Olimpo Informatico

[Roxicella]

Ecco il risultato di avenger. Alcuni dei file ke tu avevi selezionato risultano non trovati perkè in seguito alla scansione di kaspersky li avevo eliminati manualmente


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dksstekb

*******************

Script file located at: \??\C:\Program Files\ecmjhagm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\images018.zip not found!
Deletion of file C:\WINDOWS\images018.zip failed!

Could not process line:
C:\WINDOWS\images018.zip
Status: 0xc0000034



File C:\WINDOWS\itsME67.zip not found!
Deletion of file C:\WINDOWS\itsME67.zip failed!

Could not process line:
C:\WINDOWS\itsME67.zip
Status: 0xc0000034

File C:\WINDOWS\system32\libmsns.dll deleted successfully.
File C:\WINDOWS\system32\lsaepttw.exe deleted successfully.


File C:\WINDOWS\webcam-photos041.zip not found!
Deletion of file C:\WINDOWS\webcam-photos041.zip failed!

Could not process line:
C:\WINDOWS\webcam-photos041.zip
Status: 0xc0000034



File C:\WINDOWS\TEMP\zcehaa.exe not found!
Deletion of file C:\WINDOWS\TEMP\zcehaa.exe failed!

Could not process line:
C:\WINDOWS\TEMP\zcehaa.exe
Status: 0xc0000034

File C:\WINDOWS\TEMP\wqpfaa.exe not found!
Deletion of file C:\WINDOWS\TEMP\wqpfaa.exe failed!

Could not process line:
C:\WINDOWS\TEMP\wqpfaa.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Qui la scansione di hijack

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10.40.17, on 10/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Microsoft Encarta\Encarta Enciclopedia Plus\EDICT.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\File comuni\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Vis\Desktop\Rossellina\Hijack\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/results.aspx?mkt=it-it&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com/
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [zcehaa.exe] C:\WINDOWS\TEMP\zcehaa.exe
O4 - HKLM\..\Run: [wqpfaa.exe] C:\WINDOWS\TEMP\wqpfaa.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Nokia.PCSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://rox-10.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54D61AC-3F9D-40B0-A55A-5C662D15B172}: NameServer = 85.37.17.51 85.38.28.97
O21 - SSODL: printers - {74789FED-CD80-4BC2-8137-889DC1B1DD81} - libmsns.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

--
End of file - 3982 bytes

[bdoriano]

Terapia d'urto...
Clicca qui.
Salva il file, anche sul desktop se vuoi.
(se hai problemi a salvare il file, tieni premuto il tasto CTRL mentre clicchi)
Disattiva temporaneamente il tuo antivirus.
Avvia il file appena scaricato (sys#####)
Assicurati che tutte le voci siano spuntate.
clicca su Scan now
L'operazione può durare diversi minuti... abbi pazienza
Al termine della scansione, ti verrà aperto il blocco note. Puoi chiuderlo tranquillamente.
Chiudi il programma e riattiva il tuo antivirus.
Carica il file c:\suspectfile\report.txt su http://www.freefilehosting.net
Posta qui il link che ti viene assegnato.

[Roxicella]

Ecco il link ke hai kiesto:
http://www.freefilehosting.net/download/MTAxNzg=

p.s.ho fatto un'altra scansione online con kaspersky e mi ha segnalato come unici virus quelli presenti nella cartella di backup di avenger...Li devo eliminare?

p.s.s.bdoriano, tu6 1mito

[Roxicella]

Ehi ragazzi...poi non mi avete fatto sapere più nulla...Qualcosa rilevato dalla scansione con Systemscan?Cmq nel frattempo ho cambiato antivirus: Nod32 2.5 invece di avg 7.5...Però c'è un problema: il nuovo antivirus nella barra del firewall non risulta aggiornato, mentre nella propria skermata si...Vi posto cmq un log di hijack. fatemi sapere!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11.39.54, on 11/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Microsoft Encarta\Encarta Enciclopedia Plus\EDICT.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\File comuni\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Vis\Desktop\Rossellina\Hijack\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/results.aspx?mkt=it-it&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [zcehaa.exe] C:\WINDOWS\TEMP\zcehaa.exe
O4 - HKLM\..\Run: [wqpfaa.exe] C:\WINDOWS\TEMP\wqpfaa.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Nokia.PCSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://rox-10.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54D61AC-3F9D-40B0-A55A-5C662D15B172}: NameServer = 85.37.17.51 85.38.28.97
O21 - SSODL: printers - {74789FED-CD80-4BC2-8137-889DC1B1DD81} - libmsns.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3779 bytes

[bdoriano]

Sii paziente, molti sono in ferie e anch'io devo dedicarmi anche alla vita sociale...

[bdoriano]

Avvia AVENGER
Clicca su input script manually
Clicca sulla lente d'ingrandimento
Inserisci queste righe:

[Roxicella]

Qui il log di Avenger. Sto ancora facendo lo scan con panda e mi ha trovato un dialer.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ojcxbfsu

*******************

Script file located at: \??\C:\Documents and Settings\yglctryu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\TEMP\zcehaa.exe not found!
Deletion of file C:\WINDOWS\TEMP\zcehaa.exe failed!

Could not process line:
C:\WINDOWS\TEMP\zcehaa.exe
Status: 0xc0000034



File C:\WINDOWS\TEMP\wqpfaa.exe not found!
Deletion of file C:\WINDOWS\TEMP\wqpfaa.exe failed!

Could not process line:
C:\WINDOWS\TEMP\wqpfaa.exe
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\libmsns.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\libmsns.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\libmsns.dll
Status: 0xc0000034

File c:\windows\tasks\lrkylcx.job deleted successfully.
File c:\windows\tasks\tqbpl.job deleted successfully.
File c:\windows\tasks\sjrtabc.job deleted successfully.
File c:\windows\tasks\tww.job deleted successfully.
File c:\windows\tasks\tqckhan.job deleted successfully.
File c:\windows\tasks\ryvzcwo.job deleted successfully.
File c:\windows\tasks\nijimff.job deleted successfully.
File c:\windows\tasks\mhftg.job deleted successfully.
File c:\windows\tasks\pklkb.job deleted successfully.
File c:\windows\tasks\ruksohy.job deleted successfully.
File c:\windows\tasks\pmp.job deleted successfully.
File c:\windows\tasks\ujdgv.job deleted successfully.
File c:\windows\tasks\yancskg.job deleted successfully.
File c:\windows\tasks\xzqbh.job deleted successfully.
File c:\windows\tasks\yotdlt.job deleted successfully.
File c:\windows\tasks\zwwfh.job deleted successfully.
File c:\windows\tasks\zfbnjg.job deleted successfully.
File c:\windows\tasks\xmagb.job deleted successfully.
File c:\windows\tasks\vldov.job deleted successfully.
File c:\windows\tasks\uzkm.job deleted successfully.
File c:\windows\tasks\wcbvul.job deleted successfully.
File c:\windows\tasks\wvebtn.job deleted successfully.
File c:\windows\tasks\wpyqqe.job deleted successfully.
File c:\windows\tasks\kgbba.job deleted successfully.
File c:\windows\tasks\jcxcrzwh.job deleted successfully.
File c:\windows\tasks\kqr.job deleted successfully.
File c:\windows\tasks\lerxmwg.job deleted successfully.
File c:\windows\tasks\lcaajqg.job deleted successfully.
File c:\windows\tasks\flaj.job deleted successfully.
File c:\windows\tasks\fxgszzc.job deleted successfully.
File c:\windows\tasks\gpd.job deleted successfully.
File c:\windows\tasks\euyu.job deleted successfully.
File c:\windows\tasks\faremr.job deleted successfully.
File c:\windows\tasks\fkqq.job deleted successfully.
File c:\windows\tasks\gzejzse.job deleted successfully.
File c:\windows\tasks\iryiqr.job deleted successfully.
File c:\windows\tasks\ixssclp.job deleted successfully.
File c:\windows\tasks\hmivv.job deleted successfully.
File c:\windows\tasks\hghyq.job deleted successfully.
File c:\windows\tasks\hgxi.job deleted successfully.
File c:\windows\tasks\beg.job deleted successfully.
File c:\windows\tasks\apbka.job deleted successfully.
File c:\windows\tasks\ajo.job deleted successfully.
File c:\windows\tasks\ddsk.job deleted successfully.
File c:\windows\tasks\ejme.job deleted successfully.
File c:\windows\tasks\dzo.job deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|zcehaa.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|wqpfaa.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|printers deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[Roxicella]

Non mi è comparso nessun risultato in pagina web da salvare su freefilehosting...Solo un blocco note il cui contenuto ti copio qui

Incident Status Location

Dialer:dialer.min Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB893839-10F0-4AF9-92FA-B23528F530AF}
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Vis\Cookies\vis@atdmt[1].txt

[bdoriano]

Sembrerebbero tracce nel file di registro e basta...

Scarica e installa la versione free di SuperAntiSpyware, aggiornalo e fagli fare una passata completa.
Puoi provare ad usare anche:
a-squared
lavasoft ad-aware
spybot search and destroy

[Roxicella]

Sto facendo come mi dici, ho scaricato SUPERAntispyware, aggiornato e fatto lo scan completo del pc, ma sono tranquilla xkè tutto sembra andare bene (MSN compreso:))...Se passi di qui, ti kiedo un ultimo consiglio (sperando ke non avrò + problemi in futuro ) : qual'è l'antivirus migliore ke posso mettere nel pc (naturalmente free) e dove lo posso trovare?..Confidando sempre nella tua gentilezza, ti ringrazio di vero cuore di tutto.
Rossella

[bdoriano]

Ottimo! Fai sapere se ci sono problemi.
Per gli antivirus, dai un'occhiata a questo topic.