kgss (Mortale devoto)
Joined: 27/12/07 20:54   Posts: 11
Posted: 27 Dec 2007 21:02   Subject: Multiple infection
... I'm new here and I'm writing because I have a problem. I came across this forum while looking for a way to fix it...
My computer has the same problem described in this post
http://forum.zeusnews.com/viewtopic.php?t=24364
I followed the instructions given there to the letter, but in the end the problem was only partly solved.
The "Your computer is infected" etc. message has disappeared for me too, but I still can't see the Control Panel, let alone Task Manager. On top of that, this message keeps appearing and won't go away: THERE IS NO DISK IN THE DRIVE. PLEASE INSERT A DISK INTO DRIVE \DEVICE\HARDDISK1\DR3
What does it mean?
I'm also posting the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.32.31, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\mmall.exe
C:\WINDOWS\mmall.exe
C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\WINDOWS\mmall.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\_install.exe
C:\WINDOWS\ntfyapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da VirgilioTin
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: run=C:\WINDOWS\mmall.exe
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Programmi\Helper\ifastseek.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMTRUSTMOUSE] C:\Programmi\Trust mouse utility\1.0\mouse32a.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntfyapp] C:\WINDOWS\ntfyapp.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update] svmhost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MP Services] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Windows Update] svmhost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MP Services] (User 'Default user')
O4 - Global Startup: .protected
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: AudioDeck.lnk = C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: _install.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe
--
End of file - 4932 bytes
I hope you can give me a hand. Thanks.
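The log above is read by eye in the replies that follow. As an added example (not code from the thread, from HijackThis or from any vendor), here is the same first-pass triage in Python: it flags O4 autostarts registered in the SYSTEM/.DEFAULT hives, bare executable names that Windows resolves through the search path, executables dropped straight into the Windows directory, entry names that impersonate Microsoft, and the O7/O18/O20/F3 lines that rarely have an innocent explanation on an XP home PC. The heuristics are my own; the sample lines are copied from the HijackThis logs posted in this thread.

```python
"""Triage of a HijackThis log: flag the autostart lines an analyst looks at first.

Added example for this thread, not code from the forum, HijackThis or any
vendor. The heuristics are this example's own and deliberately simple.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str       # the log line that triggered it
    reason: str


# Lines copied from the HijackThis logs posted in this thread, used as input.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\mmall.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update] svmhost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [MP Services] (User 'Default user')
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
"""

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")   # "(User 'SYSTEM')" tail
WINDIR_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\WINDOWS\\system32\\", re.IGNORECASE)
POLICY_RE = re.compile(r"Disable(Regedit|TaskMgr)=1")


def executable_of(cmd: str) -> str:
    """First token of the command, without the HijackThis user annotation."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage_o4(line: str) -> list[Finding]:
    m = O4_RE.match(line)
    if not m:
        return []
    where, name, cmd = m.group("where"), m.group("name") or "", m.group("cmd")
    exe = executable_of(cmd)
    out = []
    if where.startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")):
        out.append(Finding("high", line, "autostart in the SYSTEM/.DEFAULT hive: runs before any user logs on"))
    if exe and "\\" not in exe:
        out.append(Finding("medium", line, f"bare name {exe!r}: resolved via the search path, verify which file really runs"))
    if WINDIR_ROOT_EXE_RE.match(exe):
        out.append(Finding("medium", line, "executable dropped directly in the Windows directory"))
    if re.search(r"microsoft|windows update", name, re.IGNORECASE) and not SYSTEM32_RE.match(exe):
        out.append(Finding("high", line, "entry name impersonates Microsoft but the file is not in system32"))
    return out


def triage_line(line: str) -> list[Finding]:
    line = line.strip()
    if line.startswith("O4 - "):
        return triage_o4(line)
    if line.startswith("F3 - ") and "run=" in line.lower():
        return [Finding("high", line, "win.ini run= autostart: legacy mechanism, practically never used legitimately on XP")]
    if line.startswith("O7 - ") and POLICY_RE.search(line):
        return [Finding("high", line, "policy disabling regedit/Task Manager: typical of malware hindering cleanup")]
    if line.startswith("O18 - Filter hijack") and "(no file)" in line:
        return [Finding("high", line, "MIME filter hijack whose handler file is missing")]
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return [Finding("high", line, "AppInit_DLLs: this DLL is loaded into every process that loads user32.dll")]
    return []


def triage(log_text: str) -> list[Finding]:
    return [f for line in log_text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

Note what the heuristics miss: `[sis32] C:\WINDOWS\system32\winsos.exe` has a full path in system32 and an unremarkable name, so it produces no finding even though it is part of the same infection. A script like this narrows the list; the final call still needs the file itself (hash, signature, timestamp against the ComboFix "files created" list).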
Sante62 (Dio maturo)
Joined: 27/06/07 17:55   Posts: 3477   Location: Floridia
Posted: 27 Dec 2007 23:13
Hi kgss
I imagine you have already run RogueRemover. If not, look at this thread and scan your PC with it. Following the same thread, also download ComboFix and scan with it, posting the results here as indicated. At the end, post an updated HJT log as well.
kgss (Mortale devoto)
Joined: 27/12/07 20:54   Posts: 11
Posted: 28 Dec 2007 00:44
First of all, thanks for your help.
With your advice I've solved half of the problem.
The Control Panel is there now, but as soon as I try to open it, that annoying message comes back..
Meanwhile, here are the ComboFix report and the HJT log
ComboFix
Run from: C:\Documents and Settings\Sion\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\.exe
C:\WINDOWS\system32\drivers\asc3550p.sys
.
((((((((((((((((((((((((( Files created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))))))
.
2007-12-27 21:50 . 2007-12-27 21:50 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-27 18:50 . 2007-12-27 18:50 127,378 --a------ C:\Programmi\avenger.zip
2007-12-27 17:23 . 2007-12-27 10:11 13 --ah----- C:\WINDOWS\mmax_clasic.ini
2007-12-27 16:53 . 2007-12-27 16:53 <DIR> d-------- C:\Programmi\Trend Micro
2007-12-27 16:52 . 2007-12-27 16:52 812,344 --a------ C:\Programmi\HJTInstall.exe
2007-12-27 16:47 . 2007-12-27 21:26 <DIR> d-------- C:\Programmi\RogueRemover FREE
2007-12-27 16:46 . 2007-12-27 16:46 690,088 --a------ C:\Programmi\rr-free-setup.exe
2007-12-27 16:25 . 2007-12-27 16:51 <DIR> d-------- C:\Programmi\Router
2007-12-27 16:22 . 2007-12-27 16:22 24,576 --a------ C:\WINDOWS\spend.exe
2007-12-27 16:22 . 2007-12-27 16:22 16,384 --a------ C:\WINDOWS\system32\users32.dat
2007-12-23 23:37 . 2007-12-23 23:37 16,384 --a------ C:\WINDOWS\windisk.dll
2007-12-23 21:44 . 2007-12-23 17:38 135,168 --a------ C:\Documents and Settings\Sion\Dati applicazioni\_install.exe
2007-12-23 19:32 . 2007-12-27 10:11 37,376 --a------ C:\WINDOWS\mmar.exe
2007-12-23 19:32 . 2007-12-27 10:11 14 --ah----- C:\WINDOWS\mmax.ini
2007-12-23 19:31 . 2007-12-27 10:11 37,376 --a------ C:\WINDOWS\mm_tmpar.exe
2007-12-23 19:31 . 2007-12-27 10:11 36,864 --a------ C:\WINDOWS\mmgr.exe
2007-12-23 19:30 . 2007-12-23 19:30 532,480 --a------ C:\WINDOWS\mmoc1.exe
2007-12-23 19:30 . 2007-12-27 10:10 41,472 --a------ C:\WINDOWS\mmhr.exe
2007-12-23 19:30 . 2007-12-27 10:09 41,472 --a------ C:\WINDOWS\mm_tmphr.exe
2007-12-23 19:30 . 2007-12-27 10:10 36,864 --a------ C:\WINDOWS\mm_tmpgr.exe
2007-12-23 19:30 . 2007-12-27 10:09 4 --a------ C:\WINDOWS\c.pid
2007-12-23 19:29 . 2007-12-27 21:09 532,480 --a------ C:\WINDOWS\mm_tmpoc1.exe
2007-12-23 19:29 . 2007-12-27 10:09 38,400 --a------ C:\WINDOWS\mmyh_co.exe
2007-12-23 19:29 . 2007-12-27 10:09 38,400 --a------ C:\WINDOWS\mm_tmpyh_co.exe
2007-12-23 19:29 . 2007-12-27 16:22 9,216 --a------ C:\WINDOWS\system32\suspend.exe
2007-12-23 19:28 . 2007-12-23 19:28 23,552 --a------ C:\WINDOWS\mmall.exe
2007-12-23 19:28 . 2007-12-27 21:36 19,068 --a------ C:\WINDOWS\ntfyapp.config
2007-12-23 19:28 . 2007-12-27 22:49 13,760 --a------ C:\WINDOWS\system32\taskmon.sys
2007-12-23 19:28 . 2007-12-23 17:38 8,704 --a------ C:\WINDOWS\syss_.exe
2007-12-23 19:27 . 2007-12-23 19:27 27,136 ---hs---- C:\WINDOWS\system32\drivers\sysdrv.exe
2007-12-23 19:27 . 2007-12-23 19:27 27,136 ---hs---- C:\Documents and Settings\Sion\scvhost.exe
2007-12-23 17:38 . 2007-12-23 17:38 135,168 --a------ C:\WINDOWS\ntfyapp.exe
2007-12-23 17:38 . 2007-12-27 16:12 48,146 --a------ C:\WINDOWS\taskmon.exe
2007-12-23 17:38 . 2007-12-21 20:42 39,936 -ra------ C:\WINDOWS\mrofinu27.exe.tmp
2007-12-23 17:38 . 2007-12-27 10:06 5,120 --a------ C:\WINDOWS\svc32.dll
2007-12-23 17:37 . 2007-12-27 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Google Updater
2007-12-23 17:37 . 2007-12-23 17:37 112,128 --a------ C:\WINDOWS\system32\runtime.exe
2007-12-23 17:37 . 2007-12-23 17:37 35,702 --a------ C:\WINDOWS\system32\dllgh8jkd1q2.exe
2007-12-23 17:37 . 2007-12-23 17:37 29,184 --a------ C:\WINDOWS\wsystmp_dmf.exe
2007-12-23 17:37 . 2007-12-23 17:37 18,294 --a------ C:\WINDOWS\system32\dllgh8jkd1q7.exe
2007-12-23 17:37 . 2007-12-23 17:37 17,782 --a------ C:\WINDOWS\system32\dllgh8jkd1q6.exe
2007-12-23 17:37 . 2007-12-23 17:37 16,758 --a------ C:\WINDOWS\system32\dllgh8jkd1q5.exe
2007-12-23 17:37 . 2007-12-23 17:37 11,638 --a------ C:\WINDOWS\system32\dllgh8jkd1q1.exe
2007-12-23 17:36 . 2007-12-23 17:36 <DIR> d-------- C:\Programmi\EliteProtector
2007-12-23 17:35 . 2007-12-23 17:35 89,088 ---hs---- C:\WINDOWS\system32\winsn.exe
2007-12-23 17:35 . 2007-12-23 17:35 89,088 ---hs---- C:\WINDOWS\system32\shovth.exe
2007-12-23 17:35 . 2007-12-23 17:35 89,088 ---hs---- C:\08DD2F22.exe
2007-12-23 17:35 . 2007-12-27 10:06 28,929 --a------ C:\WINDOWS\system32\winsos.exe
2007-12-23 17:35 . 2007-12-23 17:35 93 -r-hs---- C:\autorun.inf
2007-12-23 17:34 . 2007-12-23 17:35 89,088 --a------ C:\WINDOWS\wsystmp_bct.exe
2007-12-23 17:11 . 2007-12-23 17:11 0 --a------ C:\WINDOWS\wsystmp_lbd.exe
2007-12-23 16:32 . 2007-12-23 16:32 0 --a------ C:\WINDOWS\wsystmp_zil.exe
2007-12-23 16:30 . 2007-12-27 10:06 6,144 --a------ C:\WINDOWS\system32\user32.dat
2007-12-23 16:29 . 2007-12-27 21:47 8,192 --a------ C:\WINDOWS\medichi2.exe
2007-12-23 16:29 . 2007-12-27 21:47 6,144 --a------ C:\WINDOWS\murka.dat
2007-12-23 16:29 . 2007-12-27 21:47 5,632 --a------ C:\WINDOWS\medichi.exe
2007-12-23 16:28 . 2007-12-23 16:28 35,840 --a------ C:\WINDOWS\wsystmp_qxf.exe
2007-12-23 16:28 . 2005-04-27 05:30 25,600 --a------ C:\Documents and Settings\Sion\Dati applicazioni\mcrupdate.exe
2007-12-23 16:27 . 2007-12-23 16:27 15,872 --a------ C:\WINDOWS\windsk.dll
2007-12-23 16:09 . 2007-12-23 16:09 34,049 --a------ C:\WINDOWS\trayicon.exe
2007-12-23 16:09 . 2007-12-23 16:09 34,049 --a------ C:\Documents and Settings\Sion\wn852.exe
2007-12-13 16:21 . 2007-12-13 16:42 <DIR> d-------- C:\Programmi\MAGIX
2007-12-13 16:21 . 2007-12-13 16:21 <DIR> d-------- C:\Programmi\File comuni\MAGIX
2007-12-13 16:21 . 2007-12-13 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\MAGIX
2007-12-13 16:21 . 2006-03-31 15:57 430,080 --a------ C:\WINDOWS\system32\MXRestore.exe
2007-12-13 16:21 . 2007-04-27 10:43 120,200 --a------ C:\WINDOWS\system32\DLLDEV32i.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 19:57 --------- d-----w C:\Programmi\AVPersonal
2007-12-27 15:25 58,060 ----a-w C:\Programmi\RogueRemover_d5360.htm
2007-12-27 15:22 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-27 15:22 --------- d-----w C:\Programmi\Common Files
2007-12-27 02:16 --------- d-----w C:\Programmi\QuickTime
2007-12-27 02:16 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2007-12-23 16:37 --------- d-----w C:\Programmi\Google
2007-12-19 15:13 --------- d-----w C:\Documents and Settings\Sion\Dati applicazioni\TransRender
2007-12-13 15:21 --------- d-----w C:\Programmi\File comuni\MAGIX Shared
2007-12-08 00:28 --------- d-----w C:\Documents and Settings\Sion\Dati applicazioni\ConvertTemp
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 00:24 --------- d-----w C:\Programmi\Windows Live
2007-11-10 00:17 --------- dcsh--w C:\Programmi\File comuni\WindowsLiveInstaller
2007-11-10 00:17 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
2007-11-09 15:59 --------- d-----w C:\Programmi\Macrogaming
2007-11-06 21:21 --------- d-----w C:\Documents and Settings\Sion\Dati applicazioni\Temporary
2007-10-31 18:55 --------- d-----w C:\Programmi\File comuni\Adobe
2007-10-29 22:42 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-18 10:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-08-01 13:59 9,806 ----a-w C:\Documents and Settings\Sion\xuvgcb.exe
2005-01-09 12:48 56 -csha-r C:\WINDOWS\system32\067412BFB6.sys
2006-08-18 19:30 56 -csh--r C:\WINDOWS\system32\817A04AEA5.sys
2007-06-23 14:50 8 --sh--r C:\WINDOWS\system32\D17A890923.sys
2007-06-23 14:50 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg loading points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty & legitimate/default values are not shown.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft all"="C:\WINDOWS\mmall.exe" [2007-12-23 19:28]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00]
"ntfyapp"="C:\WINDOWS\ntfyapp.exe" [2007-12-23 17:38]
"Starting up"="wvsvc.exe" []
"Start Uppings"="mssupdate.exe" []
"Microsoft Windows Update"="svmhost.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 18:23 C:\WINDOWS\SOUNDMAN.EXE]
"FLMTRUSTMOUSE"="C:\Programmi\Trust mouse utility\1.0\mouse32a.exe" []
"CARPService"="carpserv.exe" [2003-01-09 12:42 C:\WINDOWS\system32\carpserv.exe]
"Microsoft all"="C:\WINDOWS\mmall.exe" [2007-12-23 19:28]
"sis32"="C:\WINDOWS\system32\winsos.exe" [2007-12-27 10:06]
"winroot"="C:\WINDOWS\system32\winsn.exe" [2007-12-23 17:35]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update"="svmhost.exe" []
"Starting up"="wvsvc.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MP Services"="" []
"NvCplScan"="" []
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-19 23:22]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2007-05-29 14:57:20]
AudioDeck.lnk - C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe [2005-06-09 11:57:45]
_install.exe [2007-12-23 17:38:14]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 13:45]
R2 cpwnt;cpwnt;C:\WINDOWS\system32\drivers\cpwnt.sys [1997-05-30 00:00]
S0 smfqlvfv;smfqlvfv;C:\WINDOWS\system32\drivers\krthccrn.sys []
S3 avgntdw;avgntdw;C:\Programmi\AVPersonal\AVGNTDW.SYS [2005-04-29 08:07]
S3 Qlevtm;Qlevtm;C:\WINDOWS\System32\drivers\asyncmac.sys [2004-08-19 13:00]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]
S3 taskmon.sys;taskmon.sys;C:\WINDOWS\system32\taskmon.sys [2007-12-27 22:49]
S3 ulusba;NEC 616 Command Port Driver;C:\WINDOWS\system32\DRIVERS\ulusba.sys [2003-06-23 02:00]
S3 ulusbc;NEC 616 CONTROL Driver;C:\WINDOWS\system32\DRIVERS\ulusbc.sys [2003-06-23 02:00]
S3 ulusbe;NEC 616 ENUMERATION Driver;C:\WINDOWS\system32\DRIVERS\ulusbe.sys [2003-06-23 02:00]
S3 ulusbm;NEC 616 Modem Driver;C:\WINDOWS\system32\DRIVERS\ulusbm.sys [2003-06-23 02:00]
S3 ulusbo;NEC 616 OBEX Port Driver;C:\WINDOWS\system32\DRIVERS\ulusbo.sys [2003-07-24 02:00]
S3 usb20l;Sitecom USB 2.0 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\usb20l.sys [2002-07-09 08:46]
S3 Via4in1;Via4in1;C:\DOCUME~1\andrea\IMPOST~1\Temp\pft11~tmp\Via4in1.sys []
S3 Vsp;Vsp;C:\WINDOWS\system32\drivers\Vsp.sys [2003-05-27 15:45]
S3 wanusb;IPM Datacom USB ADSL WAN Modem;C:\WINDOWS\system32\DRIVERS\gwausb.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\
\Shell\open\Command - C:\08DD2F22.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\
\Shell\open\Command - D:\A8162F0F.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 16:09:45 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2007-06-24 16:08:54 C:\WINDOWS\Tasks\cidppvm.job"
"2007-06-25 10:44:10 C:\WINDOWS\Tasks\hbwp.job"
"2007-06-25 11:05:55 C:\WINDOWS\Tasks\mex.job"
"2007-06-24 09:23:43 C:\WINDOWS\Tasks\onxnhfl.job"
"2007-06-23 23:38:28 C:\WINDOWS\Tasks\ujpjm.job"
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 10:20:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\bldy.config 21013 bytes
C:\WINDOWS\system32\bldy2395-2849.sys 129664 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\bldy2395-2849]
"ImagePath"="\??\C:\WINDOWS\system32\bldy2395-2849.sys"
.
Scan finished at: 2007-12-27 10:21:03
C:\ComboFix2.txt ... 2007-12-27 09:55
.
2007-12-27 16:30:58 --- E O F ---
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13, on 2007-12-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\mmall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ntfyapp.exe
C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\_install.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\mmyh_co.exe
C:\WINDOWS\mmoc1.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\mmgr.exe
C:\WINDOWS\mmar.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: run=C:\WINDOWS\mmall.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMTRUSTMOUSE] C:\Programmi\Trust mouse utility\1.0\mouse32a.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntfyapp] C:\WINDOWS\ntfyapp.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update] svmhost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MP Services] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Windows Update] svmhost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MP Services] (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: AudioDeck.lnk = C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: _install.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
--
End of file - 4659 bytes
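Two things in the ComboFix report above belong together: the hidden, read-only, system `C:\autorun.inf` (93 bytes) and the `mountpoints2` entries whose `\Shell\open\Command` points at `C:\08DD2F22.exe` and `D:\A8162F0F.exe`. Explorer parses a drive's autorun.inf and caches the verbs it found under `HKCU\...\Explorer\MountPoints2\<drive>\Shell`, so double-clicking the drive runs the cached command, and the cache outlives the .inf and the .exe. The following is an added example, not code from the thread or from ComboFix: a small parser for autorun.inf, a parser for the MountPoints2 lines as ComboFix prints them, and a check that ties the two together. The autorun.inf text is constructed (the page only reports that the file exists, not its content); the MountPoints2 lines are copied from the log above.

```python
"""autorun.inf and MountPoints2: how the drive-root launcher in this log works.

Added example, not code from the thread or from ComboFix. SAMPLE_AUTORUN_INF
is a constructed reconstruction of the usual layout (the real file's content
is not on the page); SAMPLE_COMBOFIX is copied from the ComboFix log above.
"""
import re

SAMPLE_AUTORUN_INF = r"""[autorun]
open=08DD2F22.exe
shell\open=Open
shell\open\Command=08DD2F22.exe
shell\explore\Command=08DD2F22.exe
"""

SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\
\Shell\open\Command - C:\08DD2F22.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\
\Shell\open\Command - D:\A8162F0F.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
"""

# autorun.inf keys that make Explorer run something: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
MP_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\(?P<drive>[^\]]+)\]$",
    re.IGNORECASE)
MP_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\Command - (?P<cmd>.*)$", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"(^|\\)[0-9A-F]{8}\.exe$", re.IGNORECASE)   # 08DD2F22.exe, A8162F0F.exe


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Keys of the [autorun] section, lower-cased; a later duplicate overwrites an earlier one."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict[str, str]) -> list[tuple[str, str]]:
    """(key, executable) pairs for every key that makes Explorer run a program."""
    out = []
    for key, value in entries.items():
        if LAUNCH_KEY_RE.match(key) and value:
            exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
            out.append((key, exe))
    return out


def parse_mountpoints2(combofix_text: str) -> dict[str, dict[str, str]]:
    """drive letter -> {verb: command}, from the MountPoints2 section of a ComboFix log."""
    drives, current = {}, None
    for raw in combofix_text.splitlines():
        line = raw.strip()
        m = MP_KEY_RE.match(line)
        if m:
            current = m.group("drive").upper()
            drives.setdefault(current, {})
            continue
        m = MP_CMD_RE.match(line)
        if m and current is not None:
            drives[current][m.group("verb").lower()] = m.group("cmd").strip()
    return drives


def suspicious_verbs(drives: dict[str, dict[str, str]]) -> list[tuple[str, str, str, str]]:
    """Verbs whose cached command launches an executable instead of opening the folder."""
    findings = []
    for drive, verbs in sorted(drives.items()):
        for verb, cmd in sorted(verbs.items()):
            if not cmd.lower().endswith(".exe"):
                continue
            reason = "verb runs an executable: double-clicking the drive in Explorer starts it"
            if HEX_NAME_RE.search(cmd):
                reason += " (8-hex-digit name in the drive root, like the files ComboFix listed)"
            findings.append((drive, verb, cmd, reason))
    return findings


def inf_matches_cache(entries: dict[str, str], drives: dict[str, dict[str, str]], drive: str) -> bool:
    """True if the cached 'open' verb for the drive points at the .inf's launch target."""
    cached = drives.get(drive.upper(), {}).get("open", "")
    targets = {exe.lower() for _, exe in launch_targets(entries)}
    return cached.split("\\")[-1].lower() in targets
```

The practical point for the cleanup: deleting `C:\08DD2F22.exe` and `C:\autorun.inf` alone leaves the cached `open` verb in place, and Explorer will keep trying to run a file that no longer exists until the `MountPoints2\C` and `MountPoints2\D` keys are removed too. `E:\setup.exe` under the AutoRun verb is what a CD with an installer normally leaves behind and is flagged only because the rule is deliberately coarse.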
bdoriano (Amministratore)
Joined: 02/04/07 12:05   Posts: 14391   Location: 3rd planet of the solar system...
Posted: 28 Dec 2007 01:04
I'd say you're in pretty bad shape...
Disable System Restore
Let's start with some deletions...
Download Avenger and unzip it into a folder of its own, not a temporary one and not on the desktop
Start AVENGER
Click on "Input script manually"
Click on the magnifying glass
Enter these lines:
Quote:
Files to delete:
C:\WINDOWS\mmyh_co.exe
C:\WINDOWS\ntfyapp.exe
C:\WINDOWS\mmall.exe
C:\WINDOWS\mmar.exe
C:\WINDOWS\mmgr.exe
C:\WINDOWS\spend.exe
C:\WINDOWS\mmoc1.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\bldy2395-2849.sys
C:\WINDOWS\system32\bldy.config
C:\WINDOWS\Tasks\cidppvm.job
C:\WINDOWS\Tasks\hbwp.job
C:\WINDOWS\Tasks\mex.job
C:\WINDOWS\Tasks\onxnhfl.job
C:\WINDOWS\Tasks\ujpjm.job
D:\A8162F0F.exe
C:\08DD2F22.exe
Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When it's finished, post the result here along with an updated HijackThis log.
Run these scans with GMER and post the logs on FreeFileHosting as explained here.
kgss (Mortale devoto)
Joined: 27/12/07 20:54   Posts: 11
Posted: 28 Dec 2007 03:35
Thanks bdoriano for the instructions...
Here is the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:16, on 2007-12-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ntfyapp.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Sion\IMPOST~1\Temp\Directory temporanea 2 per gmer.zip\gmer.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMTRUSTMOUSE] C:\Programmi\Trust mouse utility\1.0\mouse32a.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntfyapp] C:\WINDOWS\ntfyapp.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update] svmhost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MP Services] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Windows Update] svmhost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MP Services] (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: AudioDeck.lnk = C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: _install.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EEDAC7-4AF7-4D55-B194-6C7C18CC4D9D}: NameServer = 85.37.17.52 85.38.28.92
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
--
End of file - 4180 bytes
The link for the first pass with GMER
Scan.txt
The link for the second pass
Scan2.txt
Thanks!
bdoriano (Amministratore)
Joined: 02/04/07 12:05   Posts: 14391   Location: 3rd planet of the solar system...
Posted: 28 Dec 2007 09:44
The log Avenger generated after the operation would also be needed.
Anyway, carry out these steps:
- Open Notepad and copy/paste this code
Quote:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft all"=-
"ntfyapp"=-
"Starting up"=-
"Start Uppings"=-
"Microsoft Windows Update"=-
then save the file with the name fix.reg in C:\ (IMPORTANT!)
Start Avenger and this time enter this script:
Quote:
Files to delete:
C:\WINDOWS\Temp\checkmemory.exe
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\mmall.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\ntfyapp.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\_install.exe
Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft all
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | sis32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | winroot
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {E9BD18F4-7B76-47C0-BAF2-3FF006271D03}
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {DB9E4151-A142-491D-833E-B53BEA1621FB}
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {757B1DA6-9967-4418-BF10-38319FEB8DFB}
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {FA4A0A41-A11E-491C-86E1-6E81D118F8E9}
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {F4AE26B2-FA67-4675-9B2D-17847EAF742B}
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {214B220D-BE4D-418E-AC9F-6068ED913EE4}
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {2EA4B742-0EEE-4FF4-A589-6BB59A6CD640}
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {C488751C-1997-4291-AFAC-563CED7C9583}
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved | {2D82FB50-5ED5-4452-9421-A8225E0858E3}
Registry keys to replace with dummy:
HKLM\Software\Classes\.scr
Programs to launch on reboot:
C:\fix.reg
Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When it's finished, post the Avenger result here along with an updated HijackThis log.
kgss (Mortale devoto)
Posted: 28 Dec 2007 18:21
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\txnjlqqr
*******************
Script file located at: \??\C:\Documents and Settings\glxhnlci.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\Temp\checkmemory.exe not found!
Deletion of file C:\WINDOWS\Temp\checkmemory.exe failed!
Could not process line:
C:\WINDOWS\Temp\checkmemory.exe
Status: 0xc0000034
File C:\WINDOWS\system32\guard.tmp deleted successfully.
File C:\WINDOWS\mmall.exe not found!
Deletion of file C:\WINDOWS\mmall.exe failed!
Could not process line:
C:\WINDOWS\mmall.exe
Status: 0xc0000034
File C:\WINDOWS\system32\winsos.exe not found!
Deletion of file C:\WINDOWS\system32\winsos.exe failed!
Could not process line:
C:\WINDOWS\system32\winsos.exe
Status: 0xc0000034
File C:\WINDOWS\system32\winsn.exe not found!
Deletion of file C:\WINDOWS\system32\winsn.exe failed!
Could not process line:
C:\WINDOWS\system32\winsn.exe
Status: 0xc0000034
File C:\WINDOWS\ntfyapp.exe deleted successfully.
File C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\_install.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Microsoft all deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|sis32 deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|winroot deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{E9BD18F4-7B76-47C0-BAF2-3FF006271D03} deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{DB9E4151-A142-491D-833E-B53BEA1621FB} deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{757B1DA6-9967-4418-BF10-38319FEB8DFB} deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{FA4A0A41-A11E-491C-86E1-6E81D118F8E9} deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{F4AE26B2-FA67-4675-9B2D-17847EAF742B} deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{214B220D-BE4D-418E-AC9F-6068ED913EE4} deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{2EA4B742-0EEE-4FF4-A589-6BB59A6CD640} deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{C488751C-1997-4291-AFAC-563CED7C9583} deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{2D82FB50-5ED5-4452-9421-A8225E0858E3} deleted successfully.
Registry key HKLM\Software\Classes\.scr replaced with dummy successfully.
Program C:\fix.reg successfully set up to run once on reboot.
Completed script processing.
*******************
Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21, on 2007-12-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMTRUSTMOUSE] C:\Programmi\Trust mouse utility\1.0\mouse32a.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update] svmhost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MP Services] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Windows Update] svmhost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MP Services] (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: AudioDeck.lnk = C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EEDAC7-4AF7-4D55-B194-6C7C18CC4D9D}: NameServer = 85.37.17.52 85.38.28.92
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
--
End of file - 3646 bytes
bdoriano (Administrator)
Posted: 28 Dec 2007 20:48
Disable System Restore and boot the PC in Safe Mode
run HijackThis
click on Do a system scan only
tick these entries:
Quote:
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update] svmhost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MP Services] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Windows Update] svmhost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MP Services] (User 'Default user')
click Fix checked
Reboot the PC in normal mode, redo the HijackThis log and post it
One favour: once you have done the Avenger operations, you will find one or more backup*.zip files in C:\avenger. If you can, upload them to freefilehosting and send me, via , the link you are given.
Finally, connect to the Kaspersky online scanner and run the extended scan, as described here.
Save the scan result to a file (in HTML format), upload the file to Freefilehosting and post the link you are given here.
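A small triage script, added here as an example (it is not part of this thread, nor of HijackThis or Avenger), that parses the O4 lines of a HijackThis log and flags the patterns the moderator keyed on: autostarts registered in the SYSTEM and Default user hives, bare executable names with no path, value names that imitate Windows components, Policies\Explorer\Run entries and random-looking value names. The sample lines are constructed from the logs posted in this thread; the allowlist of known bare names and the keyword list are assumptions, not a vendor rule set.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the O4 entries of the HijackThis logs in this thread
# (the svmhost.exe / wvsvc.exe / syss_.exe lines are the ones the moderator asked to fix).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Update] svmhost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MP Services] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Starting up] wvsvc.exe (User 'Default user')
O4 - HKLM\..\Policies\Explorer\Run: [5R19C2X74Z] C:\WINDOWS\syss_.exe
O4 - Global Startup: AudioDeck.lnk = C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
"""

# Registry-based O4 entries: "O4 - <key>: [<value name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<key>HK[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)"
    r"(?:\s*\(User '(?P<user>[^']*)'\))?$"
)

# Hives of the SYSTEM account and the Default User profile: ordinary software does not
# register autostarts there, so entries pointing at a bare filename are worth a look.
SYSTEM_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")
# Assumed allowlist: bare names that XP and common drivers legitimately register without a path.
KNOWN_BARE_NAMES = {"soundman.exe", "carpserv.exe", "ctfmon.exe"}
# Assumed keyword list: value names that imitate Windows components, as in the logs above.
IMPERSONATION_WORDS = ("microsoft", "windows update", "services", "starting up")
# Random-looking all-caps alphanumeric value names such as 5R19C2X74Z.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8,}$")


def parse_o4_entries(log_text: str) -> List[Dict[str, str]]:
    """Extract the registry-based O4 entries; Global Startup (.lnk) lines are skipped."""
    entries = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict(default=""))
    return entries


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Return the heuristics this entry trips; an empty list means nothing stood out."""
    key, name, cmd = entry["key"], entry["name"], entry["cmd"]
    # First token of the command, quotes stripped. An unquoted path containing spaces is
    # cut at the first space, which only affects the "under C:\WINDOWS" check below.
    exe = cmd.split(" ", 1)[0].strip('"').lower() if cmd else ""
    in_windows_dir = exe.startswith("c:\\windows\\")
    reasons = []
    if key.startswith(SYSTEM_HIVES) and "\\" not in exe:
        reasons.append("autostart in SYSTEM/Default user hive with no full path")
    if exe and "\\" not in exe and exe not in KNOWN_BARE_NAMES:
        reasons.append("bare executable name resolved through PATH, file location unknown")
    if any(w in name.lower() for w in IMPERSONATION_WORDS) and not in_windows_dir:
        reasons.append("value name imitates a Windows component")
    if "\\Policies\\Explorer\\Run" in key:
        reasons.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
    if RANDOM_NAME_RE.match(name):
        reasons.append("random-looking value name")
    return reasons


def triage(log_text: str) -> List[Tuple[Dict[str, str], List[str]]]:
    """Pair every flagged entry with the reasons it was flagged, in log order."""
    flagged = []
    for entry in parse_o4_entries(log_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"[{entry['name']}] {entry['cmd'] or '(empty)'} -> {'; '.join(reasons)}")
```

A flag is a prompt to check the file on disk (location, signature, hash against a reputation service), not a verdict; the same heuristics would also flag an unusually registered but legitimate tool.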
kgss (Mortale devoto)
Posted: 29 Dec 2007 03:39
I sent you the links with the backups...
this is the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41, on 2007-12-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\AVPersonal\AVGNT.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\suspend.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMTRUSTMOUSE] C:\Programmi\Trust mouse utility\1.0\mouse32a.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [Starting up] wvsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [NvCplScan] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Starting up] wvsvc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [NvCplScan] (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: AudioDeck.lnk = C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EEDAC7-4AF7-4D55-B194-6C7C18CC4D9D}: NameServer = 85.37.17.52 85.38.28.92
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
--
End of file - 4084 bytes
As for the KS scan report, FreeFile Hosting will not upload it for me. It always comes back with "Impossibile visualizzare la pagina". What do we do? Thanks
bdoriano (Administrator)
Posted: 29 Dec 2007 10:34
Try FreeFileHosting again (it acts up at times), otherwise go to xzshare.it.
There are still some suspicious entries.
Let's wait to see the Kaspersky log, though.
kgss (Mortale devoto)
Posted: 29 Dec 2007 13:02
here is the xzshare link
http://www.xzshare.it/106418
p.s. you're great!
bdoriano (Administrator)
Posted: 29 Dec 2007 15:28
I had a look at the log, 15MB!!!
There are quite a few infections.
- Download drWeb CureIt
- Boot the PC in Safe Mode
- Start CureIt and let it run the full scan (it should also remove the threats it recognises)
- Boot the PC in normal mode
- Download VirIt
- Install VirIt
- Start it and update it (important)
- Reboot the PC
- Start VirIt and run the full scan.
When done, post the logs of these operations.
Then, do these steps:
- Also download ATF-Cleaner.
Start ATF-Cleaner (it deletes temporary files)
Tick Select All
(if you want to keep the files in the Recycle Bin, untick Recycle bin)
Click Empty selected
Click the FireFox entry
Tick Firefox caches and Firefox cookies and click Empty selected
- Close all applications, including Word and Messenger (there must be no icon next to the clock).
- Connect to the Kaspersky online scanner and run the extended scan, as described here. Do not use the PC during the scan!
- Save the scan result to a file (in HTML format), upload the file to Freefilehosting and post the link you are given here.
kgss (Mortale devoto)
Posted: 30 Dec 2007 00:04
VirIT eXplorer Lite Log
[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
29/12/2007 - 21:02:00
[SCANSIONE DEL REGISTRO]
OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
C:\Documents and Settings\Sion\DoctorWeb\Quarantine\A0000069.exe Infetto da Trojan.Win32.NDRV.Gen
* * * RIMOSSO * * *
C:\Documents and Settings\Sion\DoctorWeb\Quarantine\lsass.exe Infetto da Trojan.Win32.NDRV.Gen
* * * RIMOSSO * * *
C:\Documents and Settings\Sion\Impostazioni locali\Temp\dm_0172.exe Possibile variante da Trojan.Win32.Small.RJ
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir Infetto da Adware.Agent.J
* * * RIMOSSO * * *
C:\WINDOWS\lasys32.exe Possibile variante da Trojan.Win32.Small.RJ
C:\WINDOWS\svc32.dll Infetto da Trojan.Win32.Agent.BFG
Il file sarà spostato nella cartella di quarantena.
Chiavi Registro infette: 0.
Files Infetti: 6.
Files Sospetti: 0.
Files Analizzati: 62699.
Files Totali: 62699.
Chiavi Registro rimosse: 0.
Virus Rimossi: 3.
Adesso puoi RIAVVIARE il computer per spostare il file nella cartella di quarantena.
DR. WEB
http://www.xzshare.it/971356
KASPERSKY
http://www.xzshare.it/313060
bdoriano (Administrator)
Posted: 30 Dec 2007 13:25
Your Kaspersky log is still gigantic!!! 15MB!
Impossible to analyse in detail and in a short time.
And, strangely, there are still files that should not be there after doing all the steps I gave you earlier.
For example, this step cleans up the temporary files:
Quote:
Start ATF-Cleaner (it deletes temporary files)
Tick Select All
(if you want to keep the files in the Recycle Bin, untick Recycle bin)
Click Empty selected
Click the FireFox entry
Tick Firefox caches and Firefox cookies and click Empty selected
Which, instead, are still present in the log.
This other step:
Quote:
Close all open applications, including Word and Messenger (there must be no icon next to the clock).
You should close all applications (Word, Excel, Powerpoint, Adobe Reader, Messenger) and not leave even one window open (only the one for the scan). Close all the icons open next to the clock too; only the bare minimum must remain.
Is the PC used together with other people? Do you each have a password?
Unfortunately, until there is a more manageable log, I cannot be sure I can help you get rid of your infections for good (because there are still some).
Disable System Restore
Start AVENGER
Click on Input script manually
Click the magnifying glass
Enter these lines:
Quote:
Files to delete:
C:\Documents and Settings\Sion\DoctorWeb\Quarantine\A0000070.exe
C:\Documents and Settings\Sion\DoctorWeb\Quarantine\mm_tmpoc1.exe
C:\Documents and Settings\Sion\DoctorWeb\Quarantine\UnInstall.exe
C:\Documents and Settings\Sion\Impostazioni locali\Temp\dm_0172.exe
C:\Programmi\Router\Router.exe
C:\qoobox\Quarantine\C\Documents and Settings\Sion\Dati applicazioni\antivirus.exe.vir
C:\qoobox\Quarantine\C\Documents and Settings\Sion\Dati applicazioni\trant.exe.vir
C:\qoobox\Quarantine\C\Programmi\File comuni\Yazzle1560OinUninstaller.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\b151.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\vedxga1me4t1.exe.vir
C:\qoobox\Quarantine\catchme2007-12-27_ 95303.09.zip
C:\QUARANTENA_VIRIT\svc32.dll
C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe
C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe
C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe
C:\WINDOWS\Downloaded Program Files\303487.exe
C:\WINDOWS\svc32.dll
C:\WINDOWS\syss_.exe
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\8T6NW1YZ\Bridge-c95[1].cab
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\OXEV8DMZ\bridge-c46[1].cab
C:\WINDOWS\system32\HotVideo_it-uninstall.exe
C:\WINDOWS\system32\runtime.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\taskmon.exe
Click Done
Click the traffic light
The PC should reboot; if it does not, reboot it yourself.
When the operation is finished, post the Avenger result here together with an updated HijackThis log.
kgss (Mortale devoto)
Posted: 30 Dec 2007 15:41
yes, I followed all the steps to the letter. And yes, I share the PC with another person and each of us has their own account and password.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qkcqnbbk
*******************
Script file located at: \??\C:\Documents and Settings\cawpmpfw.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Documents and Settings\Sion\DoctorWeb\Quarantine\A0000070.exe deleted successfully.
File C:\Documents and Settings\Sion\DoctorWeb\Quarantine\mm_tmpoc1.exe deleted successfully.
File C:\Documents and Settings\Sion\DoctorWeb\Quarantine\UnInstall.exe deleted successfully.
File C:\Documents and Settings\Sion\Impostazioni locali\Temp\dm_0172.exe deleted successfully.
File C:\Programmi\Router\Router.exe deleted successfully.
File C:\qoobox\Quarantine\C\Documents and Settings\Sion\Dati applicazioni\antivirus.exe.vir deleted successfully.
File C:\qoobox\Quarantine\C\Documents and Settings\Sion\Dati applicazioni\trant.exe.vir deleted successfully.
File C:\qoobox\Quarantine\C\Programmi\File comuni\Yazzle1560OinUninstaller.exe.vir deleted successfully.
File C:\qoobox\Quarantine\C\WINDOWS\b151.exe.vir deleted successfully.
File C:\qoobox\Quarantine\C\WINDOWS\system32\vedxga1me4t1.exe.vir deleted successfully.
File C:\qoobox\Quarantine\catchme2007-12-27_ 95303.09.zip deleted successfully.
File C:\QUARANTENA_VIRIT\svc32.dll deleted successfully.
File C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe deleted successfully.
File C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe not found!
Deletion of file C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe failed!
Could not process line:
C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe
Status: 0xc0000034
File C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe not found!
Deletion of file C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe failed!
Could not process line:
C:\System Volume Information\_restore{E43D5535-27BF-4E1E-930B-7559D07CCFE2}\RP1\A0000033.exe
Status: 0xc0000034
File C:\WINDOWS\Downloaded Program Files\303487.exe deleted successfully.
File C:\WINDOWS\svc32.dll deleted successfully.
File C:\WINDOWS\syss_.exe deleted successfully.
File C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\8T6NW1YZ\Bridge-c95[1].cab deleted successfully.
File C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\OXEV8DMZ\bridge-c46[1].cab deleted successfully.
File C:\WINDOWS\system32\HotVideo_it-uninstall.exe deleted successfully.
File C:\WINDOWS\system32\runtime.exe deleted successfully.
File C:\WINDOWS\system32\users32.dat deleted successfully.
File C:\WINDOWS\taskmon.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31, on 2007-12-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\AVPersonal\AVGNT.EXE
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tgsoft.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMTRUSTMOUSE] C:\Programmi\Trust mouse utility\1.0\mouse32a.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [5R19C2X74Z] C:\WINDOWS\syss_.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [Starting up] wvsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [NvCplScan] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Starting up] wvsvc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [NvCplScan] (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: AudioDeck.lnk = C:\Programmi\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
--
End of file - 3944 bytes
bdoriano (Administrator)
Posted: 31 Dec 2007 13:59
kgss wrote:
yes, I followed all the steps to the letter. And yes, I share the PC with another person and each of us has their own account and password.
Mystery solved.
To do the following operations, you will have to use Internet Explorer:
kgss (Mortale devoto)
Posted: 31 Dec 2007 20:04
BitDefender
http://www.freefilehosting.net/download/39l97
Panda Active Scan won't start....
With ESET the log can't be saved...
bdoriano (Administrator)
Posted: 01 Jan 2008 10:54
I see BitDefender made further deletions. Good!
Did ESET delete anything else?
What error does Panda report?
kgss (Mortale devoto)
Posted: 01 Jan 2008 20:11
so ESET managed to remove 10 viruses for me
Panda won't start the scan when I click on "My Computer" or on the other icons... I ran the ActiveX, installed everything... but it won't start...