logonhook, winsoftware and other things
pino
Hero in the grace of the gods
Registered: 21/09/06 14:39
Posts: 126
Location: varese

Posted: 11 Sep 2007 08:58    Subject: logonhook, winsoftware and other things

Yesterday IE started opening a burst of windows pointed at winsoftware

Ran several scans with avast, adaware, spybot; found winsoftware, virtumonde, abetterinternet

Deleted several files such as pxr--.tmp, win--.tmp.exe where ? are numbers, srvbkf.exe?.

On rebooting in normal mode the problem comes back.

Now I have the Spy Sweeper shield active and a few minutes after startup it blocks rundll32.exe, which is trying to install a browser add-on, then a second warning that run32dll.exe file geedb.dll is trying to install an add-on
I can delete the dll from safe mode but it gets recreated with a different name at every reboot

I'm attaching a HijackThis log taken with the Spy Sweeper shield active

Thanks in advance for any help

Logfile of HijackThis v1.99.1
Scan saved at 8.43.06, on 11/09/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
g:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\system32\E_S00RP2.EXE
C:\WINNT\System32\svchost.exe
D:\Bus\Msde\binn\sqlservr.exe
C:\WINNT\system32\PDFCreatorMessages.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
G:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
D:\Bus\Msde\binn\sqlagent.exe
C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
G:\Programmi\Iomega\DriveIcons\ImgIcon.exe
G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
G:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\Dit.exe
C:\WINNT\DitExp.exe
G:\Programmi\QuickTime\qttask.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\VoiceAge\Common\VaCtrl.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\DShutdown\RDShutdown.exe
C:\Programmi\VoiceAge\Common\VaLangInterf.exe
G:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\internat.exe
G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
G:\Programmi\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
G:\Programmi\Microsoft Office\Office\FINDFAST.EXE
D:\Bus\Msde\Binn\sqlmangr.exe
G:\Programmi\FreePOPs\freepopsd.exe
g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\msiexec.exe
G:\Programmi\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\system32\rundll32.exe
G:\Programmi\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Administrator\Desktop\strumenti vari per rimozioni virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [Smapp] "C:\Programmi\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] "g:\Programmi\Iomega\DriveIcons\deskup.exe" /IMGSTART
O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [PDFCreatorClient] "g:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] "G:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe" /title="CorelDRAW Graphics Suite 12" /date=091607 serial=DR12WEX-1504397-KTY lang=IT
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VaCtrl] C:\Programmi\VoiceAge\Common\VaCtrl.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RDShutdown] "C:\Programmi\DShutdown\RDShutdown.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "G:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [UIWatcher] "G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Collegamento a freepopsd.exe.lnk = G:\Programmi\FreePOPs\freepopsd.exe
O4 - Global Startup: Avvio Office.lnk = G:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = G:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ricerca rapida.lnk = G:\Programmi\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Service Manager.lnk = D:\Bus\Msde\Binn\sqlmangr.exe
O8 - Extra context menu item: Scarica con Download &Express - g:\Programmi\Download Express\Add_Url.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122529522031
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - g:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINNT\system32\E_S00RP2.EXE
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Sistema Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - G:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programmi\Iomega\AutoDisk\ADService.exe
pino

Posted: 11 Sep 2007 09:16

a small note

hijackthis 1.99 gives me an error when, after the scan, it should open the text file with the log (which it doesn't open; I have to go and open the log file manually)

I tried hijackthis 2 but it gives an error at startup and says it will be closed, generating the log file (which I haven't found....)
bdoriano
Administrator
Registered: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 11 Sep 2007 11:03

Hi pino,

It's Vundo, and that's why HJT doesn't work.

Download VundoFix to the desktop: http://www.atribune.org/ccount/click.php?id=4

- Run VundoFix.exe
- Click Scan for Vundo.
- when the scan finishes, click Remove Vundo.
- it asks whether you want to delete the infected files, click YES
- your screen will go black while Vundo is being removed.
- at the end it will ask you to reboot the pc, click OK.
- Paste here the contents of the log C:\vundofix.txt and a new HijackThis log.

Note: VundoFix may not manage to delete some file. In that case VundoFix will start automatically when the pc reboots; repeat the steps above starting from "Click Scan for Vundo" when VundoFix appears at reboot.
pino

Posted: 11 Sep 2007 12:33

thanks for the quick reply

I downloaded and ran vundofix

it found nothing and deleted nothing

while waiting for your reply I had run another scan with Spy Sweeper, which had again found virtumonde, and I put it in quarantine

after the reboot both hijackthis 2 and hijackthis 1.99 worked, completing the scan, writing the log and opening it.

the Spy Sweeper shield no longer blocks anything


Then I rebooted again

hijackthis 2 no longer starts, giving an error and closing
hijackthis 1.99 works instead
the Spy Sweeper shield no longer blocks anything
vundofix finds nothing

this is the latest log from hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 12.34.49, on 11/09/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
g:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\system32\E_S00RP2.EXE
C:\WINNT\System32\svchost.exe
D:\Bus\Msde\binn\sqlservr.exe
C:\WINNT\system32\PDFCreatorMessages.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
G:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
D:\Bus\Msde\binn\sqlagent.exe
G:\Programmi\Iomega\DriveIcons\ImgIcon.exe
G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
G:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\Dit.exe
C:\WINNT\DitExp.exe
G:\Programmi\QuickTime\qttask.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\VoiceAge\Common\VaCtrl.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\DShutdown\RDShutdown.exe
C:\Programmi\VoiceAge\Common\VaLangInterf.exe
G:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\internat.exe
G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
G:\Programmi\Microsoft Office\Office\OSA.EXE
G:\Programmi\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Bus\Msde\Binn\sqlmangr.exe
G:\Programmi\FreePOPs\freepopsd.exe
C:\WINNT\system32\msiexec.exe
G:\Programmi\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FE24910-6076-4147-A4DE-61FFE6E7CE40} - C:\WINNT\system32\ssqrs.dll
O2 - BHO: (no name) - {524A994E-2501-43C7-8CCD-275068F832A7} - C:\WINNT\system32\ddcyv.dll (file missing)
O2 - BHO: (no name) - {5B22E413-EAB9-4F38-BF1D-09D8C7CFE6A7} - C:\WINNT\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINNT\system32\jkkiife.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] "C:\Programmi\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] "g:\Programmi\Iomega\DriveIcons\deskup.exe" /IMGSTART
O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [PDFCreatorClient] "g:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] "G:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe" /title="CorelDRAW Graphics Suite 12" /date=091607 serial=DR12WEX-1504397-KTY lang=IT
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VaCtrl] C:\Programmi\VoiceAge\Common\VaCtrl.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RDShutdown] "C:\Programmi\DShutdown\RDShutdown.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] G:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [UIWatcher] "G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Collegamento a freepopsd.exe.lnk = G:\Programmi\FreePOPs\freepopsd.exe
O4 - Global Startup: Avvio Office.lnk = G:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = G:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ricerca rapida.lnk = G:\Programmi\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Service Manager.lnk = D:\Bus\Msde\Binn\sqlmangr.exe
O8 - Extra context menu item: Scarica con Download &Express - g:\Programmi\Download Express\Add_Url.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122529522031
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: jkkiife - C:\WINNT\SYSTEM32\jkkiife.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - g:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINNT\system32\E_S00RP2.EXE
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Sistema Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - G:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programmi\Iomega\AutoDisk\ADService.exe
Orange
Mature god
Registered: 18/02/07 13:20
Posts: 2224
Location: Roma

Posted: 11 Sep 2007 12:51

hmmm.. Vundo is still there. strange that vundofix found nothing....
try this other tool (to be used in safe mode). post the log it generates
pino

Posted: 11 Sep 2007 13:11

here's the log


[09/11/2007, 13:07:21] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[09/11/2007, 13:07:30] - Detected System Information:
[09/11/2007, 13:07:30] - Windows Version: 5.0.2195, Service Pack 4
[09/11/2007, 13:07:30] - Current Username: Administrator (Admin)
[09/11/2007, 13:07:30] - Windows is in SAFE mode.
[09/11/2007, 13:07:30] - Searching for Browser Helper Objects:
[09/11/2007, 13:07:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[09/11/2007, 13:07:30] - BHO 2: {0FE24910-6076-4147-A4DE-61FFE6E7CE40} ()
[09/11/2007, 13:07:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:30] - Checking for HKLM\...\Winlogon\Notify\ssqrs
[09/11/2007, 13:07:30] - Key not found: HKLM\...\Winlogon\Notify\ssqrs, continuing.
[09/11/2007, 13:07:30] - BHO 3: {524A994E-2501-43C7-8CCD-275068F832A7} ()
[09/11/2007, 13:07:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:30] - Checking for HKLM\...\Winlogon\Notify\ddcyv
[09/11/2007, 13:07:30] - Key not found: HKLM\...\Winlogon\Notify\ddcyv, continuing.
[09/11/2007, 13:07:30] - BHO 4: {5B22E413-EAB9-4F38-BF1D-09D8C7CFE6A7} ()
[09/11/2007, 13:07:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:30] - Checking for HKLM\...\Winlogon\Notify\pmkhh
[09/11/2007, 13:07:30] - Key not found: HKLM\...\Winlogon\Notify\pmkhh, continuing.
[09/11/2007, 13:07:30] - BHO 5: {733E9132-53CA-4C97-9AC9-145C4502FA20} ()
[09/11/2007, 13:07:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:30] - Checking for HKLM\...\Winlogon\Notify\jkkiife
[09/11/2007, 13:07:30] - Found: HKLM\...\Winlogon\Notify\jkkiife - This is probably Virtumundo.
[09/11/2007, 13:07:30] - Assigning {733E9132-53CA-4C97-9AC9-145C4502FA20} MSEvents Object
[09/11/2007, 13:07:30] - BHO list has been changed! Starting over...
[09/11/2007, 13:07:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[09/11/2007, 13:07:30] - BHO 2: {0FE24910-6076-4147-A4DE-61FFE6E7CE40} ()
[09/11/2007, 13:07:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:30] - Checking for HKLM\...\Winlogon\Notify\ssqrs
[09/11/2007, 13:07:30] - Key not found: HKLM\...\Winlogon\Notify\ssqrs, continuing.
[09/11/2007, 13:07:30] - BHO 3: {524A994E-2501-43C7-8CCD-275068F832A7} ()
[09/11/2007, 13:07:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:30] - Checking for HKLM\...\Winlogon\Notify\ddcyv
[09/11/2007, 13:07:30] - Key not found: HKLM\...\Winlogon\Notify\ddcyv, continuing.
[09/11/2007, 13:07:30] - BHO 4: {5B22E413-EAB9-4F38-BF1D-09D8C7CFE6A7} ()
[09/11/2007, 13:07:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:30] - Checking for HKLM\...\Winlogon\Notify\pmkhh
[09/11/2007, 13:07:30] - Key not found: HKLM\...\Winlogon\Notify\pmkhh, continuing.
[09/11/2007, 13:07:30] - BHO 5: {733E9132-53CA-4C97-9AC9-145C4502FA20} (MSEvents Object)
[09/11/2007, 13:07:30] - ALERT: Found MSEvents Object!
[09/11/2007, 13:07:30] - Finished Searching Browser Helper Objects
[09/11/2007, 13:07:30] - *** Detected MSEvents Object
[09/11/2007, 13:07:30] - Trying to remove MSEvents Object...
[09/11/2007, 13:07:31] - Terminating Process: IEXPLORE.EXE
[09/11/2007, 13:07:31] - Terminating Process: RUNDLL32.EXE
[09/11/2007, 13:07:31] - Disabling Automatic Shell Restart
[09/11/2007, 13:07:31] - Terminating Process: EXPLORER.EXE
[09/11/2007, 13:07:31] - Suspending the NT Session Manager System Service
[09/11/2007, 13:07:31] - Terminating Windows NT Logon/Logoff Manager
[09/11/2007, 13:07:31] - Re-enabling Automatic Shell Restart
[09/11/2007, 13:07:31] - File to disable: C:\WINNT\system32\jkkiife.dll
[09/11/2007, 13:07:31] - Renaming C:\WINNT\system32\jkkiife.dll -> C:\WINNT\system32\jkkiife.dll.vir
[09/11/2007, 13:07:31] - ! File rename was unsucessful.
[09/11/2007, 13:07:31] - Attempting to Deny Access to C:\WINNT\system32\jkkiife.dll
[09/11/2007, 13:07:31] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[09/11/2007, 13:07:31] - processed file: C:\WINNT\system32\jkkiife.dll

[09/11/2007, 13:07:31] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[09/11/2007, 13:07:31] - Removing HKLM\...\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20}
[09/11/2007, 13:07:31] - Removing HKCR\CLSID\{733E9132-53CA-4C97-9AC9-145C4502FA20}
[09/11/2007, 13:07:31] - Adding Kill Bit for ActiveX for GUID: {733E9132-53CA-4C97-9AC9-145C4502FA20}
[09/11/2007, 13:07:31] - Deleting ATLEvents/MSEvents Registry entries
[09/11/2007, 13:07:31] - Removing HKLM\...\Winlogon\Notify\jkkiife
[09/11/2007, 13:07:31] - Searching for Browser Helper Objects:
[09/11/2007, 13:07:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[09/11/2007, 13:07:31] - BHO 2: {0FE24910-6076-4147-A4DE-61FFE6E7CE40} ()
[09/11/2007, 13:07:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:31] - Checking for HKLM\...\Winlogon\Notify\ssqrs
[09/11/2007, 13:07:31] - Key not found: HKLM\...\Winlogon\Notify\ssqrs, continuing.
[09/11/2007, 13:07:31] - BHO 3: {524A994E-2501-43C7-8CCD-275068F832A7} ()
[09/11/2007, 13:07:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:31] - Checking for HKLM\...\Winlogon\Notify\ddcyv
[09/11/2007, 13:07:31] - Key not found: HKLM\...\Winlogon\Notify\ddcyv, continuing.
[09/11/2007, 13:07:31] - BHO 4: {5B22E413-EAB9-4F38-BF1D-09D8C7CFE6A7} ()
[09/11/2007, 13:07:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/11/2007, 13:07:31] - Checking for HKLM\...\Winlogon\Notify\pmkhh
[09/11/2007, 13:07:31] - Key not found: HKLM\...\Winlogon\Notify\pmkhh, continuing.
[09/11/2007, 13:07:31] - Finished Searching Browser Helper Objects
[09/11/2007, 13:07:31] - Finishing up...
[09/11/2007, 13:07:31] - A restart is needed.
[09/11/2007, 13:07:45] - Attempting to Restart via STOP error (Blue Screen!)
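The VirtumundoBeGone log above shows the heuristic it relies on: a BHO with no default name whose DLL also appears as a Winlogon Notify subkey is "probably Virtumundo". The following is an added example, not code from this thread nor from HijackThis or VirtumundoBeGone: a Python triage script that applies the same correlation to HJT log lines (O2 BHO and O20 Winlogon Notify entries), run here over a constructed excerpt built from the lines posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: an excerpt in HijackThis log format, built from the
# O2 (BHO) and O20 (Winlogon Notify) lines posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FE24910-6076-4147-A4DE-61FFE6E7CE40} - C:\WINNT\system32\ssqrs.dll
O2 - BHO: (no name) - {524A994E-2501-43C7-8CCD-275068F832A7} - C:\WINNT\system32\ddcyv.dll (file missing)
O2 - BHO: (no name) - {5B22E413-EAB9-4F38-BF1D-09D8C7CFE6A7} - C:\WINNT\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINNT\system32\jkkiife.dll
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: jkkiife - C:\WINNT\SYSTEM32\jkkiife.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
"""

# "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# "O20 - Winlogon Notify: <subkey> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    clsid: str
    dll: str
    severity: str  # "high", "medium" or "low"
    reason: str


def dll_stem(path: str) -> str:
    """Lower-cased file name without extension, e.g.
    'C:\\WINNT\\system32\\jkkiife.dll' -> 'jkkiife'."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def winlogon_notify_keys(log: str) -> Set[str]:
    """Collect the subkey names of all O20 Winlogon Notify entries."""
    keys = set()
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            keys.add(m.group("key").lower())
    return keys


def triage_hjt(log: str) -> List[Finding]:
    """Flag unnamed BHOs, ranking highest the ones whose DLL is also hooked
    into Winlogon Notify (the Virtumundo/Vundo pattern: an unnamed BHO plus
    a Notify subkey of the same name, which reloads the DLL at every logon)."""
    notify = winlogon_notify_keys(log)
    findings: List[Finding] = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if not m or m.group("name") != "(no name)":
            continue  # named BHOs such as the Adobe helper are not flagged here
        stem = dll_stem(m.group("path"))
        if stem in notify:
            sev, why = "high", "unnamed BHO whose DLL is also a Winlogon Notify package"
        elif m.group("missing"):
            sev, why = "low", "orphaned BHO registration, DLL file missing"
        else:
            sev, why = "medium", "unnamed BHO loaded from system32"
        findings.append(Finding(m.group("clsid"), stem + ".dll", sev, why))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {{{f.clsid}}} {f.dll}: {f.reason}")
```

On the sample, jkkiife.dll is the only "high" finding, which matches what VirtumundoBeGone singled out; the two "(file missing)" entries are leftover registrations from DLLs already deleted.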
Orange

Posted: 11 Sep 2007 13:29

something has been removed.
please post the updated HJT log.
pino

Posted: 11 Sep 2007 13:48

here's the new HJT log
now version 2 works too

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.44.31, on 11/09/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
g:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\system32\E_S00RP2.EXE
C:\WINNT\System32\svchost.exe
D:\Bus\Msde\binn\sqlservr.exe
C:\WINNT\system32\PDFCreatorMessages.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
G:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
G:\Programmi\Iomega\DriveIcons\ImgIcon.exe
G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
G:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\faxsvc.exe
G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\Dit.exe
G:\Programmi\QuickTime\qttask.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\DitExp.exe
C:\Programmi\VoiceAge\Common\VaCtrl.exe
D:\Bus\Msde\binn\sqlagent.exe
C:\Programmi\VoiceAge\Common\VaLangInterf.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\DShutdown\RDShutdown.exe
G:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\internat.exe
G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
G:\Programmi\Microsoft Office\Office\OSA.EXE
G:\Programmi\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Bus\Msde\Binn\sqlmangr.exe
G:\Programmi\FreePOPs\freepopsd.exe
G:\Programmi\Webroot\Spy Sweeper\SSU.EXE
g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FE24910-6076-4147-A4DE-61FFE6E7CE40} - C:\WINNT\system32\ssqrs.dll
O2 - BHO: (no name) - {524A994E-2501-43C7-8CCD-275068F832A7} - C:\WINNT\system32\ddcyv.dll (file missing)
O2 - BHO: (no name) - {5B22E413-EAB9-4F38-BF1D-09D8C7CFE6A7} - C:\WINNT\system32\pmkhh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] "C:\Programmi\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] "g:\Programmi\Iomega\DriveIcons\deskup.exe" /IMGSTART
O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [PDFCreatorClient] "g:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] "G:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe" /title="CorelDRAW Graphics Suite 12" /date=091607 serial=DR12WEX-1504397-KTY lang=IT
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VaCtrl] C:\Programmi\VoiceAge\Common\VaCtrl.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RDShutdown] "C:\Programmi\DShutdown\RDShutdown.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "G:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [UIWatcher] "G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Programmi\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Collegamento a freepopsd.exe.lnk = G:\Programmi\FreePOPs\freepopsd.exe
O4 - Global Startup: Avvio Office.lnk = G:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = G:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ricerca rapida.lnk = G:\Programmi\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Service Manager.lnk = D:\Bus\Msde\Binn\sqlmangr.exe
O8 - Extra context menu item: Scarica con Download &Express - g:\Programmi\Download Express\Add_Url.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122529522031
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - g:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - g:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINNT\system32\E_S00RP2.EXE
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Sistema Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - G:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programmi\Iomega\AutoDisk\ADService.exe

--
End of file - 8202 bytes
bdoriano
Administrator

Registered: 02/04/07 12:05
Messages: 14391
Location: 3rd planet of the solar system...

Posted: 11 Sep 2007 13:57

Download this and unpack it into a folder of its own, not a temporary one and not on the desktop.

Start AVENGER
Click "Input script manually"
Click the magnifying glass
Enter these lines:
Quote:
Files to delete:
C:\WINNT\system32\ssqrs.dll
C:\WINNT\system32\ddcyv.dll
C:\WINNT\system32\pmkhh.dll
C:\WINNT\system32\jkkiife.dll

Registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FE24910-6076-4147-A4DE-61FFE6E7CE40}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{524A994E-2501-43C7-8CCD-275068F832A7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B22E413-EAB9-4F38-BF1D-09D8C7CFE6A7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20}
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkiife

Click Done
Click the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When it has finished, post the result here together with an updated HijackThis log.
Orange
Mature god

Registered: 18/02/07 13:20
Messages: 2224
Location: Roma

Posted: 11 Sep 2007 14:05

[shocked] Wow, you're fast, BD!
I was just about to press "Send" [laughing]
pino
Hero in the gods' favor

Registered: 21/09/06 14:39
Messages: 126
Location: varese

Posted: 11 Sep 2007 14:16

[laughing] There's a race for the fastest mod [applause] [applause]

Here are the two logs

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yqpyqsfe

*******************

Script file located at: \??\C:\WINNT\fmkbbiew.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\ssqrs.dll deleted successfully.


File C:\WINNT\system32\ddcyv.dll not found!
Deletion of file C:\WINNT\system32\ddcyv.dll failed!

Could not process line:
C:\WINNT\system32\ddcyv.dll
Status: 0xc0000034



File C:\WINNT\system32\pmkhh.dll not found!
Deletion of file C:\WINNT\system32\pmkhh.dll failed!

Could not process line:
C:\WINNT\system32\pmkhh.dll
Status: 0xc0000034

File C:\WINNT\system32\jkkiife.dll deleted successfully.


Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FE24910-6076-4147-A4DE-61FFE6E7CE40} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FE24910-6076-4147-A4DE-61FFE6E7CE40} failed!
Status: 0xc0000034

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{524A994E-2501-43C7-8CCD-275068F832A7} deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B22E413-EAB9-4F38-BF1D-09D8C7CFE6A7} deleted successfully.


Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20} failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkiife not found!
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkiife failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.18.02, on 11/09/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
g:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\system32\E_S00RP2.EXE
C:\WINNT\System32\svchost.exe
D:\Bus\Msde\binn\sqlservr.exe
C:\WINNT\system32\PDFCreatorMessages.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
G:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
D:\Bus\Msde\binn\sqlagent.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
G:\Programmi\Iomega\DriveIcons\ImgIcon.exe
G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
G:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\WINNT\system32\msiexec.exe
G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\Dit.exe
C:\WINNT\DitExp.exe
G:\Programmi\QuickTime\qttask.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\VoiceAge\Common\VaCtrl.exe
G:\Programmi\Microsoft Office\Office\WINWORD.EXE
C:\Programmi\VoiceAge\Common\VaLangInterf.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\DShutdown\RDShutdown.exe
G:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\internat.exe
G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
G:\Programmi\Microsoft Office\Office\OSA.EXE
G:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\notepad.exe
G:\Programmi\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Bus\Msde\Binn\sqlmangr.exe
G:\Programmi\FreePOPs\freepopsd.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
G:\Programmi\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Administrator\Desktop\strumenti vari per rimozioni virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {62725CC0-0049-4DD0-96F2-B4377902122B} - C:\WINNT\system32\ssqrs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [Smapp] "C:\Programmi\Analog Devices\SoundMAX\Smtray.exe"
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] "g:\Programmi\Iomega\DriveIcons\deskup.exe" /IMGSTART
O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [PDFCreatorClient] "g:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] "G:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe" /title="CorelDRAW Graphics Suite 12" /date=091607 serial=DR12WEX-1504397-KTY lang=IT
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VaCtrl] C:\Programmi\VoiceAge\Common\VaCtrl.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RDShutdown] "C:\Programmi\DShutdown\RDShutdown.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] G:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [UIWatcher] "G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Programmi\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Collegamento a freepopsd.exe.lnk = G:\Programmi\FreePOPs\freepopsd.exe
O4 - Global Startup: Avvio Office.lnk = G:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = G:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ricerca rapida.lnk = G:\Programmi\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Service Manager.lnk = D:\Bus\Msde\Binn\sqlmangr.exe
O8 - Extra context menu item: Scarica con Download &Express - g:\Programmi\Download Express\Add_Url.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122529522031
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - g:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - g:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINNT\system32\E_S00RP2.EXE
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Sistema Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - G:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programmi\Iomega\AutoDisk\ADService.exe

--
End of file - 8142 bytes
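The loop this thread goes through by hand (read the HijackThis O2/O20 lines, write an Avenger script that removes the DLL, its BHO CLSID key and the matching Winlogon\Notify key, then read Avenger's result log to see what was actually removed) as an added Python example. This is not a tool from the thread, from HijackThis or from The Avenger. All log lines in it are constructed to mirror the formats posted above; the "random-looking DLL name in system32" rule and the pairing of a flagged BHO DLL with an O20 Winlogon Notify entry are assumptions modelled on the entries bdoriano removed, and produce a shortlist for a human to review rather than a verdict. The NTSTATUS decoding is standard: 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, which is why the "not found!" lines in the Avenger log above are harmless (the item was already gone, typically because Vundo renames its DLL on every reboot).

```python
"""HijackThis -> Avenger script -> Avenger result-log triage.

Added example, not a tool from the thread, HijackThis or The Avenger. The
"random-looking DLL in system32" rule and the BHO <-> Winlogon\\Notify pairing are
assumptions modelled on the entries removed in the thread: a shortlist, not a verdict.
"""
import re
from typing import Dict, List

# Constructed sample lines in HijackThis format (not copied from the thread's logs).
SAMPLE_HJT = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {62725CC0-0049-4DD0-96F2-B4377902122B} - C:\WINNT\system32\ssqrs.dll",
    r"O2 - BHO: (no name) - {524A994E-2501-43C7-8CCD-275068F832A7} - C:\WINNT\system32\jkkiife.dll",
    r"O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\WINNT\system32\zzabcd.dll (file missing)",
    r"O20 - Winlogon Notify: jkkiife - C:\WINNT\system32\jkkiife.dll",
])

# Constructed sample of an Avenger result log, modelled on the one posted above.
SAMPLE_AVENGER = "\n".join([
    r"File C:\WINNT\system32\ssqrs.dll deleted successfully.",
    r"File C:\WINNT\system32\ddcyv.dll not found!",
    r"Deletion of file C:\WINNT\system32\ddcyv.dll failed!",
    "Status: 0xc0000034",
    r"Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkiife not found!",
    "Status: 0xc0000034",
])

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")         # ssqrs.dll, jkkiife.dll ... (heuristic, has false positives)
IN_SYSTEM32 = re.compile(r"[\\/]system32[\\/][^\\/]+$", re.IGNORECASE)

BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# NTSTATUS values Avenger prints verbatim after a failed line.
NTSTATUS = {
    "0xc0000034": "STATUS_OBJECT_NAME_NOT_FOUND",
    "0xc0000022": "STATUS_ACCESS_DENIED",
    "0xc0000043": "STATUS_SHARING_VIOLATION",
}


def triage_hjt(log_text: str) -> List[dict]:
    """Return the O2 BHO entries worth removing, with the reasons each was flagged and
    the Winlogon\\Notify key (from an O20 line) that loads the same DLL, if any."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    notify_by_path = {m["path"].lower(): m["key"] for m in map(NOTIFY_RE.match, lines) if m}
    findings = []
    for m in filter(None, map(BHO_RE.match, lines)):
        path, reasons = m["path"], []
        base = path.rsplit("\\", 1)[-1].lower()
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
        if m["missing"]:
            reasons.append("orphaned CLSID: the DLL is already gone")
        if IN_SYSTEM32.search(path) and RANDOM_DLL.match(base):
            reasons.append("random-looking DLL name in system32")
        if reasons:
            findings.append({"clsid": m["clsid"].upper(), "path": path,
                             "missing": bool(m["missing"]),
                             "notify_key": notify_by_path.get(path.lower()),
                             "reasons": reasons})
    return findings


def avenger_script(findings: List[dict]) -> str:
    """Build the script text Avenger expects: files first, then registry keys.
    A DLL already reported '(file missing)' is not listed under files, only its CLSID key."""
    files = [f["path"] for f in findings if not f["missing"]]
    keys = [BHO_KEY + "\\{" + f["clsid"] + "}" for f in findings]
    keys += [NOTIFY_KEY + "\\" + f["notify_key"] for f in findings if f["notify_key"]]
    return "\n".join(["Files to delete:", *files, "", "Registry keys to delete:", *keys]) + "\n"


AVENGER_RE = re.compile(r"^(?:File|Registry key) (?P<target>.+) (?P<outcome>deleted successfully|not found)[.!]$")
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]{8})$")


def parse_avenger_log(text: str) -> Dict[str, dict]:
    """Map each target in an Avenger result log to its outcome and decoded NTSTATUS.
    'not found' + STATUS_OBJECT_NAME_NOT_FOUND means the item was gone before the script
    ran (e.g. the DLL was renamed on reboot), not that the deletion was blocked."""
    results, last = {}, None
    for line in text.splitlines():
        m = AVENGER_RE.match(line.strip())
        if m:
            last = m["target"]
            results[last] = {"outcome": m["outcome"], "status": None}
            continue
        s = STATUS_RE.match(line.strip())
        if s and last:
            results[last]["status"] = NTSTATUS.get(s["code"].lower(), s["code"].lower())
    return results


if __name__ == "__main__":
    flagged = triage_hjt(SAMPLE_HJT)
    for f in flagged:
        print(f["path"], "->", "; ".join(f["reasons"]))
    print(avenger_script(flagged))
    for target, r in parse_avenger_log(SAMPLE_AVENGER).items():
        print(r["outcome"], r["status"], target)
```

Run it on a pasted HijackThis log and compare its script with what you would write by hand; anything it lists that you cannot explain (a "(no name)" BHO that is really a legitimate add-on, for instance) is the shortlist doing its job, so read the reasons before feeding the script to Avenger.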
Orange
Mature god

Registered: 18/02/07 13:20
Messages: 2224
Location: Roma

Posted: 11 Sep 2007 14:46

I really think the enemy has been defeated [smile]
Now start HiJack, select "Do a system scan only", tick this entry and press "Fix checked":

O2 - BHO: (no name) - {62725CC0-0049-4DD0-96F2-B4377902122B} - C:\WINNT\system32\ssqrs.dll (file missing)
pino
Hero in the gods' favor

Registered: 21/09/06 14:39
Messages: 126
Location: varese

Posted: 11 Sep 2007 15:16

OK, done, that entry is gone too; I hope it doesn't come back.

Thanks again so much for your kindness.

Bye bye
pino
Hero in the gods' favor

Registered: 21/09/06 14:39
Messages: 126
Location: varese

Posted: 12 Sep 2007 10:23

I'm left with this annoying problem, which was already there while the infection was present.

When I open various applications (Windows Explorer, the Office ones, but non-MS ones as well), during loading the Windows Installer window pops up showing only "Preparing to install..." with no reference to the application that invoked it and no request to point it at the installation file.

After a few seconds the window closes and the application carries on loading.

Some applications open as many as 4-5 windows in sequence before they go on loading.

Any ideas?
pino
Hero in the gods' favor

Registered: 21/09/06 14:39
Messages: 126
Location: varese

Posted: 12 Sep 2007 14:39

I'll answer myself, since it seems I've solved it.

Over the past few days it had asked me a couple of times to insert the CD containing the proplus.msi file.

I put the Office installation CD in the drive, and when the Windows Installer window came up the system made some repairs to the Office installation.

Now it seems fine.