poisongirl81 Mortale pio
Registered: 27/07/07 14:55
Posts: 15
Location: Roma

Posted: 27 Jul 2007 15:08    Subject: I can't remove whataboutrabit and whataboutdog

Hello, I can't find thorough information online on how to remove these viruses.
The problems I notice on the PC are that every now and then the connection drops for no apparent reason, and on some days when I start the PC it doesn't boot and tells me to run setup or start in safe mode.

I'm attaching the HijackThis log:
 
 Logfile of HijackThis v1.99.1
 Scan saved at 15.06.03, on 27/07/2007
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Ahead\InCD\InCDsrv.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 C:\WINDOWS\system32\cisvc.exe
 C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\WINDOWS\system32\svchost.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgfwsrv.exe
 C:\WINDOWS\system32\cidaemon.exe
 C:\WINDOWS\Explorer.EXE
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
 C:\WINDOWS\Wcgopsvc.exe
 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
 C:\Programmi\iTunes\iTunesHelper.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\Programmi\MySpace\IM\MySpaceIM.exe
 C:\Programmi\Skype\Phone\Skype.exe
 C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
 C:\Programmi\iPod\bin\iPodService.exe
 C:\Programmi\Skype\Plugin Manager\skypePM.exe
 C:\Programmi\Internet Explorer\iexplore.exe
 C:\Programmi\MediaMonkey\MediaMonkey.exe
 C:\Programmi\Winamp\Winamp.exe
 C:\Programmi\MSN Messenger\msnmsgr.exe
 C:\Programmi\MSN Messenger\usnsvc.exe
 C:\Documents and Settings\-\Desktop\HijackThis.exe
 
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arianna.it/perie/hometestie.html
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infostrada LIBERO
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
 O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
 O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
 O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
 O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\AnyDVD\AnyDVD.exe
 O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
 O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
 O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MySpaceIM] C:\Programmi\MySpace\IM\MySpaceIM.exe
 O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
 O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programmi\Octoshape Streaming Services\-\OctoshapeClient.exe" -inv:bootrun
 O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
 O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
 O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
 O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
 O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
 O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
 O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
 O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
 O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
 O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
 O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O15 - Trusted Zone: http://toolbar.imageshack.us
 O15 - Trusted Zone: *.whataboutadog.com
 O15 - Trusted Zone: *.whataboutarabit.com
 O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
 O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://poisongirl981.spaces.msn.com//PhotoUpload/MsnPUpld.cab
 O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
 O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
 O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
 O16 - DPF: {C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61} (DownloaderActiveX Control) - http://c6.community.virgilio.it/download/DownloaderActiveX.cab
 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
 O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
 O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
 O17 - HKLM\System\CCS\Services\Tcpip\..\{F68FBA0F-3906-4A63-897C-358C17A54E1F}: NameServer = 85.37.17.16 85.38.28.68
 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
 O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Unknown owner - C:\Programmi\a-squared Anti-Malware\a2service.exe (file missing)
 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgfwsrv.exe
 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
 O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
 O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
 O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
 
Thanks in advance to anyone willing to help me

Ester

Sante62 Dio maturo
Registered: 27/06/07 17:55
Posts: 3477
Location: Floridia

Posted: 27 Jul 2007 15:54    Subject:

Hi. In the HijackThis log, tick the box to the left of these entries:
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
Click Fix Checked
Restart the PC, make another HJT log and post it.
Then Winsock needs to be reset; try this:
Start -->> Run -->> type cmd and confirm with OK
- At the command prompt type netsh Winsock reset and confirm with OK
When you get a message like "reimpostazione catalogo Winsock completata" (Winsock catalog reset completed) you will have to restart
- After the restart go to the prompt again and this time type netsh int ip reset reset.log and press Enter
- Winsock should now be reset
PS: carry out these operations with all other applications closed.
Then, also do these steps:
http://forum.zeusnews.com/viewtopic.php?p=194965#194965 step 1 -

http://forum.zeusnews.com/viewtopic.php?p=194966#194966 step 2 -

Orange Dio maturo
Registered: 18/02/07 13:20
Posts: 2224
Location: Roma

Posted: 27 Jul 2007 17:00    Subject:

Hi, poisongirl81! Welcome from me too.

Hold off on doing this operation!

Quote:
Then Winsock needs to be reset; try this: Start -->> Run -->> type cmd and confirm with OK
- At the command prompt type netsh Winsock reset and confirm with OK
When you get a message like "reimpostazione catalogo Winsock completata" (Winsock catalog reset completed) you will have to restart
- After the restart go to the prompt again and this time type netsh int ip reset reset.log and press Enter
- Winsock should now be reset

Download FindAWF and run it; a DOS window will open. Press Enter and wait for Notepad to open with the log in it. Copy its contents and post them here.

poisongirl81 Mortale pio
Registered: 27/07/07 14:55
Posts: 15
Location: Roma

Posted: 27 Jul 2007 23:16    Subject:

This is the new HijackThis log
 Logfile of HijackThis v1.99.1
 Scan saved at 23.03.53, on 27/07/2007
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Ahead\InCD\InCDsrv.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\WINDOWS\Explorer.EXE
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
 C:\WINDOWS\Wcgopsvc.exe
 C:\Programmi\iTunes\iTunesHelper.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\Programmi\MySpace\IM\MySpaceIM.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 C:\Programmi\Skype\Phone\Skype.exe
 C:\WINDOWS\system32\cisvc.exe
 C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
 C:\WINDOWS\system32\svchost.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgfwsrv.exe
 C:\Programmi\CyberLink\PowerDVD\bak\PDVDServ.exe
 C:\Programmi\iPod\bin\iPodService.exe
 c:\programmi\internet explorer\iexplore.exe
 C:\Programmi\Skype\Plugin Manager\skypePM.exe
 C:\Programmi\Internet Explorer\iexplore.exe
 C:\Documents and Settings\-\Desktop\HijackThis.exe
 
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arianna.it/perie/hometestie.html
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infostrada LIBERO
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
 O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
 O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
 O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
 O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\AnyDVD\AnyDVD.exe
 O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
 O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
 O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MySpaceIM] C:\Programmi\MySpace\IM\MySpaceIM.exe
 O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
 O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programmi\Octoshape Streaming Services\-\OctoshapeClient.exe" -inv:bootrun
 O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
 O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
 O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
 O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
 O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
 O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
 O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
 O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
 O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
 O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
 O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O15 - Trusted Zone: http://toolbar.imageshack.us
 O15 - Trusted Zone: *.whataboutarabit.com
 O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
 O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://poisongirl981.spaces.msn.com//PhotoUpload/MsnPUpld.cab
 O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
 O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
 O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
 O16 - DPF: {C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61} (DownloaderActiveX Control) - http://c6.community.virgilio.it/download/DownloaderActiveX.cab
 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
 O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
 O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
 O17 - HKLM\System\CCS\Services\Tcpip\..\{F68FBA0F-3906-4A63-897C-358C17A54E1F}: NameServer = 85.37.17.16 85.38.28.68
 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
 O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Unknown owner - C:\Programmi\a-squared Anti-Malware\a2service.exe (file missing)
 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgfwsrv.exe
 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
 O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
 O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
 O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
 
And this is the log from the other program
 
 
 Find AWF report by noahdfear ©2006
 
 
 bak folders found
 ~~~~~~~~~~~
 
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\ANYDVD\BAK
 
 02/03/2006  14.19           459.264 AnyDVD.exe
 1 File        459.264 byte
 2 Directory   7.648.153.600 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\ITUNES\BAK
 
 30/10/2006  10.36           256.576 iTunesHelper.exe
 1 File        256.576 byte
 2 Directory   7.648.153.600 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\QUICKT~1\BAK
 
 06/12/2006  03.41           282.624 qttask.exe
 1 File        282.624 byte
 2 Directory   7.648.149.504 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\SUPERA~1\BAK
 
 01/05/2007  09.29         1.318.128 SUPERAntiSpyware.exe
 1 File      1.318.128 byte
 2 Directory   7.648.149.504 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\UNLOCKER\BAK
 
 0 File              0 byte
 2 Directory   7.648.149.504 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\WINDOWS\SYSTEM32\BAK
 
 19/08/2004  15.39            15.360 ctfmon.exe
 09/07/2001  12.50           155.648 NeroCheck.exe
 2 File        171.008 byte
 2 Directory   7.648.149.504 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\AHEAD\INCD\BAK
 
 21/07/2007  13.22           131.057 Error.log
 27/08/2004  11.01         1.450.096 InCD.exe
 2 File      1.581.153 byte
 2 Directory   7.648.149.504 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\BABYLON\BABYLO~1\BAK
 
 23/04/2006  19.24         2.655.272 Babylon.exe
 1 File      2.655.272 byte
 2 Directory   7.648.149.504 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\CYBERL~1\POWERDVD\BAK
 
 31/10/2003  19.42            32.768 PDVDServ.exe
 1 File         32.768 byte
 2 Directory   7.648.149.504 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK
 
 16/02/2007  03.23           406.016 avgcc.exe
 1 File        406.016 byte
 2 Directory   7.648.149.504 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\MYSPACE\IM\BAK
 
 12/01/2007  03.45         4.898.816 MySpaceIM.exe
 1 File      4.898.816 byte
 2 Directory   7.648.149.504 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\OCTOSH~1\-\BAK
 
 13/02/2006  18.33           214.648 OctoshapeClient.exe
 1 File        214.648 byte
 2 Directory   7.648.145.408 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\SLYSOFT\CLONECD\BAK
 
 09/12/2004  15.56            57.344 CloneCDTray.exe
 1 File         57.344 byte
 2 Directory   7.648.145.408 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK
 
 06/12/2004  22.31            36.975 jusched.exe
 1 File         36.975 byte
 2 Directory   7.648.145.408 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
 
 11/09/2003  05.00            99.840 E_S4I0H2.EXE
 1 File         99.840 byte
 2 Directory   7.648.145.408 byte disponibili
 
 
 Duplicate files of bak directory contents
 ~~~~~~~~~~~~~~~~~~~~~~~
 
 24080  6 Jul 2007 "C:\Programmi\AnyDVD\AnyDVD.exe"
 459264  2 Mar 2006 "C:\Programmi\AnyDVD\bak\AnyDVD.exe"
 257088 26 May 2007 "C:\Programmi\iTunes\iTunesHelper.exe1183752334"
 256576 30 Oct 2006 "C:\Programmi\iTunes\bak\iTunesHelper.exe"
 102400 11 Jul 2007 "C:\WINDOWS\Installer\{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}\iTunesIco.exe"
 116024 11 Jul 2007 "C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer\Installer Cache\iTunes 7.3.0.54\iTunesSetupAdmin.exe"
 24080  6 Jul 2007 "C:\Programmi\QuickTime\qttask.exe"
 282624  6 Dec 2006 "C:\Programmi\QuickTime\bak\qttask.exe"
 1318128  1 May 2007 "C:\Programmi\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
 15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
 15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
 24080  6 Jul 2007 "C:\WINDOWS\system32\NeroCheck.exe"
 155648  9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
 127746 16 Feb 2007 "C:\Programmi\Ahead\InCD\Error.log"
 131057 21 Jul 2007 "C:\Programmi\Ahead\InCD\bak\Error.log"
 24080  6 Jul 2007 "C:\Programmi\Ahead\InCD\InCD.exe"
 1450096 27 Aug 2004 "C:\Programmi\Ahead\InCD\bak\InCD.exe"
 24080  6 Jul 2007 "C:\Programmi\Babylon\Babylon-Pro\Babylon.exe"
 2655272 23 Apr 2006 "C:\Programmi\Babylon\Babylon-Pro\bak\Babylon.exe"
 24080  6 Jul 2007 "C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe"
 32768 31 Oct 2003 "C:\Programmi\CyberLink\PowerDVD\bak\PDVDServ.exe"
 416256 11 Jul 2007 "C:\Programmi\Grisoft\AVG Free\avgcc.exe"
 406016 16 Feb 2007 "C:\Programmi\Grisoft\AVG Free\bak\avgcc.exe"
 4898816 12 Jan 2007 "C:\Programmi\MySpace\IM\MySpaceIM.exe1174437795"
 4898816 12 Jan 2007 "C:\Programmi\MySpace\IM\bak\MySpaceIM.exe"
 73368 26 Apr 2007 "F:\Programmi\MySpaceIM_Setup.exe"
 24080  6 Jul 2007 "C:\Programmi\Octoshape Streaming Services\-\OctoshapeClient.exe"
 214648 13 Feb 2006 "C:\Programmi\Octoshape Streaming Services\-\bak\OctoshapeClient.exe"
 317048 23 May 2007 "C:\Programmi\Octoshape Streaming Services\-\octoprogram-L03-N00_1G_900\OctoshapeClient.exe"
 24080  6 Jul 2007 "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe"
 57344  9 Dec 2004 "C:\Programmi\SlySoft\CloneCD\bak\CloneCDTray.exe"
 36975  6 Dec 2004 "C:\Programmi\Java\jre1.5.0_01\bin\bak\jusched.exe"
 24080  6 Jul 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0H2.EXE"
 99840 11 Sep 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S4I0H2.EXE"
 
 
 end of report

Sante62 Dio maturo
Registered: 27/06/07 17:55
Posts: 3477
Location: Floridia

Posted: 28 Jul 2007 00:14    Subject:

Hi. In the HijackThis log, tick the box to the left of this line:
O15 - Trusted Zone: *.whataboutarabit.com
Click Fix Checked
Restart the PC

Download Avenger: http://swandog46.geekstogo.com/avenger.zip
Run it
Click on input script manually
Click on the magnifying glass
Enter these lines:
 Files to delete:
 C:\Programmi\AnyDVD\AnyDVD.exe
 C:\Programmi\iTunes\iTunesHelper.exe1183752334
 C:\Programmi\QuickTime\qttask.exe
 C:\WINDOWS\system32\NeroCheck.exe
 C:\Programmi\Ahead\InCD\Error.log
 C:\Programmi\Ahead\InCD\InCD.exe
 C:\Programmi\Babylon\Babylon-Pro\Babylon.exe
 C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
 C:\Programmi\Grisoft\AVG Free\avgcc.exe
 C:\Programmi\Octoshape Streaming Services\-\OctoshapeClient.exe
 C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe
 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0H2.EXE
 
 Files to move:
 C:\Programmi\AnyDVD\bak\AnyDVD.exe | C:\Programmi\AnyDVD\AnyDVD.exe
 C:\Programmi\iTunes\bak\iTunesHelper.exe | C:\Programmi\iTunes\iTunesHelper.exe
 C:\Programmi\QuickTime\bak\qttask.exe | C:\Programmi\QuickTime\qttask.exe
 C:\WINDOWS\system32\bak\NeroCheck.exe | C:\WINDOWS\system32\NeroCheck.exe
 C:\Programmi\Ahead\InCD\bak\Error.log | C:\Programmi\Ahead\InCD\Error.log
 C:\Programmi\Ahead\InCD\bak\InCD.exe | C:\Programmi\Ahead\InCD\InCD.exe
 C:\Programmi\Babylon\Babylon-Pro\bak\Babylon.exe | C:\Programmi\Babylon\Babylon-Pro\Babylon.exe
 C:\Programmi\CyberLink\PowerDVD\bak\PDVDServ.exe | C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
 C:\Programmi\Grisoft\AVG Free\bak\avgcc.exe | C:\Programmi\Grisoft\AVG Free\avgcc.exe
 C:\Programmi\Octoshape Streaming Services\-\bak\OctoshapeClient.exe | C:\Programmi\Octoshape Streaming Services\-\OctoshapeClient.exe
 C:\Programmi\SlySoft\CloneCD\bak\CloneCDTray.exe | C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe
 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S4I0H2.EXE | C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0H2.EXE
 
 Folders to delete:
 C:\Programmi\AnyDVD\bak
 C:\Programmi\iTunes\bak
 C:\Programmi\QuickTime\bak
 C:\WINDOWS\system32\bak
 C:\Programmi\Ahead\InCD\bak
 C:\Programmi\Babylon\Babylon-Pro\bak
 C:\Programmi\CyberLink\PowerDVD\bak
 C:\Programmi\Grisoft\AVG Free\bak
 C:\Programmi\Octoshape Streaming Services\-\bak
 C:\Programmi\SlySoft\CloneCD\bak
 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
Click Done
Click on the traffic light
The PC should restart; if it doesn't, restart it yourself.
You will find the result of the operation in C:\Avenger.txt. Post it here.
When the operation is finished, post an updated HijackThis log.

Have this file analyzed at www.virustotal.com
C:\WINDOWS\Wcgopsvc.exe
From the main page click Upload;
Specify the path to the file, then click Open, and then Send.
Wait for the various antivirus engines to analyze the file.
Paste the result here.
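
Added example, not part of the thread and not code from FindAWF or Avenger: a Python sketch that reads the "Duplicate files of bak directory contents" section of the FindAWF report and derives the three script sections used in the post above. The pairing rule (a file one level above a bak folder, with the same name or the name plus a numeric suffix, is treated as displaced when its size differs from the bak copy) is an assumption inferred from the posted script; the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the "Duplicate files of bak directory contents" section of the
# FindAWF report posted in this thread (size, date, quoted path).
REPORT = r'''
24080  6 Jul 2007 "C:\Programmi\AnyDVD\AnyDVD.exe"
459264  2 Mar 2006 "C:\Programmi\AnyDVD\bak\AnyDVD.exe"
257088 26 May 2007 "C:\Programmi\iTunes\iTunesHelper.exe1183752334"
256576 30 Oct 2006 "C:\Programmi\iTunes\bak\iTunesHelper.exe"
102400 11 Jul 2007 "C:\WINDOWS\Installer\{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}\iTunesIco.exe"
1318128  1 May 2007 "C:\Programmi\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
24080  6 Jul 2007 "C:\WINDOWS\system32\NeroCheck.exe"
155648  9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
4898816 12 Jan 2007 "C:\Programmi\MySpace\IM\MySpaceIM.exe1174437795"
4898816 12 Jan 2007 "C:\Programmi\MySpace\IM\bak\MySpaceIM.exe"
'''

# One listing line: <size> <day> <month> <year> "<path>"
LINE = re.compile(
    r'^[ \t]*(\d+)\s+(\d{1,2} [A-Za-z]{3} \d{4})\s+"([^"]+)"[ \t]*$', re.M)


def parse_duplicates(report):
    """Return (size, date, PureWindowsPath) for every listing line."""
    return [(int(size), date, PureWindowsPath(path))
            for size, date, path in LINE.findall(report)]


def plan_restore(entries):
    """Pair each bak\\<name> with <name> (or <name><digits>) one level up.

    Assumed rule: a sibling whose size differs from the backup is treated as
    displaced and scheduled for deletion, the backup is moved back to the
    original name, and the bak folder is removed. Anything else is listed
    under "skipped" so that it can be reviewed by hand.
    """
    plan = {"delete": [], "move": [], "folders": [], "skipped": []}
    for bak_size, _, bak in entries:
        if bak.parent.name.lower() != "bak":
            continue
        home = bak.parent.parent  # folder the original lived in
        name = re.compile(re.escape(bak.name) + r"\d*", re.IGNORECASE)
        # PureWindowsPath compares case-insensitively, like the file system.
        siblings = [(size, path) for size, _, path in entries
                    if path.parent == home and name.fullmatch(path.name)]
        if not siblings:
            plan["skipped"].append((str(bak), "nothing at the original location"))
            continue
        changed = [path for size, path in siblings if size != bak_size]
        if not changed:
            plan["skipped"].append((str(bak), "same size as the backup"))
            continue
        plan["delete"].extend(str(path) for path in changed)
        plan["move"].append((str(bak), str(home / bak.name)))
        if str(bak.parent) not in plan["folders"]:
            plan["folders"].append(str(bak.parent))
    return plan


def avenger_script(plan):
    """Render the plan in the three-section layout used in the post above."""
    return "\n".join(
        ["Files to delete:", *plan["delete"], "",
         "Files to move:",
         *(f"{src} | {dst}" for src, dst in plan["move"]), "",
         "Folders to delete:", *plan["folders"]])


if __name__ == "__main__":
    result = plan_restore(parse_duplicates(REPORT))
    print(avenger_script(result))
    for path, reason in result["skipped"]:
        print(f"skipped: {path} ({reason})")
```

A size mismatch is only a triage signal: a program that was legitimately updated also differs from its older bak copy, so each pair should be reviewed before the script is run.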

poisongirl81 Mortale pio
Registered: 27/07/07 14:55
Posts: 15
Location: Roma

Posted: 30 Jul 2007 12:45    Subject:

This is the Avenger result
 Logfile of The Avenger version 1, by Swandog46
 Running from registry key:
 \Registry\Machine\System\CurrentControlSet\Services\smfbujbg
 
 *******************
 
 Script file located at: \??\C:\WINDOWS\system32\pthywxqd.txt
 Script file opened successfully.
 
 Script file read successfully
 
 Backups directory opened successfully at C:\Avenger
 
 *******************
 
 Beginning to process script file:
 
 File C:\Programmi\AnyDVD\AnyDVD.exe deleted successfully.
 File C:\Programmi\iTunes\iTunesHelper.exe1183752334 deleted successfully.
 File C:\Programmi\QuickTime\qttask.exe deleted successfully.
 File C:\WINDOWS\system32\NeroCheck.exe deleted successfully.
 File C:\Programmi\Ahead\InCD\Error.log deleted successfully.
 File C:\Programmi\Ahead\InCD\InCD.exe deleted successfully.
 File C:\Programmi\Babylon\Babylon-Pro\Babylon.exe deleted successfully.
 File C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe deleted successfully.
 File C:\Programmi\Grisoft\AVG Free\avgcc.exe deleted successfully.
 File C:\Programmi\Octoshape Streaming Services\-\OctoshapeClient.exe deleted successfully.
 File C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe deleted successfully.
 File C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0H2.EXE deleted successfully.
 File move operation C:\Programmi\AnyDVD\bak\AnyDVD.exe|C:\Programmi\AnyDVD\AnyDVD.exe completed successfully.
 File move operation C:\Programmi\iTunes\bak\iTunesHelper.exe|C:\Programmi\iTunes\iTunesHelper.exe completed successfully.
 File move operation C:\Programmi\QuickTime\bak\qttask.exe|C:\Programmi\QuickTime\qttask.exe completed successfully.
 File move operation C:\WINDOWS\system32\bak\NeroCheck.exe|C:\WINDOWS\system32\NeroCheck.exe completed successfully.
 File move operation C:\Programmi\Ahead\InCD\bak\Error.log|C:\Programmi\Ahead\InCD\Error.log completed successfully.
 File move operation C:\Programmi\Ahead\InCD\bak\InCD.exe|C:\Programmi\Ahead\InCD\InCD.exe completed successfully.
 File move operation C:\Programmi\Babylon\Babylon-Pro\bak\Babylon.exe|C:\Programmi\Babylon\Babylon-Pro\Babylon.exe completed successfully.
 File move operation C:\Programmi\CyberLink\PowerDVD\bak\PDVDServ.exe|C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe completed successfully.
 File move operation C:\Programmi\Grisoft\AVG Free\bak\avgcc.exe|C:\Programmi\Grisoft\AVG Free\avgcc.exe completed successfully.
 File move operation C:\Programmi\Octoshape Streaming Services\-\bak\OctoshapeClient.exe|C:\Programmi\Octoshape Streaming Services\-\OctoshapeClient.exe completed successfully.
 File move operation C:\Programmi\SlySoft\CloneCD\bak\CloneCDTray.exe|C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe completed successfully.
 File move operation C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S4I0H2.EXE|C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0H2.EXE completed successfully.
 Folder C:\Programmi\AnyDVD\bak deleted successfully.
 Folder C:\Programmi\iTunes\bak deleted successfully.
 Folder C:\Programmi\QuickTime\bak deleted successfully.
 
 
 Could not delete folder C:\WINDOWS\system32\bak
 Deletion of folder C:\WINDOWS\system32\bak failed!
 
 Could not process line:
 C:\WINDOWS\system32\bak
 Status: 0xc0000035
 
 
 
 Could not delete folder C:\Programmi\Ahead\InCD\bak
 Deletion of folder C:\Programmi\Ahead\InCD\bak failed!
 
 Could not process line:
 C:\Programmi\Ahead\InCD\bak
 Status: 0xc0000035
 
 
 
 Could not delete folder C:\Programmi\Babylon\Babylon-Pro\bak
 Deletion of folder C:\Programmi\Babylon\Babylon-Pro\bak failed!
 
 Could not process line:
 C:\Programmi\Babylon\Babylon-Pro\bak
 Status: 0xc0000035
 
 
 
 Could not delete folder C:\Programmi\CyberLink\PowerDVD\bak
 Deletion of folder C:\Programmi\CyberLink\PowerDVD\bak failed!
 
 Could not process line:
 C:\Programmi\CyberLink\PowerDVD\bak
 Status: 0xc0000035
 
 
 
 Could not delete folder C:\Programmi\Grisoft\AVG Free\bak
 Deletion of folder C:\Programmi\Grisoft\AVG Free\bak failed!
 
 Could not process line:
 C:\Programmi\Grisoft\AVG Free\bak
 Status: 0xc0000035
 
 
 
 Could not delete folder C:\Programmi\Octoshape Streaming Services\-\bak
 Deletion of folder C:\Programmi\Octoshape Streaming Services\-\bak failed!
 
 Could not process line:
 C:\Programmi\Octoshape Streaming Services\-\bak
 Status: 0xc0000035
 
 
 
 Could not delete folder C:\Programmi\SlySoft\CloneCD\bak
 Deletion of folder C:\Programmi\SlySoft\CloneCD\bak failed!
 
 Could not process line:
 C:\Programmi\SlySoft\CloneCD\bak
 Status: 0xc0000035
 
 Folder C:\WINDOWS\system32\spool\drivers\w32x86\3\bak deleted successfully.
 
 Completed script processing.
 
 *******************
 
 Finished!  Terminate.
 
AND THIS IS THE NEW HIJACKTHIS LOG
 
 Logfile of HijackThis v1.99.1
 Scan saved at 12.32.32, on 30/07/2007
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Ahead\InCD\InCDsrv.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 C:\WINDOWS\Explorer.EXE
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
 C:\WINDOWS\system32\cisvc.exe
 C:\WINDOWS\Wcgopsvc.exe
 C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
 C:\Programmi\Ahead\InCD\InCD.exe
 C:\Programmi\Prevx2\PXAgent.exe
 C:\Programmi\Prevx2\PXConsole.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\WINDOWS\system32\svchost.exe
 C:\Programmi\MySpace\IM\MySpaceIM.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgfwsrv.exe
 C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
 C:\WINDOWS\system32\notepad.exe
 C:\Programmi\Internet Explorer\iexplore.exe
 C:\Documents and Settings\-\Desktop\HijackThis.exe
 
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.arianna.it/perie/hometestie.html
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infostrada LIBERO
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
 O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
 O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
 O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
 O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
 O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\AnyDVD\AnyDVD.exe
 O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
 O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
 O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
 O4 - HKLM\..\Run: [PrevxOne] "C:\Programmi\Prevx2\PXConsole.exe"
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MySpaceIM] C:\Programmi\MySpace\IM\MySpaceIM.exe
 O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
 O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programmi\Octoshape Streaming Services\-\OctoshapeClient.exe" -inv:bootrun
 O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
 O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
 O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
 O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
 O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
 O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
 O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
 O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
 O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
 O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
 O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
 O15 - Trusted Zone: http://toolbar.imageshack.us
 O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
 O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://poisongirl981.spaces.msn.com//PhotoUpload/MsnPUpld.cab
 O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
 O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
 O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
 O16 - DPF: {C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61} (DownloaderActiveX Control) - http://c6.community.virgilio.it/download/DownloaderActiveX.cab
 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
 O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
 O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
 O17 - HKLM\System\CCS\Services\Tcpip\..\{F68FBA0F-3906-4A63-897C-358C17A54E1F}: NameServer = 85.37.17.16 85.38.28.68
 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
 O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Unknown owner - C:\Programmi\a-squared Anti-Malware\a2service.exe (file missing)
 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgfwsrv.exe
 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
 O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
 O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
 O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
 O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx2\PXAgent.exe" -f (file missing)
 
It looks like they're gone, but the AVG antivirus won't start for me anymore
Wcgopsvc.exe is a file for the webcam
..and now?

Sante62 Dio maturo
Joined: 27/06/07 17:55
Posts: 3477
Location: Floridia

Posted: 30 Jul 2007 14:53    Subject:

Hi. The HJT log looks clean to me.
However, I'd like to run a few more checks.
Run the scan with FindAWF again and post the result here.
I'm afraid I may have missed something
Then run an online scan with Kaspersky; how to do it is described here:
http://forum.zeusnews.com/viewtopic.php?t=21705
While it is downloading the necessary files, temporarily disable the antivirus and, if necessary, the firewall too. As soon as the scan of the PC starts, disconnect from the internet.
When it finishes, upload the result to www.freefilehosting.net and post here the link you are given.
Once these checks are done and any leftovers removed, we'll restore Winsock.
Bye.

whitesquall Administrator
Joined: 26/06/07 15:03
Posts: 8413

Posted: 30 Jul 2007 15:15    Subject:

Hi poisongirl81, I'm butting into the thread just to tell you that, if you like, you can introduce yourself here

poisongirl81 Mortale pio
Joined: 27/07/07 14:55
Posts: 15
Location: Roma

Posted: 03 Aug 2007 13:19    Subject:

This is the result of the AWF scan:
 Find AWF report by noahdfear ©2006
 
 
 bak folders found
 ~~~~~~~~~~~
 
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\SUPERA~1\BAK
 
 01/05/2007  09.29         1.318.128 SUPERAntiSpyware.exe
 1 File      1.318.128 byte
 2 Directory   7.641.628.672 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\UNLOCKER\BAK
 
 0 File              0 byte
 2 Directory   7.641.628.672 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\WINDOWS\SYSTEM32\BAK
 
 19/08/2004  15.39            15.360 ctfmon.exe
 1 File         15.360 byte
 2 Directory   7.641.624.576 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\AHEAD\INCD\BAK
 
 0 File              0 byte
 2 Directory   7.641.624.576 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\BABYLON\BABYLO~1\BAK
 
 0 File              0 byte
 2 Directory   7.641.624.576 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\CYBERL~1\POWERDVD\BAK
 
 0 File              0 byte
 2 Directory   7.641.624.576 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK
 
 0 File              0 byte
 2 Directory   7.641.624.576 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\MYSPACE\IM\BAK
 
 12/01/2007  03.45         4.898.816 MySpaceIM.exe
 1 File      4.898.816 byte
 2 Directory   7.641.624.576 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\OCTOSH~1\-\BAK
 
 0 File              0 byte
 2 Directory   7.641.624.576 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\SLYSOFT\CLONECD\BAK
 
 0 File              0 byte
 2 Directory   7.641.624.576 byte disponibili
 Il volume nell'unit? C non ha etichetta.
 Numero di serie del volume: 1C98-E3E5
 
 Directory di C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK
 
 06/12/2004  22.31            36.975 jusched.exe
 1 File         36.975 byte
 2 Directory   7.641.624.576 byte disponibili
 
 
 Duplicate files of bak directory contents
 ~~~~~~~~~~~~~~~~~~~~~~~
 
 1318128  1 May 2007 "C:\Programmi\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
 15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
 15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
 4898816 12 Jan 2007 "C:\Programmi\MySpace\IM\MySpaceIM.exe1174437795"
 4898816 12 Jan 2007 "C:\Programmi\MySpace\IM\bak\MySpaceIM.exe"
 73368 26 Apr 2007 "F:\Programmi\MySpaceIM_Setup.exe"
 36975  6 Dec 2004 "C:\Programmi\Java\jre1.5.0_01\bin\bak\jusched.exe"
 
 
 end of report
 -------------------------
When I try to run the online scan with Kaspersky it tells me:
 Kaspersky online license has expired
 
P.S. I hadn't been able to access the forum for days

ste_95 Dio maturo
Joined: 03/08/07 14:41
Posts: 1920
Location: Italy

Posted: 03 Aug 2007 15:11    Subject:

With Avenger:
Start it
Click "Input script manually"
Click the magnifying glass
Enter these lines:

 Files to delete:
 C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\Programmi\MySpace\IM\MySpaceIM.exe1174437795
 C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
 Files to move:
C:\Programmi\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe | C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
 C:\WINDOWS\system32\bak\ctfmon.exe | C:\WINDOWS\system32\ctfmon.exe
 C:\Programmi\MySpace\IM\bak\MySpaceIM.exe | C:\Programmi\MySpace\IM\MySpaceIM.exe
 C:\Programmi\Java\jre1.5.0_01\bin\bak\jusched.exe | C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
 Folders to delete:
 C:\Programmi\SUPERAntiSpyware\bak
 C:\WINDOWS\system32\bak
 C:\PROGRAMMI\SLYSOFT\CLONECD\BAK
 C:\Programmi\AnyDVD\bak
 C:\Programmi\iTunes\bak
 C:\Programmi\QuickTime\bak
 C:\Programmi\MySpace\IM\bak
 C:\Programmi\Java\jre1.5.0_01\bin\bak
 C:\Programmi\Ahead\InCD\bak
 C:\Programmi\Babylon\Babylon-Pro\bak
 C:\Programmi\CyberLink\PowerDVD\bak
 C:\Programmi\Grisoft\AVG Free\bak
 C:\Programmi\Octoshape Streaming Services\-\bak
 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
Click Done
Click the traffic light
The PC should restart; if it doesn't, restart it yourself.
You'll find the result of the operation in C:\Avenger.txt. Post it here.

Orange Dio maturo
Joined: 18/02/07 13:20
Posts: 2224
Location: Roma

Posted: 03 Aug 2007 15:51    Subject:

I'd go easy with Avenger... used improperly, it can cause serious damage to the system. The files you say to delete/move, are you sure they're infected?
ste_95 wrote:
With Avenger: Start it
[cut]

ste_95 Dio maturo
Joined: 03/08/07 14:41
Posts: 1920
Location: Italy

Posted: 03 Aug 2007 16:03    Subject:

going by what AWF says, yes...
am I wrong...?

bdoriano Administrator
Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 03 Aug 2007 19:27    Subject:

@ste_95 The red-lips virus, besides the presence of the BAK folders, is signalled by the presence of files of the same length in bytes (about 24KB).
In the last FindAWF log posted there is not the slightest trace of the virus in question.

@poisongirl81
For online scans, also try having a look at this page.
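
The two signs named in the post above (a BAK folder, and replaced files that all share one length of about 24KB) and the earlier question of whether the files are really infected can be checked read-only before any delete or move script is run. The sketch below is an added example, not part of the thread and not FindAWF's own logic; the 20-28 KiB window, the verdict names and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Assumption: "about 24KB" is read as 20-28 KiB; the thread gives no exact size.
STUB_MIN, STUB_MAX = 20 * 1024, 28 * 1024


def sha256_of(path):
    """Hash a file in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_bak_folders(root):
    """Compare each file in a 'bak' folder with its namesake one level up.

    Returns {path: verdict}. Read-only: nothing is moved or deleted.
    """
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() != "bak":
                continue
            bak_dir = os.path.join(dirpath, d)
            names = sorted(n for n in os.listdir(bak_dir)
                           if os.path.isfile(os.path.join(bak_dir, n)))
            if not names:
                findings[bak_dir] = "empty-bak-folder"  # leftover, no backup inside
            for name in names:
                backup = os.path.join(bak_dir, name)
                original = os.path.join(dirpath, name)
                if not os.path.isfile(original):
                    findings[original] = "original-missing"
                elif sha256_of(original) == sha256_of(backup):
                    findings[original] = "identical-to-backup"
                elif STUB_MIN <= os.path.getsize(original) <= STUB_MAX:
                    findings[original] = "possible-stub"
                else:
                    findings[original] = "differs-from-backup"
    # Second sign from the thread: the replaced files share one byte length.
    by_size = defaultdict(list)
    for path, verdict in findings.items():
        if verdict == "possible-stub":
            by_size[os.path.getsize(path)].append(path)
    for paths in by_size.values():
        if len(paths) >= 2:
            for path in paths:
                findings[path] = "same-length-stub"
    return findings


def build_sample_tree(root):
    """Constructed test data, not files from the thread."""
    def put(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    put("system32/ctfmon.exe", b"A" * 15360)      # same bytes as its backup
    put("system32/bak/ctfmon.exe", b"A" * 15360)
    put("AppOne/one.exe", b"S" * 24576)           # 24 KiB file over a larger backup
    put("AppOne/bak/one.exe", b"1" * 90000)
    put("AppTwo/two.exe", b"S" * 24576)           # second file of the same length
    put("AppTwo/bak/two.exe", b"2" * 50000)
    os.makedirs(os.path.join(root, "InCD", "bak"))  # empty leftover folder


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, verdict in sorted(triage_bak_folders(tmp).items()):
            print(f"{verdict:22} {os.path.relpath(path, tmp)}")
```

Only `same-length-stub` matches both signs; `identical-to-backup` and `empty-bak-folder` correspond to the leftover state in the FindAWF report posted above, where ctfmon.exe has the same size in both places and most bak folders are empty.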

poisongirl81 Mortale pio
Joined: 27/07/07 14:55
Posts: 15
Location: Roma

Posted: 04 Aug 2007 13:43    Subject:

so should I do that thing with Avenger or not???

ste_95 Dio maturo
Joined: 03/08/07 14:41
Posts: 1920
Location: Italy

Posted: 04 Aug 2007 14:13    Subject:

let's wait for opinions....

poisongirl81 Mortale pio
Joined: 27/07/07 14:55
Posts: 15
Location: Roma

Posted: 04 Aug 2007 15:16    Subject:

I've just run the online scan with McAfee (since I can't manage it with Kaspersky) and it gives me these 2 suspicious files among the Windows files
 C:\WINDOWS\services.dll Generic PWS.j
 C:\WINDOWS\xhelper.dll Generic AdClicker.d

ste_95 Dio maturo
Joined: 03/08/07 14:41
Posts: 1920
Location: Italy

Posted: 04 Aug 2007 15:18    Subject:

With Avenger:
Start it
Click "Input script manually"
Click the magnifying glass
Enter these lines:
 
 Files to delete:
 C:\WINDOWS\services.dll
 C:\WINDOWS\xhelper.dll
 
Click Done
Click the traffic light
The PC should restart; if it doesn't, restart it yourself.
You'll find the result of the operation in C:\Avenger.txt. Post it here.

bdoriano Administrator
Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...

Posted: 04 Aug 2007 17:10    Subject:

After the operations indicated by ste_95, also carry out these operations

poisongirl81 Mortale pio
Joined: 27/07/07 14:55
Posts: 15
Location: Roma

Posted: 04 Aug 2007 22:36    Subject:

Here is the Avenger result:
 Logfile of The Avenger version 1, by Swandog46
 Running from registry key:
 \Registry\Machine\System\CurrentControlSet\Services\abstttgy
 
 *******************
 
 Script file located at: \??\C:\ovmbqxcr.txt
 Script file opened successfully.
 
 Script file read successfully
 
 Backups directory opened successfully at C:\Avenger
 
 *******************
 
 Beginning to process script file:
 
 File C:\WINDOWS\services.dll deleted successfully.
 File C:\WINDOWS\xhelper.dll deleted successfully.
 
 Completed script processing.
 
 *******************
 
 Finished!  Terminate.

poisongirl81 Mortale pio
Joined: 27/07/07 14:55
Posts: 15
Location: Roma

Posted: 04 Aug 2007 23:16    Subject:

this is the link after the 1st pass with gmer
link

this is the link after the 2nd pass

link

thanks to those who are helping me