lua - Hero
Joined: 23/10/07 11:23 | Posts: 41
Posted: 23 Oct 2007 14:33 | Subject: * A strange file on the desktop

Apwin32 firewall prototype raygold sexo sex drogas drugs pedo qwert lolita collection casero novia hermana ilegal_
THIS IS THE NAME OF THE THING THAT IS ON THE DESKTOP AND I CAN'T DELETE IT.
IT SAYS: FILE ALREADY IN USE BY USER OR PROGRAM

Orange - Mature God
Joined: 18/02/07 13:20 | Posts: 2224 | Location: Rome
Posted: 23 Oct 2007 14:47

hi, lua
yours could be a malware problem.
follow the instructions in this topic and post an HJT log.
P.S. please avoid writing in capitals, it's the equivalent of shouting

lua - Hero
Joined: 23/10/07 11:23 | Posts: 41
Posted: 23 Oct 2007 16:19 | Subject: thanks

ok thanks, but sorry, I don't know the rules well, I'm brand new, thanks again

lua - Hero
Joined: 23/10/07 11:23 | Posts: 41
Posted: 23 Oct 2007 16:23 | Subject: here's the log

here's the log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16.22.31, on 23/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Utente\Documenti\PROGRAMMI UTILI\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R3 - URLSearchHook: Share_Accelerator_MM toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Programmi\Share_Accelerator_MM\tbShar.dll
R3 - URLSearchHook: Online_TV toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Programmi\Online_TV\tbOnli.dll
R3 - URLSearchHook: RadioItalia Toolbar - {0aaeaede-aefd-4672-a764-5c5c037612a2} - C:\Programmi\RadioItalia\tbRadi.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O2 - BHO: Online_TV toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Programmi\Online_TV\tbOnli.dll
O2 - BHO: Share_Accelerator_MM toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Programmi\Share_Accelerator_MM\tbShar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B9D5F58D-98D7-4534-BCA3-277D9F01C00C} - C:\windows\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {E4EEFFED-93CD-4CF0-A0F3-50D139121FEE} - C:\windows\system32\opnmlji.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Share_Accelerator_MM toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Programmi\Share_Accelerator_MM\tbShar.dll
O3 - Toolbar: Online_TV toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Programmi\Online_TV\tbOnli.dll
O3 - Toolbar: RadioItalia Toolbar - {0aaeaede-aefd-4672-a764-5c5c037612a2} - C:\Programmi\RadioItalia\tbRadi.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [himem] "c:\windows\himem.exe" 3fff 8ffff
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O20 - Winlogon Notify: jkkjg - C:\windows\system32\jkkjg.dll (file missing)
O20 - Winlogon Notify: opnmlji - opnmlji.dll (file missing)
O20 - Winlogon Notify: winlvi32 - winlvi32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4964 bytes

Smjert - Mature God
Joined: 01/04/06 18:19 | Posts: 1619 | Location: Lost in the net
Posted: 23 Oct 2007 16:24

The rules should be read before posting.
Anyway, I'd remind you that for deleting files that can't be deleted there's always good old Unlocker.

ste_95 - Mature God
Joined: 03/08/07 14:41 | Posts: 1920 | Location: Italy
Posted: 23 Oct 2007 16:58

select these entries and press fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O2 - BHO: (no name) - {B9D5F58D-98D7-4534-BCA3-277D9F01C00C} - C:\windows\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {E4EEFFED-93CD-4CF0-A0F3-50D139121FEE} - C:\windows\system32\opnmlji.dll (file missing)
O4 - HKCU\..\Run: [himem] "c:\windows\himem.exe" 3fff 8ffff
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O20 - Winlogon Notify: jkkjg - C:\windows\system32\jkkjg.dll (file missing)
O20 - Winlogon Notify: opnmlji - opnmlji.dll (file missing)
O20 - Winlogon Notify: winlvi32 - winlvi32.dll (file missing)
delete this file:
C:\windows\himem.exe
and run a scan with this tool:
http://www.atribune.org/content/view/24/2/
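A small triage script, added here as an example and not a tool used in the thread, that applies the heuristics ste_95 used when picking entries (unnamed BHOs, "(file missing)" hooks, Winlogon Notify DLLs, a Run entry starting an executable dropped straight into the Windows folder, a redirected search assistant) to the R/O lines of a HijackThis log; the sample log is a constructed subset of the lines posted above plus benign entries that must not be flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread plus
# benign entries (Google toolbar, NOD32, the user's start page) a triage must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: (no name) - {B9D5F58D-98D7-4534-BCA3-277D9F01C00C} - C:\windows\system32\jkkjg.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKCU\..\Run: [himem] "c:\windows\himem.exe" 3fff 8ffff
O20 - Winlogon Notify: winlvi32 - winlvi32.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O20"
    line: str     # the log line as written
    reason: str   # why a helper would tick it


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# An .exe sitting directly in the Windows folder rather than System32 or Program Files.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")
URL_HOST = re.compile(r"https?://([^/\s]+)")
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com")


def run_target(body: str) -> str:
    """Return the program path from an O4 body (handles quoted paths and trailing arguments)."""
    if "]" not in body:
        return ""
    cmd = body.split("]", 1)[1].strip()  # text after the [name] tag
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def reasons_for(sec: str, body: str) -> list[str]:
    """Heuristics mirroring the entries the helpers selected for 'Fix checked'."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("load point references a file that no longer exists "
                       "(orphaned hook, typical Vundo/Virtumonde leftover)")
    if sec == "O2" and "(no name)" in body:
        reasons.append("Browser Helper Object registered without a name")
    if sec == "O20":
        reasons.append("Winlogon Notify DLL: loaded by winlogon.exe at logon, "
                       "a persistence point Vundo is known to use")
    if sec == "O4" and WINDOWS_ROOT_EXE.match(run_target(body).lower()):
        reasons.append("Run key starts an executable dropped directly into the Windows folder")
    if sec == "R1" and "Search" in body.split("=", 1)[0]:
        m = URL_HOST.search(body)
        if m and not m.group(1).lower().endswith(TRUSTED_SEARCH_HOSTS):
            reasons.append(f"IE search setting redirected to third-party host {m.group(1)}")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Parse every R*/O* line of a HijackThis log and return the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header and process-list lines carry no load point
        for reason in reasons_for(m.group("sec"), m.group("body")):
            findings.append(Finding(m.group("sec"), line, reason))
    return findings


def fix_list(log_text: str) -> list[str]:
    """Distinct flagged lines in log order: what one would tick before 'Fix checked'."""
    ticked: list[str] = []
    for f in triage(log_text):
        if f.line not in ticked:
            ticked.append(f.line)
    return ticked


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The heuristics are deliberately narrow: an unknown O4 entry under Program Files, like the toolbars in this log, is not flagged automatically and still needs a human to judge it.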

bdoriano - Administrator
Joined: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 23 Oct 2007 19:14

@ste_95:
when a VirtuMonde infection is suspected, it's best to proceed in this sequence:
Step 1
Download VundoFix.exe to the desktop
- Run VundoFix.exe
- Click Scan for Vundo.
- When the scan finishes, click Remove Vundo.
- It asks whether you want to delete the infected files: click YES
- Your screen will go black while Vundo is being removed.
- At the end it will ask you to restart the PC: click OK.
- Paste here the contents of the log C:\vundofix.txt and a new HijackThis log.
Note: VundoFix may fail to delete some files. In that case VundoFix will start automatically when the PC reboots; repeat the steps above starting from "Click Scan for Vundo" when VundoFix appears at reboot.
Step 2:
Use VirtumundoBeGone, running it in Safe Mode.
Step 3:
Run a scan with ComboFix.
Step 4:
Use Avenger, but that really is the last resort.

ste_95 - Mature God
Joined: 03/08/07 14:41 | Posts: 1920 | Location: Italy
Posted: 23 Oct 2007 20:55

yes, in this case it seemed to me it had already gone, but I gave him the tool anyway; as for ComboFix, since he hadn't told me he had problems with Windows services.... sorry

bdoriano - Administrator
Joined: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 23 Oct 2007 21:07

Don't worry, the instructions you gave aren't wrong, the two steps just needed to be swapped.
One last thing: HijackThis fixes are better done in Safe Mode, as recommended here.

lua - Hero
Joined: 23/10/07 11:23 | Posts: 41
Posted: 24 Oct 2007 09:45 | Subject: to bdoriano

hi, all the steps you explained are done, here's the report
1 VundoFix
VundoFix V6.5.10
Checking Java version...
Sun Java not detected
Scan started at 9.21.55 24/10/2007
Listing files found while scanning....
C:\windows\system32\gjkkj.bak1
C:\windows\system32\gjkkj.bak2
C:\windows\system32\gjkkj.ini
C:\windows\system32\jkkjg.dll
C:\windows\system32\opnmlji.dll
Beginning removal...
Attempting to delete C:\windows\system32\gjkkj.bak1
C:\windows\system32\gjkkj.bak1 Has been deleted!
Attempting to delete C:\windows\system32\gjkkj.bak2
C:\windows\system32\gjkkj.bak2 Has been deleted!
Attempting to delete C:\windows\system32\gjkkj.ini
C:\windows\system32\gjkkj.ini Has been deleted!
Performing Repairs to the registry.
Done!
2
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9.32.53, on 24/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\Utente\Desktop\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R3 - URLSearchHook: Share_Accelerator_MM toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Programmi\Share_Accelerator_MM\tbShar.dll
R3 - URLSearchHook: Online_TV toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Programmi\Online_TV\tbOnli.dll
R3 - URLSearchHook: RadioItalia Toolbar - {0aaeaede-aefd-4672-a764-5c5c037612a2} - C:\Programmi\RadioItalia\tbRadi.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O2 - BHO: Online_TV toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Programmi\Online_TV\tbOnli.dll
O2 - BHO: Share_Accelerator_MM toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Programmi\Share_Accelerator_MM\tbShar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B9D5F58D-98D7-4534-BCA3-277D9F01C00C} - C:\windows\system32\jkkjg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Share_Accelerator_MM toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Programmi\Share_Accelerator_MM\tbShar.dll
O3 - Toolbar: Online_TV toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Programmi\Online_TV\tbOnli.dll
O3 - Toolbar: RadioItalia Toolbar - {0aaeaede-aefd-4672-a764-5c5c037612a2} - C:\Programmi\RadioItalia\tbRadi.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [himem] "c:\windows\himem.exe" 3fff 8ffff
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O20 - Winlogon Notify: jkkjg - C:\windows\system32\jkkjg.dll (file missing)
O20 - Winlogon Notify: opnmlji - opnmlji.dll (file missing)
O20 - Winlogon Notify: winlvi32 - winlvi32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4587 bytes
3
You have used an invalid url to download ComboFix.exe. Please be advised that these are the correct links to use
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
tried to delete the icon from the desktop and couldn't!!

ste_95 - Mature God
Joined: 03/08/07 14:41 | Posts: 1920 | Location: Italy
Posted: 24 Oct 2007 14:10

run VundoFix again, because either you pasted it badly or it didn't do everything...
for HijackThis, select these entries and press fix checked:
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O2 - BHO: (no name) - {B9D5F58D-98D7-4534-BCA3-277D9F01C00C} - C:\windows\system32\jkkjg.dll (file missing)
O4 - HKCU\..\Run: [himem] "c:\windows\himem.exe" 3fff 8ffff
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll (file missing)
O20 - Winlogon Notify: jkkjg - C:\windows\system32\jkkjg.dll (file missing)
O20 - Winlogon Notify: opnmlji - opnmlji.dll (file missing)
O20 - Winlogon Notify: winlvi32 - winlvi32.dll (file missing)
then delete these files:
c:\windows\himem.exe

bdoriano - Administrator
Joined: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 24 Oct 2007 21:07

If VundoFix didn't work, it may mean it didn't correctly recognise the virus (perhaps it's a new variant).
Before using HijackThis, do these steps:
Download VirtumundoBeGone to your desktop (you'll have to disable your antivirus to do so), then start the PC in Safe Mode. At that point run VirtumundoBeGone. Post the log it generates.
Download ComboFix from here or here and have it run a full scan. When it finishes, post the generated log here.

ste_95 - Mature God
Joined: 03/08/07 14:41 | Posts: 1920 | Location: Italy
Posted: 25 Oct 2007 07:28

well, it seems it did recognise Vundo, but it didn't delete some files.... am I wrong?

lua - Hero
Joined: 23/10/07 11:23 | Posts: 41
Posted: 25 Oct 2007 08:56 | Subject: here are the two logs

1 from Virtumundo...
[10/24/2007, 9:37:43] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Utente\Documenti\PROGRAMMI UTILI\VirtumundoBeGone.exe" )
[10/24/2007, 9:37:50] - Detected System Information:
[10/24/2007, 9:37:50] - Windows Version: 5.1.2600, Service Pack 2
[10/24/2007, 9:37:50] - Current Username: Utente (Admin)
[10/24/2007, 9:37:50] - Windows is in SAFE mode with Networking.
[10/24/2007, 9:37:50] - Searching for Browser Helper Objects:
[10/24/2007, 9:37:50] - BHO 1: {100EB1FD-D03E-47FD-81F3-EE91287F9465} (ShoppingReport)
[10/24/2007, 9:37:50] - BHO 2: {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} (Online_TV toolbar)
[10/24/2007, 9:37:50] - BHO 3: {4596013b-6c31-408b-a266-deae5c086dc2} (Share_Accelerator_MM toolbar)
[10/24/2007, 9:37:50] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[10/24/2007, 9:37:50] - BHO 5: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[10/24/2007, 9:37:50] - BHO 6: {B9D5F58D-98D7-4534-BCA3-277D9F01C00C} ()
[10/24/2007, 9:37:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/24/2007, 9:37:50] - Checking for HKLM\...\Winlogon\Notify\jkkjg
[10/24/2007, 9:37:50] - Found: HKLM\...\Winlogon\Notify\jkkjg - This is probably Virtumundo.
[10/24/2007, 9:37:50] - Assigning {B9D5F58D-98D7-4534-BCA3-277D9F01C00C} MSEvents Object
[10/24/2007, 9:37:50] - BHO list has been changed! Starting over...
[10/24/2007, 9:37:50] - BHO 1: {100EB1FD-D03E-47FD-81F3-EE91287F9465} (ShoppingReport)
[10/24/2007, 9:37:50] - BHO 2: {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} (Online_TV toolbar)
[10/24/2007, 9:37:50] - BHO 3: {4596013b-6c31-408b-a266-deae5c086dc2} (Share_Accelerator_MM toolbar)
[10/24/2007, 9:37:50] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[10/24/2007, 9:37:50] - BHO 5: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[10/24/2007, 9:37:50] - BHO 6: {B9D5F58D-98D7-4534-BCA3-277D9F01C00C} (MSEvents Object)
[10/24/2007, 9:37:50] - ALERT: Found MSEvents Object!
[10/24/2007, 9:37:51] - Finished Searching Browser Helper Objects
[10/24/2007, 9:37:51] - *** Detected MSEvents Object
[10/24/2007, 9:37:51] - Trying to remove MSEvents Object...
[10/24/2007, 9:37:52] - Terminating Process: IEXPLORE.EXE
[10/24/2007, 9:37:52] - Terminating Process: RUNDLL32.EXE
[10/24/2007, 9:37:52] - Disabling Automatic Shell Restart
[10/24/2007, 9:37:52] - Terminating Process: EXPLORER.EXE
[10/24/2007, 9:37:52] - Suspending the NT Session Manager System Service
[10/24/2007, 9:37:52] - Terminating Windows NT Logon/Logoff Manager
[10/24/2007, 9:37:52] - Re-enabling Automatic Shell Restart
[10/24/2007, 9:37:52] - File to disable: C:\windows\system32\jkkjg.dll
[10/24/2007, 9:37:52] - Removing HKLM\...\Browser Helper Objects\{B9D5F58D-98D7-4534-BCA3-277D9F01C00C}
[10/24/2007, 9:37:52] - Removing HKCR\CLSID\{B9D5F58D-98D7-4534-BCA3-277D9F01C00C}
[10/24/2007, 9:37:52] - Adding Kill Bit for ActiveX for GUID: {B9D5F58D-98D7-4534-BCA3-277D9F01C00C}
[10/24/2007, 9:37:52] - Deleting ATLEvents/MSEvents Registry entries
[10/24/2007, 9:37:52] - Removing HKLM\...\Winlogon\Notify\jkkjg
[10/24/2007, 9:37:52] - Searching for Browser Helper Objects:
[10/24/2007, 9:37:52] - BHO 1: {100EB1FD-D03E-47FD-81F3-EE91287F9465} (ShoppingReport)
[10/24/2007, 9:37:52] - BHO 2: {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} (Online_TV toolbar)
[10/24/2007, 9:37:52] - BHO 3: {4596013b-6c31-408b-a266-deae5c086dc2} (Share_Accelerator_MM toolbar)
[10/24/2007, 9:37:52] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[10/24/2007, 9:37:52] - BHO 5: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[10/24/2007, 9:37:52] - Finished Searching Browser Helper Objects
[10/24/2007, 9:37:52] - Finishing up...
[10/24/2007, 9:37:52] - A restart is needed.
[10/24/2007, 9:37:54] - Attempting to Restart via STOP error (Blue Screen!)
[10/25/2007, 8:43:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Utente\Documenti\PROGRAMMI UTILI\VirtumundoBeGone.exe" )
[10/25/2007, 8:43:32] - User choose NOT to continue. Exiting...
2 from ComboFix
ComboFix 07-10-23.2 - Utente 2007-10-25 8.47.54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.243 [GMT 2:00]
Running from: C:\Documents and Settings\Utente\Documenti\PROGRAMMI UTILI\combofix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\ANNA.CASA\Application Data\ShoppingReport
C:\Documents and Settings\ANNA.CASA\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\ANNA.CASA\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\ANNA.CASA\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\ANNA.CASA\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\ANNA.CASA\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\ANNA.CASA\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\ANNA.CASA\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\ANNA.CASA\Desktop\internet.lnk
C:\Documents and Settings\Utente\Dati applicazioni\inst.exe
C:\Documents and Settings\Utente\Dati applicazioni\ShoppingReport
C:\Documents and Settings\Utente\Dati applicazioni\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Utente\Dati applicazioni\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Utente\Dati applicazioni\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Utente\Dati applicazioni\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Utente\Dati applicazioni\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Utente\Dati applicazioni\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Utente\Dati applicazioni\ShoppingReport\cs\res2\WhiteList.dbs
C:\Programmi\ShoppingReport
C:\Programmi\ShoppingReport\Uninst.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.
2007-10-25 08:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 09:21 <DIR> d-------- C:\VundoFix Backups
2007-10-23 14:29 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-23 14:23 <DIR> d-------- C:\Programmi\Sunbelt Software
2007-10-23 14:03 <DIR> d-------- C:\Programmi\RadioItalia
2007-10-03 12:07 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-10-03 12:07 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-10-03 12:07 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 06:44 --------- d-----w C:\Programmi\Microsoft Works
2007-10-24 06:31 --------- d-----w C:\Programmi\PowerArchiver
2007-10-24 06:27 --------- d-----w C:\Programmi\eMule
2007-10-24 06:18 10,646 --sha-w C:\windows\system32\KGyGaAvL.sys
2007-10-23 12:33 --------- d-----w C:\Programmi\Online TV Player 3
2007-09-21 10:30 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-09-21 10:24 --------- d-----w C:\Programmi\KONAMI
2007-09-13 13:43 --------- d-----w C:\Programmi\BearShare Applications
2007-09-13 13:34 --------- d-----w C:\Programmi\Prefiss2
2007-09-13 13:20 --------- d-----w C:\Programmi\Online_TV
2007-09-12 06:45 --------- d-----w C:\Programmi\PAN2
2007-09-10 09:52 --------- d--h--w C:\Programmi\Zenographics
2007-09-07 13:13 --------- d-----w C:\Programmi\iTunes
2007-09-07 13:12 --------- d-----w C:\Programmi\iPod
2007-09-06 11:05 --------- d-----w C:\Programmi\SlySoft
2007-09-06 11:05 --------- d-----w C:\Programmi\Elaborate Bytes
2007-09-06 11:00 --------- d-----w C:\Programmi\DVD Shrink
2007-09-05 15:48 --------- d-----w C:\Documents and Settings\ANNA.CASA\Application Data\SlySoft
2007-09-05 11:22 --------- d-----w C:\Documents and Settings\Utente\Dati applicazioni\SlySoft
2007-08-29 12:18 47,360 ----a-w C:\Documents and Settings\Utente\Dati applicazioni\pcouffin.sys
2007-08-29 12:18 --------- d-----w C:\Documents and Settings\Utente\Dati applicazioni\Vso
2007-08-29 11:15 94,208 ----a-w C:\Documents and Settings\Utente\Dati applicazioni\ezplay.sys
2007-08-28 11:40 --------- d-----w C:\Programmi\Google
2007-08-21 06:16 683,520 ----a-w C:\windows\system32\inetcomm.dll
2007-08-11 15:23 574,508 ----a-w C:\windows\system32\wyuywtho.exe
2007-08-10 19:56 93,128 ----a-w C:\windows\system32\ElbyCDIO.dll
2007-07-30 17:19 92,504 ----a-w C:\windows\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\windows\system32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\windows\system32\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\windows\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\windows\system32\wucltui.dll
2007-07-30 17:19 271,224 ----a-w C:\windows\system32\mucltui.dll
2007-07-30 17:19 207,736 ----a-w C:\windows\system32\muweb.dll
2007-07-30 17:19 203,096 ----a-w C:\windows\system32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\windows\system32\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\windows\system32\wups.dll
2007-01-10 11:43 5 ----a-w C:\Programmi\zinf
2003-07-31 09:53 147,456 ----a-w C:\windows\inf\EL2K_XP.sys
2003-07-31 09:50 448,768 ----a-w C:\windows\inf\EL2K_N64.sys
2003-07-31 09:43 147,456 ----a-w C:\windows\inf\EL2K_2K.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}]
C:\Programmi\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-06-29 06:24]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 C:\WINDOWS\system32\ptipbmf.dll]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-09-05 18:03]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2007-10-03 12:06]
"UnlockerAssistant"="C:\Programmi\Unlocker\UnlockerAssistant.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 10:45]
"himem"="c:\windows\himem.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmlji]
opnmlji.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlvi32]
winlvi32.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d92bfc9-83d9-11db-b9f3-0009dd10330e}]
AutoRun\command - H:\InstallTomTomHOME.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-19 12:35:00 C:\windows\Tasks\AppleSoftwareUpdate.job"
"2007-04-17 20:53:26 C:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1168963566.job"
- C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-10-23 15:49:00 C:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1170607747.job"
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 08:54:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-25 8.54.40
.
--- E O F ---
awaiting further instructions, thanks

bdoriano - Administrator
Joined: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 25 Oct 2007 09:28

ste_95 wrote:
> well, it seems it did recognise Vundo, but it didn't delete some files.... am I wrong?
No, you're not wrong. But it couldn't remove it completely because it only recognised it in part. VundoFix, unfortunately, isn't infallible.
lua wrote:
> 1 from Virtumundo...
> [10/25/2007, 8:43:32] - User choose NOT to continue. Exiting...
Run VirtumundoBeGone again and have it clean up what it found.
lua wrote:
> ComboFix 07-10-23.2 - Utente 2007-10-25 8.47.54.1 - NTFSx86
> Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.243 [GMT 2:00]
> ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
> .
> C:\Documents and Settings\ANNA.CASA\Application Data\ShoppingReport
> etc...
ComboFix recognised and removed ShopperReport.
From the ComboFix log it looks to me like you have a multiple infection (other viruses besides Vundo); run this scan with SystemScan and post the log on FreeFileHosting as explained here.

lua - Hero
Joined: 23/10/07 11:23 | Posts: 41
Posted: 25 Oct 2007 10:46

hi, I start SystemScan, it gets to phase ten and freezes, and then if I press Ctrl+Alt+Del it says "not responding". What should I do?

bdoriano - Administrator
Joined: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 25 Oct 2007 10:54

When you start SystemScan, untick the Alternate Data Streams option.

lua - Hero
Joined: 23/10/07 11:23 | Posts: 41
Posted: 25 Oct 2007 11:39

ok, as soon as I get home I'll check and try...
I wanted to ask you which antivirus you consider the best among the many there are; in your opinion is NOD32 good??

lua - Hero
Joined: 23/10/07 11:23 | Posts: 41
Posted: 25 Oct 2007 12:21

hi, scan finished, with suspect uploaded to the site; now I'm sending you the scan and the site link, thanks a lot, really very kind, so once and for all let's clean the junk off the PC, thanks again...
Forum suspect.txt
scan:
edit by bdoriano: log removed because it was excessively long
When requested, logs are to be posted on FreeFileHosting and not on the forum. Only the link goes on the forum. Thank you for your cooperation.

bdoriano - Administrator
Joined: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 25 Oct 2007 12:55

Start by downloading this and unpack it into its own non-temporary folder, not on the desktop.
We'll use it to give your PC its autumn clean-up.
Now, be patient while we read the log.