Olimpo Informatico

[motopneus]

Buon giorno mi trovo qeste due cartelle nella cronologia e il computer si collega a internet da solo.
Qualcuno ne sà qualcosa?.potete aiutarmi
ho messo il log su freefilehosting,qesto è il link: log16.txt

grazie

[bdoriano]

Ciao motopneus,

Innanzitutto, complimenti, hai capito subito di quale log c'era bisogno.

Scarica avenger e scompattalo in una sua cartella non temporanea e non sul desktop

Avvia AVENGER
Clicca su input script manually
Clicca sulla lente d'ingrandimento
Inserisci queste righe:

[motopneus]

Carissimo Bdoriano
sono tornato ora da fuori ed ho eseguito quello che mi hai indicato, ottenendo questo log da AVENGER:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cvkwhsgp

*******************

Script file located at: \??\C:\Documents and Settings\mjqjtewn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SiSUSBrg.exe deleted successfully.
File C:\Programmi\Microsoft IntelliType Pro\itype.exe deleted successfully.
File C:\Programmi\Microsoft IntelliPoint\ipoint.exe deleted successfully.
File C:\Programmi\QuickTime\qttask.exe deleted successfully.
File C:\WINDOWS\system32\keyhook.exe deleted successfully.
File C:\WINDOWS\system32\NeroCheck.exe deleted successfully.
File C:\Programmi\Analog Devices\SoundMAX\SMTray.exe deleted successfully.
File C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe deleted successfully.
File C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe deleted successfully.
File move operation C:\WINDOWS\bak\SiSUSBrg.exe|C:\WINDOWS\SiSUSBrg.exe completed successfully.
File move operation C:\Programmi\Microsoft IntelliType Pro\bak\itype.exe|C:\Programmi\Microsoft IntelliType Pro\itype.exe completed successfully.
File move operation C:\Programmi\Microsoft IntelliPoint\bak\ipoint.exe|C:\Programmi\Microsoft IntelliPoint\ipoint.exe completed successfully.
File move operation C:\Programmi\QuickTime\bak\qttask.exe|C:\Programmi\QuickTime\qttask.exe completed successfully.
File move operation C:\WINDOWS\system32\bak\keyhook.exe|C:\WINDOWS\system32\keyhook.exe completed successfully.
File move operation C:\WINDOWS\system32\bak\NeroCheck.exe|C:\WINDOWS\system32\NeroCheck.exe completed successfully.
File move operation C:\Programmi\Analog Devices\SoundMAX\bak\SMTray.exe|C:\Programmi\Analog Devices\SoundMAX\SMTray.exe completed successfully.
File move operation C:\Programmi\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe|C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe completed successfully.
File move operation C:\Programmi\Java\jre1.6.0_03\bin\bak\jusched.exe|C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe completed successfully.

Completed script processing.

Cosa ne pensi?

appena potrò, riverificherò se si ricollega da solo al sito del virus e te lo farò sapere. grazie fin d'ora,

Paolo

[bdoriano]

Posta un log aggiornato di hijackthis.

Collegati a Kaspersky on-line scanner e fai la scansione estesa, come indicato qui.
Salva il risultato della scansione in un file (in formato HTML), carica il file su Freefilehosting e posta qui il link che ti viene assegnato.

[motopneus]

mentre ho potuto eseguire hijackthis -vedi log seguente- non mi è permesso fare l'online di Kaspersky perchè dice che la licenza è scaduta (credo che sia già stato utilizzato da questo comp). Cosa posso fare?
ciao, Paolo

Logfile of HijackThis v1.99.1
Scan saved at 11.15.15, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Microsoft IntelliType Pro\itype.exe
C:\Programmi\Microsoft IntelliPoint\ipoint.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
C:\WINDOWS\system32\sistray.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PR\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Programmi\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Porta Symantec Fax Starter Edition.lnk = C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103819076937
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Unknown owner - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

[Orange]