View Full Version : help, virus!
Dr. Stein
24-07-2007, 17:55
hi,
for about 10 days I've been struggling with one (or several) viruses that I can't get rid of...
configuration:
win xp sp2
antivir
ad aware
spybot search and destroy
hijackthis
zonealarm firewall
symptoms:
as soon as I go online the pc goes crazy,
the antivirus often finds a ton of stuff, and as soon as I try to delete or neutralize something another window pops up immediately...
despite that I can browse for a few minutes,
after which the pc stops responding,
whatever icon I click or whatever program I try to open
doesn't work, the hourglass spins a couple of times and nothing happens.
I can't even shut the pc down, I have to use the reset button
when windows restarts it tells me:
boot.ini file not found
booting from c:/windows (???????????)
when I get to the desktop everything's ok, everything works
but I can't start hijackthis
yet the antivirus and all the other offline programs work!
I've tried a bit of everything,
antivir can't remove the viruses
hijackthis finds nothing
gromozon remover removed everything but the pc keeps acting up
ad aware and spybot occasionally find and remove something but nothing changes!
I've tried pretty much all the software suggested on this forum, even in safe mode...
shortly I'll try to post the logs from the various programs
(I'm connecting with a linux live usb that's slow as molasses...)
thanks in advance!
PS I have two partitions on the pc
one with windows and another with data, photos and documents
if I format, can I format just the first one or is a full wipe better? :help:
wizard1993
24-07-2007, 18:00
post a hijackthis log
Dr. Stein
24-07-2007, 18:57
here's the hijackthis log
and a couple of antivir ones, the last one cleaned of the uninteresting stuff
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.17.02, on 23/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\D-Link\Software Bluetooth\bin\btwdins.exe
C:\windows\system32\cisvc.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\windows\system32\svchost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\compaq-flash.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PCTVRemote] C:\Programmi\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ImMsn] C:\WINDOWS\msncomm.exe /i
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Programmi\iolo\System Mechanic 5\StartupGuard.exe"
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\winsys.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-2000478354-413027322-839522115-1003\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Andrea')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\D-Link\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\D-Link\Software Bluetooth\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://tittuz88.spaces.live.com//PhotoUpload/MsnPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: 0F65FB12 - Unknown owner - C:\windows\system32\1DDDD796.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: B4620E06 - Unknown owner - C:\windows\system32\CC3980EC.EXE (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Programmi\D-Link\Software Bluetooth\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6323 bytes
ANTIVIR, FIRST TIME THE VIRUS SHOWED UP
AntiVir PersonalEdition Classic
Report file date: giovedì 12 luglio 2007 19:00
Scanning for 915634 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Andrea
Computer name: BIBO-7676FB98A5
Version information:
BUILD.DAT : 247 11838 Bytes 10/05/2007 11:48:00
AVSCAN.EXE : 7.0.4.15 274472 Bytes 22/04/2007 20:13:06
AVSCAN.DLL : 7.0.4.4 33832 Bytes 22/04/2007 20:13:06
LUKE.DLL : 7.0.4.11 135208 Bytes 22/04/2007 20:13:06
LUKERES.DLL : 7.0.4.0 10280 Bytes 22/04/2007 20:13:06
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 18:25:39
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 10/07/2007 17:24:47
ANTIVIR2.VDF : 6.39.0.130 2048 Bytes 10/07/2007 17:24:47
ANTIVIR3.VDF : 6.39.0.131 2048 Bytes 10/07/2007 17:24:47
AVEWIN32.DLL : 7.4.0.39 2482688 Bytes 05/07/2007 17:18:53
AVWINLL.DLL : 1.0.0.7 14376 Bytes 22/04/2007 20:13:06
AVPREF.DLL : 7.0.2.1 18984 Bytes 22/04/2007 20:13:06
AVREP.DLL : 7.0.0.1 122920 Bytes 22/04/2007 20:13:07
AVPACK32.DLL : 7.3.0.13 348200 Bytes 27/06/2007 17:17:40
AVREG.DLL : 7.0.1.2 31784 Bytes 22/04/2007 20:13:06
AVEVTLOG.DLL : 7.0.0.18 81960 Bytes 22/04/2007 20:13:06
AVARKT.DLL : No Information!
NETNT.DLL : 6.32.0.0 6696 Bytes 27/09/2005 07:56:45
RCIMAGE.DLL : 7.0.1.15 2228264 Bytes 22/04/2007 20:13:03
RCTEXT.DLL : 7.0.45.0 86056 Bytes 22/04/2007 20:13:03
Configuration settings for the scan:
Jobname..........................: Active Processes
Configuration file...............: C:\Programmi\AntiVir PersonalEdition Classic\process.avp
Logging..........................: medium
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Scan memory......................: off
Process scan.....................: on
Extended process scan............: on
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +Netscape/Mozilla Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +GAME,+JOKE,+PCK,+SPR,
Start of the scan: giovedì 12 luglio 2007 19:00
The scan of running processes will be started
Scan process 'avscan.exe' - '31' Module(s) have been scanned
Scan process 'avcenter.exe' - '55' Module(s) have been scanned
Scan process 'PCLEScheduler.exe' - '23' Module(s) have been scanned
Scan process 'iPodService.exe' - '0' Module(s) have been scanned
Scan process 'soundman.exe' - '20' Module(s) have been scanned
Scan process 'alg.exe' - '0' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '25' Module(s) have been scanned
Scan process 'rundll32.exe' - '30' Module(s) have been scanned
Scan process 'remoterm.exe' - '17' Module(s) have been scanned
Scan process 'avgnt.exe' - '34' Module(s) have been scanned
Scan process 'acrotray.exe' - '19' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'PAStiSvc.exe' - '0' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '0' Module(s) have been scanned
Scan process 'btwdins.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'avguard.exe' - '0' Module(s) have been scanned
Scan process 'sched.exe' - '0' Module(s) have been scanned
Scan process 'PhotoshopElementsFileAgent.exe' - '0' Module(s) have been scanned
Scan process 'spoolsv.exe' - '0' Module(s) have been scanned
Scan process 'explorer.exe' - '87' Module(s) have been scanned
Module is infected -> 'C:\windows\system32\41E3EBE0.DLL'
Scan process 'compaq-flash.exe' - '32' Module(s) have been scanned
Module is infected -> 'C:\windows\system32\41E3EBE0.DLL'
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'lsass.exe' - '0' Module(s) have been scanned
Scan process 'services.exe' - '0' Module(s) have been scanned
Scan process 'winlogon.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'smss.exe' - '0' Module(s) have been scanned
11 processes with 373 modules were scanned
End of the scan: giovedì 12 luglio 2007 19:00
Used time: 00:19 min
The scan has been done completely.
0 Scanning directories
372 Files were scanned
2 viruses and/or unwanted programs were found
2 classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
368 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes
0 Hidden objects were found
ANTIVIR LAST FULL SCAN, LOG TRIMMED OF THE UNINTERESTING PARTS
AntiVir PersonalEdition Classic
Report file date: lunedì 23 luglio 2007 21:03
Scanning for 915634 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Andrea
Computer name: BIBO-7676FB98A5
Version information:
BUILD.DAT : 247 11838 Bytes 10/05/2007 11:48:00
AVSCAN.EXE : 7.0.4.15 274472 Bytes 22/04/2007 20:13:06
AVSCAN.DLL : 7.0.4.4 33832 Bytes 22/04/2007 20:13:06
LUKE.DLL : 7.0.4.11 135208 Bytes 22/04/2007 20:13:06
LUKERES.DLL : 7.0.4.0 10280 Bytes 22/04/2007 20:13:06
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 18:25:39
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 10/07/2007 17:24:47
ANTIVIR2.VDF : 6.39.0.130 2048 Bytes 10/07/2007 17:24:47
ANTIVIR3.VDF : 6.39.0.131 2048 Bytes 10/07/2007 17:24:47
AVEWIN32.DLL : 7.4.0.39 2482688 Bytes 05/07/2007 17:18:53
AVWINLL.DLL : 1.0.0.7 14376 Bytes 22/04/2007 20:13:06
AVPREF.DLL : 7.0.2.1 18984 Bytes 22/04/2007 20:13:06
AVREP.DLL : 7.0.0.1 122920 Bytes 22/04/2007 20:13:07
AVPACK32.DLL : 7.3.0.13 348200 Bytes 27/06/2007 17:17:40
AVREG.DLL : 7.0.1.2 31784 Bytes 22/04/2007 20:13:06
AVEVTLOG.DLL : 7.0.0.18 81960 Bytes 22/04/2007 20:13:06
AVARKT.DLL : No Information!
NETNT.DLL : 6.32.0.0 6696 Bytes 27/09/2005 07:56:45
RCIMAGE.DLL : 7.0.1.15 2228264 Bytes 22/04/2007 20:13:03
RCTEXT.DLL : 7.0.45.0 86056 Bytes 22/04/2007 20:13:03
Configuration settings for the scan:
Jobname..........................: Manual Selection
Configuration file...............: C:\Documents and Settings\All Users\Dati applicazioni\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Logging..........................: medium
Primary action...................: repair
Secondary action.................: delete
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +Netscape/Mozilla Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,
Start of the scan: lunedì 23 luglio 2007 21:03
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'compaq-flash.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'lsass.exe' - '0' Module(s) have been scanned
Scan process 'services.exe' - '0' Module(s) have been scanned
Scan process 'winlogon.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'smss.exe' - '0' Module(s) have been scanned
4 processes with 4 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[NOTE] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Starting to scan the registry.
C:\WINDOWS\system32\
C:\Programmi\Adobe\Acrobat 7.0\Distillr\
C:\Programmi\AntiVir PersonalEdition Classic\
C:\Programmi\Pinnacle\PCTV Stereo\Remote\
C:\windows\system32\
C:\WINDOWS\system32\
C:\Programmi\iTunes\
C:\WINDOWS\system32\
C:\Programmi\Zone Labs\ZoneAlarm\
C:\WINDOWS\
C:\WINDOWS\system32\
C:\Programmi\Skype\Phone\
C:\WINDOWS\system32\
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
C:\Programmi\Pinnacle\Shared Files\Programs\Scheduler\
C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\
C:\WINDOWS\system32\config\systemprofile\Menu Avvio\Programmi\Esecuzione automatica\
The registry was scanned ( '18' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\
C:\pagefile.sys
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\_cleaned.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\tittuz88@hotmail.it\SharingMetadata\Working\
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\tittuz88@hotmail.it\SharingMetadata\Working\database_8AA8_C62B_A8C6_161B\
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Movie Maker\
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\OIS\
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\backupppostavecchia.pst
[0] Archive type: MS Outlook Mailbox
--> Mailbox_[Folder:archivio posta in arrivo 2005 - 06][Subject:Administration][From:info@it.tiscali.com]2135.document.zip
[DETECTION] Contains signature of the worm WORM/NetSky.P
[WARNING] Infected files in archives cannot be repaired!
[1] Archive type: ZIP
--> details.txt .pif
[DETECTION] Contains signature of the worm WORM/NetSky.P
[WARNING] Infected files in archives cannot be repaired!
--> Mailbox_[Folder:archivio posta in arrivo 2005 - 06][Subject:Hi][From:carla.rubatto@aemedia.com]4912.application.zip
[DETECTION] Contains signature of the worm WORM/NetSky.P
[WARNING] Infected files in archives cannot be repaired!
[1] Archive type: ZIP
--> document.txt .exe
[DETECTION] Contains signature of the worm WORM/NetSky.P
[WARNING] Infected files in archives cannot be repaired!
--> Mailbox_[Folder:archivio posta in arrivo 2005 - 06][Subject:Your password has been updated][From:administrator@libero.it]5590.updated-password.zip
[DETECTION] Contains signature of the worm WORM/Mytob.GK
[WARNING] Infected files in archives cannot be repaired!
[1] Archive type: ZIP
--> updated-password.htm .pif
[DETECTION] Contains signature of the worm WORM/Mytob.GK
[WARNING] Infected files in archives cannot be repaired!
[WARNING] The file was ignored!
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\Outlook.pst
[0] Archive type: MS Outlook Mailbox
--> Mailbox_[Folder:Titta][Subject:noia... actun!][From:eryca90@hotmail.com]5651.Che_noia.zip
[1] Archive type: ZIP
--> Che noia!.exe
[DETECTION] Contains signature of the joke program JOKE/Noia
[WARNING] Infected files in archives cannot be repaired!
--> Mailbox_[Folder:Titta][Subject:noia... actun!][From:eryca90@hotmail.com]5653.Che_noia.zip
[1] Archive type: ZIP
--> Che noia!.exe
[DETECTION] Contains signature of the joke program JOKE/Noia
[WARNING] Infected files in archives cannot be repaired!
--> Mailbox_[Folder:Posta eliminata][Subject:Video CNN][From:info@lalocomotivaweb.it]576.cnn_news.asx
[DETECTION] Is the Trojan horse TR/Dldr.VB.FT.89
[WARNING] Infected files in archives cannot be repaired!
[WARNING] The file was ignored!
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Windows\
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Dati applicazioni\Sun\Java\jre1.5.0_09\
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR1.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR54.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR55.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR56.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR57.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR58.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR6.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR7.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR8.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXR9.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXRA.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXRB.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXRC.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXRD.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXRE.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temp\PXRF.tmp
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\ST67W9AB\
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\ST67W9AB\jz0619[1].exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '77db2dba.qua'!
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\ST67W9AB\jz0619[2].exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '76fc2657.qua'!
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\ST67W9AB\mh0618[1].exe
[DETECTION] Is the Trojan horse TR/PSW.Agent.20480
[INFO] A backup was created as '77db2da9.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\ST67W9AB\qj0617[1].exe
[DETECTION] Is the Trojan horse TR/PSW.OnLineGame.YF
[INFO] A backup was created as '77db2dab.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\ST67W9AB\wow0617[1].exe
[DETECTION] Is the Trojan horse TR/PSW.Agent.20480
[INFO] A backup was created as '7cd574b0.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\ST67W9AB\wow0617[2].exe
[DETECTION] Is the Trojan horse TR/PSW.Agent.20480
[INFO] A backup was created as '7df27f5d.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\ST67W9AB\zt0616[1].exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] A backup was created as '77db2db6.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\ST67W9AB\zt0616[2].exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] A backup was created as '76fc265b.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\
C:\Documents and Settings\LocalService\NTUSER.DAT
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\LocalService\ntuser.dat.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\LocalService\Cookies\
C:\Documents and Settings\LocalService\Dati applicazioni\Microsoft\HTML Help\
C:\Documents and Settings\LocalService\Impostazioni locali\
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\MSHist012006072520060726\
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\MSHist012006072820060729\
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\
C:\Documents and Settings\NetworkService\
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Programmi\File comuni\Services\lbA.exe
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Programmi\File comuni\Services\uvO.exe
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Programmi\File comuni\Services\VlymF.exe
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Programmi\File comuni\System\Yco.exe
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask
[0] Archive type: ZIP
--> Ad-Aware SE Default.skn
[WARNING] The archive is encrypted
[WARNING] The archive is encrypted
C:\WINDOWS\
C:\WINDOWS\compaq-flash.exe
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\
C:\WINDOWS\system32\41E3EBE0.DLL
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '8bd8465e.qua'!
C:\WINDOWS\system32\7B1DE621.exe
[DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
[INFO] A backup was created as '8be9326f.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\WINDOWS\system32\k11852036782.exe
[DETECTION] Is the Trojan horse TR/PSW.Agent.20480
[INFO] A backup was created as '7bdd326f.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\WINDOWS\system32\k11852172122.exe
[DETECTION] Is the Trojan horse TR/PSW.Agent.20480
[INFO] A backup was created as '7bdd3270.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\WINDOWS\system32\1033\
C:\WINDOWS\system32\1040\
C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\
C:\WINDOWS\system32\CatRoot2\
C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\
C:\WINDOWS\system32\Color\
C:\WINDOWS\system32\Com\
C:\WINDOWS\system32\config\
C:\WINDOWS\system32\config\default
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\config\software
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\config\system
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\drivers\dtscsi.sys
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
C:\WINDOWS\system32\drivers\sptd9981.sys
[WARNING] The file could not be opened!
[WARNING] Error code: 0x000D
[WARNING] Access error/file locked!
End of the scan: Monday, 23 July 2007 21:29
Used time: 26:07 min
The scan has been done completely.
6007 Scanning directories
179636 Files were scanned
21 viruses and/or unwanted programs were found
3 classified as suspicious:
9 files were deleted
0 files were repaired
12 files were moved to quarantine
0 files were renamed
621 Files cannot be scanned
179612 Files not concerned
2294 Archives were scanned
672 Warnings
0 Notes
0 Hidden objects were found
what are you going to do with this PC :rolleyes:
mailbox full of viruses and assorted junk, temporary internet files likewise.
download CCleaner and empty the browser cache
lancetta
24-07-2007, 19:28
I'm in a bit of a hurry, but there are a few things to fix: R3, F2, O23, etc.
Dr. Stein
24-07-2007, 19:31
what are you going to do with this PC :rolleyes:
mailbox full of viruses and assorted junk, temporary internet files likewise.
download CCleaner and empty the browser cache
What am I going to do with it?
Dad, mum and sister, clueless users, that's what I do with it!!! :doh:
OK, then I'll start with your suggestions...
from the next full reformat on I'm putting Linux on it for browsing the internet
and limited user accounts in Windows... :rolleyes:
Dr. Stein
24-07-2007, 20:35
hi everyone,
thanks again for the help
CCleaner run and a fair bit of junk thrown out...
in any case I still can't start HijackThis
and the PC is still crippled...
any other suggestions?
PS I found a "ghost" user in Documents and Settings...
the message at Windows startup makes no sense to me at all:
"boot.ini file invalid
booting from c:\windows"
lancetta
24-07-2007, 23:15
disable System Restore; if you don't know how, see HERE link (http://support.microsoft.com/kb/310405/it)
start by fixing these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\compaq-flash.exe",
O4 - HKLM\..\Run: [ImMsn] C:\WINDOWS\msncomm.exe /i
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\winsys.exe
O23 - Service: 0F65FB12 - Unknown owner - C:\windows\system32\1DDDD796.EXE (file missing)
O23 - Service: B4620E06 - Unknown owner - C:\windows\system32\CC3980EC.EXE (file missing)
try it from safe mode (F8 at boot) if you can't manage it from normal mode
then from Start->Run type regedit, click OK and navigate to this key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and on the right double-click Userinit... you must delete only this part: "c:\windows\compaq-flash.exe", so that the key reads: C:\WINDOWS\system32\userinit.exe, including the comma. Careful: if you delete the whole key the OS won't boot any more! So be cautious! Show hidden folders:
open any folder, go to the menu bar: Tools->Folder Options->View->tick "show hidden files and folders" and untick "hide protected operating system files"--> Apply
still from safe mode, search for and delete these files in these directories:
c:\windows\compaq-flash.exe
C:\WINDOWS\msncomm.exe
C:\WINDOWS\winsys.exe
C:\windows\system32\1DDDD796.EXE
C:\windows\system32\CC3980EC.EXE
Then rerun the scan with the antivirus and with the antispyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWARE), after updating them of course
then we'll see what to do next....
Edit: also run this http://info.prevx.com/gromozon.asp
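The checks lancetta applies by hand in the post above (a second program chained onto Winlogon's UserInit, Run entries under Policies\Explorer\Run or pointing straight into C:\WINDOWS, unknown-owner services with missing files or eight-hex-digit names) written out as a small HijackThis log triage script. This is an added example, not code from the thread, from HijackThis or from Trend Micro; the sample log is constructed from lines quoted in the thread, and the script assumes the system root is C:\WINDOWS.

```python
"""Triage a HijackThis log for the entries singled out in this thread.

Added example: this is not code from the thread, from HijackThis or from
Trend Micro. It parses HijackThis text lines of type F2 (system.ini
UserInit), O4 (Run keys) and O23 (services) and applies the checks the
replies above apply by hand:
  - an extra program chained onto Winlogon's UserInit value,
  - autostarts under Policies\\Explorer\\Run or pointing straight into
    C:\\WINDOWS (a heuristic: legitimate software rarely lives there),
  - services with an unknown owner whose file is missing or whose name
    is eight random hex digits.
SAMPLE_LOG is constructed from lines quoted in the thread.
"""
import re
from dataclasses import dataclass

# Assumption: the system root is C:\WINDOWS, as on the machine in the thread.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the lines lancetta listed plus two benign AntiVir entries.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\compaq-flash.exe",
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ImMsn] C:\WINDOWS\msncomm.exe /i
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\winsys.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: 0F65FB12 - Unknown owner - C:\windows\system32\1DDDD796.EXE (file missing)
O23 - Service: B4620E06 - Unknown owner - C:\windows\system32\CC3980EC.EXE (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
HEX8_RE = re.compile(r"^[0-9A-F]{8}$", re.I)


@dataclass
class Finding:
    kind: str    # HijackThis line type: F2, O4 or O23
    target: str  # the program the entry points at
    reason: str  # why it was flagged
    line: str    # the original log line


def userinit_entries(value):
    """Split a UserInit value into its comma-separated programs, quotes stripped."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip().strip('"')]


def check_userinit(value):
    """Return every program chained onto UserInit other than the real userinit.exe."""
    return [p for p in userinit_entries(value) if p.lower() != LEGIT_USERINIT]


def clean_userinit(value):
    """Value to write back: only userinit.exe, trailing comma kept.

    Never returns an empty string: an empty UserInit leaves Windows unable to
    complete logon, which is the warning lancetta gives about deleting the key.
    """
    kept = [p for p in userinit_entries(value) if p.lower() == LEGIT_USERINIT]
    return (kept[0] if kept else LEGIT_USERINIT) + ","


def program_of(cmd):
    """Pull the executable out of a Run-key command line (quoted path, or up to the first .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\.exe", cmd, re.I)
    return cmd[:m.end()] if m else cmd.split()[0]


def in_windows_root(path):
    """True when the file sits directly in C:\\WINDOWS rather than in a subdirectory."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[0] == "c:" and parts[1] == "windows"


def triage(log_text):
    """Return the suspicious F2/O4/O23 entries found in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            value = line.split("UserInit=", 1)[1]
            for extra in check_userinit(value):
                findings.append(Finding("F2", extra, "extra program chained onto Winlogon UserInit", line))
        elif (m := O4_RE.match(line)):
            prog = program_of(m["cmd"])
            if "policies\\explorer\\run" in m["key"].lower():
                findings.append(Finding("O4", prog, "autostart via Policies\\Explorer\\Run", line))
            elif in_windows_root(prog):
                findings.append(Finding("O4", prog, "autostart executable placed directly in C:\\WINDOWS", line))
        elif (m := O23_RE.match(line)):
            missing = m["path"].endswith("(file missing)")
            exe = m["path"].replace("(file missing)", "").strip().rsplit("\\", 1)[-1]
            hex_name = bool(HEX8_RE.match(m["name"]) or HEX8_RE.match(exe.rsplit(".", 1)[0]))
            if m["owner"] == "Unknown owner" and (missing or hex_name):
                why = "file missing" if missing else "random hex name"
                findings.append(Finding("O23", exe, f"unknown-owner service, {why}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.reason}: {f.target}")
    print("UserInit to write back:", clean_userinit(
        r'c:\windows\system32\userinit.exe,"c:\windows\compaq-flash.exe",'))
```

Run as-is it lists the five entries lancetta asked to fix and leaves the AntiVir entries alone; clean_userinit gives the value to put back into Winlogon\Userinit, keeps the trailing comma the post insists on, and never returns an empty value even when the legitimate entry has been replaced outright. The C:\WINDOWS-root check is a heuristic to review by hand, not a verdict.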
Dr. Stein
25-07-2007, 20:25
ok, thanks for the help,
now the situation seems somewhat under control
apart from AntiVir, which no longer updates...
but this "c:\windows\compaq-flash.exe"
I didn't find it in the registry!
dunno!
lancetta
25-07-2007, 21:50
ok, thanks for the help,
now the situation seems somewhat under control
apart from AntiVir, which no longer updates...
but this "c:\windows\compaq-flash.exe"
I didn't find it in the registry!
dunno!
If you didn't find it in the key I indicated, then HijackThis (the tool, or SuperAntiSpyware) fully succeeded in its action, which doesn't always happen; all the better :D
Anyway, to be safe, post another HijackThis log....
Regards :cool:
Dr. Stein
26-07-2007, 22:15
new log...
now I'm backing everything up, then at the weekend it gets formatted!
let's hope I don't back up the viruses too! :doh:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.19.46, on 26/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\D-Link\Software Bluetooth\bin\btwdins.exe
C:\windows\system32\cisvc.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
C:\windows\system32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\SOUNDMAN.EXE
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\windows\system32\cidaemon.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PCTVRemote] C:\Programmi\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\D-Link\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\windows\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\windows\system32\shdocvw.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\D-Link\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\D-Link\Software Bluetooth\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.hwupgrade.it
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://tittuz88.spaces.live.com//PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{367CB5AE-699C-4A2B-BA87-DA01DB260F9D}: NameServer = 85.38.28.15 85.38.28.74
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Programmi\D-Link\Software Bluetooth\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7949 bytes
Dr. Stein
26-07-2007, 22:22
blimey, this can't be happening
yesterday I cleaned everything, and today this!
Virus or unwanted program 'BDS/Agent.ahj.713'
detected in file 'G:\auto.exe' [BDS/Agent.ahj.713].
it seems an autorun gets created as soon as I plug in the USB stick...
damned virus writers!
Bugs Bunny
26-07-2007, 23:04
format the stick
lancetta
27-07-2007, 14:56
indeed, you undid it all with the stick.......