Precedente :: Successivo |
Autore |
Messaggio |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 19 Dic 2007 08:32 Oggetto: problema troyan Virtumonde |
|
|
Ciao a tutti, ho un problema da alcuni giorni con il mio pc..
Facendo la scansione con Spyware Doctor son stati individuati questi due virus: Troyan.Virtumonde e Troyan-Downloader.ConHook che pero' al riavvio del sistema ricompaiono.Potete aiutarmi a debellarli?grazie 1000..... |
|
Top |
|
 |
bdoriano Amministratore


Registrato: 02/04/07 12:05 Messaggi: 14391 Residenza: 3° pianeta del sistema solare...
|
Inviato: 19 Dic 2007 10:04 Oggetto: |
|
|
Ciao cuchucambiasso,
- Scarica VundoFix.exe sul desktop
- Esegui VundoFix.exe
- Clicca Scan for Vundo.
- al termine della scansione, clicca Remove Vundo.
- ti chiede se vuoi eliminare i files infetti, clicca YES
- il tuo video diventerà nero durante la rimozione di Vundo.
- al termine ti chiederà di riavviare il pc, clicca OK.
- Copia qui il contenuto del log C:\vundofix.txt e un nuovo log di hijackthis.
Nota: VundoFix potrebbe non riuscire ad eliminare qualche file. In questo caso, VundoFix si avvierà automaticamente al riavvio del pc, ripeti le operazioni indicate sopra partendo da "Clicca Scan for Vundo" quando VundoFix apparirà al riavvio.
- Scarica ATF-Cleaner.
Avvia ATF-Cleaner (serve a eliminare i files temporanei)
Metti il segno di spunta a Select All
(se vuoi conservare i files del cestino, togli il segno di spunta a Recycle bin)
Clicca su Empty selected
- Al termine, segui le istruzioni di questo topic per postare il log di hijackthis.
PS: se vuoi, puoi presentarti qui |
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 19 Dic 2007 11:08 Oggetto: |
|
|
grazie 1000!!!!
non so come ho fatto ma ero gia riuscito ad eliminare i 2 virus con ad-aware...
ora al riavvio non ricompaiono piu'...
grazie ancora  |
|
Top |
|
 |
bdoriano Amministratore


Registrato: 02/04/07 12:05 Messaggi: 14391 Residenza: 3° pianeta del sistema solare...
|
Inviato: 19 Dic 2007 12:25 Oggetto: |
|
|
Ehm...
Non vorrei spegnere brutalmente il tuo entusiasmo. Se hai risolto, sono contento per te.
Ma, virtumonde, è uno dei virus più rognosi da eliminare.
Ti consiglio di fare comunque i passaggi che ti ho indicato, male non fanno.
PS: prometto che non ti costa nulla.  |
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 19 Dic 2007 12:28 Oggetto: |
|
|
ok....adesso provo..grazie... |
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 19 Dic 2007 12:47 Oggetto: |
|
|
fatto tutto cio' che mi hai consigliato...mi sa che avevi ragione...
vundo mi ha trovato 2 virus che mi ha cancellato, al riavvio ho eliminato i temp con ATF-Cleaner poi ho lanciato hijak...
questo e' il log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.44.08, on 19/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\HoverSnap (fotografa desktop)\HoverSnap.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\WINDOWS\system32\byxwtrq.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programmi\File comuni\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\FILECO~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: Mostra Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programmi\File comuni\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Collegamento a HoverSnap.lnk = C:\Programmi\HoverSnap (fotografa desktop)\HoverSnap.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{152DB784-17B6-44A3-BDAD-7F95A607995B}: NameServer = 151.99.125.2,151.99.125.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{152DB784-17B6-44A3-BDAD-7F95A607995B}: NameServer = 151.99.125.2,151.99.125.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: byxwtrq - byxwtrq.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Programmi\PDF Complete\pdfsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\FILECO~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe |
|
Top |
|
 |
bdoriano Amministratore


Registrato: 02/04/07 12:05 Messaggi: 14391 Residenza: 3° pianeta del sistema solare...
|
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 19 Dic 2007 14:45 Oggetto: |
|
|
fatto...ti riporto ora il nuovo log di hijack: e grazie ancora per la pazienza!!!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\HoverSnap (fotografa desktop)\HoverSnap.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\FILECO~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programmi\File comuni\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\FILECO~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: Mostra Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programmi\File comuni\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Collegamento a HoverSnap.lnk = C:\Programmi\HoverSnap (fotografa desktop)\HoverSnap.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{152DB784-17B6-44A3-BDAD-7F95A607995B}: NameServer = 151.99.125.2,151.99.125.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{152DB784-17B6-44A3-BDAD-7F95A607995B}: NameServer = 151.99.125.2,151.99.125.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: byxwtrq - byxwtrq.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Programmi\PDF Complete\pdfsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\FILECO~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe |
|
Top |
|
 |
bdoriano Amministratore


Registrato: 02/04/07 12:05 Messaggi: 14391 Residenza: 3° pianeta del sistema solare...
|
Inviato: 19 Dic 2007 16:13 Oggetto: |
|
|
Dovresti postare anche il log di combofix (c:\combofix.txt).  |
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 19 Dic 2007 16:15 Oggetto: |
|
|
eccolo....
ComboFix 07-12-19.3 - Administrator 2007-12-19 13.37.38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1497 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Creati Da 2007-11-19 al 2007-12-19 )))))))))))))))))))))))))))))))))))
.
2007-12-19 11:29 . 2007-12-19 11:29 <DIR> d-------- C:\VundoFix Backups
2007-12-18 17:09 . 2007-12-18 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2007-12-18 16:49 . 2007-12-18 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2007-12-18 16:43 . 2007-12-18 16:43 <DIR> d-------- C:\program files
2007-12-18 16:39 . 2007-12-18 16:39 <DIR> d-------- C:\Programmi\Yahoo!
2007-12-18 16:12 . 2007-12-18 16:23 <DIR> d-------- C:\Programmi\Enigma Software Group
2007-12-18 15:05 . 2007-12-18 15:05 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-18 15:01 . 2007-12-18 15:01 19,792 --a------ C:\Documents and Settings\Administrator\tipfrgkf.exe
2007-12-18 15:01 . 2007-12-18 15:01 19,792 --a------ C:\Documents and Settings\Administrator\rvruhgjr.exe
2007-12-18 07:57 . 2007-12-18 07:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-18 07:57 . 2007-12-18 07:57 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-17 09:22 . 2007-12-17 09:22 19,792 --a------ C:\Documents and Settings\Administrator\loypinlg.exe
2007-12-17 09:21 . 2007-12-17 09:26 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\ntr
2007-12-14 17:01 . 2007-12-18 15:11 377,805 --ahs---- C:\WINDOWS\system32\vvvwa.ini2
2007-12-14 16:25 . 2007-12-14 16:28 6,579 --ahs---- C:\WINDOWS\system32\qrqss.ini2
2007-12-14 08:19 . 2007-12-14 16:16 8,154 --ahs---- C:\WINDOWS\system32\xbadd.ini2
2007-12-12 15:18 . 2007-12-14 08:11 269,957 --ahs---- C:\WINDOWS\system32\ybeeg.ini2
2007-12-12 13:58 . 2007-12-19 12:18 <DIR> d-------- C:\Programmi\Spyware Doctor_5.1
2007-12-12 13:31 . 2007-12-12 13:53 <DIR> d-------- C:\Programmi\Crawler
2007-12-12 12:53 . 2007-12-18 15:15 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-12-12 12:52 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-12 12:44 . 2007-12-12 12:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-12 11:33 . 2007-12-12 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Grisoft
2007-12-12 10:48 . 2007-12-12 10:48 <DIR> d-------- C:\Programmi\Alwil Software
2007-12-12 10:48 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-12 10:48 . 2005-02-18 20:47 367,104 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-12 10:48 . 2005-02-18 20:41 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-12-12 10:48 . 2005-02-19 09:52 13,440 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-12 10:32 . 2007-12-12 11:16 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-12 10:32 . 2007-12-12 11:16 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-12 08:52 . 2007-12-12 08:52 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Symantec
2007-12-12 08:50 . 2007-12-12 08:50 <DIR> d-------- C:\Programmi\Windows Sidebar
2007-12-12 08:49 . 2007-12-18 12:18 <DIR> d-------- C:\Programmi\Norton Internet Security
2007-12-12 08:48 . 2007-12-12 09:58 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-12 08:48 . 2007-12-12 09:58 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-12 08:48 . 2007-12-12 09:58 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-12 08:48 . 2007-12-12 09:58 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-11 17:08 . 2007-12-11 17:09 <DIR> d-------- C:\Programmi\WinAViVideoConverter
2007-12-11 16:29 . 2007-12-12 12:43 <DIR> d-------- C:\Programmi\RichVideoCodec
2007-12-11 16:07 . 2007-12-12 14:10 29,427 --ahs---- C:\WINDOWS\system32\qttss.ini2
2007-12-11 11:40 . 2007-12-11 11:40 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\STOIK
2007-12-11 11:33 . 2007-12-19 07:57 <DIR> d-------- C:\Programmi\WinAVI Video Converter
2007-12-11 11:30 . 2007-12-12 07:38 <DIR> d-------- C:\Programmi\FreeRIP2
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 11:49 --------- d-----w C:\Programmi\eMule
2007-12-19 06:37 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2007-12-19 06:31 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2007-12-14 06:49 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Skype
2007-12-12 08:59 --------- d-----w C:\Programmi\QuickTime
2007-12-12 08:58 --------- d-----w C:\Programmi\Symantec
2007-12-12 07:43 --------- d-----w C:\Programmi\Norton AntiVirus
2007-12-12 06:38 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-11-16 07:48 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\EPSON
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 11:23 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\GibbHill Properties Ltd
2007-10-29 07:39 --------- d-----w C:\Programmi\File comuni\Real
2007-10-28 16:06 --------- d-----w C:\Programmi\Real
2007-10-22 05:50 --------- d-----w C:\Programmi\Java
2007-05-21 05:54 3,017,328 ----a-w C:\Programmi\PolarWebLink2_4_0.exe
2007-02-14 07:17 3,534,076 ----a-w C:\Programmi\eMule0.47c-Installer.exe
2007-02-05 13:31 3,014,256 ----a-w C:\Programmi\Polar_WebLink_2_3_4.exe
2007-02-05 13:09 1,706,596 ----a-w C:\Programmi\Polar Uplink Tool setup.exe
2007-01-30 11:23 9,453,630 ----a-w C:\Programmi\vlc-0.8.6a-win32.exe
2006-12-20 10:12 5,713,840 ----a-w C:\Programmi\Firefox Setup 2.0.0.1.exe
2007-01-30 09:17 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 20:51 316784 --a------ C:\Programmi\File comuni\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-12-12 08:50 116088 --a------ C:\PROGRA~1\FILECO~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Programmi\File comuni\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Gestore icona firma digitale di AutoCAD]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}
[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 11:18 136312 --a------ C:\WINDOWS\system32\AcSignIcon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 02:00]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 17:24]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 07:38]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [2007-08-24 22:07]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 02:00]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Tasto di scelta rapida per l'avvio di AutoCAD.lnk - C:\Programmi\File comuni\Autodesk Shared\acstart16.exe [2005-03-05 12:18:22]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwtrq]
byxwtrq.dll
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 pdfcDispatcher;PDF Document Manager;C:\Programmi\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService []
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-08-31 11:49]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b20ca11-22e7-11dc-9266-0019bbd68c70}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
*Newly Created Service* - COMHOST
.
Contenuto della cartella 'Scheduled Tasks'
"2007-12-18 06:09:36 C:\WINDOWS\Tasks\Norton Internet Security - Scansione completa sistema - Administrator.job"
- C:\Programmi\Norton Internet Security\Norton AntiVirus\Navw32.exei/TASK:
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 13:41:05
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Programmi\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
Ora fine scansione: 2007-12-19 13:41:34 - machine was rebooted
.
2007-12-12 08:53:13 --- E O F --- |
|
Top |
|
 |
bdoriano Amministratore


Registrato: 02/04/07 12:05 Messaggi: 14391 Residenza: 3° pianeta del sistema solare...
|
Inviato: 19 Dic 2007 18:06 Oggetto: |
|
|
Scarica avenger e scompattalo in una sua cartella non temporanea e non sul desktop
Avvia AVENGER
Clicca su input script manually
Clicca sulla lente d'ingrandimento
Inserisci queste righe:
Citazione: | files to delete:
C:\WINDOWS\system32\mcrh.tmp
C:\Documents and Settings\Administrator\tipfrgkf.exe
C:\Documents and Settings\Administrator\rvruhgjr.exe
C:\Documents and Settings\Administrator\loypinlg.exe
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\qttss.ini2
registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwtrq |
Clicca su Done
Clicca sul semaforo
Il pc dovrebbe riavviarsi, se così non fosse, riavvialo tu.
Al termine dell'operazione, posta qui il risultato con un log aggiornato di hijackthis.
Dopo, collegati a Kaspersky on-line scanner e fai la scansione estesa, come indicato qui.
Salva il risultato della scansione in un file (in formato HTML), carica il file su Freefilehosting e posta qui il link che ti viene assegnato. |
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 19 Dic 2007 18:13 Oggetto: |
|
|
ho caricato quelle stringhe in avenger ma dopo aver cliccato sul semaforo esce il seguente mess. di errore: selected files does not appear to be a valid script... |
|
Top |
|
 |
bdoriano Amministratore


Registrato: 02/04/07 12:05 Messaggi: 14391 Residenza: 3° pianeta del sistema solare...
|
Inviato: 19 Dic 2007 18:21 Oggetto: |
|
|
Non mi pare che avenger faccia differenza tra maiuscole e minuscole.
Proviamo dalla modalità provvisoria.
Disabilita il ripristino di sistema e avvia il pc in modalità provvisoria
Avvia AVENGER
Clicca su input script manually
Clicca sulla lente d'ingrandimento
Inserisci queste righe:
Citazione: | Files to delete:
C:\WINDOWS\system32\mcrh.tmp
C:\Documents and Settings\Administrator\tipfrgkf.exe
C:\Documents and Settings\Administrator\rvruhgjr.exe
C:\Documents and Settings\Administrator\loypinlg.exe
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\qttss.ini2
Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwtrq |
Clicca su Done
Clicca sul semaforo
Il pc dovrebbe riavviarsi, se così non fosse, riavvialo tu.
Al termine dell'operazione, posta qui il risultato con un log aggiornato di hijackthis.
Se non dovesse funzionare anche stavolta, fai queste scansioni con GMER e posta i logs su FreeFileHosting come indicato qui. |
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 20 Dic 2007 08:56 Oggetto: |
|
|
niente da fare con avenger...
ho fatto le scansioni con gmer e questo e' il risultato, grazie...
gmer52.txt |
|
Top |
|
 |
bdoriano Amministratore


Registrato: 02/04/07 12:05 Messaggi: 14391 Residenza: 3° pianeta del sistema solare...
|
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
|
Top |
|
 |
bdoriano Amministratore


Registrato: 02/04/07 12:05 Messaggi: 14391 Residenza: 3° pianeta del sistema solare...
|
Inviato: 20 Dic 2007 23:58 Oggetto: |
|
|
Facciamo una prova:
scarica questo file (lo script è fatto apposta per te) e scompattalo in una sua cartella.
Avvia il programma AvRunner.exe, premi Invio, poi digita Y e accetta il reboot. Al riavvio si dovrebbe aprire lo script di Avenger con l´esito delle operazioni fatte. Se ti sembra che non abbia fatto nulla, cioè dopo la riga Beginning to process script file: non c´è scritto cosa ha fatto, ma solo Completed script processing., prova ad riavviare AvRunner ancora una volta. Vediamo se riesce a combinare qualcosa.
Se l'operazione va a buon fine, posta un log aggiornato di hijackthis. |
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 21 Dic 2007 08:21 Oggetto: |
|
|
ok...fatto tutto ciò che mi hai consigliato:
Ecco il log di avenger:
//////////////////////////////////////////
AvRunner - www.suspectfile.com
//////////////////////////////////////////
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kvdjappm
*******************
Script file located at: \??\C:\vmrpleyh.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\mcrh.tmp deleted successfully.
File C:\Documents and Settings\Administrator\tipfrgkf.exe deleted successfully.
File C:\Documents and Settings\Administrator\rvruhgjr.exe deleted successfully.
File C:\Documents and Settings\Administrator\loypinlg.exe deleted successfully.
File C:\WINDOWS\system32\vvvwa.ini2 deleted successfully.
File C:\WINDOWS\system32\qrqss.ini2 deleted successfully.
File C:\WINDOWS\system32\xbadd.ini2 deleted successfully.
File C:\WINDOWS\system32\ybeeg.ini2 deleted successfully.
File C:\WINDOWS\system32\qttss.ini2 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwtrq deleted successfully.
Completed script processing.
*******************
Finished! Terminate. |
|
Top |
|
 |
cuchucambiasso Mortale devoto

Registrato: 19/12/07 08:24 Messaggi: 12
|
Inviato: 21 Dic 2007 08:22 Oggetto: |
|
|
...e quello di hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7.19.53, on 21/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\HoverSnap (fotografa desktop)\HoverSnap.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programmi\File comuni\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\FILECO~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: Mostra Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programmi\File comuni\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Collegamento a HoverSnap.lnk = C:\Programmi\HoverSnap (fotografa desktop)\HoverSnap.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{152DB784-17B6-44A3-BDAD-7F95A607995B}: NameServer = 151.99.125.2,151.99.125.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{152DB784-17B6-44A3-BDAD-7F95A607995B}: NameServer = 151.99.125.2,151.99.125.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Programmi\PDF Complete\pdfsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\FILECO~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
--
End of file - 8501 bytes |
|
Top |
|
 |
bdoriano Amministratore


Registrato: 02/04/07 12:05 Messaggi: 14391 Residenza: 3° pianeta del sistema solare...
|
Inviato: 22 Dic 2007 10:04 Oggetto: |
|
|
Il log di hijackthis sembra ok.
Per sicurezza, collegati a Kaspersky on-line scanner e fai la scansione estesa, come indicato qui.
Salva il risultato della scansione in un file (in formato HTML), carica il file su Freefilehosting e posta qui il link che ti viene assegnato. |
|
Top |
|
 |
|