MaurizioPT (Mortale pio)
Registered: 15/01/08 17:02  Posts: 20  Location: Valdinievole
Posted: 15 Jan 2008 17:22  Subject: Help! My PC infected by BHO.AGENT.GX

First of all, as a new member of this forum (although I have often consulted it in the past), greetings to everyone!
Unfortunately this first post of mine starts right away with a problem:
a few weeks ago, while visiting a site where you can play chess online against a program (URL: www.flashgames.it/easy.chess.html ), I "caught" what looks to me like a trojan: BHO.AGENT.GX, at least according to my antivirus (avast), which keeps warning me that the file C:\Windows\system32\apcupsv.dll is infected and asks me to block it.
The same antivirus was, however, unable to prevent the infection: I assume I caught it before avast (which I update every day) released the specific update.
In the days immediately after the infection I tried to restore a system configuration from before the moment I caught the trojan, but I noticed that all the earlier restore points had been wiped, so it was impossible for me to do so.
The trojan in question is also detected by VirIT, which I downloaded after seeing it recommended on these pages, but it cannot remove it, and neither can I do so manually.
Again by reading these pages and following your valuable advice, I downloaded ComboFix and HijackThis, scanned the PC with both and saved the respective logs, which I can post if necessary.
In particular, ComboFix gives me this result (I quote an excerpt of the logfile):
C:\WINDOWS\system32\apcupsv.dll . . . . Eliminazione Fallita
C:\WINDOWS\system32\dpv11p.dll . . . . Eliminazione Fallita
My questions are:
1) When Avast asks me to click a button, in which case it says that the "file will not be activated", is it at least able, for the moment, to prevent damage, even though it cannot remove the file?
2) What kind of damage can I expect from this trojan?
3) Is there an effective procedure for getting rid of the problem? If so, is there anyone among you who can help me?
Bear in mind that, although I am not completely computer-illiterate, my skills are those of an ordinary user and certainly not those of a sysadmin: so I ask you for a little patience in your explanations.

Sante62 (Dio maturo)
Registered: 27/06/07 17:55  Posts: 3477  Location: Floridia
Posted: 15 Jan 2008 20:17

Hi MaurizioPT and welcome...
Post the logs you made. For the HJT one, don't post the one you have already saved, but make a fresh one...

MaurizioPT (Mortale pio)
Registered: 15/01/08 17:02  Posts: 20  Location: Valdinievole
Posted: 15 Jan 2008 23:16

Thanks for the welcome and also for the speed in replying to my question.
In the meantime I have also read the instructions that bdoriano gives, in the dedicated thread, to those who, like me, ask for help.
Taking them into account, I add this information about my PC:
OS: Windows XP
Antivirus: Avast v.4.7 free
Antispyware: Spybot S&D v.1.4, last updated 12/12/07 (alas...)
Firewall: only the one built into Win XP
To date, only Avast informs me of the presence of the trojan (I presume Spybot will do so too once updated, but at the moment I cannot say so with certainty).
The HJT log, just run as per the instructions Sante62 gave me:
Logfile of HijackThis v1.99.1
Scan saved at 22.00.59, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\n5dbepqc.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\COMPAQ~1\IMPOST~1\Temp\Directory temporanea 2 per hijackthis_199.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/advanced_search?hl=it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {470785E1-7CC6-4300-A2F4-110A1CA26E95} - C:\WINDOWS\system32\apcupsv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} - c:\windows\system32\dpv11p.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Programmi\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Controllo del Calendario di Ulead Photo Express.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171042277281
O17 - HKLM\System\CCS\Services\Tcpip\..\{875FB104-57DF-49FD-A856-FF0315694BF5}: NameServer = 193.12.150.2 212.247.152.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: bdcogolu - C:\WINDOWS\SYSTEM32\dpv11p.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
What follows is instead the ComboFix logfile, run this afternoon:
ComboFix 08-01-09.2 - Compaq_Administrator 2008-01-15 15.29.59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.557 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\apcupsv.dll . . . . Eliminazione Fallita
C:\WINDOWS\system32\dpv11p.dll . . . . Eliminazione Fallita
.
((((((((((((((((((((((((( Files Creati Da 2007-12-15 al 2008-01-15 )))))))))))))))))))))))))))))))))))
.
2008-01-15 15:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-18 23:57 . 2007-12-18 23:57 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-18 23:57 . 2007-12-18 23:57 741,632 --a------ C:\WINDOWS\system32\rmwejywg.dat
2007-12-18 23:57 . 2007-12-18 23:57 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-18 23:57 . 2007-12-18 23:57 42,240 --a------ C:\WINDOWS\system32\fwvtvfyp.dat
2007-12-18 23:57 . 2008-01-12 18:53 36,608 --a------ C:\WINDOWS\system32\snxraxtv.dat
2007-12-18 23:57 . 2007-12-18 23:57 35,072 --a------ C:\WINDOWS\system32\upntlzff.dat
2007-12-18 02:43 . 2007-12-18 02:43 <DIR> d-------- C:\QUARANTENA_VIRIT
2007-12-18 02:03 . 2008-01-08 20:56 36,096 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2007-12-18 02:02 . 2008-01-12 11:36 <DIR> d-------- C:\VEXPLITE
2007-12-17 23:53 . 2007-12-25 21:16 120,576 --a------ C:\WINDOWS\system32\zckcxumx.dat
2007-12-17 21:44 . 2007-12-23 21:07 84,992 --a------ C:\WINDOWS\system32\dpv11p.dll
2007-12-17 21:44 . 19,584 C:\WINDOWS\system32\drivers\ilhxoqfb.dat
2007-12-17 21:44 . 2007-05-06 20:26 16,896 --a------ C:\WINDOWS\system32\n5dbepqc.exe
2007-12-17 21:43 . 2004-09-06 22:00 84,992 --a------ C:\WINDOWS\system32\apcupsv.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 00:02 --------- d-----w C:\Programmi\mIRC
2007-12-18 01:55 --------- d-----w C:\Programmi\Google
2007-12-17 23:52 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-01 16:34 --------- d-----w C:\Programmi\WinMX
2007-12-01 16:33 --------- d-----w C:\Programmi\MXpie Patch
2007-04-25 15:54 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-15_15.22.19.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-15 14:33:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_504.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{470785E1-7CC6-4300-A2F4-110A1CA26E95}]
2004-09-06 22:00 84992 --a------ C:\WINDOWS\system32\apcupsv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{917C5EA1-2FC3-432E-B8E8-2EB72DC8038E}]
2007-12-23 21:07 84992 --a------ c:\windows\system32\dpv11p.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"n5dbepqc"="C:\WINDOWS\system32\n5dbepqc.exe" [2007-05-06 20:26 16896]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-17 22:40 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 13:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-22 00:56 16261632 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 16:19 77312 C:\WINDOWS\arpwrmsg.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 15:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Programmi\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 15:34 249856]
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPwuSchd2.exe" [2005-02-16 23:11 49152]
"SpeedTouch USB Diagnostics"="C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 17:41 57344]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2006-11-24 12:50 180269]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"n5dbepqc"="C:\WINDOWS\system32\n5dbepqc.exe" [2007-05-06 20:26 16896]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-01-11 22:10 245760]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-09-06 22:00 397824]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Controllo del Calendario di Ulead Photo Express.lnk - C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2007-08-19 10:33:07]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-02-09 19:03:40]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bdcogolu]
dpv11p.dll 2007-12-23 21:07 84992 C:\WINDOWS\system32\dpv11p.dll
R0 ehxheznv;ehxheznv;C:\WINDOWS\system32\drivers\ilhxoqfb.dat []
R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-01-08 20:56]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-01-11 22:10]
R3 S6U12Scanner;MUSTEK 1200 CU Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 21:58]
R3 usbstor;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-09-06 22:00]
S2 jngmahqq; inoltratore traffico IPXSupport;C:\WINDOWS\System32\svchost.exe [2004-09-06 22:00]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jngmahqq
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-14 20:00:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2007-12-17 23:52:08 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 15:34:39
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-15 15:37:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 14:37:08
ComboFix2.txt 2008-01-15 14:22:44
.
2008-01-10 01:40:43 --- E O F ---
I should add that, in the meantime, I have uninstalled VirIT.

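The HijackThis log in the post above is the kind of listing a forum helper reads by eye, looking for the Virtumonde/Vundo pattern: a BHO with "(no name)" loading from system32, the same DLL hooked as a Winlogon Notify package, and a random-named executable autostarted from both Run keys. The script below is an added example, not code from the thread or from the HijackThis project, that encodes those three checks and runs them over a constructed excerpt of the posted log. The regular expressions, the vowel-ratio heuristic in `looks_random` and the finding categories are my own assumptions about how to automate the triage, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: a subset of the HijackThis 1.99.1 lines posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {470785E1-7CC6-4300-A2F4-110A1CA26E95} - C:\WINDOWS\system32\apcupsv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} - c:\windows\system32\dpv11p.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Programmi\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O4 - HKCU\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O20 - Winlogon Notify: bdcogolu - C:\WINDOWS\SYSTEM32\dpv11p.dll
"""

# Line formats of the three HijackThis sections this triage looks at (assumed from the log above).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str       # category of the indicator
    artifact: str   # file the indicator points at
    reason: str     # why it was flagged


def basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1].lower()


def in_system32(path: str) -> bool:
    """True for a file sitting directly in the system32 directory (not a subfolder)."""
    return re.search(r"\\system32\\[^\\]+$", path.strip(), re.I) is not None


def looks_random(stem: str) -> bool:
    """Cheap entropy proxy: a name of 6+ characters with very few vowels, e.g. 'n5dbepqc'."""
    if len(stem) < 6 or not any(c.isalpha() for c in stem):
        return False
    vowels = sum(c in "aeiouy" for c in stem.lower())
    return vowels / len(stem) <= 0.25


def command_path(cmd: str) -> str:
    """Executable path from an O4 command line, whether quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    bho_dlls: Set[str] = set()
    run_targets: Dict[str, List[str]] = {}   # executable -> hives that autostart it
    notifies = []
    for raw in lines:
        line = raw.strip()
        if m := BHO_RE.match(line):
            bho_dlls.add(basename(m["path"]))
            # An unnamed BHO is not suspicious by itself (Spybot's SDHelper has none),
            # but an unnamed BHO loading straight out of system32 is the Vundo signature.
            if m["name"] == "(no name)" and in_system32(m["path"]):
                findings.append(Finding("unnamed-bho", m["path"],
                    "BHO {%s} has no registered name and loads from system32" % m["clsid"]))
        elif m := RUN_RE.match(line):
            run_targets.setdefault(command_path(m["cmd"]), []).append(m["hive"])
        elif m := NOTIFY_RE.match(line):
            notifies.append((m["key"], m["path"]))
    for key, path in notifies:
        stem = basename(path).rsplit(".", 1)[0]
        # Notify packages run inside winlogon.exe; flag one that is also a BHO or has a random name.
        if basename(path) in bho_dlls or looks_random(stem):
            reason = "Winlogon Notify package '%s' runs inside winlogon.exe" % key
            if basename(path) in bho_dlls:
                reason += "; the same DLL is also registered as a BHO"
            findings.append(Finding("winlogon-notify", path, reason))
    for path, hives in run_targets.items():
        stem = basename(path).rsplit(".", 1)[0]
        if in_system32(path) and looks_random(stem):
            findings.append(Finding("random-run-entry", path,
                "random-looking executable in system32 autostarted via %s" % "+".join(hives)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG.strip().splitlines()):
        print("[%s] %s: %s" % (f.kind, f.artifact, f.reason))
```

To run it over a real log, pass `open(path, encoding="cp1252").read().splitlines()` to `triage` instead of the sample; the output is a list of leads to review, not a verdict, and a legitimate Notify package or Run entry can still trip the name heuristic.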
bdoriano (Administrator)
Registered: 02/04/07 12:05  Posts: 14391  Location: 3rd planet of the solar system...
Posted: 16 Jan 2008 01:09

These look like traces of Virtumonde...
Follow this procedure:
- Download VundoFix and VirtumundoBegone and save them to the desktop.
- Run VundoFix
Select Scan for Vundo and, when the scan has finished, choose Remove Vundo.
Click Yes and, when asked to restart the PC, answer Ok.
On restart, Notepad should open with the log inside; copy its contents and post them on the forum.
- Now boot into safe mode
Run VirtumundoBeGone and follow the on-screen instructions.
Restart the PC in normal mode and post the log.
- Follow the instructions in this topic to post the ComboFix log.
- Also make a new HijackThis log and put it here.

MaurizioPT (Mortale pio)
Registered: 15/01/08 17:02  Posts: 20  Location: Valdinievole
Posted: 16 Jan 2008 14:48

Thanks for the advice: I'll see to it today!
In the meantime I did a thorough scan of the PC with Avast free, obviously fully updated, and (strangely) it found no problems with the files I wrote about at the start, but rather with the files:
C:\windows\pchealth\errorrep\userdumps\winlogon.exe.200712
C:\windows\pchealth\errorrep\userdumps\winlogon.exe.200801
Avast attributes the problem to the malware (trojan) Win32:delf.hpr [trj]
However, at least in this case, Avast seems to have removed the problem, having successfully moved these files to the chest.

MaurizioPT (Mortale pio)
Registered: 15/01/08 17:02  Posts: 20  Location: Valdinievole
Posted: 16 Jan 2008 15:21

First stages completed.
VundoFix found nothing (it didn't even generate a log, but the message it gave me at the end of the scan said it had detected no problem).
Now I'll go ahead with VirtumundoBeGone and then report on the outcome.

MaurizioPT (Mortale pio)
Registered: 15/01/08 17:02  Posts: 20  Location: Valdinievole
Posted: 16 Jan 2008 15:59

OK, the work bdoriano suggested is done!
As I wrote before, VundoFix found nothing and generated no logs.
VirtumundoBeGone likewise (at least to my layman's eyes), and it generated this report:
[01/16/2008, 14:30:17] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Compaq_Administrator\Desktop\VirtumundoBeGone.exe" )
[01/16/2008, 14:30:25] - Detected System Information:
[01/16/2008, 14:30:26] - Windows Version: 5.1.2600, Service Pack 2
[01/16/2008, 14:30:26] - Current Username: Administrator (Admin)
[01/16/2008, 14:30:26] - Windows is in SAFE mode with Networking.
[01/16/2008, 14:30:26] - Searching for Browser Helper Objects:
[01/16/2008, 14:30:26] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Supporto di collegamento per Adobe PDF Reader)
[01/16/2008, 14:30:26] - BHO 2: {470785E1-7CC6-4300-A2F4-110A1CA26E95} ()
[01/16/2008, 14:30:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/16/2008, 14:30:26] - Checking for HKLM\...\Winlogon\Notify\apcupsv
[01/16/2008, 14:30:26] - Key not found: HKLM\...\Winlogon\Notify\apcupsv, continuing.
[01/16/2008, 14:30:26] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/16/2008, 14:30:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/16/2008, 14:30:26] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/16/2008, 14:30:26] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/16/2008, 14:30:26] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/16/2008, 14:30:26] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[01/16/2008, 14:30:26] - BHO 6: {917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} ()
[01/16/2008, 14:30:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/16/2008, 14:30:26] - Checking for HKLM\...\Winlogon\Notify\dpv11p
[01/16/2008, 14:30:26] - Key not found: HKLM\...\Winlogon\Notify\dpv11p, continuing.
[01/16/2008, 14:30:26] - Finished Searching Browser Helper Objects
[01/16/2008, 14:30:26] - Finishing up...
[01/16/2008, 14:30:26] - Nothing found! Exiting...
ComboFix, used according to the instructions, generated the following log:
ComboFix 08-01-09.2 - Compaq_Administrator 2008-01-16 14.35.27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.593 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\apcupsv.dll . . . . Eliminazione Fallita
C:\WINDOWS\system32\dpv11p.dll . . . . Eliminazione Fallita
.
((((((((((((((((((((((((( Files Creati Da 2007-12-16 al 2008-01-16 )))))))))))))))))))))))))))))))))))
.
2008-01-16 13:52 . 2008-01-16 13:52 <DIR> d-------- C:\VundoFix Backups
2008-01-15 15:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-18 23:57 . 2007-12-18 23:57 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-18 23:57 . 2007-12-18 23:57 741,632 --a------ C:\WINDOWS\system32\rmwejywg.dat
2007-12-18 23:57 . 2007-12-18 23:57 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-18 23:57 . 2007-12-18 23:57 42,240 --a------ C:\WINDOWS\system32\fwvtvfyp.dat
2007-12-18 23:57 . 2008-01-12 18:53 36,608 --a------ C:\WINDOWS\system32\snxraxtv.dat
2007-12-18 23:57 . 2007-12-18 23:57 35,072 --a------ C:\WINDOWS\system32\upntlzff.dat
2007-12-18 02:43 . 2007-12-18 02:43 <DIR> d-------- C:\QUARANTENA_VIRIT
2007-12-18 02:03 . 2008-01-08 20:56 36,096 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2007-12-18 02:02 . 2008-01-15 21:48 <DIR> d-------- C:\VEXPLITE
2007-12-17 23:53 . 2007-12-25 21:16 120,576 --a------ C:\WINDOWS\system32\zckcxumx.dat
2007-12-17 21:44 . 2007-12-23 21:07 84,992 --a------ C:\WINDOWS\system32\dpv11p.dll
2007-12-17 21:44 . 19,584 C:\WINDOWS\system32\drivers\ilhxoqfb.dat
2007-12-17 21:44 . 2007-05-06 20:26 16,896 --a------ C:\WINDOWS\system32\n5dbepqc.exe
2007-12-17 21:43 . 2004-09-06 22:00 84,992 --a------ C:\WINDOWS\system32\apcupsv.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 17:36 --------- d-----w C:\Programmi\mIRC
2007-12-18 01:55 --------- d-----w C:\Programmi\Google
2007-12-17 23:52 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-01 16:34 --------- d-----w C:\Programmi\WinMX
2007-12-01 16:33 --------- d-----w C:\Programmi\MXpie Patch
2007-04-25 15:54 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-15_15.22.19.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-16 13:39:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_504.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{470785E1-7CC6-4300-A2F4-110A1CA26E95}]
2004-09-06 22:00 84992 --a------ C:\WINDOWS\system32\apcupsv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{917C5EA1-2FC3-432E-B8E8-2EB72DC8038E}]
2007-12-23 21:07 84992 --a------ c:\windows\system32\dpv11p.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"n5dbepqc"="C:\WINDOWS\system32\n5dbepqc.exe" [2007-05-06 20:26 16896]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-17 22:40 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 13:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-22 00:56 16261632 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 16:19 77312 C:\WINDOWS\arpwrmsg.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 15:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Programmi\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 15:34 249856]
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPwuSchd2.exe" [2005-02-16 23:11 49152]
"SpeedTouch USB Diagnostics"="C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 17:41 57344]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2006-11-24 12:50 180269]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"n5dbepqc"="C:\WINDOWS\system32\n5dbepqc.exe" [2007-05-06 20:26 16896]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-09-06 22:00 397824]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Controllo del Calendario di Ulead Photo Express.lnk - C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2007-08-19 10:33:07]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-02-09 19:03:40]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bdcogolu]
dpv11p.dll 2007-12-23 21:07 84992 C:\WINDOWS\system32\dpv11p.dll
R0 ehxheznv;ehxheznv;C:\WINDOWS\system32\drivers\ilhxoqfb.dat []
R3 S6U12Scanner;MUSTEK 1200 CU Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 21:58]
R3 usbstor;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-09-06 22:00]
S2 jngmahqq; inoltratore traffico IPXSupport;C:\WINDOWS\System32\svchost.exe [2004-09-06 22:00]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jngmahqq
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-14 20:00:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2007-12-17 23:52:08 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 14:41:02
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-16 14:43:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 13:43:29
ComboFix2.txt 2008-01-15 14:37:11
ComboFix3.txt 2008-01-15 14:22:44
.
2008-01-10 01:40:43 --- E O F ---
In this ComboFix log I notice that this passage (which was also in the previous log) is still there:
C:\WINDOWS\system32\apcupsv.dll . . . . Eliminazione Fallita
C:\WINDOWS\system32\dpv11p.dll . . . . Eliminazione Fallita
Why does it try to delete these 2 files and fail?
The first of these 2 files is the same one Avast was reporting as infected (although since yesterday this warning has not appeared any more, even though I am using the PC the same way as in the past days).
Finally, HijackThis, in the scan I did a short while ago, generates this log:
Logfile of HijackThis v1.99.1
Scan saved at 14.46.12, on 16/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\n5dbepqc.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\DOCUME~1\COMPAQ~1\IMPOST~1\Temp\Directory temporanea 1 per hijackthis_199.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/advanced_search?hl=it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {470785E1-7CC6-4300-A2F4-110A1CA26E95} - C:\WINDOWS\system32\apcupsv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} - c:\windows\system32\dpv11p.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Programmi\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Controllo del Calendario di Ulead Photo Express.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171042277281
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: bdcogolu - C:\WINDOWS\SYSTEM32\dpv11p.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
In this latest log I note with (a layman's?!?) concern the following passage, where the two files that worry me show up again:
O2 - BHO: (no name) - {470785E1-7CC6-4300-A2F4-110A1CA26E95} - C:\WINDOWS\system32\apcupsv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} - c:\windows\system32\dpv11p.dll
Is it serious, doctor?
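The entries the poster singles out are the classic persistence picture for this kind of infection: two nameless BHOs loaded from system32 (O2), a Winlogon Notify package with a random eight-character name that points at one of the same DLLs (O20), and a random-named executable registered under both the HKLM and HKCU Run keys (O4). The script below is an added example, not part of the thread and not HijackThis code: it parses entries in the HijackThis 1.99.1 log format, applies those three heuristics, and then cross-references every section that mentions a flagged file, so a DLL that is both a BHO and a Winlogon Notify package shows up once with both reasons. The sample log is constructed from entries copied out of the logs posted above; the heuristics themselves (eight lowercase alphanumerics counts as a random name, a nameless BHO living in system32 is suspect) are assumptions of this example, which is why Spybot's own nameless SDHelper.dll under Program Files is deliberately not flagged.

```python
"""Triage a HijackThis 1.99.1 log for the persistence patterns seen in this thread.

Added example: not code from the forum thread and not part of HijackThis.
The heuristics are assumptions of this example, not rules the tool applies.
"""
import re

# Constructed sample: entries copied from the HijackThis logs posted in the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {470785E1-7CC6-4300-A2F4-110A1CA26E95} - C:\WINDOWS\system32\apcupsv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} - c:\windows\system32\dpv11p.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O4 - HKCU\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: bdcogolu - C:\WINDOWS\SYSTEM32\dpv11p.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.+?)\]\s*(.*)$")
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)
# Heuristic (assumption): names like n5dbepqc / bdcogolu, 8 lowercase alphanumerics.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$")


def parse_hjt(text):
    """Yield (section, body) for every entry line, e.g. ('O2', 'BHO: (no name) - ...')."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def split_o2(body):
    """'BHO: <name> - {CLSID} - <path>' -> (name, path); the path may itself contain ' - '."""
    parts = body[len("BHO: "):].split(" - ")
    return parts[0], " - ".join(parts[2:])


def split_o20(body):
    """'Winlogon Notify: <name> - <path>' -> (name, path)."""
    name, _, path = body[len("Winlogon Notify: "):].partition(" - ")
    return name, path


def split_o4(body):
    """'HKLM\\..\\Run: [<name>] <command>' -> (hive, name, exe path) or None."""
    m = RUN_RE.match(body)
    if not m:
        return None
    exe = EXE_RE.match(m.group(3))
    return m.group(1), m.group(2), exe.group(1) if exe else m.group(3)


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(text):
    """Return {lower-cased path: [reasons]} for entries matching the suspicious patterns."""
    entries = list(parse_hjt(text))
    findings = {}

    def flag(path, reason):
        findings.setdefault(path.lower(), []).append(reason)

    run_hives = {}  # (name, path) -> hives in which that Run value was seen
    for section, body in entries:
        if section == "O2":
            name, path = split_o2(body)
            if name == "(no name)" and in_system32(path):
                flag(path, "nameless BHO loaded from system32")
        elif section == "O20":
            name, path = split_o20(body)
            if RANDOM_NAME_RE.match(name) and in_system32(path):
                flag(path, f"Winlogon Notify package '{name}' has a random-looking name")
        elif section == "O4" and (parsed := split_o4(body)):
            hive, name, path = parsed
            if RANDOM_NAME_RE.match(name) and in_system32(path):
                hives = run_hives.setdefault((name, path.lower()), set())
                hives.add(hive)
                flag(path, f"Run value '{name}' under {hive} has a random-looking name")
                if len(hives) == 2:
                    flag(path, f"Run value '{name}' is duplicated under HKLM and HKCU")
    # Cross-reference: list every section that mentions a flagged file, whatever it was flagged for.
    for path in findings:
        refs = sorted({s for s, b in entries if path in b.lower()})
        findings[path].append("referenced by sections: " + ", ".join(refs))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_HJT_LOG).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, triage() returns exactly the three files the later Avenger script targets (apcupsv.dll, dpv11p.dll, n5dbepqc.exe), with dpv11p.dll cross-referenced from both O2 and O20; everything signed by a known vendor or living under Program Files falls through untouched.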

MaurizioPT (Mortale pio) - Registered: 15/01/08 17:02, Posts: 20, Location: Valdinievole
Posted: 16 Jan 2008 23:43
I understand my name is neither "Venere" nor "Elisa" nor "Laetitia" (in fact I made a glaring mistake choosing a male nickname!), but don't forget about my problem..!
Just kidding, eh?

bdoriano (Amministratore) - Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...
Posted: 17 Jan 2008 14:22
Open Notepad and copy/paste this code:
Quote:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"n5dbepqc"=-
Start AVENGER
Click on "Input script manually"
Click on the magnifying glass
Enter these lines:
Quote:
Files to delete:
C:\WINDOWS\system32\dpv11p.dll
C:\WINDOWS\system32\n5dbepqc.exe
C:\WINDOWS\system32\apcupsv.dll
C:\WINDOWS\system32\rmwejywg.dat
C:\WINDOWS\system32\fwvtvfyp.dat
C:\WINDOWS\system32\snxraxtv.dat
C:\WINDOWS\system32\upntlzff.dat
C:\WINDOWS\system32\zckcxumx.dat
C:\WINDOWS\system32\drivers\ilhxoqfb.dat
Registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{470785E1-7CC6-4300-A2F4-110A1CA26E95}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{917C5EA1-2FC3-432E-B8E8-2EB72DC8038E}
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\bdcogolu
registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | n5dbepqc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | combofix
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When it's done, post the result here along with an updated HijackThis log.

MaurizioPT (Mortale pio) - Registered: 15/01/08 17:02, Posts: 20, Location: Valdinievole
Posted: 17 Jan 2008 16:25
Here all my ignorance comes out!
My doubts:
1) By "open notepad" do you mean I should start Notepad, or that I should open a specific file? If so, which one?
2) After pasting the text you indicate into Notepad, how and where do I save it?
I apologise for all these questions, but probably, precisely because I am not very experienced, I am missing some steps that people more expert than me rightly take for granted...

Orange (Dio maturo) - Registered: 18/02/07 13:20, Posts: 2224, Location: Roma
Posted: 18 Jan 2008 10:00
Hi,
I'll answer:
1. Yes, "notepad" is Notepad (Blocco note).
2. A step was missed here: save the file with the name fix.reg in C:\ (important! make sure the file extension really is .reg and NOT .txt)
3. Run Avenger with this script:
Quote:
Files to delete:
C:\WINDOWS\system32\dpv11p.dll
C:\WINDOWS\system32\n5dbepqc.exe
C:\WINDOWS\system32\apcupsv.dll
C:\WINDOWS\system32\rmwejywg.dat
C:\WINDOWS\system32\fwvtvfyp.dat
C:\WINDOWS\system32\snxraxtv.dat
C:\WINDOWS\system32\upntlzff.dat
C:\WINDOWS\system32\zckcxumx.dat
C:\WINDOWS\system32\drivers\ilhxoqfb.dat
Registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{470785E1-7CC6-4300-A2F4-110A1CA26E95}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{917C5EA1-2FC3-432E-B8E8-2EB72DC8038E}
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\bdcogolu
registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | n5dbepqc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | combofix
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Programs to launch on reboot:
C:\fix.reg
Let us know

bdoriano (Amministratore) - Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...
Posted: 18 Jan 2008 17:05
Thanks Orange.
@MaurizioPT, sorry, I had forgotten a step.

MaurizioPT (Mortale pio) - Registered: 15/01/08 17:02, Posts: 20, Location: Valdinievole
Posted: 18 Jan 2008 19:41
bdoriano wrote:
Thanks Orange.
I'm the one who owes thanks, and how!
bdoriano wrote:
@MaurizioPT, sorry, I had forgotten a step.
With all the users who, like me, bring you the most varied problems we can't handle on our own, I can well believe that a step slips through now and then: who wouldn't it happen to?
You have nothing to apologise for: if anything, I have to thank you and the other experts for everything you do for free!
Now I'll try to put the advice you gave me into practice: let's see what comes out!!

MaurizioPT (Mortale pio) - Registered: 15/01/08 17:02, Posts: 20, Location: Valdinievole
Posted: 18 Jan 2008 20:09
So, I tried.
1) created the file fix.reg under C:\ using Notepad, with the text indicated by bdoriano
2) started Avenger, followed the indicated procedure, pasted the text given to me and clicked the traffic light. Immediately afterwards I got 3 error messages:
a) Syntax error in line --- No registry value to delete found
b) Line will be ignored
c) Error code: 1813 Line:
At the end of this, however, the procedure completed and asked me to reboot the PC, which I did.
What I post below is the activity report Avenger generated after the reboot:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Syntax error in line --- no registry value to delete found. Line will be ignored.
Error code: 1813
Line: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mfncmhgt
*******************
Script file located at: rrqiwylg
Could not open script file! Error
Could not open script file! Status: 0xc000003b Abort!
Then I ran HJT, which produced the following log at the end:
Logfile of HijackThis v1.99.1
Scan saved at 18.58.31, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\n5dbepqc.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\COMPAQ~1\IMPOST~1\Temp\Directory temporanea 2 per hijackthis_199.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/advanced_search?hl=it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {470785E1-7CC6-4300-A2F4-110A1CA26E95} - C:\WINDOWS\system32\apcupsv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} - c:\windows\system32\dpv11p.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Programmi\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [n5dbepqc] C:\WINDOWS\system32\n5dbepqc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Controllo del Calendario di Ulead Photo Express.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171042277281
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: bdcogolu - C:\WINDOWS\SYSTEM32\dpv11p.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
Frankly I can't understand the reason for the error message.
It seems to me though (in my ignorance of the subject) that the files C:\WINDOWS\system32\dpv11p.dll and C:\WINDOWS\system32\apcupsv.dll are still there...
What can you experts tell me?

bdoriano (Amministratore) - Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...
Posted: 19 Jan 2008 16:04
MaurizioPT wrote:
What can you experts tell me?
That I should retire...
Sorry, I got one line wrong in the Avenger instructions... let's redo it...
(you still have the file c:\fix.reg we had you create, right?)
Start AVENGER
Click on "Input script manually"
Click on the magnifying glass
Enter these lines:
Quote:
Files to delete:
C:\WINDOWS\system32\dpv11p.dll
C:\WINDOWS\system32\n5dbepqc.exe
C:\WINDOWS\system32\apcupsv.dll
C:\WINDOWS\system32\rmwejywg.dat
C:\WINDOWS\system32\fwvtvfyp.dat
C:\WINDOWS\system32\snxraxtv.dat
C:\WINDOWS\system32\upntlzff.dat
C:\WINDOWS\system32\zckcxumx.dat
C:\WINDOWS\system32\drivers\ilhxoqfb.dat
Registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{470785E1-7CC6-4300-A2F4-110A1CA26E95}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{917C5EA1-2FC3-432E-B8E8-2EB72DC8038E}
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\bdcogolu
registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | n5dbepqc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | combofix
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Programs to launch on reboot:
C:\fix.reg
Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When it's done, post the result here along with an updated HijackThis log.
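The difference between this script and the first one is a single character: the line under "Registry values to replace with dummy:" now reads key | value, which is the shape Avenger's pre-processor expects for every registry-value line; without the separator it prints the "Error code: 1813 ... no registry value to delete found" message reported earlier in the thread and skips the line. The block below is an added example, not part of the thread and not Avenger's own code: it lints a script for that class of mistake before it is run, and decodes the status codes Avenger writes when a line fails. The NTSTATUS values are the standard ones from ntstatus.h (0xc0000022 is STATUS_ACCESS_DENIED, 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, 0xc000003b is STATUS_OBJECT_PATH_SYNTAX_BAD). Only the section headers used in this thread are recognised, and the two sample scripts and the log excerpt are constructed from the posts in the thread.

```python
"""Lint an Avenger script before running it, and decode the logfile it leaves behind.
Added example: not part of the forum thread and not Avenger's own code.
Only the section headers used in this thread are recognised (assumption)."""
import re

# Section header (lower-cased, without the colon) -> shape every line under it must have.
SECTIONS = {
    "files to delete": "path",
    "registry keys to delete": "key",
    "registry values to delete": "key|value",
    "registry values to replace with dummy": "key|value",
    "programs to launch on reboot": "path",
}
HIVE_RE = re.compile(r"^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Standard NTSTATUS values (ntstatus.h) for the codes that appear in the thread's logs.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED: object exists but the delete was refused",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND: already absent, nothing to do",
    0xC000003B: "STATUS_OBJECT_PATH_SYNTAX_BAD: malformed path",
}


def validate_script(script):
    """Return [(line_no, message)] for lines Avenger's pre-processor would reject or ignore."""
    problems, shape = [], None
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1].lower() in SECTIONS:
            shape = SECTIONS[line[:-1].lower()]
        elif shape is None:
            problems.append((no, "line appears before any section header"))
        elif shape == "path" and not PATH_RE.match(line):
            problems.append((no, "expected an absolute path"))
        elif shape == "key" and not HIVE_RE.match(line):
            problems.append((no, "expected a registry key starting with a hive"))
        elif shape == "key|value":
            key, sep, value = line.partition("|")
            if not sep or not key.strip() or not value.strip():
                problems.append((no, "registry value lines must be written as 'key | value'"))
            elif not HIVE_RE.match(key.strip()):
                problems.append((no, "expected a registry key starting with a hive"))
    return problems


OK_RE = re.compile(r"^(?:File|Registry key|Registry value) (.+) (?:deleted|replaced with dummy) successfully\.$")
PROG_RE = re.compile(r"^Program (.+) successfully set up to run once on reboot\.$")
FAIL_RE = re.compile(r"^Deletion of (?:file|registry key|registry value) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]{8})$")


def summarize_log(log):
    """Return {'ok': [targets], 'failed': [(target, decoded status)]} from an Avenger logfile."""
    result, pending = {"ok": [], "failed": []}, None
    for raw in log.splitlines():
        line = raw.strip()
        if m := (OK_RE.match(line) or PROG_RE.match(line)):
            result["ok"].append(m.group(1))
        elif m := FAIL_RE.match(line):
            pending = m.group(1)  # the "Status:" line for this failure follows later
        elif (m := STATUS_RE.match(line)) and pending is not None:
            code = int(m.group(1), 16)
            result["failed"].append((pending, NTSTATUS.get(code, "unknown NTSTATUS " + m.group(1))))
            pending = None
    return result


# Constructed from the first script posted in the thread: the AppInit_DLLs line has no
# '|' between key and value name, which is what produced "Error code: 1813".
BAD_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\n5dbepqc.exe
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
"""
# Constructed from the corrected script.
GOOD_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\n5dbepqc.exe
registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | n5dbepqc
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Programs to launch on reboot:
C:\fix.reg
"""
# Constructed excerpt of the logfile Avenger wrote after the corrected run.
SAMPLE_LOG = r"""
Deletion of file C:\WINDOWS\system32\dpv11p.dll failed!
Could not process line:
C:\WINDOWS\system32\dpv11p.dll
Status: 0xc0000022
File C:\WINDOWS\system32\n5dbepqc.exe deleted successfully.
Deletion of registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|combofix failed!
Status: 0xc0000034
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Program C:\fix.reg successfully set up to run once on reboot.
"""
```

validate_script(BAD_SCRIPT) reports line 5 as lacking the separator and validate_script(GOOD_SCRIPT) returns nothing, so the check can be pasted over a script before clicking the traffic light. On the decoding side the distinction matters when reading the result: STATUS_OBJECT_NAME_NOT_FOUND on the combofix Run value only says the value was never there and needs no follow-up, whereas STATUS_ACCESS_DENIED on files and registry keys that Avenger tries to delete from its own boot-time service, including a .dat in system32\drivers that ComboFix listed as an R0 driver, is consistent with a kernel-mode component still loaded and guarding them, and that is what to look at before simply retrying the same script.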

MaurizioPT (Mortale pio) - Registered: 15/01/08 17:02, Posts: 20, Location: Valdinievole
Posted: 19 Jan 2008 16:33
This time the procedure gave no error messages on start, although after the PC rebooted it asked me for the system disc...
The Avenger report, produced after the reboot, is this time the following:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fwkrjxkr
*******************
Script file located at: \??\C:\WINDOWS\mjpyuurk.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Could not open file C:\WINDOWS\system32\dpv11p.dll for deletion
Deletion of file C:\WINDOWS\system32\dpv11p.dll failed!
Could not process line:
C:\WINDOWS\system32\dpv11p.dll
Status: 0xc0000022
File C:\WINDOWS\system32\n5dbepqc.exe deleted successfully.
Could not open file C:\WINDOWS\system32\apcupsv.dll for deletion
Deletion of file C:\WINDOWS\system32\apcupsv.dll failed!
Could not process line:
C:\WINDOWS\system32\apcupsv.dll
Status: 0xc0000022
File C:\WINDOWS\system32\rmwejywg.dat deleted successfully.
File C:\WINDOWS\system32\fwvtvfyp.dat deleted successfully.
File C:\WINDOWS\system32\snxraxtv.dat deleted successfully.
File C:\WINDOWS\system32\upntlzff.dat deleted successfully.
File C:\WINDOWS\system32\zckcxumx.dat deleted successfully.
Could not open file C:\WINDOWS\system32\drivers\ilhxoqfb.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\ilhxoqfb.dat failed!
Could not process line:
C:\WINDOWS\system32\drivers\ilhxoqfb.dat
Status: 0xc0000022
Could not open registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{470785E1-7CC6-4300-A2F4-110A1CA26E95} for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{470785E1-7CC6-4300-A2F4-110A1CA26E95} failed!
Status: 0xc0000022
Could not open registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} failed!
Status: 0xc0000022
Could not open registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\bdcogolu for deletion
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\bdcogolu failed!
Status: 0xc0000022
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|n5dbepqc deleted successfully.
Could not delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|combofix
Deletion of registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|combofix failed!
Status: 0xc0000034
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Program C:\fix.reg successfully set up to run once on reboot.
Completed script processing.
The HijackThis log, taken right after rebooting the PC and with no applications open, is instead the following:
Logfile of HijackThis v1.99.1
Scan saved at 15.24.42, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\DOCUME~1\COMPAQ~1\IMPOST~1\Temp\Directory temporanea 3 per hijackthis_199.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/advanced_search?hl=it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {470785E1-7CC6-4300-A2F4-110A1CA26E95} - C:\WINDOWS\system32\apcupsv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {917C5EA1-2FC3-432E-B8E8-2EB72DC8038E} - c:\windows\system32\dpv11p.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Programmi\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Controllo del Calendario di Ulead Photo Express.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171042277281
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: bdcogolu - C:\WINDOWS\SYSTEM32\dpv11p.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
What worries me is that the two files I marked in large type in the HJT report are still there.
What do you think?
bdoriano Administrator
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 19 Jan 2008 16:58 Subject:
That we need to find the right way to root out your friend.
Download VirIt, install it, update it (important) and run the full scan.
MaurizioPT Pious Mortal
Registered: 15/01/08 17:02 Posts: 20 Location: Valdinievole
Posted: 19 Jan 2008 23:31 Subject:
(Re)downloaded VirIt, installed it, updated it, rebooted the PC, scanned C:\ and...
it found no infected files!
The log:
19/01/2008 - 21:56:17
[SCANSIONE DEL REGISTRO]
OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 91930.
Files Totali: 91930.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.
I don't know whether to be happy that the PC seems "clean" (after all, a few days ago the same VirIt, although not updated, found the virus and could not remove it, as I wrote in my opening post) or worried...
What do you think?
bdoriano Administrator
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 20 Jan 2008 10:44 Subject:
Sorry, I didn't remember you already had VirIT... let's try other routes...
Download the updated ComboFix and save it to the desktop.
Create a text file with the instructions in the following form:
Quote:
File::
C:\WINDOWS\system32\dpv11p.dll
C:\WINDOWS\system32\apcupsv.dll
C:\WINDOWS\system32\drivers\ilhxoqfb.dat
Save the file on the desktop with the name CFScript.txt and drag it onto the ComboFix icon, as shown below:
If that doesn't work:
- Download UnLocker and install it.
- Right-click the file to delete (the 3 I listed above); there will be an Unlocker entry, click it.
- A window will open listing the processes that are using that file.
- First try Unlock All; if the window doesn't reopen, you can delete the file normally.
MaurizioPT Pious Mortal
Registered: 15/01/08 17:02 Posts: 20 Location: Valdinievole
Posted: 20 Jan 2008 20:32 Subject:
I already wrote earlier that I'm ignorant on the subject, but this time it would seem that the "incriminated" files have really disappeared!
I really hope I'm not mistaken...
I followed the first of the two procedures bdoriano described (updated ComboFix together with the text file that bdoriano explained to me how to build).
The moment I "dragged" the text file icon onto the ComboFix icon, ComboFix started automatically and, after running the whole procedure automatically, rebooted the PC and produced the following log:
ComboFix 08-01-20.1 - Compaq_Administrator 2008-01-20 19.10.05.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.532 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Administrator\Desktop\CFScript.txt
* Creato nuovo punto di ripristino
FILE
C:\WINDOWS\system32\apcupsv.dll
C:\WINDOWS\system32\dpv11p.dll
C:\WINDOWS\system32\drivers\ilhxoqfb.dat
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\apcupsv.dll
C:\WINDOWS\system32\dpv11p.dll
C:\WINDOWS\system32\drivers\ilhxoqfb.dat.
((((((((((((((((((((((((( Files Creati Da 2007-12-20 al 2008-01-20 )))))))))))))))))))))))))))))))))))
.
2008-01-19 21:11 . 2008-01-19 21:11 63 --a------ C:\WINDOWS\WINHELP.BMK
2008-01-19 15:14 . 2008-01-19 15:14 121 --a------ C:\fix.reg
2008-01-16 13:52 . 2008-01-16 13:52 <DIR> d-------- C:\VundoFix Backups
2008-01-15 15:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 18:05 --------- d-----w C:\Programmi\mIRC
2007-12-18 01:55 --------- d-----w C:\Programmi\Google
2007-12-17 23:52 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-01 16:34 --------- d-----w C:\Programmi\WinMX
2007-12-01 16:33 --------- d-----w C:\Programmi\MXpie Patch
2007-04-25 15:54 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-15_15.22.19.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-15 14:14:15 757,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 18:09:38 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 14:14:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 18:09:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 14:14:15 757,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 18:09:38 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 14:14:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 18:09:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 14:14:15 3,846,144 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-20 18:09:39 4,407,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-15 14:14:15 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 18:09:39 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-08 19:56:19 36,096 ----a-w C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
+ 2007-10-10 08:00:36 36,096 ----a-w C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
+ 2008-01-20 18:15:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4f0.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{470785E1-7CC6-4300-A2F4-110A1CA26E95}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{917C5EA1-2FC3-432E-B8E8-2EB72DC8038E}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-17 22:40 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 13:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-22 00:56 16261632 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 16:19 77312 C:\WINDOWS\arpwrmsg.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 15:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Programmi\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 15:34 249856]
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPwuSchd2.exe" [2005-02-16 23:11 49152]
"SpeedTouch USB Diagnostics"="C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 17:41 57344]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2006-11-24 12:50 180269]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-01-19 21:12 245760]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Controllo del Calendario di Ulead Photo Express.lnk - C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2007-08-19 10:33:07 69632]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-02-09 19:03:40 135680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bdcogolu]
R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2007-10-10 09:00]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-01-19 21:12]
R3 S6U12Scanner;MUSTEK 1200 CU Still Image Device Service;C:\WINDOWS\system32\drivers\usbscan.sys [2004-08-03 21:58]
R3 usbstor;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-09-06 22:00]
S0 ehxheznv;ehxheznv;C:\WINDOWS\system32\drivers\ilhxoqfb.dat []
S2 jngmahqq; inoltratore traffico IPXSupport;C:\WINDOWS\System32\svchost.exe [2004-09-06 22:00]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jngmahqq
.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-14 20:00:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2007-12-17 23:52:08 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 19:15:46
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-20 19:17:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 18:17:52
ComboFix2.txt 2008-01-16 13:43:33
ComboFix3.txt 2008-01-15 14:37:11
ComboFix4.txt 2008-01-15 14:22:44
.
2008-01-10 01:40:43 --- E O F ---
In the log above I highlighted in larger type what seemed to me the confirmation that the 3 "suspicious" files had been deleted.
Right after that, I scanned the PC with HJT, and this time it seems to me that it finally did not find the three cursed files (but I leave that to you, who are the experts, to judge); this is the HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 19.22.40, on 20/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\DOCUME~1\COMPAQ~1\IMPOST~1\Temp\Directory temporanea 1 per hijackthis_199.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/advanced_search?hl=it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Programmi\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Controllo del Calendario di Ulead Photo Express.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171042277281
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
What do you think?