Olimpo Informatico

[Centurion]

Ciao ragazzi, mi chiamo Mauro e purtroppo anch'io ho riscontrato lo stesso problema, da giorni leggo i vostri interventi sul forum e qualcosina sono riuscito a fare, anche grazie a kaspersky, ma di eliminare del tutto il dialer non se ne parla.... accendendo windows mi compare comunque il messaggio di tentativo di connessione di Explorer con NON IN LINEA o RIPROVA.
Ho i programmi che avete suggerito, però nel mio caso, non so quali voci devo aggiungere in avenger.
Qualcuno di voi se la sente di dare una mano anche a me? Ve ne sono grato.

Non ho aperto un'altra discussione in quanto sempre di questo dannato dialer si parla, e vedo che Diamante ha risolto, quindi non si accavallerebbero le soluzioni dato che lui grazie a voi ce l'ha fatta

[bdoriano]

Ciao Centurion,

purtroppo ogni infezione è un caso a se stante, per questo chiediamo di aprire un thread specifico per ogni utente.

Andiamo a cominciare...

Segui le istruzioni di questo topic per postare il log di hijackthis.

Fai anche questa scansione con FindAWF

PS: se vuoi, puoi presentarti qui

[Centurion]

Grazie, gentilissimo! Mi sono anche andato a presentare di là
Ecco questo è il log di hijack


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23.50.19, on 22/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Programmi\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WheelMouse] C:\WHEELM~1\wh_exec.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Acrobat8\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Software\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\Software\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Software\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179681438645
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FF79FCD-FBA2-4750-8A43-83C39E4E5CF8}: NameServer = 193.70.152.15 193.70.152.25
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7009 bytes

[Centurion]

Questo è invece il log generato da AWF

Find AWF report by noahdfear ©2006
Version 1.40



bak folders found
~~~~~~~~~~~

Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\WHEELM~1\BAK

30/11/2001 21.18 77.824 wh_exec.exe
1 File 77.824 byte
2 Directory 56.804.737.024 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\ESET\BAK

0 File 0 byte
2 Directory 56.804.737.024 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\HAMLET~1\BAK

11/03/2003 20.10 454.656 CnxDslTb.exe
1 File 454.656 byte
2 Directory 56.804.732.928 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\MSNMES~1\BAK

0 File 0 byte
2 Directory 56.804.732.928 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\QUICKT~1\BAK

0 File 0 byte
2 Directory 56.804.732.928 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\WINDOW~4\BAK

03/11/2006 17.20 866.584 MSASCui.exe
1 File 866.584 byte
2 Directory 56.804.732.928 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\SOFTWARE\SYSTEM~1\BAK

20/12/2006 16.47 557.056 SMSystemAnalyzer.exe
1 File 557.056 byte
2 Directory 56.804.732.928 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\WINDOWS\SYSTEM32\BAK

19/08/2004 14.39 15.360 ctfmon.exe
02/06/2006 09.45 385.024 JMRaidTool.exe
2 File 400.384 byte
2 Directory 56.804.732.928 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\ACROBAT8\READER\BAK

10/10/2007 18.51 39.792 Reader_sl.exe
1 File 39.792 byte
2 Directory 56.804.732.928 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\ANALOG~1\CORE\BAK

01/05/2006 11.07 843.776 smax4pnp.exe
1 File 843.776 byte
2 Directory 56.804.732.928 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

10/04/2006 08.19 729.088 Smax4.exe
1 File 729.088 byte
2 Directory 56.804.732.928 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\ATITEC~1\ATI.ACE\BAK

25/09/2006 08.12 90.112 CLIStart.exe
1 File 90.112 byte
2 Directory 56.804.728.832 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\MICROS~3\KEYBOARD\BAK

12/06/2001 00.20 69.632 type32.exe
1 File 69.632 byte
2 Directory 56.804.728.832 byte disponibili
Il volume nell'unit? C ? Hard Disk XP
Numero di serie del volume: 3C1B-E879

Directory di C:\PROGRA~1\NOKIA\NOKIAP~1\BAK

23/03/2007 12.20 227.328 LaunchApplication.exe
1 File 227.328 byte
2 Directory 56.804.728.832 byte disponibili
Il volume nell'unit? D ? Trainsimulator
Numero di serie del volume: 8CBD-2AB2

Directory di D:\TS2GAL~1\TRAINS~1\TRAINS\TRAINSET\FS_ADP~1\BAK

25/05/2007 21.04 699.378 TettoP.ace
25/05/2007 20.34 626.569 TettoPO.ace
25/05/2007 20.41 659.333 TettoPOL.ace
3 File 1.985.280 byte
2 Directory 67.868.590.080 byte disponibili
Il volume nell'unit? D ? Trainsimulator
Numero di serie del volume: 8CBD-2AB2

Directory di D:\TS2GAL~1\TRAINS~1\TRAINS\TRAINSET\FS_E44~1\BAK

02/05/2007 23.56 6.368.740 090mayo.zip
01/06/2007 22.50 9.235.815 FS_E444_006.BAK
01/06/2007 22.51 1.091 FS_E444_006.PolyMaster
01/05/2007 23.06 3.548.966 FS_E444_090.BAK
01/06/2007 22.53 1.079 FS_E444_090.PolyMaster
5 File 19.155.691 byte
2 Directory 67.868.590.080 byte disponibili


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 31 Dec 2007 "C:\WheelMouse\wh_exec.exe"
77824 30 Nov 2001 "C:\WheelMouse\bak\wh_exec.exe"
14348 31 Dec 2007 "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
454656 11 Mar 2003 "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\bak\CnxDslTb.exe"
14348 31 Dec 2007 "C:\Programmi\Windows Defender\MSASCui.exe"
866584 3 Nov 2006 "C:\Programmi\Windows Defender\bak\MSASCui.exe"
14348 31 Dec 2007 "C:\Software\System Mechanic Professional 6\SMSystemAnalyzer.exe"
557056 20 Dec 2006 "C:\Software\System Mechanic Professional 6\bak\SMSystemAnalyzer.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 31 Dec 2007 "C:\WINDOWS\system32\JMRaidTool.exe"
385024 2 Jun 2006 "C:\WINDOWS\system32\bak\JMRaidTool.exe"
14348 31 Dec 2007 "C:\Programmi\Acrobat8\Reader\Reader_sl.exe"
39792 10 Oct 2007 "C:\Programmi\Acrobat8\Reader\bak\Reader_sl.exe"
14348 31 Dec 2007 "C:\Programmi\Analog Devices\Core\smax4pnp.exe"
843776 1 May 2006 "C:\Programmi\Analog Devices\Core\bak\smax4pnp.exe"
14348 31 Dec 2007 "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe"
729088 10 Apr 2006 "C:\Programmi\Analog Devices\SoundMAX\bak\Smax4.exe"
14348 31 Dec 2007 "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
90112 25 Sep 2006 "C:\Programmi\ATI Technologies\ATI.ACE\bak\CLIStart.exe"
14348 31 Dec 2007 "C:\Programmi\Microsoft Hardware\Keyboard\type32.exe"
69632 12 Jun 2001 "C:\Programmi\Microsoft Hardware\Keyboard\bak\type32.exe"
69632 12 Jun 2001 "C:\Programmi\Microsoft IntelliType Pro\Keyboard\Setup\MSH\KBD\type32.exe"
14348 31 Dec 2007 "C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe"
227328 23 Mar 2007 "C:\Programmi\Nokia\Nokia PC Suite 6\bak\LaunchApplication.exe"
800164 9 Oct 2007 "D:\TrainSimulator\TRAINS\TRAINSET\FS_ADP_Pack\TettoP.ace"
699378 25 May 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\TettoP.ace"
699378 25 May 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\Bak\TettoP.ace"
800164 9 Oct 2007 "E:\TrainSimulator\TRAINS\TRAINSET\FS_ADP_Pack\TettoP.ace"
800164 9 Oct 2007 "E:\TS\TRAINS\TRAINSET\FS_ADP_Pack\TettoP.ace"
699378 25 May 2007 "G:\OFFICINA Pubblicazioni\3D incompleti\FS_ADP_Pack\TettoP.ace"
1160173 2 Apr 2007 "G:\OFFICINA Pubblicazioni\REPAINT MIEI\Pilote ADP\liguri\TettoP.ace"
1166479 22 Mar 2007 "G:\OFFICINA Pubblicazioni\REPAINT MIEI\Pilote ADP\Pilota REVAMP\TettoP.ace"
699378 25 May 2007 "G:\OFFICINA Pubblicazioni\REPAINT MIEI\REPAINT ADP\COND senza pubblicit?\TettoP.ace"
320125 25 Sep 2007 "G:\OFFICINA Pubblicazioni\REPAINT MIEI\REPAINT ADP\pilota isolata ADP cond\TettoP.ace"
861540 9 Oct 2007 "D:\TrainSimulator\TRAINS\TRAINSET\FS_ADP_Pack\TettoPO.ace"
699378 25 May 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\TettoPO.ace"
626569 25 May 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\Bak\TettoPO.ace"
861540 9 Oct 2007 "E:\TrainSimulator\TRAINS\TRAINSET\FS_ADP_Pack\TettoPO.ace"
861540 9 Oct 2007 "E:\TS\TRAINS\TRAINSET\FS_ADP_Pack\TettoPO.ace"
699378 25 May 2007 "G:\OFFICINA Pubblicazioni\3D incompleti\FS_ADP_Pack\TettoPO.ace"
1040183 22 Mar 2007 "G:\OFFICINA Pubblicazioni\REPAINT MIEI\Pilote ADP\Pilota OLD\TettoPO.ace"
699378 25 May 2007 "G:\OFFICINA Pubblicazioni\REPAINT MIEI\REPAINT ADP\OLD Graffiti\TettoPO.ace"
721045 9 Oct 2007 "D:\TrainSimulator\TRAINS\TRAINSET\FS_ADP_Pack\TettoPOL.ace"
699378 26 May 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\TettoPOL.ace"
659333 25 May 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\Bak\TettoPOL.ace"
721045 9 Oct 2007 "E:\TrainSimulator\TRAINS\TRAINSET\FS_ADP_Pack\TettoPOL.ace"
721045 9 Oct 2007 "E:\TS\TRAINS\TRAINSET\FS_ADP_Pack\TettoPOL.ace"
699378 26 May 2007 "G:\OFFICINA Pubblicazioni\3D incompleti\FS_ADP_Pack\TettoPOL.ace"
6368740 2 May 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\090mayo.zip"
37298 26 May 2007 "D:\TrainSimulator\TRAINS\TRAINSET\FS_E444_089_ESCI\FS_E444_089.eng.bak"
9235815 1 Jun 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\FS_E444_006.BAK"
37298 26 May 2007 "E:\TrainSimulator\TRAINS\TRAINSET\FS_E444_089_ESCI\FS_E444_089.eng.bak"
37298 26 May 2007 "E:\TS\TRAINS\TRAINSET\FS_E444_089_ESCI\FS_E444_089.eng.bak"
1091 1 Jun 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\FS_E444_006.PolyMaster"
3548966 1 May 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\FS_E444_090.BAK"
1079 1 Jun 2007 "D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\FS_E444_090.PolyMaster"


end of report

[Orange]

Benvenuto anche da parte mia

* scarica Avenger e scompattalo sul desktop
avvialo, seleziona Input script manually
clicca sulla lente d'ingrandimento
nella finestra che si apre View/Edit scrit copia/incolla queste righe:

[Centurion]

Ecco qua, ho fatto come mi hai suggerito... questo è il log generato dopo il riavvio



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vpncmpuo

*******************

Script file located at: \??\C:\WINDOWS\system32\wkldcfrf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WheelMouse\wh_exec.exe deleted successfully.
File C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe deleted successfully.
File C:\Programmi\Windows Defender\MSASCui.exe deleted successfully.
File C:\Software\System Mechanic Professional 6\SMSystemAnalyzer.exe deleted successfully.
File C:\WINDOWS\system32\JMRaidTool.exe deleted successfully.
File C:\Programmi\Acrobat8\Reader\Reader_sl.exe deleted successfully.
File C:\Programmi\Analog Devices\Core\smax4pnp.exe deleted successfully.
File C:\Programmi\Analog Devices\SoundMAX\Smax4.exe deleted successfully.
File C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe deleted successfully.
File C:\Programmi\Microsoft Hardware\Keyboard\type32.exe deleted successfully.
File C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe deleted successfully.
File move operation C:\WheelMouse\bak\wh_exec.exe|C:\WheelMouse\wh_exec.exe completed successfully.
File move operation C:\Programmi\Hamlet HDSL640S USB ADSL Modem\bak\CnxDslTb.exe|C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe completed successfully.
File move operation C:\Programmi\Windows Defender\bak\MSASCui.exe|C:\Programmi\Windows Defender\MSASCui.exe completed successfully.
File move operation C:\Software\System Mechanic Professional 6\bak\SMSystemAnalyzer.exe|C:\Software\System Mechanic Professional 6\SMSystemAnalyzer.exe completed successfully.
File move operation C:\WINDOWS\system32\bak\JMRaidTool.exe|C:\WINDOWS\system32\JMRaidTool.exe completed successfully.
File move operation C:\Programmi\Acrobat8\Reader\bak\Reader_sl.exe|C:\Programmi\Acrobat8\Reader\Reader_sl.exe completed successfully.
File move operation C:\Programmi\Analog Devices\Core\bak\smax4pnp.exe|C:\Programmi\Analog Devices\Core\smax4pnp.exe completed successfully.
File move operation C:\Programmi\Analog Devices\SoundMAX\bak\Smax4.exe|C:\Programmi\Analog Devices\SoundMAX\Smax4.exe completed successfully.
File move operation C:\Programmi\ATI Technologies\ATI.ACE\bak\CLIStart.exe|C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe completed successfully.
File move operation C:\Programmi\Microsoft Hardware\Keyboard\bak\type32.exe|C:\Programmi\Microsoft Hardware\Keyboard\type32.exe completed successfully.
File move operation C:\Programmi\Nokia\Nokia PC Suite 6\bak\LaunchApplication.exe|C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe completed successfully.

Completed script processing.

*******************

Finished! Terminate.

[Centurion]

ecco, anche adesso mi si è verificato un altro tentativo di collegamento a quel dannato sito! Kaspersky parte disattivato, e si attiva poi subito dopo, come se il virus lo bloccasse momentaneamente per fare i suoi sporchi comodi...

[Centurion]

Ragazzi, mi avete abbandonato? Finisce qui la disinfezione o devo fare altro?

[bdoriano]

Ciao Centurion,

riecchime.

Evidentemente hai anche altri agenti all'opera.
Facciamo altre scansioni off-line.

Segui le istruzioni di questo topic per postare il log di combofix.

Poi, fai queste scansioni con GMER e posta i logs su FreeFileHosting come indicato qui.

[Centurion]

grazie tante! provo a fare il tutto e poi ti posto il log!

[Centurion]

ComboFix 08-01-23.1C - Mauro 2008-01-27 17.40.15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1401 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Mauro\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2007-12-27 al 2008-01-27 )))))))))))))))))))))))))))))))))))
.

2008-01-27 17:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 23:41 . 2008-01-23 23:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 23:41 . 2008-01-23 23:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-22 23:49 . 2008-01-22 23:54 <DIR> d-------- C:\HiJackThis
2008-01-21 23:22 . 2008-01-21 23:22 <DIR> d-------- C:\Programmi\Kaspersky Lab
2008-01-21 23:22 . 2008-01-27 17:47 21,941,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-21 23:22 . 2008-01-27 12:02 316,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-21 23:22 . 2008-01-27 17:47 116,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-21 23:22 . 2008-01-21 23:30 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-21 23:22 . 2008-01-21 23:30 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-21 23:22 . 2008-01-27 12:02 16,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-21 22:35 . 2008-01-21 22:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-20 12:43 . 2008-01-20 12:43 <DIR> d-------- C:\Programmi\ThemeEditor6600
2008-01-10 15:26 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-02 11:10 . 2008-01-10 15:26 <DIR> d-------- C:\Programmi\Java
2008-01-02 11:10 . 2008-01-02 11:10 <DIR> d-------- C:\Programmi\File comuni\Java
2007-12-31 00:06 . 2008-01-25 00:29 <DIR> d-------- C:\WINDOWS\system32\bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 23:29 385,024 ----a-w C:\WINDOWS\system32\JMRaidTool.exe
2008-01-24 23:29 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe
2008-01-24 23:28 --------- d-----w C:\Programmi\Windows Defender
2008-01-24 23:28 --------- d-----w C:\Programmi\QuickTime
2008-01-24 23:28 --------- d-----w C:\Programmi\Hamlet HDSL640S USB ADSL Modem
2007-12-30 23:06 --------- d-----w C:\Programmi\MSN Messenger
2007-12-13 14:54 --------- d-----w C:\Programmi\DivX
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-25 16:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-07 09:27 727,552 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2007-05-21 09:33 88 --sh--r C:\WINDOWS\system32\3C491B7E0C.sys
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------w 843,776 2006-05-01 10:07:44 C:\Programmi\Analog Devices\Core\bak\smax4pnp.exe
----a-w 843,776 2008-01-24 23:29:49 C:\Programmi\Analog Devices\Core\smax4pnp.exe

------w 454,656 2003-03-11 19:10:38 C:\Programmi\Hamlet HDSL640S USB ADSL Modem\bak\CnxDslTb.exe
----a-w 454,656 2008-01-24 23:29:49 C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe

------w 132,496 2007-09-25 00:11:35 C:\Programmi\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 132,496 2008-01-24 23:29:49 C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe

------w 69,632 2001-06-11 23:20:24 C:\Programmi\Microsoft Hardware\Keyboard\bak\type32.exe
----a-w 69,632 2008-01-24 23:29:49 C:\Programmi\Microsoft Hardware\Keyboard\type32.exe

------w 227,328 2007-03-23 11:20:52 C:\Programmi\Nokia\Nokia PC Suite 6\bak\LaunchApplication.exe
----a-w 227,328 2008-01-24 23:29:49 C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe

------w 866,584 2006-11-03 16:20:12 C:\Programmi\Windows Defender\bak\MSASCui.exe
----a-w 866,584 2008-01-24 23:29:49 C:\Programmi\Windows Defender\MSASCui.exe

------w 557,056 2006-12-20 15:47:00 C:\Software\System Mechanic Professional 6\bak\SMSystemAnalyzer.exe
----a-w 557,056 2008-01-24 23:29:49 C:\Software\System Mechanic Professional 6\SMSystemAnalyzer.exe

------w 77,824 2001-11-30 20:18:38 C:\WheelMouse\bak\wh_exec.exe
----a-w 77,824 2008-01-24 23:29:49 C:\WheelMouse\wh_exec.exe

----a-w 15,360 2004-08-19 13:39:36 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-19 13:39:36 C:\WINDOWS\system32\ctfmon.exe

----a-w 699,378 2007-05-25 20:04:58 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\Bak\TettoP.ace
----a-w 699,378 2007-05-25 20:04:58 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\TettoP.ace

----a-w 626,569 2007-05-25 19:34:16 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\Bak\TettoPO.ace
----a-w 699,378 2007-05-25 20:59:22 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\TettoPO.ace

----a-w 659,333 2007-05-25 19:41:46 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\Bak\TettoPOL.ace
----a-w 699,378 2007-05-26 10:45:30 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\FS_ADP_Pack\TettoPOL.ace

----a-w 6,368,740 2007-05-02 22:56:10 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\090mayo.zip

----a-w 9,235,815 2007-06-01 21:50:46 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\FS_E444_006.BAK

----a-w 1,091 2007-06-01 21:51:14 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\FS_E444_006.PolyMaster

----a-w 3,548,966 2007-05-01 22:06:46 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\FS_E444_090.BAK

----a-w 1,079 2007-06-01 21:53:58 D:\Ts2Galimi\Train Simulator\TRAINS\trainset\Fs_E444_Pack\Bak\FS_E444_090.PolyMaster

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"SMSystemAnalyzer"="C:\Software\System Mechanic Professional 6\SMSystemAnalyzer.exe" [2008-01-25 00:29 557056]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2008-01-25 00:29 843776]
"SoundMAX"="C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" [2008-01-25 00:29 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2008-01-25 00:29 385024]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-25 00:29 90112]
"CnxDslTaskBar"="C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe" [2008-01-25 00:29 454656]
"Windows Defender"="C:\Programmi\Windows Defender\MSASCui.exe" [2008-01-25 00:29 866584]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-01-25 00:29 282624]
"IntelliType"="C:\Programmi\Microsoft Hardware\Keyboard\type32.exe" [2008-01-25 00:29 69632]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-01-25 00:29 155648]
"PCSuiteTrayApplication"="C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2008-01-25 00:29 227328]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 14:39 110592 C:\WINDOWS\system32\bthprops.cpl]
"WheelMouse"="C:\WHEELM~1\wh_exec.exe" [2008-01-25 00:29 77824]
"Adobe Reader Speed Launcher"="C:\Programmi\Acrobat8\Reader\Reader_sl.exe" [2008-01-25 00:29 39792]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-25 00:29 132496]
"AVP"="C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]
"Nokia.PCSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 14:58 1744896]
"DWQueuedReporting"="C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2003-03-07 14:46]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2003-03-07 14:46]
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-03-11 19:59]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;C:\WINDOWS\system32\DRIVERS\whfltr2k.sys [2001-10-01 20:18]

*Newly Created Service* - PROCEXP90
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-27 15:30:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Programmi\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 17:47:29
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WHEELM~1\wh_hook.dll
.
Ora fine scansione: 2008-01-27 17.53.05
.
2008-01-25 09:40:49 --- E O F ---

[Centurion]

Questi sono i log di Gmer... spero di aver fatto tutto in modo corretto...
Chissà se riuscirò mai a recuperare il mio povero pc! Oggi va stranamente molto lento..

link

link

[bdoriano]

I logs di gmer e combofix sembrano puliti.

Vedo che hai Kaspersky come antivirus e System Mechanic (per monitorare l'andamento del pc, penso). Non so dirti a cosa possa essere dovuto il rallentamento.

Fai questa scansione con SystemScan e posta il log su FreeFileHosting come indicato qui.

[Centurion]

Allora, probabilmente è pulito adesso...

L'antivirus mi ha dato due segnalazioni sospette, ma una ho scoperto essere legata al wga di windows, l'altro è combofix che non so perché un giorno mi ha segnalato come modification of virus heur.invader, ma avendo letto che combofix quando lavora modifica l'orologio, immagino che l'antivirus abbia sospettato di lui, ma che non ci sia in realtà alcun pericolo... magari l'ha visto come virus in base alle istruzioni dell'exe.
Il pc sembra più veloce adesso... Quindi per adesso considero risolto il problema. Se dovessi riscontare altre anomalie torno a postare!

Grazie mille per l'aiuto siete stati grandiosi!

[bdoriano]

Contento che hai risolto.

Se hai bisogno, siamo qui.