad usarlo per qualche giorno e vedere che ti succede.
Quel keygen però fossi in te non lo utilizzerei...
prova a verificarlo su
http://www.virustotal.com



Poi se tutto è a posto eseguirei queste ultime operazioni:

Start\Esegui\
copia e incolla la stringa
%temp%
clicca su Ok, svuota la cartella temp. (non eliminare la cartella)
Poi:
Provvedi a svuotare del suo contenuto la cartella Prefetch :
clicca su Risorse del Computer
clicca su Disco locale C:
cerca, all’interno delle cartelle che saranno visualizzate la cartella Windows, aprila ed, al suo interno, cerca la cartella Prefetch, la apri ed elimina tutte le voci conservate al suo interno ( non eliminare la cartella)
SVUOTA IL CESTINO


Poi:
Lancia Hijackthis e pulisci gli ADS in questo modo:
clicca sulla voce Open the misc tool section
clicca su Open ads spy
togli la spunta alla voce Quick scan (windows base folder only)
clicca su Scan.
Aspetta pazientemente la fine della scansione.
se venissero rilevati ADS, spunta tutte (senza paura) le caselline e clicca su Remove selected

Riavvia il pc.



Fai uno ScanDisk , e una deframmentazione del HD.

Riattiva il ripristino configurazione di sistema e, se tutto è a posto, creane uno nuovo.

Ciao Marco