w32/spamta.aip.worm

[trilok83]

Grazie Luke, l'errore che commettevo in sintesi era, anzichè di postare il link dove avevo inserito il file, scaricavo IO direttamente il file per postarlo....ok tutto chiaro ecco il link
08_04_2010_22_00_report.zip
Grazie per l'aiuto

[Luke57]

Ciao, non connesso, con l'antivirus disattivato esegui, SystemScan clicca poi su Removal Script. All'interno della finestra copia/incolla i valori riportati in neretto:

Files to delete:
C:\Windows\system32\drivers\wkwzeh.sys

Registry keys to delete:
HKLM\system\currentcontrolset\services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet014\Services\wkwzeh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet015\Services\wkwzeh

Clicca su "Proceed with removal",
Il computer si dovrebbe riavviare, dopo il riavvio portati in C:\ dove troverai il file avenger.txt

copia/incolla il contenuto del file avenger.txt in un nuovo post.

[trilok83]

Ho eseguito il tutto...ma quando provo a rimuovere i file da te elencati, mi dice ke è impossibile eliminare xkè il programma funziona solo con Windows 2000 o XP.....come mi comporto?

[-> EleKtrA <-]

Ciao trilok83, scarica the Avenger
Lo salvi in una cartella, scompatti il file .zip
Individua avenger.exe, tasto destro > esegui come amministratore
Inserisci lo script di Luke57 nel box bianco

Clicca su Execute
Il pc dovrebbe riavviarsi (se così non fosse, fallo tu)
Posta il log che verrà creato in C:\Avenger

[trilok83]

Scusate se non mi sono fatto sentire ma ho avuto prob con il pc....
eccovi il log di avanger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "C:\Windows\system32\drivers\wkwzeh.sys"
Deletion of file "C:\Windows\system32\drivers\wkwzeh.sys" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKLM\system\currentcontrolset\services\wkwzeh" for deletion
Deletion of registry key "HKLM\system\currentcontrolset\services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet014\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet014\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet015\Services\wkwzeh" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet015\Services\wkwzeh" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Error: Script file not found!
Could not open script file! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Abort!

[trilok83]

Qualcuno può leggermi questo log?....grazie per l'aiuto

[-> EleKtrA <-]

Ciao trilok83, l'ultimo log di Avenger che hai allegato dice che l'operazione è fallita, ma dopo un mese e mezzo molte cose potrebbero essere cambiate.

Se vuoi essere certo dell'attuale situazione dovremmo ripetere le scansioni.

Disattiva momentaneamente l'antivirus
Scarica Combofix | Tutorial
Tasto destro sull'exe, esegui come amministratore
Lascia lavorare il programma senza interferire
Allega il rapporto C:\ComboFix.txt nella tua risposta.

Aggiorna Malwarebytes ed esegui una scansione completa.
Allega i log nel Topic inserendoli nel tag "code". (CLICCA)

[trilok83]

log combofix

ComboFix 10-06-01.05 - Andrea 02/06/2010 21.28.54.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.39.1040.18.3582.2335 [GMT 2:00]
Eseguito da: c:\users\Andrea\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Creati Da 2010-05-02 al 2010-06-02 )))))))))))))))))))))))))))))))))))
.

2010-06-02 19:37 . 2010-06-02 19:37 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-02 19:37 . 2010-06-02 19:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-01 12:32 . 2010-06-01 12:32 -------- d-----w- c:\users\Andrea\AppData\Roaming\BlackBean
2010-05-31 20:50 . 2010-05-31 20:50 -------- d-----w- c:\users\Andrea\AppData\Roaming\Rilla.it
2010-05-25 18:06 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 20:12 . 2010-05-24 20:13 -------- d-----w- c:\program files\QuickTime
2010-05-24 20:11 . 2010-05-24 20:11 -------- d-----w- c:\program files\Common Files\Apple
2010-05-24 20:10 . 2010-05-24 20:10 -------- d-----w- c:\programdata\Apple
2010-05-24 20:10 . 2010-05-24 20:10 -------- d-----w- c:\program files\Apple Software Update
2010-05-12 18:22 . 2010-05-12 18:22 -------- d-----w- c:\program files\Common Files\Corel
2010-05-12 18:15 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-08 11:39 . 2010-05-08 11:39 1496064 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-05-08 11:39 . 2010-03-26 08:33 43008 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-05-08 11:39 . 2010-03-26 08:33 339456 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-05-08 11:39 . 2010-03-26 08:32 346112 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-05-04 18:47 . 2010-05-04 18:47 -------- d-----w- c:\users\Andrea\AppData\Roaming\FreeCDRipper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 19:17 . 2007-11-21 06:37 662608 ----a-w- c:\windows\system32\perfh010.dat
2010-06-02 19:17 . 2007-11-21 06:37 120120 ----a-w- c:\windows\system32\perfc010.dat
2010-06-02 19:08 . 2009-06-02 14:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 18:06 . 2007-11-20 22:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-31 20:50 . 2008-04-30 20:38 129976 ----a-w- c:\users\Andrea\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-24 20:12 . 2008-05-01 20:20 -------- d-----w- c:\programdata\Apple Computer
2010-05-22 13:34 . 2009-06-17 12:25 -------- d-----w- c:\program files\Google
2010-05-17 20:55 . 2010-04-09 18:13 -------- d-----w- c:\program files\HSPA USB MODEM
2010-05-17 20:55 . 2010-04-09 18:13 -------- d-----w- c:\program files\Common Files\DeviceHelper
2010-05-14 06:14 . 2010-02-23 23:57 -------- d-----w- c:\program files\Sophos
2010-05-14 06:12 . 2010-01-10 09:17 -------- d-----w- c:\program files\Attack on Pearl Harbor
2010-05-12 23:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 23:21 . 2008-05-16 12:23 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 19:06 . 2009-01-29 19:43 -------- d-----w- c:\users\Andrea\AppData\Roaming\vlc
2010-05-12 18:26 . 2009-05-10 15:56 -------- d-----w- c:\users\Andrea\AppData\Roaming\Corel
2010-05-12 18:21 . 2007-11-20 22:29 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-12 18:21 . 2010-01-11 15:44 -------- d-----w- c:\program files\Corel
2010-05-12 09:21 . 2009-10-02 17:58 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:46 . 2010-05-04 18:46 -------- d-----w- c:\users\Andrea\AppData\Roaming\FreeAudioPack
2010-05-04 18:46 . 2010-05-04 18:46 -------- d-----w- c:\program files\Free Audio Pack
2010-04-29 13:39 . 2009-06-02 14:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-06-02 14:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 19:49 . 2010-04-27 19:49 -------- d-----w- c:\program files\Veetle
2010-04-18 12:15 . 2008-12-21 09:40 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2010-04-13 08:30 . 2010-01-11 15:46 -------- d-----w- c:\programdata\Corel
2010-04-13 08:28 . 2009-05-10 15:56 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-04-13 08:28 . 2009-05-10 15:56 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-04-08 18:58 . 2010-02-24 19:17 117760 ----a-w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-07 19:09 . 2010-04-07 19:09 -------- d-----w- c:\program files\Lame for Audacity
2010-04-05 20:05 . 2010-04-05 20:05 -------- d-----w- c:\program files\Microsoft
2010-04-05 20:04 . 2010-04-05 20:04 -------- d-----w- c:\program files\Windows Live
2010-04-05 12:10 . 2009-01-04 20:40 -------- d-----w- c:\users\Andrea\AppData\Roaming\dvdcss
2010-03-27 16:32 . 2010-03-27 16:32 4128 ----a-w- C:\NanoRepository.bin
2010-03-06 14:35 . 2010-03-06 14:35 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-03-05 14:01 . 2010-04-17 09:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2007-11-21 06:51 . 2007-11-21 06:39 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2009-11-02 08:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Pending Delete Icon]
@="{0847B599-9191-4A27-BD61-DE11598D3B1B}"
[HKEY_CLASSES_ROOT\CLSID\{0847B599-9191-4A27-BD61-DE11598D3B1B}]
2009-11-02 08:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2009-11-02 08:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-01-16 114688]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2006-08-18 49152]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-10 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-10 88608]
"DefragTaskBar"="c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2008-10-09 173408]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-02 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2009-10-30 361728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-5-1 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):2d,82,11,37,7b,47,ca,01

R0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys [x]
R0 etrikdw;etrikdw;c:\windows\system32\drivers\gcobpg.sys [x]
R2 DeviceManager;DeviceManager;c:\program files\Common Files\DeviceHelper\DeviceManager.exe [2009-08-27 40960]
R2 gupdate;Servizio di Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-22 136176]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-07-31 717296]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2009-10-13 114184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 NanoServiceMain;NanoServiceMain;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2009-10-30 136448]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2009-10-30 146440]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2009-10-13 97800]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2009-10-13 101384]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
S3 qcusbser;Modem Interface USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys [2009-08-27 103552]


--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - wkwzeh

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contenuto della cartella 'Scheduled Tasks'

2010-06-02 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-03-05 12:51]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-22 13:33]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-22 13:33]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.libero.it/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - www.libero.it
FF - prefs.js: keyword.URL - hxxp://it.yhs.search.yahoo.com/avg/sear ... -web_it&p=
FF - component: c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3 Beta 5\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3 Beta 5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- Associazioni dei file -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 21:37
Windows 6.0.6002 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wkwzeh]

.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'Explorer.exe'(6096)
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
.
Ora fine scansione: 2010-06-02 21:38:54
ComboFix-quarantined-files.txt 2010-06-02 19:38
ComboFix2.txt 2010-03-19 19:24
ComboFix3.txt 2010-03-18 19:26
ComboFix4.txt 2010-03-01 20:05

Pre-Run: 344.445.345.792 byte disponibili
Post-Run: 343.388.102.656 byte disponibili

- - End Of File - - 16822035488DA051D46EC9EDE7BF3475

log malware

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versione database: 4169

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

04/06/2010 20.45.29
mbam-log-2010-06-04 (20-45-29).txt

Tipo di scansione: Scansione completa (C:\|D:\|E:\|)
Elementi esaminati: 315084
Tempo trascorso: 1 ore, 17 minuti, 28 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 2

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
C:\Users\Andrea\Downloads\u98.exe (Adware.UltraReach) -> No action taken.
C:\Windows\System32\drivers\wkwzeh.sys (Rootkit.Agent) -> No action taken.

[-> EleKtrA <-]

Apri un file di testo sul Desktop
Start > esegui, digita: notepad.exe e poi clicca Ok
Incolla il codice che vedi qui sotto, e salvi il file di testo obbligatoriamente
con il nome CFScript

Codice: Seleziona tutto

Killall::
File::
c:\windows\system32\drivers\gcobpg.sys
C:\Users\Andrea\Downloads\u98.exe
C:\Windows\System32\drivers\wkwzeh.sys
Driver::
etrikdw
wkwzeh
gcobpg
NetSvcs::
etrikdw
wkwzeh
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\etrikdw]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_wkwzeh]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_wkwzeh]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_wkwzeh]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_wkwzeh]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_wkwzeh]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wkwzeh]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wkwzeh]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wkwzeh]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wkwzeh]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wkwzeh]
Folder::
C:\WINDOWS\temp
C:\WINDOWS\Tasks


col mouse trascina il file CFScript.txt sull'icona rossa di combofix

lascia lavorare il programma
finito verrà creato un nuovo log combofix.txt, copialo, inserendolo nel tag code.

Scarica sul desktop GMER
Scopatta, sempre sul desktop il file gmer.zip.
Esegui gmer.exe
Clicca sul Tab "Rootkit"
Clicca su "Scan"
finita la scansione clicca su "Copy"
Apri il Blocco Note salva il file ed allegalo.