Olimpo Informatico

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Salve a tutti,sono nuova del forum.Vi ho trovati per caso,navigando in internet alla disperata ricerca di una soluzione per il mio problema.

Da alcuni giorni ho notato una particolare lentezza nella configurazione della pagina iniziale di internet explorer ed inoltre la connessione saltava di continuo.Dal momento che sono un'emerita analfabeta del pc,ho chiesto aiuto ad un conoscente che mi ha consigliato di scaricare la versione 7 di internet explore e di levare l'icona di google dalla barra strumenti.Le cose sono migliorate,ma nella cronologia giornaliera mi ritrovo puntualmente siti come doginhispen,skitodayplease con varie numerazioni,che purtroppo ho stupidamente cancellato...

Spero tanto possiate aiutarmi...Grazie!

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Ho ricontrollato la cronologia dopo aver spento e riconnesso il computer e tra i siti visitati mi risultano nuovamente a.doginhispen.com b.skitodayplease.com 88.80.7.66.Aprendo queste pagine compare il numero 14400.

Vorrei riportare uno scan con hjiackthis,ma non so come effettuare il copia e incolla sul forum.Qualcuno può aiutarmi?

bdoriano

Ciao Mau21, Ciao

Segui le istruzioni di questo topic per postare il log di hijackthis.

PS: se vuoi, puoi presentarti qui

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Ciao bdoriano,
per prima cosa ti voglio ringraziare per aver risposto al mio appello.Ho eseguito le operazioni che mi hai indicato con il link,ma non riesco ad incollare sul forum la schermata che ho ottenuto.Quale tasto devo calcare per incollare la schermata sul forum,dopo aver selezionato tutto il testo ottenuto?

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21.43.17, on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\sistray.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\bak\PCLETray.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O5 "LPT1:" /M "Stylus CX3600"
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series (Copia 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P36 "EPSON Stylus CX3600 Series (Copia 1)" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programmi\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{87798516-BDD0-4E54-A2BB-AE0480A9DE7C}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4749 bytes

bdoriano

ll log di hijackthis sembra pulito.

Fai la scansione con FindAWF

PS: hai visto che non è difficile copiare-incollare? Wink

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Magari sembra pulito,ma c'è qualcosa che non va perchè quei famosi siti ricompaiono sempre nella cronologia da una settimana ormai... Sad

Find AWF report by noahdfear ©2006
Version 1.40

bak folders found
~~~~~~~~~~~

Il volume nell'unit? C non ha etichetta.
Numero di serie del volume: 583F-6277

Directory di C:\WINDOWS\BAK

12/07/2002 11.15 106.496 SiSUSBrg.exe
1 File 106.496 byte
2 Directory 75.298.492.416 byte disponibili
Il volume nell'unit? C non ha etichetta.
Numero di serie del volume: 583F-6277

Directory di C:\PROGRA~1\MESSEN~1\BAK

0 File 0 byte
2 Directory 75.298.492.416 byte disponibili
Il volume nell'unit? C non ha etichetta.
Numero di serie del volume: 583F-6277

Directory di C:\WINDOWS\SYSTEM32\BAK

19/08/2004 15.39 15.360 ctfmon.exe
10/11/2003 15.06 406.016 PSDrvCheck.exe
2 File 421.376 byte
2 Directory 75.298.488.320 byte disponibili
Il volume nell'unit? C non ha etichetta.
Numero di serie del volume: 583F-6277

Directory di C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

31/07/2007 15.15 68.856 GoogleToolbarNotifier.exe
1 File 68.856 byte
2 Directory 75.298.488.320 byte disponibili
Il volume nell'unit? C non ha etichetta.
Numero di serie del volume: 583F-6277

Directory di C:\PROGRA~1\INCRED~1\BIN\BAK

07/12/2005 17.49 200.747 IncMail.exe
1 File 200.747 byte
2 Directory 75.298.488.320 byte disponibili
Il volume nell'unit? C non ha etichetta.
Numero di serie del volume: 583F-6277

Directory di C:\PROGRA~1\PINNACLE\SHARED~1\INSTAN~1\BAK

02/09/2004 09.37 770.048 PCLETray.exe
1 File 770.048 byte
2 Directory 75.298.488.320 byte disponibili
Il volume nell'unit? C non ha etichetta.
Numero di serie del volume: 583F-6277

Directory di C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

04/03/2004 04.00 98.304 E_FATI9BE.EXE
1 File 98.304 byte
2 Directory 75.298.488.320 byte disponibili

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 6 Jan 2008 "C:\WINDOWS\SiSUSBrg.exe"
106496 12 Jul 2002 "C:\WINDOWS\bak\SiSUSBrg.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 6 Jan 2008 "C:\WINDOWS\system32\PSDrvCheck.exe"
406016 10 Nov 2003 "C:\WINDOWS\system32\bak\PSDrvCheck.exe"
14348 6 Jan 2008 "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 31 Jul 2007 "C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
214456 30 Dec 2007 "C:\Programmi\IncrediMail\bin\IncMail.exe"
200747 7 Dec 2005 "C:\Programmi\IncrediMail\bin\bak\IncMail.exe"
214456 30 Dec 2007 "C:\Documents and Settings\Utente\Impostazioni locali\Temp\IncrediMail\IMInstall\binaries\IncMail.exe"
14348 6 Jan 2008 "C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe"
770048 2 Sep 2004 "C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\bak\PCLETray.exe"
14348 6 Jan 2008 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9BE.EXE"
98304 4 Mar 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx360043de\E_FATI9BE.EXE"
98304 4 Mar 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9BE.EXE"

end of report

bdoriano

Scarica avenger e scompattalo in una sua cartella non temporanea e non sul desktop

Avvia AVENGER
Clicca su input script manually
Clicca sulla lente d'ingrandimento
Inserisci queste righe (copia-incolla):

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\udehsnji

*******************

Script file located at: \??\C:\aramrher.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SiSUSBrg.exe deleted successfully.
File C:\WINDOWS\system32\PSDrvCheck.exe deleted successfully.
File C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe deleted successfully.
File C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe deleted successfully.
File C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9BE.EXE deleted successfully.
File move operation C:\WINDOWS\bak\SiSUSBrg.exe|C:\WINDOWS\SiSUSBrg.exe completed successfully.
File move operation C:\WINDOWS\system32\bak\PSDrvCheck.exe|C:\WINDOWS\system32\PSDrvCheck.exe completed successfully.
File move operation C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe|C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe completed successfully.
File move operation C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\bak\PCLETray.exe|C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe completed successfully.
File move operation C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9BE.EXE|C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9BE.EXE completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.25.57, on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\sistray.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O5 "LPT1:" /M "Stylus CX3600"
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series (Copia 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P36 "EPSON Stylus CX3600 Series (Copia 1)" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programmi\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{87798516-BDD0-4E54-A2BB-AE0480A9DE7C}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4782 bytes

bdoriano

Scarica DelDomains sul desktop (clic con destro sul link e scegli Salva con nome)
Poi clic con destro sul file DelDomains che hai salvato sul desktop e seleziona Installa.

Collegati a Kaspersky on-line scanner e fai la scansione estesa, come indicato qui.
Salva il risultato della scansione in un file (in formato HTML), carica il file su Freefilehosting e posta qui il link che ti viene assegnato.

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

ComboFix 08-01-09.2 - Utente 2008-01-11 22.34.10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.198 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Utente\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((( Files Creati Da 2007-12-11 al 2008-01-11 )))))))))))))))))))))))))))))))))))
.

2008-01-11 22:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 22:25 . 2008-01-11 22:25 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-11 10:18 . 2008-01-11 10:18 <DIR> d-------- C:\Programmi\Trend Micro
2008-01-10 14:27 . 2008-01-10 14:27 <DIR> d-------- C:\Programmi\Alwil Software
2008-01-10 14:27 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-10 14:27 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-10 14:27 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-10 14:27 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-10 14:27 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-10 14:27 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-10 14:27 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-10 14:27 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-10 12:15 . 2008-01-10 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-01-10 11:04 . 2008-01-10 11:12 <DIR> d-------- C:\Programmi\XoftSpySE
2008-01-08 22:28 . 2008-01-08 22:28 <DIR> d-------- C:\WINDOWS\system32\it-it
2008-01-06 21:42 . 2008-01-11 22:22 <DIR> d-------- C:\WINDOWS\system32\bak
2008-01-06 21:42 . 2008-01-11 22:22 <DIR> d-------- C:\WINDOWS\bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 15:16 --------- d-----w C:\Programmi\Google
2008-01-09 19:20 --------- d-----w C:\Programmi\IncrediMail
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:27 727,552 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-05 06:58 41,736 ----a-w C:\Documents and Settings\Utente\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 200,747 2005-12-07 16:49:28 C:\Programmi\IncrediMail\bin\bak\IncMail.exe
----a-w 214,456 2007-12-30 16:34:46 C:\Programmi\IncrediMail\bin\IncMail.exe

----a-w 15,360 2004-08-19 14:39:36 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-19 14:39:36 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
"InstantTray"="C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe" [2004-09-02 09:37 770048]
"IncrediMail"="C:\Programmi\IncrediMail\bin\IncMail.exe" [2007-12-30 17:34 214456]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 11:15 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 10:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 15:06 406016]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.exe" [2004-03-04 04:00 98304]
"EPSON Stylus CX3600 Series (Copia 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.exe" [2004-03-04 04:00 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-08-04 09:24:16]

R0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys [2003-08-01 13:47]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2004-09-01 13:50]
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2004-08-03 10:10]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]

*Newly Created Service* - PROCEXP90
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-11 21:22:59 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Programmi\XoftSpySE\XoftSpy.exe
"2008-01-10 10:04:25 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Programmi\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 22:35:36
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-11 22.36.45
.
2008-01-09 16:23:30 --- E O F ---

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.41.40, on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\system32\sistray.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O5 "LPT1:" /M "Stylus CX3600"
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series (Copia 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P36 "EPSON Stylus CX3600 Series (Copia 1)" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Programmi\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programmi\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{87798516-BDD0-4E54-A2BB-AE0480A9DE7C}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4676 bytes

bdoriano

I logs sembrano puliti.
Hai fatto questi passaggi:

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Sto procedendo con Kaspersky come mi hai detto.Al termine dovrò disattivare avast e spybot (credo...).Come faccio a disattivarli?Grazie!

Inoltre nel cestino di avast ci sono 3 virus!

bdoriano

Dovrai disattivare solo Avast. Wink

Clicca con il tasto dx del mouse sull'icona vicino all'orologio e dovrebbe esserci una voce Disattiva o qualcosa di simile.
PS: non uso Avast.

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Purtroppo la mia zona non è coperta da ADSL,dunque ho una connessione lenta e di conseguenza con il download di kaspersky sono solo al 40%... Se non puoi trattenerti lo capisco!

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Ho eseguito tutta la procedura che mi hai richiesto e non sono state rilevate infezioni...
Ora,non so se questa cosa sia positiva o negativa Confused

Ho ricontrollato la cronologia,dopo aver fatto una pulitura con Cleaner e i famigerati siti malefici non risultano più,ma non compare più nemmeno la cronologia dei giorni precedenti ad oggi,sebbene io non l'abbia cancellata...

bdoriano

Mau21 · Mortale devoto Registrato: 11/01/08 13:17 Messaggi: 13

Attualmente non riscontro problemi e nella cronologia non sono ancora ricomparsi i siti incriminati,ma purtroppo la scorsa volta il problema è ricomparso nella cronologia a partire dai 2 giorni successivi alle operazioni che ho svolto su consiglio del mio amico.Dunque non mi resta che aspettare e vedere ciò che accadrà nei prossimi giorni.
Per il momento ti ringrazio per la tua disponibilità e infinita pazienza.Ti farò sapere presto! Ciao Ciao