Cosa sara' ? Virus o che ?

[federicoweb]

Ciao a tutti, da un paio di giorni in mail mi arrivano mail strane...

intendo dire che e' come se avessi scritto a qualcuno e mi tornano indietro,
il bello che non le ho scritte da mio account, difatti sono mail scritte in cirillico e con
suffisso .ru

Arrivano al mattino e sono una quarantina !!!

Ho fatto scansione con Norton, Avs ed altri online, chiaramente ogni volta disabilito quello
in uso, ma non trovano nulla se non un paio di cookies del cazzo

Da cosa puo' dipendere, solo un caso che sparira' tra qualche giorno...? Virus strano ?

Insomma vi posto Postmaster delivery , se avete un' idea, vi ringrazio

Received: from [62.113.100.74] (HELO izenguard-zmail-1.zenon.net)
by zfrontend1.aha.ru (CommuniGate Pro SMTP 4.3.12)
with ESMTP id 111190231 for dro@id.ru; Tue, 15 Dec 2009 11:53:27 +0300
Received: from izenguard-zmail-1.zenon.net (localhost [127.0.0.1])
by izenguard-zmail-1.zenon.net (Postfix) with SMTP id 1432A175A
for <dro@id.ru>; Tue, 15 Dec 2009 11:53:27 +0300 (MSK)
Received: from zfrontend1.aha.ru (zfrontend1.aha.ru [195.2.83.147])
by izenguard-zmail-1.zenon.net (Postfix) with ESMTP id E099C1757
for <dro@id.ru>; Tue, 15 Dec 2009 11:53:26 +0300 (MSK)
Received: from zfrontend1.aha.ru (zfrontend1.aha.ru [195.2.83.147])
by zfrontend1.aha.ru (Postfix) with ESMTP id DE8D35537
for <dro@id.ru>; Tue, 15 Dec 2009 11:53:26 +0300 (MSK)
X-iZenGuard: ZMAIL
Received: from triband-mum-120.61.2.76.mtnl.net.in ([120.61.2.76] verified)
by zfrontend1.aha.ru (CommuniGate Pro SMTP 4.3.12)
with ESMTP id 111190029 for dro@id.ru; Tue, 15 Dec 2009 11:53:24 +0300
Received-SPF: none
receiver=zfrontend1.aha.ru; client-ip=120.61.2.76; envelope-from=............ ( qui c'era mio nome ) !!!
Received: from .( qui c'era mio nome ) ; Tue, 15 Dec 2009 14:23:02 +0530
Message-ID: <000d01ca7d64$02529a90$6400a8c0@info>
From: =?koi8-r?B?9MHNz9bO0Togz8Laz9IgydrNxc7FzsnK?=
To: <diman@id.ru>
Subject: =?koi8-r?B?9dDMwdTBINTBzc/Wxc7O2cgg0M/bzMnO?=
Date: Tue, 15 Dec 2009 14:23:02 +0530
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="koi8-r";
reply-type=original
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Content-Transfer-Encoding: quoted-printable
X-iZenGuard-Host: izenguard-zmail-1.zenon.net
X-DSPAM-Result: Spam
X-DSPAM-Processed: Tue Dec 15 11:53:27 2009
X-DSPAM-Confidence: 0.8507
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: 522,4b274e875431803117154

[El Diablo]

E' spam, nulla di che.

[federicoweb]

Diablo 80 mail in 2 giorni...?? in modalita' Re...??
Non mi era mai successo in tanti anni ( ed in tanti account )

speriamo sia solo spam...

Ti ringrazio cmq per la risposta !
FEDE

[El Diablo]

Dipende da dove lasci il tuo indirizzo mail, se in qualche forum lo scrivi in chiaro, altro che 80 mail!!!
Comunque, se vuoi, per sicurezza puoi postare il log di HijackThis http://www.hijackthis.de/downloads/HJTInstall.exe

[federicoweb]

Non uso mai mio account in web...uso alternativi.. non sono un pivello, pensa che continuo a ripetere anche di non fare girare catene e minkiate varie che poi sono causa di spam...

Cmg grazie per risp, ti aggiorno nei prox day

Fede

[federicoweb]

Ecco fatto, io non ci vedo nulla di anomalo, ma se trovi qualcosa tu comunicamelo
Grazie ancora

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:56:32, on 16/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmi\File comuni\AntiVirus\SBAMSvc.exe
C:\Programmi\TomTom HOME 2\TomTomHOMEService.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programmi\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Programmi\Glary Utilities\Integrator.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programmi\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programmi\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Programmi\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: Guida per l'accesso a Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programmi\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programmi\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [RadioSure] C:\Documents and Settings\.....\Impostazioni locali\Dati applicazioni\RadioSure\RadioSure.exe /hidden
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.vexcast.com/download/vexcast.cab
O16 - DPF: {DFB5BCF1-06AE-4ABB-BFA8-1E228F41C50A} (CamfrogWEB Advanced Unicode Control) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F0AD09-FE08-4AE3-9799-7F3267BDE13D}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Programmi\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Double Anti-Spy Task Manager - Unknown owner - C:\PROGRA~1\AVANQU~1\DoubleAS\MXTask.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Programmi\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Double Anti-Spy (SBAMSvc) - Sunbelt Software - C:\Programmi\File comuni\AntiVirus\SBAMSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\pctsSvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Programmi\TomTom HOME 2\TomTomHOMEService.exe
End of file - 9716 bytes

[belnudo]

ho trovato DUE errori micidiali nel resoconto della tua email:

Platform: Windows XP SP3 (WinNT 5.01.2600) --------> sostituire con GNU/Linux, Ubuntu 9.10
MSIE: Internet Explorer v8.00 (8.00.6001.18702) --------> sostiturire con Firefox 3.5.6

[El Diablo]

A parte i consigli di Belnudo che nulla hanno a che vedere con la risoluzione del problema, veniamo al log.

Sul tuo pc hai installato qualcosa che abbia a che fare con RadioSure?
Stessa domanda per:
Trend Micro ActiveX Scan Agent 6.6
http://www.vexcast.com/download/vexcast.cab
CamfrogWEB Advanced Unicode Control

Fai sapere,ciao

Dimenticavo: ma non hai un antivirus attivo sullla macchina?
O lo avevi disabilitato prima di fare il controllo?

[federicoweb]

Radio sure e' una radio online che ho sempre avuto e ti raccomando, ascolti, registri e salvi brani inmp3 !

Certo che ho antivirus, Norton che ho sostituito a Avs, fatto scansiona anche con Panda ed un paio online

Per Belnudo: Ho gia' ubuntu installato, l' ho provato, ma mi fa gia' incazzare che per rimuovelo sia un casino vero.....!!!

[federicoweb]

dimenticavo..
1- Trend Micro ActiveX Scan Agent 6.6 ( scanner antivirus )
http://www.vexcast.com/download/vexcast.cab ( programma per vedere partite sul pc)
CamfrogWEB Advanced Unicode Control ( questo non so cosa sia...)

2- Grazie

[El Diablo]

http://www.camfrogweb.com/advanced-demo.html
Se conosci il sito è ok, altrimenti fixa le voci relative al suddetto sito.

Come ho già scritto altre volte, non mi assumo nessuna responsabilitè

[federicoweb]

No, come detto non so cosa sia non conosco il sito...
fixxo, fixxo !!!
Ciao Fede

[El Diablo]

Ok.
E quando ti arrivano mail strane, di cui non conosci il destinatario, o con allegati che non conosci, non aprirle, cestinare.
Ciao

[federicoweb]

Bhe' certo che non le apro...
stamane solo un paio, da 40 direi che facciamo progressi !
Ciao Daivolo !

[federicoweb]

oggi nessuna mail "targata" RU, avevi ragione forse era semplice spam...

pero' andata avanti per giorni...

Grazie ciao FEDE