Olimpo Informatico

[bdoriano]

Dimenticavo:

1. grazie per la segnalazione. Appena posso, modifico la guida sull'uso di Kaspersky online.
   
2. Nel log di hijackthis ci sono un paio di voci che ti farò eliminare dopo aver visto il log di SystemScan.
   
3. Il log di Combofix è incompleto, puoi provare a ri-postarlo?
   
4. Per la lentezza vedremo cosa fare quando siamo sicuri di aver eliminato tutti gli ospiti indesiderati.

[LadyMya]

questo è il log di combofix


ComboFix 08-06-20.4 - Admin 2008-06-24 8:25:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.246 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Admin\Desktop\Combo-Fix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Impostazioni locali\Temporary Internet Files\sc
C:\Documents and Settings\Admin\Impostazioni locali\Temporary Internet Files\sc\console.html
C:\Documents and Settings\Admin\Impostazioni locali\Temporary Internet Files\sc\script0.html
C:\Documents and Settings\Admin\Impostazioni locali\Temporary Internet Files\sc\script1.html
C:\Documents and Settings\Admin\Impostazioni locali\Temporary Internet Files\temp1.htm
C:\WINDOWS\Downloaded Program Files\1bxnzvg
C:\WINDOWS\system32\plugin1.dat
C:\WINDOWS\system32\SysPr.prx

.
((((((((((((((((((((((((( Files Creati Da 2008-05-24 al 2008-06-24 )))))))))))))))))))))))))))))))))))
.

2008-06-23 20:44 . 2006-03-09 19:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-06-23 20:44 . 2006-03-09 19:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-06-23 20:44 . 2006-03-09 19:14 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-06-23 20:44 . 2006-03-09 18:23 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-06-23 20:44 . 2006-03-09 19:14 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-06-23 20:44 . 2008-06-24 08:28 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-06-23 20:44 . 2006-03-09 19:14 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-06-23 20:44 . 2006-03-09 19:14 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-06-23 20:44 . 2008-06-23 20:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-23 16:18 . 2008-06-23 16:18 <DIR> d-------- C:\Programmi\Malwarebytes' Anti-Malware
2008-06-23 16:18 . 2008-06-23 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-06-23 16:18 . 2008-06-23 16:18 <DIR> d-------- C:\Documents and Settings\Admin\Dati applicazioni\Malwarebytes
2008-06-23 16:18 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-23 16:18 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-16 08:57 . 2008-06-16 08:56 502,208 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-06-16 08:57 . 2008-06-16 08:56 270,336 --a------ C:\WINDOWS\system32\imon.dll
2008-06-16 08:57 . 2008-06-16 08:57 0 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-06-14 15:02 . 2008-06-14 19:59 272,768 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 15:02 . 2008-06-14 19:59 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-31 11:13 . 2008-05-31 11:13 <DIR> d-------- C:\Documents and Settings\Enrico\Dati applicazioni\Mp3tag
2008-05-30 17:01 . 2008-05-30 17:01 60 --a------ C:\WINDOWS\MTB40.INI
2008-05-30 17:00 . 2008-05-30 17:00 <DIR> d-------- C:\STELLAR2
2008-05-30 17:00 . 2008-05-30 17:00 <DIR> d-------- C:\Documents and Settings\Admin\WINDOWS
2008-05-30 17:00 . 2008-05-30 17:02 346 --a------ C:\WINDOWS\MICRON.INI
2008-05-30 17:00 . 2008-05-30 17:01 131 --a------ C:\WINDOWS\asym.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 06:25 --------- d-----w C:\Programmi\ESET
2008-06-24 06:11 --------- d-----w C:\Programmi\eMule
2008-06-15 16:00 --------- d-----w C:\Programmi\Norton Security Scan
2008-06-15 12:33 --------- d-----w C:\Programmi\Motive
2008-06-02 10:58 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:14 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-13 09:09 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2006-11-13 19:20 81,920 ----a-w C:\Documents and Settings\Admin\Dati applicazioni\ezpinst.exe
2006-11-13 19:20 47,360 ----a-w C:\Documents and Settings\Admin\Dati applicazioni\pcouffin.sys
2004-12-07 09:11 258,352 ----a-w C:\Documents and Settings\Admin\unicows.dll
2004-08-03 21:58 61,440 ----a-w C:\Documents and Settings\Admin\MSVCRT40.DLL
2004-02-23 00:00 397,824 ----a-w C:\Documents and Settings\Admin\msrdo20.dll
2001-08-17 12:18 508,928 ----a-w C:\Documents and Settings\Admin\msde.dll
2001-08-17 12:18 118,784 ----a-w C:\Documents and Settings\Admin\msstdfmt.dll
2001-08-10 01:01 287,504 ----a-w C:\Documents and Settings\Admin\msxbse35.dll
2001-08-10 01:01 250,128 ----a-w C:\Documents and Settings\Admin\mspdox35.dll
2001-08-10 01:01 250,128 ----a-w C:\Documents and Settings\Admin\msexcl35.dll
2001-08-10 01:01 165,648 ----a-w C:\Documents and Settings\Admin\mstext35.dll
2001-08-09 22:50 24,848 ----a-w C:\Documents and Settings\Admin\MSJTER35.DLL
2001-08-09 21:53 1,046,288 ----a-w C:\Documents and Settings\Admin\Msjet35.dll
2001-08-09 21:50 123,664 ----a-w C:\Documents and Settings\Admin\Msjint35.dll
2001-04-27 15:17 309,760 ----a-w C:\Documents and Settings\Admin\jmail.dll
2001-03-13 12:53 77,824 ----a-w C:\Documents and Settings\Admin\msbind.dll
2000-08-02 00:00 151,552 ----a-w C:\Documents and Settings\Admin\rdocurs.dll
1999-04-02 00:38 28,944 ----a-w C:\Documents and Settings\Admin\Fm20ita.dll
1999-01-12 10:54 1,109,264 ----a-w C:\Documents and Settings\Admin\Fm20.dll
1998-08-05 00:00 34,304 ----a-w C:\Documents and Settings\Admin\MCIIT.dll
1998-08-05 00:00 21,504 ----a-w C:\Documents and Settings\Admin\MSMskIT.dll
1998-08-04 23:00 35,328 ----a-w C:\Documents and Settings\Admin\RchTxIT.dll
1998-08-04 23:00 150,528 ----a-w C:\Documents and Settings\Admin\MSCmCIT.dll
1998-08-04 22:00 33,792 ----a-w C:\Documents and Settings\Admin\CmDlgIT.dll
1998-06-18 00:00 89,360 ----a-w C:\Documents and Settings\Admin\Vb5db.dll
1998-04-24 23:00 368,912 ----a-w C:\Documents and Settings\Admin\vbar332.dll
1997-10-14 13:36 330,688 ----a-w C:\Documents and Settings\Admin\Setupapi.dll
1997-07-15 06:53 74,960 ----a-w C:\Documents and Settings\Admin\advpack.dll
1997-07-15 06:53 4,608 ----a-w C:\Documents and Settings\Admin\W95inf32.dll
1997-07-15 06:53 2,272 ----a-w C:\Documents and Settings\Admin\W95inf16.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EC4E208-4333-2F29-F6B3-EE09D20590D3}]
C:\WINDOWS\lncdh1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]
"msnmsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"eMuleAutoStart"="C:\Programmi\eMule\emule.exe" [2007-05-13 16:57 5308416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42 1404928]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"P2P Networking"="C:\WINDOWS\system32\P2P Networking\P2P Networking.exe" [ ]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2006-09-29 16:55 185784]
"PCSuiteTrayApplication"="C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 21:29 32768]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2008-06-16 08:56 917504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 14:00 15360]
"Nokia.PCSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Ralink Wireless Utility.lnk - C:\Programmi\RALINK\Common\RaUI.exe [2007-03-30 16:03:00 614400]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:emuletcp
"4672:UDP"= 4672:UDP:emuleudp

S2 SrvEiq;SrvEiq;"C:\Programmi\File comuni\System\bnUZD.exe" []

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{343798AF-F54F-CEC1-21D3-6344EBDA6E90}]
C:\WINDOWS\system32\wincool.exe s
.
Contenuto della cartella 'Scheduled Tasks'
"2008-06-22 16:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Programmi\Norton Security Scan\Nss.exe
"2008-06-23 20:52:02 C:\WINDOWS\Tasks\Verifica aggiornamenti per Windows Live Toolbar.job"
- C:\Programmi\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 08:29:07
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-06-24 8:30:45
ComboFix-quarantined-files.txt 2008-06-24 06:30:03

13 Directory 10,564,345,856 byte disponibili
17 Directory 10,764,914,688 byte disponibili

160 --- E O F --- 2008-06-22 16:06:12


non so come mai non abbia copiato tutto

ora provo a fare la scansione con l'altro coso

(grazie per la pazienza =P)

[LadyMya]

non mi parte sys..
mi esce quel messaggio di warning ma anche dopo aver scaricatro quel debug_qualcosa eccetera eccetera mi esce sempre lo stesso messaggio..

che fare?

[bdoriano]

Non ti preoccupare, problema noto, ed ecco la soluzione (spero!):

[LadyMya]

ecco acnhe il log si sys report.txt

[bdoriano]

Vedo rimasugli di Gromozon...
C'è da fare un pò di pulizia...

• Avvia nuovamente SystemScan
  
• metti il segno di spunta a I have read and agree. Please let me free to proceed e clicca su Proceed
  
  
• clicca su Removal Script
  
  
• Nel riquadro inserisci il seguente script:
  

  Codice:

  Files to delete: C:\WINDOWS\system32\wincool.exe C:\Programmi\File comuni\System\bnUZD.exe Registry keys to delete: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EC4E208-4333-2F29-F6B3-EE09D20590D3} HKLM\SYSTEM\CurrentControlSet\Services\SrvEiq HKLM\SYSTEM\ControlSet002\Services\SrvEiq HKLM\software\microsoft\active setup\installed components\{343798AF-F54F-CEC1-21D3-6344EBDA6E90} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{45E178F8-71EA-5047-9DE0-AD0A0AAF2CDD}

  
  e clicca Proceed with removal
  
  
  ******
  Se dovessi ricevere l'errore Please copy and paste a valid script file, una volta incollato lo script in SystemScan (o Avenger), selezioni la prima riga, la cancelli e la ri-digiti. Fatto questo, dovrebbe tornare a funzionare.
  ******
  
  Il pc dovrebbe riavviarsi, se così non fosse, riavvialo tu.
  Al termine dell'operazione, posta qui il contenuto del file C:\Avenger.txt.

• Clicca Start
  
• Clicca Esegui...
  
• Digita:

  Codice:

  control userpasswords2

  
  
• Clicca su ok
  
• Seleziona l'utente qDGmRCl
  
• Clicca Rimuovi
  
• Clicca Si per confermare la rimozione

• Chiudi tutti i browser (IE, Opera, FireFox, etc...)
  
• esegui hijackthis
  
• clicca su do a system scan only
  
• metti il segno di spunta a questa voce:
  

  Citazione:

  O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF}

  
  
• clicca fix checked
  
• Rifai il log di hijackthis e postalo

[LadyMya]

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tncotvdd

*******************

Script file located at: \??\C:\Documents and Settings\lcvnhvhl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\wincool.exe not found!
Deletion of file C:\WINDOWS\system32\wincool.exe failed!

Could not process line:
C:\WINDOWS\system32\wincool.exe
Status: 0xc0000034



File C:\Programmi\File comuni\System\bnUZD.exe not found!
Deletion of file C:\Programmi\File comuni\System\bnUZD.exe failed!

Could not process line:
C:\Programmi\File comuni\System\bnUZD.exe
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Services\SrvEiq deleted successfully.
Registry key HKLM\SYSTEM\ControlSet002\Services\SrvEiq deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EC4E208-4333-2F29-F6B3-EE09D20590D3} deleted successfully.


Registry key HKLM\software\microsoft\active setup\installed components\{343798AF-F54F-CEC1-21D3-6344EBDA6E90} not found!
Deletion of registry key HKLM\software\microsoft\active setup\installed components\{343798AF-F54F-CEC1-21D3-6344EBDA6E90} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{45E178F8-71EA-5047-9DE0-AD0A0AAF2CDD} deleted successfully.

Could not set up C:\Documents and Settings\Admin\Desktop\sys5421.exe to run on reboot
Run on reboot of program C:\Documents and Settings\Admin\Desktop\sys5421.exe failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[LadyMya]

hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.51.42, on 25/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Windows Live Toolbar\msn_sl.exe
C:\Programmi\HiJackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EC4E208-4333-2F29-F6B3-EE09D20590D3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Programmi\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141927831140
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45E16ED0-FC30-4025-B991-5B3E1EA9F5CD}: NameServer = 208.67.222.222,208.67.222.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{55971CF8-1118-495D-8CDD-1E4C7395734D}: NameServer = 151.99.125.1,151.99.250.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAFCF7B6-075D-40F8-9068-7F400D23DD50}: NameServer = 151.99.125.1,151.99.250.2
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Unknown owner - C:\Programmi\iPod\bin\iPodService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8202 bytes

[bdoriano]

Che strano...
C'è ancora una chiave che ero convinto di averti fatto eliminare.

• Chiudi i browser
  
• esegui hijackthis
  
• clicca su do a system scan only
  
• metti il segno di spunta a questa voce:
  

  Citazione:

  O2 - BHO: (no name) - {0EC4E208-4333-2F29-F6B3-EE09D20590D3} - (no file)

  
  
• clicca fix checked
  
• rifai il log di hijackthis e postalo

Dopo, fai queste operazioni:

1. Pulizia dei files temporanei con ATF-Cleaner e/o CCleaner
   
2. Pulizia del registro con EUsingFreeRegistryCleaner o Wise Registry Cleaner e, infine, una passata con Auslogics Registry Defrag
   
3. Deframmentazione del disco

[LadyMya]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.26.16, on 25/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Windows Live Toolbar\msn_sl.exe
C:\Programmi\HiJackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Programmi\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141927831140
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45E16ED0-FC30-4025-B991-5B3E1EA9F5CD}: NameServer = 208.67.222.222,208.67.222.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{55971CF8-1118-495D-8CDD-1E4C7395734D}: NameServer = 151.99.125.1,151.99.250.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAFCF7B6-075D-40F8-9068-7F400D23DD50}: NameServer = 151.99.125.1,151.99.250.2
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Unknown owner - C:\Programmi\iPod\bin\iPodService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8295 bytes

[bdoriano]

Il log mi sembra pulito.

Riscontri altri problemi?

[LadyMya]

no..e il computer già va molto più veloce..

ma adesso tutti quei programmi che ho scaricato li tengo o li cancello??

[LadyMya]

devo farti un altra domanda da un milione di dollari..

dopo aver fatto la scansione con quel wise registry..devo cancellare tutto??

[bdoriano]

Norman Malware Cleaner lo puoi cancellare senza problemi
SystemScan lo puoi cancellare senza problemi

Per disinstallare ComboFix, procedi così:
Clicca Start
Clicca Esegui...
Digita:

[LadyMya]

mi ha detto quel coso wise registry..che non è riuscito a cancellare dei file..
questo è il log
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\mapifvbx.object.1
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\mapifvbx.object
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\MailFileAtt
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\HeaderFooter.HeaderFooter.1
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\DirectAnimation.StructuredGraphicsControl
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\DirectAnimation.SpriteControl
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\DirectAnimation.SequencerControl
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\DirectAnimation.Sequence
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\DirectAnimation.PathControl
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------
Time: 22.43.49 Problems:
=======================================================================
Key: HKEY_CLASSES_ROOT\ADCS
Reason: Remove Key failed.
ErrorCode:0
-----------------------------------------------------------------------

è tutto normale??

[bdoriano]

Si, tutto normale.
Solitamente cerca di cancellare solo le voci identificate in verde.

[LadyMya]

ok..è che mi ero abituata alle guide dettagliate..anche se di solito mi fidavo

[LadyMya]

combofix al posto di eliminarlo mi fa partire la scansione se faccio come mi hai detto

[bdoriano]

Ops!

Ho sbagliato comando... usa quest'altro:

[LadyMya]

ok--

grazie mille per essermi stato dietro..mi rimangono solo le ultime due cose da fare ma domani torno all'uni..sono stata a casa solo un pò..

e quando torno tornerò anche a felicitarti con i problemi dall'altro pc!!!