Condividi:        

win32 themada

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

win32 themada

Postdi Giuseppina » 30/04/09 18:48

Salve a tutti e grazie anticipatamente a chi mi risponderà..
Ho ricevuto una notifica per l'aggiornamento del programma anydvd e avg mi ha segnalato la presenza del virus win32 themada.
Leggendo alcuni topic, mi sembra di capire che questo virus non è di facile eliminazione. Ho installato ed eseguitoHijackThis v2.0.2 e di seguito incollo il log:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.26.33, on 30/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Programmi\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programmi\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
c:\Programmi\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\AccelerometerSt.Exe
C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Programmi\ActivIdentity\ActivClient\accrdsub.exe
C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\File comuni\Nokia\MPlatform\NokiaMServer.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Programmi\ActivIdentity\ActivClient\acevents.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe
C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programmi\Creative\Shared Files\CTSched.exe
C:\Programmi\File comuni\LightScribe\LightScribeControlPanel.exe
C:\Programmi\Hewlett-Packard\Shared\HpqToaster.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\OpenOffice.org 3\program\soffice.exe
C:\Programmi\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\AVG\AVG8\avgui.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programmi\AVG\AVG8\avgscanx.exe
C:\Programmi\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\Rar$EX00.875\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... ll&pf=cmnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource= ... =CT2102507
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: PHPNukeIT Toolbar - {2c965f3f-8efd-4bfc-a2c5-1672845fdbbf} - C:\Programmi\PHPNukeIT\tbPHPN.dll
O1 - Hosts: 172.20.144.195 sppatrimonio
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PHPNukeIT Toolbar - {2c965f3f-8efd-4bfc-a2c5-1672845fdbbf} - C:\Programmi\PHPNukeIT\tbPHPN.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Programmi\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programmi\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Programmi\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Programmi\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: PHPNukeIT Toolbar - {2c965f3f-8efd-4bfc-a2c5-1672845fdbbf} - C:\Programmi\PHPNukeIT\tbPHPN.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.Exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [accrdsub] "c:\Programmi\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [PTHOSTTR] c:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programmi\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EEventManager] C:\Programmi\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NokiaMServer] C:\Programmi\File comuni\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Programmi\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programmi\File comuni\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Programmi\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio rapido HP Photosmart Premier.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Cerca - C:\Documents and Settings\All Users\Dati applicazioni\AOL\ieToolbar\resources\it-IT\local\search.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a Bluetooth - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {4819DFDF-ABC4-488C-A323-919848C51175} (Conviva LivePass) -
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9CF631C-B902-422B-970F-5D5E61218313}: NameServer = 85.37.17.45 85.38.28.99
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Programmi\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: ackpbsc - c:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - c:\Programmi\ActivIdentity\ActivClient\acunlock.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: OneCard - c:\Programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Programmi\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c98d2cca94c196) (gupdate1c98d2cca94c196) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - c:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 15152 bytes


E adesso? Grazie ancora per l'attenzione
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Sponsor
 

Re: win32 themada

Postdi shel » 30/04/09 19:48

ciao

prova a fare una scansione con dr web

scaricalo da qui ====> ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Doppio click su cureit.exe e clicca sull'opzione "Avvia" ti chiederà se vuoi effettuare un controllo rapido rispondi SI(Ok)
Finita la scansione, metti il puntino nella casella "completa scansione" clicca sul tasto "Play" per far partire la scansione, se trova qualcosa di infetto hai la possibilità di rimuoverlo subito oppure a fine scansione, finita la scansione fai rimuovere gli elementi infetti, salva il report di fine scansione clicca su File>Salva lista report, poi posta il report che hai salvato
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: win32 themada

Postdi Giuseppina » 30/04/09 23:45

Grazie mille per le indicazioni.. L'elaborazione è durata quasi tre ore.. ed ecco il report..

MCCWrapper.dll C:\Programmi\Common Files\Motive Probabile DLOADER.Trojan
A0006500.exe C:\System Volume Information\_restore{46616198-43C1-410E-A2C1-948CCBD25CB5}\RP58 Trojan.Click.21063 Cancellato.
Uno me lo ha fatto cancellare (il trojan), l'altro l'ha segnato come incurabile..
Può bastare?
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themada

Postdi shel » 01/05/09 01:00

troppo poco per un'infezione cosi'

Scarica Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Salvalo sul desktop.
Doppio click su combofix.exe (comparirà una videata.)
Digita 1 premi Invio e segui le indicazioni.
Al termine, verrà creato un file log chiamato C:\ComboFix.txt. Postalo qui.
Durante l'operazione di scansione è importante non usare il PC e attendere pazientemente la fine delle operazioni.
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: win32 themida

Postdi Giuseppina » 01/05/09 10:31

Sono certa di aver chiuso tutte le applicazioni durante la scansione.. Però scopro adesso che il mio coinquilino leggendo i la scansione di avg ha eliminato il file segnalato dall'antivirus (mi dice che dalla scansione erano 2, nella cartella "User" di google crome, ma in realtà gliene ha fatto vedere ed eliminare solo uno).
Non riesco a capire se devo essere contenta oppure se devo preoccuparmi ulteriormente.. Io di pc ne capisco poco..
Comunque adesso procedo secondo quanto mi hai consigliato e ti faccio sapere..
Grazie ancora e a dopo.
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themida

Postdi Giuseppina » 01/05/09 11:16

Ecco il log risultante (non sono riuscita a disattivare l'antivirus..):
ComboFix 09-04-30.05 - Administrator 01/05/2009 11.41.12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1977.1140 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Documenti\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\QUAD Utilities
c:\programmi\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll
c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Creati Da 2009-04-01 al 2009-05-01 )))))))))))))))))))))))))))))))))))
.

2009-04-30 19:04 . 2009-04-30 19:04 -------- d-----w c:\documents and settings\Administrator\DoctorWeb
2009-04-25 22:24 . 2009-04-25 22:24 -------- d-----w c:\documents and settings\Administrator\Dati applicazioni\AVG8
2009-04-25 21:44 . 2009-04-25 21:44 -------- d-----w c:\programmi\File comuni\muvee Technologies
2009-04-25 21:33 . 2009-04-25 21:33 -------- d-----w c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Conduit
2009-04-25 21:33 . 2009-04-25 21:33 -------- d-----w c:\programmi\Conduit
2009-04-25 21:33 . 2009-04-28 10:57 -------- d-----w c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\PHPNukeIT
2009-04-25 21:33 . 2009-04-28 10:47 -------- d-----w c:\programmi\PHPNukeIT
2009-04-25 21:24 . 2009-04-25 21:24 -------- d-----w c:\programmi\MSBuild
2009-04-25 21:24 . 2009-04-25 21:24 167312 ----a-w c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
2009-04-25 21:22 . 2009-04-25 21:22 -------- d-----w c:\windows\system32\XPSViewer
2009-04-25 21:21 . 2009-04-25 21:21 -------- d-----w c:\programmi\Reference Assemblies
2009-04-25 21:21 . 2006-06-29 11:07 14048 ------w c:\windows\system32\spmsg2.dll
2009-04-25 20:04 . 2009-04-25 20:04 -------- d-----w c:\programmi\File comuni\PCSuite
2009-04-25 20:03 . 2009-04-25 20:03 -------- d-----w c:\programmi\PC Connectivity Solution
2009-04-22 21:53 . 2009-03-10 20:18 454016 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-22 21:53 . 2009-03-10 20:26 1437568 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-22 21:53 . 2009-04-22 21:53 -------- d-----w c:\windows\system32\KB905474
2009-04-20 16:59 . 2009-05-01 10:06 -------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Skype
2009-04-20 16:59 . 2009-04-20 16:59 -------- d-----r c:\programmi\Skype
2009-04-20 16:58 . 2009-04-20 16:58 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Skype
2009-04-20 14:57 . 2009-04-20 14:57 -------- d-----w c:\documents and settings\Administrator\temp
2009-04-16 22:13 . 2009-04-16 22:13 -------- d-----w c:\programmi\LightScribe Template Labeler
2009-04-16 07:44 . 2005-07-26 04:27 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-16 07:44 . 2009-03-06 13:59 286208 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 07:44 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 07:44 . 2009-02-09 10:02 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 07:44 . 2009-02-09 10:02 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 07:44 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 07:44 . 2009-02-09 09:50 111104 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 07:44 . 2009-02-09 10:02 684032 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 07:44 . 2009-02-09 10:02 736768 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 07:42 . 2008-04-21 21:26 219136 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 00:40 . 2009-04-10 00:40 103744 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2009-04-08 20:50 . 2009-04-08 20:50 -------- d--h--w c:\windows\system32\CyberInstallerUninstallerSystem
2009-04-08 20:49 . 2009-04-08 20:50 -------- d-----w c:\programmi\GBARL Fox
2009-04-08 20:49 . 2004-08-19 13:00 151552 ----a-w c:\windows\system32\dllcache\scrrun.dll
2009-04-08 20:49 . 2004-08-19 13:00 151552 ----a-w c:\windows\system32\scrrun.dll
2009-04-08 20:49 . 2008-04-13 16:13 1384479 ----a-w c:\windows\system32\msvbvm60.dll
2009-04-08 20:49 . 2000-04-03 17:05 118784 ----a-w c:\windows\system32\MSSTDFMT.DLL
2009-04-08 20:49 . 2009-04-08 20:49 -------- d-----w c:\documents and settings\Administrator\Dati applicazioni\CyberInstaller Studio 2008
2009-04-08 20:35 . 2009-04-08 20:35 -------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Creative
2009-04-07 22:08 . 2009-04-07 22:14 -------- d-----w c:\windows\system32\Conviva

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 22:51 . 2009-04-30 22:51 4966 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-04-30 22:51 . 2004-08-30 10:50 86718 ----a-w c:\windows\system32\perfc010.dat
2009-04-30 22:51 . 2004-08-30 10:50 498382 ----a-w c:\windows\system32\perfh010.dat
2009-04-25 22:31 . 2009-01-28 22:29 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-25 22:31 . 2009-01-28 22:29 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-25 22:31 . 2009-01-28 22:29 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-25 21:48 . 2009-01-28 20:03 81568 ----a-w c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-04-25 21:44 . 2009-01-30 19:29 -------- d-----w c:\programmi\File comuni\Nokia
2009-04-25 21:44 . 2009-01-30 19:28 -------- d-----w c:\programmi\Nokia
2009-04-21 22:22 . 2009-02-04 20:38 -------- d-----w c:\programmi\OfflineList 0.7.2
2009-04-17 09:10 . 2009-02-26 17:00 -------- d-----w c:\programmi\Memeo
2009-03-31 08:08 . 2009-01-30 10:04 -------- d-----w c:\programmi\Java
2009-03-25 18:37 . 2009-03-24 21:53 -------- d-----w c:\programmi\GBARL Fox(2)
2009-03-23 22:15 . 2009-02-13 09:13 -------- d-----w c:\programmi\GBalpha
2009-03-23 15:49 . 2009-03-23 15:49 -------- d-----w c:\programmi\TeamViewer
2009-03-14 15:17 . 2009-03-14 15:17 -------- d-----w c:\programmi\Microsoft Silverlight
2009-03-12 09:22 . 2009-01-28 22:45 -------- d-----w c:\programmi\File comuni\Adobe
2009-03-09 03:19 . 2009-02-22 15:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 13:59 . 2004-08-19 08:00 286208 ----a-w c:\windows\system32\pdh.dll
2009-03-03 10:28 . 2009-01-28 22:39 -------- d-----w c:\programmi\Google
2009-03-01 17:59 . 2009-03-01 17:14 5632 ----a-w c:\windows\system32\drivers\StarOpen.sys
2009-02-17 17:11 . 2009-02-17 17:11 24232 ----a-w c:\windows\system32\drivers\ElbyCDIO.sys
2009-02-17 13:33 . 2009-02-17 13:33 89256 ----a-w c:\windows\system32\ElbyCDIO.dll
2009-02-09 14:56 . 2004-08-19 08:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:41 . 2004-08-19 08:00 2024448 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:41 . 2004-08-19 08:00 2146304 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 10:02 . 2004-08-19 08:00 736768 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:02 . 2004-08-19 08:00 734208 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:02 . 2004-08-19 08:00 684032 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:02 . 2004-08-19 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 09:50 . 2004-08-19 08:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 05:37 . 2009-01-30 19:28 91136 ----a-w c:\windows\system32\nmwcdcls.dll
2009-02-08 09:46 . 2009-02-08 09:46 2678 ----a-w c:\windows\java\Packages\Data\EPJ3J5FN.DAT
2009-02-08 09:46 . 2009-02-08 09:46 2678 ----a-w c:\windows\java\Packages\Data\RFFRRXZ7.DAT
2009-02-08 09:46 . 2009-02-08 09:46 2678 ----a-w c:\windows\java\Packages\Data\R5VRXJTJ.DAT
2009-02-08 09:46 . 2009-02-08 09:46 2678 ----a-w c:\windows\java\Packages\Data\933PZXB3.DAT
2009-02-08 09:46 . 2009-02-08 09:46 2678 ----a-w c:\windows\java\Packages\Data\2NZJV3X7.DAT
2009-02-06 09:54 . 2004-08-19 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 20:08 . 2004-08-19 08:00 55808 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}]
2008-11-23 21:03 1784856 ----a-w c:\programmi\PHPNukeIT\tbPHPN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}"= "c:\programmi\PHPNukeIT\tbPHPN.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"AnyDVD"="c:\programmi\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-04-10 5827520]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-12 39408]
"ISUSPM"="c:\documents and settings\All Users\Dati applicazioni\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Google Update"="c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2009-01-30 133104]
"CTSyncU.exe"="c:\programmi\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"CreativeTaskScheduler"="c:\programmi\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
"LightScribe Control Panel"="c:\programmi\File comuni\LightScribe\LightScribeControlPanel.exe" [2009-01-27 2387968]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2009-03-27 24103720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\programmi\File comuni\Nokia\MPlatform\NokiaMServer" [X]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-09 82224]
"IAAnotif"="c:\programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-18 178712]
"accrdsub"="c:\programmi\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
"PTHOSTTR"="c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-05-07 238984]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-05-21 24848]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]
"hpWirelessAssistant"="c:\programmi\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QlbCtrl.exe"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-14 177456]
"Cpqset"="c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe" [2008-05-14 61440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-05 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-05 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-05 141848]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-25 1932568]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"EEventManager"="c:\programmi\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2007-07-06 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
OpenOffice.org 3.0.lnk - c:\programmi\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - c:\programmi\Alice ti aiuta\bin\matcli.exe [2009-1-28 212992]
Avvio rapido HP Photosmart Premier.lnk - c:\programmi\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2008-3-31 576104]
HP Digital Imaging Monitor.lnk - c:\programmi\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-15 14:08 112640 ----a-w c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 14:08 281088 ----a-w c:\programmi\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2008-05-21 00:42 111888 ----a-w c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-25 22:31 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Programmi\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Documents and Settings\\Administrator\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=

R2 gupdate1c98d2cca94c196;Google Update Service (gupdate1c98d2cca94c196);c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-12 133104]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\programmi\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-03-28 24064]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-25 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-25 108552]
S1 RsvLock;RsvLock; [x]
S2 accoca;ActivClient Middleware Service;c:\programmi\ActivIdentity\ActivClient\accoca.exe [2007-05-15 182576]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 ASChannel;Canale di comunicazione locale;c:\windows\System32\svchost.exe [2004-08-19 14336]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-25 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-25 298264]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [2008-05-14 34184]
S2 HpFkCryptService;Drive Encryption Service;c:\programmi\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2008-05-13 256512]
S3 Com4QLBEx;Com4QLBEx;c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a3e4ad6-f29a-11dd-91cb-00216b4fdc36}]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cc2b5ba-ee04-11dd-811c-00216b4fdc36}]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cc2b5bd-ee04-11dd-811c-00216b4fdc36}]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{430b2646-eeb3-11dd-811e-00216b4fdc36}]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{430b2647-eeb3-11dd-811e-00216b4fdc36}]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68545eed-07de-11de-920d-00216b4fdc36}]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e76c5f-ed70-11dd-811a-00216b4fdc36}]
\Shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2da08bf-25f7-11de-924b-00216b4fdc36}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\programmi\File comuni\LightScribe\LSRunOnce.exe"
.
Contenuto della cartella 'Scheduled Tasks'

2009-05-01 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-28 18:43]

2009-05-01 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-02-12 16:13]

2009-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-320799173-3165008072-334175446-500.job
- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2009-01-30 23:00]

2009-04-30 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2009-05-01 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2009-05-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 20:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT2102507
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Cerca - c:\documents and settings\All Users\Dati applicazioni\AOL\ieToolbar\resources\it-IT\local\search.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Invia a Bluetooth - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Invia a periferica &Bluetooth... - c:\programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {B9CF631C-B902-422B-970F-5D5E61218313} = 85.37.17.45 85.38.28.99
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\programmi\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {4819DFDF-ABC4-488C-A323-919848C51175}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 12:06
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programmi\Hewlett-Packard\Default Settings\cpqset.exe? ?????????????????????????|?M?|?????M?|??@

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-320799173-3165008072-334175446-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,fa,a4,c4,2a,c3,c7,45,83,15,e7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,fa,a4,c4,2a,c3,c7,45,83,15,e7,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\programmi\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\programmi\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\programmi\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\programmi\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\programmi\Hewlett-Packard\IAM\bin\brand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\brand.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\ItMsg.dll
c:\programmi\Hewlett-Packard\IAM\Bin\AsChnl.dll
c:\programmi\Hewlett-Packard\IAM\Bin\HPPlugIn.dll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHostServices.dll
c:\windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll
c:\windows\assembly\GAC_MSIL\System.Xml.resources\2.0.0.0_it_b77a5c561934e089\System.Xml.resources.dll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\Interop.HPQWMIEXLib.dll
c:\programmi\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\programmi\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\programmi\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\programmi\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTHstServsLib.dll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHstServs.dll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\BIOSDomain.dll
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTPluginLib.dll
c:\programmi\Hewlett-Packard\Drive Encryption\Languages\0010\SbHpFve.lng
c:\programmi\Hewlett-Packard\HP ProtectTools Security Manager\HPjCard.dll
c:\windows\system32\acomx.dll
c:\windows\system32\acbsi21.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\programmi\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\programmi\Hewlett-Packard\IAM\Bin\ItVCard.dll
c:\programmi\Hewlett-Packard\IAM\Bin\NetAdmin.dll
c:\programmi\Hewlett-Packard\IAM\bin\ITA\NetAdmin.dll

- - - - - - - > 'lsass.exe'(964)
c:\programmi\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\programmi\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(5324)
c:\programmi\SlySoft\AnyDVD\ADvdDiscHlp.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\programmi\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\programmi\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\programmi\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ita.nlr
c:\programmi\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\scardsvr.exe
c:\programmi\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\WgaTray.exe
c:\programmi\Hewlett-Packard\IAM\Bin\asghost.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\agrsmsvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\programmi\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\programmi\AVG\AVG8\avgtray.exe
c:\programmi\File comuni\Nokia\MPlatform\NokiaMServer.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\ActivIdentity\ActivClient\acevents.exe
c:\programmi\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\LightScribe\LSSrvc.exe
c:\programmi\OpenOffice.org 3\program\soffice.exe
c:\programmi\OpenOffice.org 3\program\soffice.bin
c:\programmi\Alice ti aiuta\bin\mpbtn.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\windows\system32\mqsvc.exe
c:\programmi\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\mqtgsvc.exe
c:\programmi\HP\Digital Imaging\bin\hpqimzone.exe
c:\programmi\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\programmi\HP\Digital Imaging\bin\hpqste08.exe
c:\programmi\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Ora fine scansione: 2009-05-01 12.10.33 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-05-01 10:10

Pre-Run: 204.040.560.640 byte disponibili
Post-Run: 204.401.127.424 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

370 --- E O F --- 2009-04-30 22:50
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themada

Postdi shel » 01/05/09 13:11

ciao Giuseppina

ho controllato il log ma sembra non esserci niente di dannoso, a parte le eliminazioni iniziali

c:\programmi\QUAD Utilities
c:\programmi\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll
c:\windows\system32\x64




scarica Ccleaner

http://www.filehippo.com/download_ccleaner/

1) per il download dell'ultima versione clicca a destra in alto sotto la freccia verde
2) installalo
3) clicca su "avvia pulizia", ripeti il procedimento 2 volte

poi

scarica Atfcleaner

http://www.atribune.org/ccount/click.php?id=1

Avvia ATFCleaner.exe con un doppio click

1) seleziona la casella Select All
2) clicca sul pulsante Empty selected
3) aspetta l'avviso Done Cleaning.


Fai unascansione col tuo antivirus e vedi se trova altro
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: win32 themada

Postdi Giuseppina » 01/05/09 14:20

Grazie..
gentilissimo!
Appena termino, ti faccio sapere!
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themada

Postdi Giuseppina » 01/05/09 16:28

Ciao Shel,
ho fatto tutto e ho terminato con la scansione dell'antivirus, che è risultata pulita!
Grazie infinite! Ho un'ultima domanda.. l'aggiornamento non l'ho installato. In futuro come dovrò comportarmi? Si possono prevenire attacchi di questo tipo? Grazie ancora!
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themada

Postdi shel » 01/05/09 20:53

ciao Giuseppina

innanzitutto un consiglio te lo posso dare subito

installa il service pack 3 , e' importante per la sicurezza del pc

http://www.microsoft.com/downloads/deta ... layLang=it

scarica anche l'aggiornamento per l'antivirus, e provvedi a fare almeno una scansione settimanale.

Questi sono gli accorgimenti che devi usare per evitare che ospiti indesiderati entrino nel tuo pc

Se hai altre domande, sono qui ;)
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: win32 themada

Postdi shel » 02/05/09 11:26

oops.... un'ultima cosa Giuseppina mi era sfuggita

esegui questa operazione



Scarica Avenger
http://swandog46.geekstogo.com/avenger.zip

Estrailo in una cartella a tua scelta
Esegui il file avenger.exe
Ora incolla queste righe in rosso nella box bianco che si è aperta:



files to delete:
c:\windows\java\Packages\Data\EPJ3J5FN.DAT
c:\windows\java\Packages\Data\RFFRRXZ7.DAT
c:\windows\java\Packages\Data\R5VRXJTJ.DAT
c:\windows\java\Packages\Data\933PZXB3.DAT
c:\windows\java\Packages\Data\2NZJV3X7.DAT


Premi il pulsante Execute
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: win32 themada

Postdi Giuseppina » 02/05/09 11:43

Ciao Shel! Ora scarico il service pack3 e procedo con l'operazione che mi hai indicato.. A poi!
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themada

Postdi Giuseppina » 02/05/09 12:03

Eccomi!Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\java\Packages\Data\EPJ3J5FN.DAT" deleted successfully.
File "c:\windows\java\Packages\Data\RFFRRXZ7.DAT" deleted successfully.
File "c:\windows\java\Packages\Data\R5VRXJTJ.DAT" deleted successfully.
File "c:\windows\java\Packages\Data\933PZXB3.DAT" deleted successfully.
File "c:\windows\java\Packages\Data\2NZJV3X7.DAT" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Ora procedo col service pack3..
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themada

Postdi shel » 02/05/09 12:22

ciao Giuseppina dovresti essere a posto

se vuoi facciamo un'ulteriore verifica
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: win32 themada

Postdi Giuseppina » 02/05/09 13:54

Sto procedendo all'installazione dell'aggiornamento di xp. Dimmi tu se è opportuno procedere con un nuovo controllo.. attendo istruzioni :lol:
Ancora grazie! Bravissimo e gentilissimo!
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themada

Postdi shel » 02/05/09 17:15

ciao Giuseppina

sei stata molto brava, hai eseguito tutto alla perfezione

se vuoi fare una scansione online, prova con bitdefender, vediamo se c'e' ancora qualcosa

vai qui ===> http://www.bitdefender.com/scan8/ie.html

fai una scansione completa e togli le minacce che rileva- ricorda che la scansione la devi fare da internet exlorer

posta il report che ti rilascia
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: win32 themada

Postdi Giuseppina » 02/05/09 19:07

Ciao Shel,
dunque.. ho provato diverse volte ad effettuare la scansione da explorer, ma si impalla! Il computer blocca il componente aggiuntivo e poi blocca explorer.. Che faccio? :roll:
Intanto il service pack 3 lo ha installato.. a fatica, ma lo ha fatto..
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themada

Postdi shel » 02/05/09 19:40

hai provato a installare i controlli activex? in alto vicino la barra degli indirizzi- devi accettare i controlli activex per fare la scansione poi fara' tutto da se'
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: win32 themada

Postdi Giuseppina » 03/05/09 09:29

Ciao Shel, ho provato, ma come clicco che autorizzo il controllo activex, si inchioda.. E ho anche difficoltà a chiudere il programma. Ho provato a riavviare diverse volte, ma non risolve..
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Re: win32 themada

Postdi Giuseppina » 04/05/09 21:51

Ciao Shel, il mio computer continua a fare i capricci..ora si impalla anche aprendo cartelle di files..che poi apre a finestra in continuazione.. A momenti mi concede momenti di grazia, come ora, ma explorer ad esempio non me lo fa usare.. e quando apro la cartella di download, si inchioda e poi mi apre a raffica il file che ho chiesto (magari ho cliccato 2 volte e lui me lo apre 10).. Che fare? L'unica cosa che ho imparato a fare bene, è formattare..
Giuseppina
Utente Junior
 
Post: 32
Iscritto il: 30/04/09 18:36

Prossimo

Torna a Sicurezza e Privacy


Topic correlati a "win32 themada":

trojan win32/sirefef
Autore: marzianu
Forum: Sicurezza e Privacy
Risposte: 27
win32/sinowal.gen!y
Autore: diego78
Forum: Sicurezza e Privacy
Risposte: 15

Chi c’è in linea

Visitano il forum: Nessuno e 17 ospiti