minnolo Mortale pio

Registered: 29/12/07 00:29 Posts: 16
Posted: 29 Dec 2007 12:07 Subject: IE opens by itself, and more
Hi everyone, I'm brand new to the forum. I have a problem with my PC: Explorer keeps opening windows I didn't ask for. I think it's some spyware, but in any case here is my log.
Quote:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:02, on 2007-12-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\2pbqjp.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscalinet.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4220B1F5-31BA-4B59-A179-F10EB151D48A} - c:\windows\system32\dswavek.dll
O2 - BHO: (no name) - {5E6D061E-9E32-4E6B-B4D9-672E97CB9F74} - C:\WINDOWS\System32\acctresd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [2pbqjp] C:\WINDOWS\system32\2pbqjp.exe
O4 - HKCU\..\Run: [2pbqjp] C:\WINDOWS\system32\2pbqjp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .nmz: C:\Programmi\Internet Explorer\Plugins\NPScr32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscalinet.it
O15 - Trusted Zone: www.698698698.info
O15 - Trusted Zone: www.pornoaccesso.com
O15 - Trusted Zone: www.sgnappo.com
O15 - Trusted Zone: www.whatsnew.name
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://mirka86.spaces.live.com/PhotoUpload/MsnPUpld.cab
O20 - Winlogon Notify: objzwalv - C:\WINDOWS\SYSTEM32\dswavek.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - http://www.windoweb.it/desktop_foto/foto_montagne/foto_montagne_41x.jpg
O24 - Desktop Component 1: (no name) - http://www.google.it/intl/it_it/images/logo.gif
--
End of file - 5641 bytes
I was about to delete these:
O15 - Trusted Zone: www.698698698.info
O15 - Trusted Zone: www.pornoaccesso.com
O15 - Trusted Zone: www.sgnappo.com
O15 - Trusted Zone: www.whatsnew.name
but I'll wait for you first. Thanks.
Sante62 Dio maturo


Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 29 Dec 2007 12:27 Subject:
Hi Minnolo,
disable System Restore and boot the PC into Safe Mode.
Start HijackThis and tick these lines on the left:
Quote:
O2 - BHO: (no name) - {4220B1F5-31BA-4B59-A179-F10EB151D48A} - c:\windows\system32\dswavek.dll
O2 - BHO: (no name) - {5E6D061E-9E32-4E6B-B4D9-672E97CB9F74} - C:\WINDOWS\System32\acctresd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - (no file)
O4 - HKLM\..\Run: [2pbqjp] C:\WINDOWS\system32\2pbqjp.exe
O4 - HKCU\..\Run: [2pbqjp] C:\WINDOWS\system32\2pbqjp.exe
O15 - Trusted Zone: www.698698698.info
O15 - Trusted Zone: www.pornoaccesso.com
O15 - Trusted Zone: www.sgnappo.com
O15 - Trusted Zone: www.whatsnew.name
O20 - Winlogon Notify: objzwalv - C:\WINDOWS\SYSTEM32\dswavek.dll
Click Fix Checked and answer yes.
Reboot the PC in normal mode and read this thread about Combofix; download it, have it scan the PC and post the result as explained there. Also run Virit.
Update it using the satellite-dish icon in the top bar and have it run a full scan of the PC.
Set it to remove the infected files it finds automatically.
Don't forget to disable your antivirus temporarily.
Then paste the result here. At the end post a new HJT log.
Download Service Pack 2 as soon as you can, otherwise you'll always have dangerous "holes".
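As an added example (not code from the thread or from HijackThis), the Python script below parses HJT entry lines of the kind posted above and applies a few triage heuristics that single out the same entries Sante62 picked: unidentified or orphaned BHOs, O15 Trusted Zone additions, a lowercase random-looking autorun registered under both HKLM and HKCU, and a Winlogon Notify DLL that also appears as a BHO. The rules are my own assumptions, not HJT logic, and the sample lines are a constructed subset of the first log.

```python
"""Triage heuristics for Trend Micro HijackThis (HJT) log entries.

Added example: this is not code from the thread or from HijackThis. The
rules below are my own heuristics (assumptions, not HJT logic) and the
sample lines are a constructed subset of the first log posted above.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of entry lines copied from the first HJT log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4220B1F5-31BA-4B59-A179-F10EB151D48A} - c:\windows\system32\dswavek.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [2pbqjp] C:\WINDOWS\system32\2pbqjp.exe
O4 - HKCU\..\Run: [2pbqjp] C:\WINDOWS\system32\2pbqjp.exe
O15 - Trusted Zone: www.whatsnew.name
O20 - Winlogon Notify: objzwalv - C:\WINDOWS\SYSTEM32\dswavek.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"(?P<hive>HK.*?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)")
EXE_RE = re.compile(r"([^\\/\s]+)\.exe\b", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) pairs for HJT entry lines; header/footer lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def looks_random(stem):
    """Crude heuristic: an all-lowercase alphanumeric file stem with almost no vowels
    (e.g. '2pbqjp'), which is how throwaway malware names tend to look. Mixed-case
    names such as 'Ati2mdxx' or 'ashDisp' are deliberately not matched."""
    if not re.fullmatch(r"[a-z0-9]{5,}", stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    return not letters or sum(c in "aeiou" for c in letters) / len(letters) <= 0.2


def triage(entries):
    """Apply the heuristics and return (section, rule, subject) findings."""
    findings = []
    bho_dlls = {}                 # lowercase DLL path -> CLSID, for cross-referencing
    run_cmds = defaultdict(set)   # autorun command -> set of hives it is registered in
    notify = []                   # O20 Winlogon Notify bodies

    for section, body in entries:
        if section == "O2":
            # body: "BHO: <name> - {CLSID} - <dll path | (no file)>"
            parts = body.split(" - ", 2) + ["", ""]
            label, clsid, path = parts[0], parts[1], parts[2]
            if path == "(no file)":
                findings.append(("O2", "orphaned BHO entry (no file)", clsid))
            elif "(no name)" in label:
                findings.append(("O2", "unidentified BHO (no name)", clsid))
            if path and path != "(no file)":
                bho_dlls[path.lower()] = clsid
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:
                run_cmds[m.group("cmd")].add(m.group("hive"))
        elif section == "O15":
            # Any site added to the Trusted Zone runs with IE's lowest security settings
            findings.append(("O15", "Trusted Zone entry (review)", body.split(": ", 1)[-1]))
        elif section == "O20":
            notify.append(body)

    for cmd, hives in run_cmds.items():
        exe = EXE_RE.search(cmd)
        if exe and looks_random(exe.group(1)):
            findings.append(("O4", "random-looking autorun name", cmd))
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("O4", "same autorun under HKLM and HKCU", cmd))

    for body in notify:
        # body: "Winlogon Notify: <subkey> - <dll path>"; a DLL that is both a Winlogon
        # Notify package and a BHO gets loaded at logon and again in every IE window
        path = body.rsplit(" - ", 1)[-1].lower()
        if path in bho_dlls:
            findings.append(("O20", "Winlogon Notify DLL also registered as BHO", path))
    return findings


if __name__ == "__main__":
    for section, rule, subject in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {rule:45} {subject}")
```

The heuristics produce review candidates, not verdicts: a lowercase vowel-poor name or a Trusted Zone entry still needs a human (or a scanner) to confirm it.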
minnolo Mortale pio

Registered: 29/12/07 00:29 Posts: 16
Posted: 29 Dec 2007 12:42 Subject:
Hi Sante, I tried booting the PC into Safe Mode, but when the screen with the various modes appears and I select it, the computer reboots and tells me Windows could not be started in Safe Mode.... do you know why?
Sante62 Dio maturo


Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 29 Dec 2007 13:03 Subject:
Skip that step and carry on from the Combofix scan onwards.
minnolo Mortale pio

Registered: 29/12/07 00:29 Posts: 16
Posted: 29 Dec 2007 13:19 Subject:
Combofix ran the scan, but it didn't leave me any log; here is the updated HJT log.
Quote:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:17, on 2007-12-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscalinet.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4220B1F5-31BA-4B59-A179-F10EB151D48A} - c:\windows\system32\dswavek.dll
O2 - BHO: (no name) - {5E6D061E-9E32-4E6B-B4D9-672E97CB9F74} - C:\WINDOWS\System32\acctresd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .nmz: C:\Programmi\Internet Explorer\Plugins\NPScr32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscalinet.it
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://mirka86.spaces.live.com/PhotoUpload/MsnPUpld.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - http://www.windoweb.it/desktop_foto/foto_montagne/foto_montagne_41x.jpg
O24 - Desktop Component 1: (no name) - http://www.google.it/intl/it_it/images/logo.gif
--
End of file - 5020 bytes
Sante62 Dio maturo


Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 29 Dec 2007 14:04 Subject:
minnolo wrote: Combofix ran the scan, but it didn't leave me any log
You'll find it at C:\Combofix.txt...
Now run the Virit scan as explained above...
minnolo Mortale pio

Registered: 29/12/07 00:29 Posts: 16
Posted: 29 Dec 2007 14:38 Subject:
Here is the Combofix scan report.
Quote:
ComboFix 07-12-29.5 - user 2007-12-28 12:09:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1040.18.87 [GMT 1:00]
Eseguito da: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Menu Avvio\Programmi.\WebMediaPlayer
C:\Documents and Settings\All Users\Menu Avvio\Programmi.\WebMediaPlayer\Privacy Policy.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi.\WebMediaPlayer\Terms and conditions.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi.\WebMediaPlayer\Website.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi\WebMediaPlayer\Privacy Policy.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi\WebMediaPlayer\Terms and conditions.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi\WebMediaPlayer\Website.lnk
c:\Documents and Settings\user\Impostazioni locali\Dati applicazioni\nygcuogc.dat
C:\Documents and Settings\user\Impostazioni locali\Dati applicazioni\nygcuogc.exe
c:\Documents and Settings\user\Impostazioni locali\Dati applicazioni\nygcuogc_nav.dat
c:\Documents and Settings\user\Impostazioni locali\Dati applicazioni\nygcuogc_navps.dat
C:\Programmi\webmediaplayer
C:\Programmi\webmediaplayer\Privacy Policy.url
C:\Programmi\webmediaplayer\resources\languages_v2.xml
C:\Programmi\webmediaplayer\resources\webmedias
C:\Programmi\webmediaplayer\skins\classic.skn
C:\Programmi\webmediaplayer\sqlite3.dll
C:\Programmi\webmediaplayer\Terms and conditions.url
C:\Programmi\webmediaplayer\uninst.exe
C:\Programmi\webmediaplayer\Website.url
C:\WINDOWS\exefld
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\sfxzmtforum.dll
C:\WINDOWS\system32\sfxzmtsmt.dll
C:\WINDOWS\system32\sfxzmtsmtspm.dll
C:\WINDOWS\system32\sfxzmtwbmail.dll
C:\WINDOWS\system32\acctresd.dll . . . . Eliminazione Fallita
C:\WINDOWS\System32\dswavek.dll . . . . Eliminazione Fallita
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CPOLIVUE
-------\LEGACY_LDRSVC
-------\LEGACY_M_HOOK
-------\cpolivue
-------\ldrsvc
((((((((((((((((((((((((( Files Creati Da 2007-11-28 al 2007-12-29 )))))))))))))))))))))))))))))))))))
.
2007-12-10 17:02 . 2007-12-10 17:02 741,632 --a------ C:\WINDOWS\system32\erykagcy.dat
2007-12-10 17:02 . 2007-12-17 20:54 42,240 --a------ C:\WINDOWS\system32\czahybep.dat
2007-12-10 17:02 . 2007-12-15 20:43 36,096 --a------ C:\WINDOWS\system32\rsetumrj.dat
2007-12-10 17:02 . 2007-12-10 17:02 35,072 --a------ C:\WINDOWS\system32\evhitnpw.dat
2007-12-09 16:59 . 2007-12-27 12:51 120,576 --a------ C:\WINDOWS\system32\aqxpvywm.dat
2007-12-09 16:53 . 2007-12-29 12:12 84,992 --a------ C:\WINDOWS\system32\dswavek.dll
2007-12-09 16:53 . 2007-12-15 20:43 82,944 --a------ C:\WINDOWS\system32\dswavek.dll.bak
2007-12-09 16:53 . 19,584 C:\WINDOWS\system32\drivers\shyijcmr.dat
2007-12-09 16:53 . 2007-12-07 18:56 16,384 --a------ C:\WINDOWS\system32\2pbqjp.exe
2007-12-09 16:52 . 2002-09-10 13:00 84,992 --a------ C:\WINDOWS\system32\acctresd.dll
2007-12-09 15:06 . 2007-12-09 15:06 <DIR> d-------- C:\Programmi\RealVNC
2007-12-07 18:56 . 2007-12-07 18:56 <DIR> d-------- C:\Programmi\TVAnts
2007-12-07 13:11 . 2007-12-07 13:11 <DIR> d-------- C:\Documents and Settings\user\Dati applicazioni\wsInspector
2007-12-07 13:04 . 2007-12-07 13:15 <DIR> d-------- C:\Programmi\Startup Inspector for Windows
2007-12-07 12:16 . 2007-12-07 12:37 <DIR> d-------- C:\Programmi\TuneUp Utilities 2004
2007-12-07 12:16 . 2007-12-07 12:16 <DIR> d-------- C:\Documents and Settings\user\Dati applicazioni\TuneUp Software
2007-12-07 12:16 . 2007-12-07 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\TuneUp Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 16:58 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Google Updater
2007-12-10 16:09 --------- d-----w C:\Programmi\DivX
2007-12-08 15:13 --------- d-----w C:\Documents and Settings\user\Dati applicazioni\SopCast
2007-12-07 11:37 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2007-12-06 17:27 --------- d-----w C:\Documents and Settings\user\Dati applicazioni\vlc
2007-12-06 17:26 --------- d-----w C:\Programmi\VideoLAN
2007-12-06 17:17 --------- d-----w C:\Programmi\PaintStar
2007-12-06 17:11 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2007-12-06 17:10 --------- d-----w C:\Programmi\Advanced GIF Animator
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-28 22:57 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-11-28 22:57 --------- d-----w C:\Programmi\EA GAMES
2007-06-17 18:40 13 ---h--w C:\Documents and Settings\All Users\Dati applicazioni\ÝÙÃÄ3113?.sys
2007-06-03 11:26 27,528 ----a-w C:\Documents and Settings\user\Dati applicazioni\GDIPFONTCACHEV1.DAT
2007-05-03 19:48 11,596 --sha-w C:\WINDOWS\system32\orqss.ini2
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4220B1F5-31BA-4B59-A179-F10EB151D48A}]
2007-12-29 12:12 84992 --a------ c:\windows\system32\dswavek.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E6D061E-9E32-4E6B-B4D9-672E97CB9F74}]
2002-09-10 13:00 84992 --a------ C:\WINDOWS\System32\acctresd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 07:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"Motive SmartBridge"="C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-22 04:41]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-10 13:00]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-11-28 00:11 C:\WINDOWS\system32\narrator.exe]
La chiave di registro SafeBoot ha bisogno di essere riparata. Questo pc non può avviarsi in Modalità Provvisoria.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!!!!01234-aaaasmsana-gr]
C:\DOCUME~1\user\DATIAP~1\SMSANI~1.EXE /ns
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!!!AAAA-aaaasmsanimsnchmescom]
C:\DOCUME~1\user\DATIAP~1\SMSANI~2.EXE /ns
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Programmi\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzz025v]
c:\windows\mp3.exe r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Messenger"=2 (0x2)
"LmHosts"=2 (0x2)
"Alerter"=3 (0x3)
R0 tffkadhk;tffkadhk;C:\WINDOWS\System32\drivers\shyijcmr.dat []
R3 usb_rndis;Pirelli Alice Gate W2+ USB;C:\WINDOWS\System32\DRIVERS\usb8023.sys [2002-09-10 13:00]
R3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 14:32]
S2 CoachCap;FUJIFILM EX-10/EX-20 PC V1.00;C:\WINDOWS\System32\drivers\CoachCap.sys [2002-03-04 01:26]
S3 pctvnet;Pinnacle PCTV Sat Ethernet Driver;C:\WINDOWS\System32\DRIVERS\pctvnet.sys [2001-11-20 21:55]
S3 pctvvbi;PCTVVBI;C:\WINDOWS\System32\DRIVERS\pctvvbi.sys [2001-10-24 10:25]
S3 urusbc;NEC 228 CONTROL Driver;C:\WINDOWS\System32\DRIVERS\urusbc.sys [2004-06-09 15:00]
S3 urusbe;NEC 228 ENUMERATION Driver;C:\WINDOWS\System32\DRIVERS\urusbe.sys [2004-06-09 15:00]
S3 urusbm;NEC 228 Modem Driver;C:\WINDOWS\System32\DRIVERS\urusbm.sys [2004-06-09 15:00]
S3 urusbo;NEC 228 OBEX Port Driver;C:\WINDOWS\System32\DRIVERS\urusbo.sys [2004-06-09 15:00]
S3 usbscan;Driver scanner USB;C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 01:48]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
Contenuto della cartella 'Scheduled Tasks'
"2007-12-07 11:16:56 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programmi\TuneUp Utilities 2004\SystemOptimizer.exe
"2007-05-12 10:43:52 C:\WINDOWS\Tasks\cfodau.job"
- c:\windows\system32\srvtaebp.exe
"2007-05-09 16:47:33 C:\WINDOWS\Tasks\ckkgbiu.job"
- c:\windows\system32\srvtaebp.exe
"2007-05-01 19:35:45 C:\WINDOWS\Tasks\cmoqetql.job"
and here is the result of the Virit scan:
Quote:
http://img293.imageshack.us/my.php?image=vircr5.jpg
and finally the HJT log:
Quote:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:35, on 2007-12-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\user\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscalinet.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4220B1F5-31BA-4B59-A179-F10EB151D48A} - c:\windows\system32\dswavek.dll
O2 - BHO: (no name) - {5E6D061E-9E32-4E6B-B4D9-672E97CB9F74} - C:\WINDOWS\System32\acctresd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .nmz: C:\Programmi\Internet Explorer\Plugins\NPScr32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscalinet.it
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://mirka86.spaces.live.com/PhotoUpload/MsnPUpld.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - http://www.windoweb.it/desktop_foto/foto_montagne/foto_montagne_41x.jpg
O24 - Desktop Component 1: (no name) - http://www.google.it/intl/it_it/images/logo.gif
--
End of file - 5144 bytes
Sante62 Dio maturo


Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 29 Dec 2007 17:43 Subject:
Start HJT and tick these lines on the left:
Quote:
O2 - BHO: (no name) - {4220B1F5-31BA-4B59-A179-F10EB151D48A} - c:\windows\system32\dswavek.dll
O2 - BHO: (no name) - {5E6D061E-9E32-4E6B-B4D9-672E97CB9F74} - C:\WINDOWS\System32\acctresd.dll
Click Fix Checked and answer yes.
Download The Avenger.
Unpack it into its own folder in c:\
Run it.
Click on Input script manually.
Click on the magnifying glass.
Enter these lines:
Quote:
Files to delete:
C:\WINDOWS\system32\erykagcy.dat
C:\WINDOWS\system32\czahybep.dat
C:\WINDOWS\system32\rsetumrj.dat
C:\WINDOWS\system32\evhitnpw.dat
C:\WINDOWS\system32\aqxpvywm.dat
C:\WINDOWS\system32\dswavek.dll
C:\WINDOWS\system32\dswavek.dll.bak
C:\WINDOWS\system32\drivers\shyijcmr.dat
C:\WINDOWS\system32\2pbqjp.exe
C:\WINDOWS\system32\acctresd.dll
c:\windows\mp3.exe r
C:\Documents and Settings\All Users\Dati applicazioni\ÝÙÃÄ3113?.sys
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\Tasks\cfodau.job
c:\windows\system32\srvtaebp.exe
C:\WINDOWS\Tasks\ckkgbiu.job
c:\windows\system32\srvtaebp.exe
C:\WINDOWS\Tasks\cmoqetql.job
Registry keys to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4220B1F5-31BA-4B59-A179-F10EB151D48A}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E6D061E-9E32-4E6B-B4D9-672E97CB9F74}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzz025v
Click Done.
Click the traffic light.
The PC should reboot; if it doesn't, reboot it yourself.
When it has finished, post the result here together with an updated HijackThis log.
minnolo Mortale pio

Registered: 29/12/07 00:29 Posts: 16
Posted: 29 Dec 2007 18:07 Subject:
Here's what happened.
Quote:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gwvfrsqb
*******************
Script file located at: bbcybnln
Could not open script file! Error
Could not open script file! Status: 0xc000003b Abort!
and here is the log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:04, on 2007-12-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\ati2sgag.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\VEXPLITE\MONLITE.EXE
C:\VEXPLITE\viritsvc.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscalinet.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4220B1F5-31BA-4B59-A179-F10EB151D48A} - c:\windows\system32\dswavek.dll
O2 - BHO: (no name) - {5E6D061E-9E32-4E6B-B4D9-672E97CB9F74} - C:\WINDOWS\System32\acctresd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .nmz: C:\Programmi\Internet Explorer\Plugins\NPScr32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscalinet.it
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://mirka86.spaces.live.com/PhotoUpload/MsnPUpld.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - http://www.windoweb.it/desktop_foto/foto_montagne/foto_montagne_41x.jpg
O24 - Desktop Component 1: (no name) - http://www.google.it/intl/it_it/images/logo.gif
--
End of file - 5138 bytes
 |
Sante62 (Dio maturo)
Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 29 Dec 2007 18:18
Are you sure you entered the Avenger script from the white box correctly, including "files to delete:"? Try running it again that way, but first fix with HJT the lines I pointed out a few posts ago.
 |
minnolo (Mortale pio)
Registered: 29/12/07 00:29 Posts: 16
Posted: 29 Dec 2007 18:29
I did it again:
but on reboot it gives me a cmd error and says the disk cannot be found
Quote:
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\erykagcy.dat deleted successfully.
File C:\WINDOWS\system32\czahybep.dat deleted successfully.
File C:\WINDOWS\system32\rsetumrj.dat deleted successfully.
File C:\WINDOWS\system32\evhitnpw.dat deleted successfully.
File C:\WINDOWS\system32\aqxpvywm.dat deleted successfully.
Could not open file C:\WINDOWS\system32\dswavek.dll for deletion
Deletion of file C:\WINDOWS\system32\dswavek.dll failed!
Could not process line:
C:\WINDOWS\system32\dswavek.dll
Status: 0xc0000022
Could not open file C:\WINDOWS\system32\dswavek.dll.bak for deletion
Deletion of file C:\WINDOWS\system32\dswavek.dll.bak failed!
Could not process line:
C:\WINDOWS\system32\dswavek.dll.bak
Status: 0xc0000022
Could not open file C:\WINDOWS\system32\drivers\shyijcmr.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\shyijcmr.dat failed!
Could not process line:
C:\WINDOWS\system32\drivers\shyijcmr.dat
Status: 0xc0000022
File C:\WINDOWS\system32\2pbqjp.exe deleted successfully.
Could not open file C:\WINDOWS\system32\acctresd.dll for deletion
Deletion of file C:\WINDOWS\system32\acctresd.dll failed!
Could not process line:
C:\WINDOWS\system32\acctresd.dll
Status: 0xc0000022
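The Avenger output above shows the two outcomes worth telling apart: files reported "deleted successfully", and files whose deletion fails with a raw NTSTATUS. 0xc0000022 is STATUS_ACCESS_DENIED, and the 0xc000003b from the earlier run is STATUS_OBJECT_PATH_SYNTAX_BAD, the error Avenger printed when it could not open the script file at all. The Python below is an added example, not part of the thread or of The Avenger: it parses such a log, decodes the status codes and lists the files still to deal with. The sample input is a trimmed copy of the lines posted above with the script-file error from the earlier run prepended; the NTSTATUS table covers only the codes named here plus a few common neighbours.

```python
"""Parse a result log from The Avenger and report which deletions failed
and why.  Added example: not part of the thread or of The Avenger itself.
The sample log is a trimmed copy of the output posted in the thread, with
the script-file error from the earlier run prepended."""
import re

# NTSTATUS values that Avenger prints raw; names are the standard Windows ones.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC000003B: "STATUS_OBJECT_PATH_SYNTAX_BAD",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

OK_RE = re.compile(r"^File (?P<path>.+?) deleted successfully\.$")
FAIL_RE = re.compile(r"^Deletion of file (?P<path>.+?) failed!$")
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]{8})")
SCRIPT_RE = re.compile(r"^Could not open script file! Status: (?P<code>0x[0-9A-Fa-f]{8})")


def decode_status(code_text):
    """Map a hex NTSTATUS string such as '0xc0000022' to its symbolic name."""
    code = int(code_text, 16)
    return NTSTATUS.get(code, f"unknown NTSTATUS {code:#010x}")


def parse_avenger_log(lines):
    """Return {path: outcome}; outcome is 'deleted' or the failure's NTSTATUS name.
    The pseudo-path '<script>' records a failure to read the script itself."""
    results = {}
    pending = None  # file whose 'Status:' line has not been seen yet
    for raw in lines:
        line = raw.strip()
        m = SCRIPT_RE.match(line)
        if m:
            results["<script>"] = decode_status(m.group("code"))
            continue
        m = OK_RE.match(line)
        if m:
            results[m.group("path")] = "deleted"
            continue
        m = FAIL_RE.match(line)
        if m:
            pending = m.group("path")
            results[pending] = "failed (no status reported)"
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            results[pending] = decode_status(m.group("code"))
            pending = None
    return results


def remaining_files(results):
    """Sorted paths that were not deleted: what the next script or tool must handle."""
    return sorted(p for p, outcome in results.items()
                  if p != "<script>" and outcome != "deleted")


# Constructed sample: Avenger lines copied from this thread, trimmed.
SAMPLE_LOG = r"""
Could not open script file! Status: 0xc000003b Abort!
Script file read successfully
File C:\WINDOWS\system32\erykagcy.dat deleted successfully.
Could not open file C:\WINDOWS\system32\dswavek.dll for deletion
Deletion of file C:\WINDOWS\system32\dswavek.dll failed!
Could not process line:
C:\WINDOWS\system32\dswavek.dll
Status: 0xc0000022
File C:\WINDOWS\system32\2pbqjp.exe deleted successfully.
Could not open file C:\WINDOWS\system32\acctresd.dll for deletion
Deletion of file C:\WINDOWS\system32\acctresd.dll failed!
Could not process line:
C:\WINDOWS\system32\acctresd.dll
Status: 0xc0000022
""".strip().splitlines()

if __name__ == "__main__":
    outcome = parse_avenger_log(SAMPLE_LOG)
    for path, status in outcome.items():
        print(f"{status:32} {path}")
    print("still present:", remaining_files(outcome))
```

Access denied on a deletion that runs at boot means something that loaded even earlier still protects the file, so re-running the same script will not help; that is the point at which the thread moves on to other tools.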
 |
Sante62 (Dio maturo)
Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 29 Dec 2007 19:13
The last part of the Avenger script is missing, that is the "Registry Keys to delete" section.
Anyway, let's move on. Do these steps:
Scan with GMER
 |
minnolo (Mortale pio)
Registered: 29/12/07 00:29 Posts: 16
Posted: 29 Dec 2007 23:11
Sante62 wrote:
The last part of the Avenger script is missing, that is the "Registry Keys to delete" section.
Anyway, let's move on. Do these steps:
Scan with GMER
here you go, Sante
http://www.freefilehosting.net/download/39je7
http://www.freefilehosting.net/download/39je8
 |
Sante62 (Dio maturo)
Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 30 Dec 2007 10:10
There's still something that doesn't want to be removed...
Connect to Kaspersky online scanner
While it's downloading the files it needs, temporarily disable your antivirus and, if necessary, the firewall too. As soon as the PC scan starts, disconnect from the internet.
At the end, upload the result to www.freefilehosting.net, post here the link you're given, and also post a new HJT log.
 |
minnolo (Mortale pio)
Registered: 29/12/07 00:29 Posts: 16
Posted: 30 Dec 2007 16:42
http://www.freefilehosting.net/download/39k91 anyway, thanks for what you're doing, Sante
HJT http://www.freefilehosting.net/download/39k94
 |
Sante62 (Dio maturo)
Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 30 Dec 2007 17:07
Download The Avenger
Unzip it into its own folder in c:\
Start it
Click on input script manually
Click on the magnifying glass
Enter these lines:
Quote:
files to delete:
C:\Programmi\RealVNC\VNC4\vncconfig.exe
C:\Programmi\RealVNC\VNC4\vncviewer.exe
C:\Programmi\RealVNC\VNC4\winvnc4.exe
C:\Programmi\RealVNC\VNC4\wm_hooks.dll
C:\QooBox\Quarantine\C\DOCUME~1\user\IMPOST~1\DATIAP~1\Microsoft\Internet Explorer\Filters\MSIEHelper.dll.vir
C:\QooBox\Quarantine\C\DOCUME~1\user\IMPOST~1\DATIAP~1\Microsoft\Internet Explorer\Filters\prx475a.dll.vir
C:\QooBox\Quarantine\C\DOCUME~1\user\IMPOST~1\DATIAP~1\Microsoft\Internet Explorer\Filters\prx475c.dll.vir
C:\QooBox\Quarantine\C\DOCUME~1\user\IMPOST~1\DATIAP~1\Microsoft\Internet Explorer\prndrv.dll.vir
C:\QooBox\Quarantine\catchme2007-12-29_121415.82.zip
C:\WINDOWS\dsb.exe
C:\WINDOWS\system32\fshets.dll
Click Done
Click the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When it's done, post the Avenger result here. Then start HJT and tick these lines on the left, if present:
Quote:
O2 - BHO: (no name) - {4220B1F5-31BA-4B59-A179-F10EB151D48A} - c:\windows\system32\dswavek.dll
O2 - BHO: (no name) - {5E6D061E-9E32-4E6B-B4D9-672E97CB9F74} - C:\WINDOWS\System32\acctresd.dll
Click Fix Checked and answer yes. At the end attach an updated HJT log so we can check whether they're gone. Also delete the various small programs we used for the scans.
 |
minnolo (Mortale pio)
Registered: 29/12/07 00:29 Posts: 16
Posted: 30 Dec 2007 17:15
Hi Sante, anyway vnc is a legitimate file; it's a program I installed to keep in touch with another PC when it's connected to the network
 |
minnolo (Mortale pio)
Registered: 29/12/07 00:29 Posts: 16
Posted: 30 Dec 2007 17:31
here's what happens on reboot!!
http://www.freefilehosting.net/download/39ka6
 |
Sante62 (Dio maturo)
Registered: 27/06/07 17:55 Posts: 3477 Location: Floridia
Posted: 30 Dec 2007 18:34
minnolo wrote:
here's what happens on reboot!!
http://www.freefilehosting.net/download/39ka6
OK, try it again, obviously without the VNC files, keep your antivirus and any other modules temporarily disabled, and stay disconnected from the internet. Also make sure the script from the white box above is entered in full.
As for the legitimate files, OK, you did well to check, because Kaspersky flags them as infected.
 |
minnolo (Mortale pio)
Registered: 29/12/07 00:29 Posts: 16
Posted: 30 Dec 2007 19:25
same thing!!!