pietruzzzo (Hero in the grace of the gods)
Registered: 13/11/07 11:21 Posts: 157
Posted: 05 Feb 2008 22:17
Here is the whole screen:
USE THE BOOTCFG COMMAND FOR BOOT CONFIGURATION AND RECOVERY
BOOTCFG \ADD
BOOTCFG \REBUILD
BOOTCFG \SCAN
BOOTCFG \LIST
BOOTCFG \DISABLEREDIRECT
BOOTCFG \REDIRECT (PORT BAUDRAT) :(USE BIOS SETTINGS)
/SCAN scan all disks for windows installations and display the results
/ADD adda windows installation to the boot list
/REBUILD iterate through all windows installations and allow the user to choose which to add
/DEFAULT set the default boot entry
/LIST list the entries already in the boot list
/DISABLEREDIRECT disable redirection in the boot loader
/REDIRECT enable redirection in the boot loader with the specified configuration
example : bootcfg /redirect com1 115200
bootcfg /redirect usebiossettings
c:\WINDOWS>bootcfg
bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 05 Feb 2008 22:25
I'd say use bootcfg /rebuild, it should ask you to add the OS.
That way we should end up with 2 OSes at boot (one with bootsafe and one without).
pietruzzzo (Hero in the grace of the gods)
Posted: 05 Feb 2008 22:31
I typed rebuild after bootcfg/
the reply was:
"comando sconosciuto digitare help per ottenere l'elenco dei comandi supportati"
I typed help and a list appeared:
among them, the ones starting with "R" are:
RD
REN
RENAME
RMDIR
I typed RD thinking it might be the only possible abbreviation of "rebuild", but nothing.
PS
I typed them both in upper case and in lower case but the result is always the same.
uff
pietruzzzo (Hero in the grace of the gods)
Posted: 05 Feb 2008 22:34
I also tried disableredirect...
same verdict...
PS
if you want we could talk in some chat, maybe we'd communicate better...
if you want I have Skype.... at worst I'll send you my nick by PM
edit by bdoriano: solved with bootcfg /rebuild from the command console.
pietruzzzo (Hero in the grace of the gods)
Posted: 05 Feb 2008 23:16
here is the log:
ComboFix 08-02.05.3 - pietruzzo 2008-02-05 22.10.06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.524 [GMT 1:00]
Eseguito da: C:\Documents and Settings\pietruzzo\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\recover.reg
----- BITS: Possible infected sites -----
hxxp://ygsondheks.info
.
((((((((((((((((((((((((( Files Creati Da 2008-01-05 al 2008-02-05 )))))))))))))))))))))))))))))))))))
.
2008-02-05 22:04 . 2008-02-05 22:04 <DIR> d-------- C:\Programmi\TeamViewer3
2008-02-05 22:04 . 2008-02-05 22:04 <DIR> d-------- C:\Documents and Settings\pietruzzo\temp
2008-02-05 22:04 . 2008-02-05 22:04 <DIR> d-------- C:\Documents and Settings\pietruzzo\Dati applicazioni\TeamViewer
2008-02-05 14:46 . 2008-02-05 14:46 <DIR> d-------- C:\Programmi\Black List Software
2008-02-05 14:40 . 2008-02-05 14:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-05 14:06 . 2008-02-05 14:06 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-05 14:06 . 2008-02-05 14:06 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-05 14:05 . 2008-02-05 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-02-05 14:05 . 2008-02-05 22:13 2,676,768 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-05 14:05 . 2008-02-05 17:38 31,820 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-05 14:05 . 2008-02-05 22:13 17,696 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-05 14:05 . 2008-02-05 17:38 2,444 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-05 10:29 . 2008-02-05 10:29 <DIR> d-------- C:\Programmi\Plusdate
2008-02-05 10:29 . 2008-02-05 10:29 <DIR> d-------- C:\Documents and Settings\pietruzzo\Dati applicazioni\Plusdate
2008-02-05 10:29 . 2008-02-05 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1
2008-02-05 10:28 . 2008-02-05 10:28 <DIR> d-------- C:\Programmi\Player Tool
2008-02-04 20:02 . 2008-02-04 20:02 <DIR> d-------- C:\Documents and Settings\pietruzzo\Dati applicazioni\Search Settings
2008-02-04 19:53 . 2008-02-04 19:53 <DIR> d-------- C:\Programmi\Search Settings
2008-02-04 19:49 . 2008-02-05 12:53 <DIR> d-------- C:\Programmi\Free FLV Converter
2008-02-04 19:36 . 2008-02-04 19:36 <DIR> d-------- C:\Documents and Settings\pietruzzo\Dati applicazioni\AVS4YOU
2008-02-04 19:36 . 2008-02-04 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\AVS4YOU
2008-02-04 19:34 . 2008-02-04 19:34 <DIR> d-------- C:\Programmi\File comuni\AVSMedia
2008-02-04 19:33 . 2008-02-04 19:34 <DIR> d-------- C:\Programmi\AVS4YOU
2008-02-04 19:33 . 2007-02-27 19:36 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-01-28 19:06 . 2008-01-28 19:06 1,221,267 --a------ C:\WINDOWS\LightWave 3D 9 Uninstaller.exe
2008-01-28 19:05 . 2008-01-28 19:05 <DIR> d-------- C:\Programmi\NewTek
2008-01-26 14:34 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 20:57 --------- d-----w C:\Documents and Settings\pietruzzo\Dati applicazioni\Skype
2008-02-05 13:40 --------- d-----w C:\Programmi\eMule
2008-02-01 13:34 --------- d-----w C:\Documents and Settings\pietruzzo\Dati applicazioni\OpenOffice.org2
2008-01-26 14:55 --------- d-----w C:\Programmi\a-squared Free
2008-01-26 14:22 --------- d-----w C:\Programmi\Wireless LAN Utility
2008-01-26 14:20 --------- d-----w C:\Programmi\QuickTime
2008-01-26 14:13 --------- d-----w C:\Programmi\File comuni\Autodesk Shared
2008-01-26 14:04 --------- d-----w C:\Programmi\Bonjour
2008-01-04 15:41 --------- d-----w C:\Programmi\Labtec
2008-01-04 15:41 --------- d-----w C:\Programmi\File comuni\LogiShrd
2008-01-04 15:41 --------- d-----w C:\Programmi\File comuni\Labtec
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
2007-12-06 11:58 1198432 --a------ C:\Programmi\Search Settings\kb125\SearchSettings.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-08-19 15:51 1667584]
"Skype"="C:\Programmi\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]
"nameproc"="C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe" [2008-02-05 10:28 428032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"ISUSPM"="C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 03:23 46592 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Version Cue CS2"="C:\Programmi\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"TI WLAN"="C:\Programmi\Wireless LAN Utility\TIWLANCu.exe" [2005-07-20 10:12 1159168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"LogitechCommunicationsManager"="C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe" [2007-03-06 17:48 488984]
"LogitechQuickCamRibbon"="C:\Programmi\Labtec\WebCam10\WebCam10.exe" [2007-03-06 17:58 1060376]
"SearchSettings"="C:\Programmi\Search Settings\SearchSettings.exe" [2007-12-06 11:58 1069920]
"seek 1 skip mfcd"="C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1\Boob road.exe" [2008-02-05 21:57 1002496]
"AVP"="C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 20:50 200768]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"LanguageShortcut"="C:\Programmi\CyberLink\PowerDVD\Language\Language.exe" [ ]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Reader.lnk]
backup=C:\WINDOWS\pss\Avvio veloce di Adobe Reader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^pietruzzo^Menu Avvio^Programmi^Esecuzione automatica^OpenOffice.org 2.1.lnk]
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 07:45]
R3 TUSB1150;802.11g WLAN USB Adapter;C:\WINDOWS\system32\DRIVERS\tusb1150.sys [2005-06-03 09:42]
.
Contenuto della cartella 'Scheduled Tasks'
"2008-02-05 21:00:00 C:\WINDOWS\Tasks\A0B3FF9F919C7D1F.job"
- c:\docume~1\pietru~1\datiap~1\plusdate\Surf Wma Vc.exe
"2008-01-26 14:26:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 22:13:47
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-02-05 22.14.33
ComboFix-quarantined-files.txt 2008-02-05 21:14:18
bdoriano (Administrator)
Posted: 05 Feb 2008 23:22
Download Avenger and unpack it into its own folder, not a temporary one and not on the desktop.
Start AVENGER
Click on input script manually
Click on the magnifying glass
Enter these lines:
Quote:
Files to delete:
C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe
C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1\Boob road.exe
C:\Programmi\Search Settings\SearchSettings.exe
C:\WINDOWS\Tasks\A0B3FF9F919C7D1F.job
c:\docume~1\pietru~1\datiap~1\plusdate\Surf Wma Vc.exe
Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post the Avenger result here along with an updated HijackThis log.
Afterwards, run these scans with GMER and post the logs on FreeFileHosting as explained here.
pietruzzzo (Hero in the grace of the gods)
Posted: 05 Feb 2008 23:28
Avenger log
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yeshljcp
*******************
Script file located at: \??\C:\WINDOWS\system32\nlbjptmv.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe deleted successfully.
File C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1\Boob road.exe deleted successfully.
File C:\Programmi\Search Settings\SearchSettings.exe deleted successfully.
File C:\WINDOWS\Tasks\A0B3FF9F919C7D1F.job deleted successfully.
File c:\docume~1\pietru~1\datiap~1\plusdate\Surf Wma Vc.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
pietruzzzo (Hero in the grace of the gods)
Posted: 05 Feb 2008 23:29
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 22.28.00, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\a-squared free\a2service.exe
C:\Programmi\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Wireless LAN Utility\tiwlnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Programmi\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Programmi\Wireless LAN Utility\TIWLANCu.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programmi\Labtec\WebCam10\WebCam10.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\File comuni\LogiShrd\LComMgr\LVComSX.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\PIETRU~1\IMPOST~1\Temp\Rar$EX00.942\HijackThis.exe
C:\DOCUME~1\PIETRU~1\IMPOST~1\Temp\Rar$EX00.633\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programmi\Search Settings\kb125\SearchSettings.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISUSPM] "C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Programmi\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [TI WLAN] C:\Programmi\Wireless LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Labtec\WebCam10\WebCam10.exe" /hide
O4 - HKLM\..\Run: [SearchSettings] C:\Programmi\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [seek 1 skip mfcd] C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1\Boob road.exe
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [nameproc] C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Anti-virus web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{98AF8819-9362-4944-9276-4D2AA181316D}: NameServer = 213.140.2.12,213.140.2.21
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\programmi\a-squared free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Programmi\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Programmi\File comuni\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Labtec Inc. - C:\Programmi\File comuni\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Programmi\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Programmi\Wireless LAN Utility\tiwlnsvc.exe
pietruzzzo (Hero in the grace of the gods)
Posted: 05 Feb 2008 23:32
THANKS BDORIANO
YOU'RE GREAT!!!!
bdoriano (Administrator)
Posted: 06 Feb 2008 21:29
pietruzzzo wrote:
C:\DOCUME~1\PIETRU~1\IMPOST~1\Temp\Rar$EX00.942\HijackThis.exe
C:\DOCUME~1\PIETRU~1\IMPOST~1\Temp\Rar$EX00.633\HijackThis.exe
Remember that HijackThis must be saved in its own folder, not a temporary one and not on the desktop.
Run a full scan with Spybot and let it fix any problems it finds.
pietruzzzo (Hero in the grace of the gods)
Posted: 07 Feb 2008 15:19
On the second scan GMER told me it hadn't found any kind of modification to the system and didn't give me any report...
do I need to do anything else?
bdoriano (Administrator)
Posted: 07 Feb 2008 22:30
Open Notepad and copy/paste this code
Quote:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"nameproc"=-
then save the file with the name fix.reg in C:\ (IMPORTANT!)
Start AVENGER
Click on input script manually
Click on the magnifying glass
Enter these lines:
Quote:
files to delete:
C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1\Boob road.exe
C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe
C:\Programmi\Search Settings\kb125\SearchSettings.dll
registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | seek 1 skip mfcd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | SearchSettings
registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
Programs to launch on reboot:
C:\fix.reg
Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post the Avenger result here along with an updated HijackThis log.
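The triage the helper does by hand in this post and in the 23:22 post (spotting Run entries that point into user-profile data directories, then turning them into an Avenger file/value deletion list and a .reg value deletion) as a small Python script. This is an added example, not code from the thread or from any of the tools named in it; the sample log lines are constructed from the HijackThis logs posted above, and the user-writable path fragments and the local-proxy check are heuristics chosen here, not rules from the tools.

```python
import re

# Constructed sample: a few HijackThis 1.99.1 lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programmi\Search Settings\kb125\SearchSettings.dll
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [seek 1 skip mfcd] C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1\Boob road.exe
O4 - HKCU\..\Run: [nameproc] C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe
"""

# Full key paths used by the Avenger "registry values to delete" syntax in the thread.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Heuristic (assumption of this example): autoruns living under user-writable profile
# directories deserve a look. Italian XP names and their 8.3 short forms are included
# because both appear in the thread's logs.
USER_WRITABLE = (
    "\\documents and settings\\", "\\docume~1\\", "\\dati applicazioni\\",
    "\\datiap~1\\", "\\application data\\", "\\temp\\",
)

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)$")


def _target_path(cmd: str) -> str:
    """Return the executable path from an O4 command (quoted, or bare even with spaces)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd


def parse_hjt(text: str) -> list:
    """Pick the O4 autorun lines and the R1 proxy line out of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            entries.append({"kind": "run", "hive": hive, "name": name,
                            "path": _target_path(cmd)})
            continue
        m = R1_PROXY_RE.match(line)
        if m:
            entries.append({"kind": "proxy", "server": m.group(1)})
    return entries


def triage(entries: list) -> list:
    """Flag autoruns in user-writable directories and a browser proxy pointed at localhost."""
    findings = []
    for e in entries:
        if e["kind"] == "run":
            if any(frag in e["path"].lower() for frag in USER_WRITABLE):
                findings.append(dict(e, reason="autorun under user-writable profile directory"))
        elif e["kind"] == "proxy" and e["server"].lower().startswith(("localhost", "127.")):
            # Not proof of anything: a security product may own the port; match it to a process.
            findings.append(dict(e, reason="IE proxy points at a local port; confirm which process owns it"))
    return findings


def avenger_script(findings: list) -> str:
    """Render the 'Files to delete' / 'Registry values to delete' list in the thread's Avenger format."""
    runs = [f for f in findings if f["kind"] == "run"]
    lines = ["Files to delete:"] + [f["path"] for f in runs]
    lines.append("Registry values to delete:")
    lines += [f"{RUN_KEYS[f['hive']]} | {f['name']}" for f in runs]
    return "\n".join(lines)


def reg_delete_script(findings: list) -> str:
    """Render a .reg file that removes the flagged Run values ("name"=- deletes a value)."""
    out = ["Windows Registry Editor Version 5.00"]
    for f in findings:
        if f["kind"] == "run":
            out += ["", f"[{RUN_KEYS[f['hive']]}]", f'"{f["name"]}"=-']
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for f in found:
        print(f["reason"], "->", f.get("path") or f.get("server"))
    print(avenger_script(found))
    print(reg_delete_script(found))
```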
pietruzzzo (Hero in the grace of the gods)
Posted: 08 Feb 2008 14:43
hi Bdoriano...
I did as you told me.
I put the fix.reg file on C:/ but on reboot, after doing the whole process with Avenger, it gave me an error saying it couldn't find the file in C:/....
dunno... yet I made no mistakes.. I checked several times and everything is right.
anyway, here are the Avenger and HijackThis reports
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wphbvwhk
*******************
Script file located at: \??\C:\Documents and Settings\brdnhfbx.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1\Boob road.exe not found!
Deletion of file C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1\Boob road.exe failed!
Could not process line:
C:\Documents and Settings\All Users\Dati applicazioni\Four Help Seek 1\Boob road.exe
Status: 0xc0000034
File C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe not found!
Deletion of file C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe failed!
Could not process line:
C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe
Status: 0xc0000034
File C:\Programmi\Search Settings\kb125\SearchSettings.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|seek 1 skip mfcd deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SearchSettings deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} deleted successfully.
Program C:\fix.reg successfully set up to run once on reboot.
Completed script processing.
*******************
Finished! Terminate.
Logfile of HijackThis v1.99.1
Scan saved at 13.43.23, on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\a-squared free\a2service.exe
C:\Programmi\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Wireless LAN Utility\tiwlnsvc.exe
C:\Programmi\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Programmi\Wireless LAN Utility\TIWLANCu.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programmi\Labtec\WebCam10\WebCam10.exe
C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\LogiShrd\LComMgr\LVComSX.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Java\jre1.5.0_11\bin\jucheck.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\PIETRU~1\IMPOST~1\Temp\Rar$EX00.133\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISUSPM] "C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Programmi\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [TI WLAN] C:\Programmi\Wireless LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Labtec\WebCam10\WebCam10.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [nameproc] C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{98AF8819-9362-4944-9276-4D2AA181316D}: NameServer = 213.140.2.12,213.140.2.21
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\programmi\a-squared free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Programmi\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Programmi\File comuni\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Labtec Inc. - C:\Programmi\File comuni\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Programmi\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Programmi\Wireless LAN Utility\tiwlnsvc.exe
bdoriano (Administrator)
Posted: 08 Feb 2008 20:53
Have you checked whether you can now boot the PC into safe mode?
Disable System Restore and boot the PC into safe mode
run HijackThis
click on do a system scan only
put a check mark on this entry:
Quote:
O4 - HKCU\..\Run: [nameproc] C:\DOCUME~1\PIETRU~1\DATIAP~1\Plusdate\Hold Bits Data.exe
click fix checked
Reboot the PC in normal mode, redo the HijackThis log and post it.
Now, install an antivirus.