Olimpo Informatico

[luludi]

ciao anch'io ho gli stessi problemi che ho letto nel forum riguardo doginhispen.com e skitodayplease.com, vi
Posto il logfile di Hijack..

Logfile of HijackThis v1.99.1
Scan saved at 1.15.55, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Jones\IMPOST~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A4942A-A2DC-4B73-95DF-A915EA0E6D3F}: NameServer = 213.205.32.70 213.205.36.70
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe

[bdoriano]

Ciao luludi,

Fai questa scansione con FindAWF

Scarica la versione aggiornata di hijackthis e salvalo in una sua cartella non temporanea e non sul desktop.

PS: se vuoi, puoi presentarti qui

[luludi]

Intanto grazie di aver risposto. Sono andata a presentarmi nel topic benvenuto!
ho fatto tutto e ti possto i logfile

Find AWF report by noahdfear ©2006
Version 1.40



bak folders found
~~~~~~~~~~~

Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\MESSEN~1\BAK

0 File 0 byte
2 Directory 164.126.990.336 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\QUICKT~1\BAK

29/06/2007 06.24 286.720 qttask.exe
1 File 286.720 byte
2 Directory 164.126.990.336 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\WINDOWS\SYSTEM32\BAK

19/08/2004 14.39 15.360 ctfmon.exe
09/07/2001 10.50 155.648 NeroCheck.exe
2 File 171.008 byte
2 Directory 164.126.986.240 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\AHEAD\INCD\BAK

16/09/2003 20.56 1.212.466 InCD.exe
1 File 1.212.466 byte
2 Directory 164.126.973.952 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\DIGICOMT\MICHEL~1\BAK

29/10/2003 14.11 462.848 CnxDslTb.exe
1 File 462.848 byte
2 Directory 164.126.973.952 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

14/11/2007 22.36 68.856 GoogleToolbarNotifier.exe
1 File 68.856 byte
2 Directory 164.126.973.952 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\MICROS~2\OFFICE12\BAK

26/10/2006 23.47 31.016 GrooveMonitor.exe
1 File 31.016 byte
2 Directory 164.126.973.952 byte disponibili


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 29 Jun 2007 "C:\Programmi\QuickTime\bak\qttask.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 12 Jan 2008 "C:\WINDOWS\system32\NeroCheck.exe"
155648 9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
14348 12 Jan 2008 "C:\Programmi\Ahead\InCD\InCD.exe"
1212466 16 Sep 2003 "C:\Programmi\Ahead\InCD\bak\InCD.exe"
14348 12 Jan 2008 "C:\Programmi\digicomt\Michelangelo USB ADSL\CnxDslTb.exe"
462848 29 Oct 2003 "C:\Programmi\digicom\Michelangelo USB ADSL\Common\CnxDslTb.exe"
462848 29 Oct 2003 "C:\Programmi\digicom\Michelangelo USB ADSL\Wan\CnxDslTb.exe"
462848 29 Oct 2003 "C:\Programmi\digicomt\Michelangelo USB ADSL\bak\CnxDslTb.exe"
14348 12 Jan 2008 "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 14 Nov 2007 "C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
65824 26 Oct 2006 "C:\Programmi\Microsoft Office\Office12\GrooveAuditService.exe"
31016 26 Oct 2006 "C:\Programmi\Microsoft Office\Office12\bak\GrooveMonitor.exe"


end of report


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23.24.07, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\HiJackThisv2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A4942A-A2DC-4B73-95DF-A915EA0E6D3F}: NameServer = 213.205.32.70 213.205.36.70
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 5110 bytes

[Orange]

Benvenuto anche da parte mia

scarica Avenger e scompattalo sul desktop
avvialo, seleziona Input script manually
clicca sulla lente d'ingrandimento
nella finestra che si apre View/Edit scrit copia/incolla queste righe:

[luludi]

Fatto tutto orange, grazie!

eccoti il logfile

/////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dwyrqhaf

*******************

Script file located at: \??\C:\WINDOWS\system32\uxigkbps.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\NeroCheck.exe deleted successfully.
File C:\Programmi\Ahead\InCD\InCD.exe deleted successfully.
File C:\Programmi\digicomt\Michelangelo USB ADSL\CnxDslTb.exe deleted successfully.
File C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe deleted successfully.


File C:\WINDOWS\system32\bak\NeroCheck.exe not found!
File move operation C:\WINDOWS\system32\bak\NeroCheck.exe|C:\WINDOWS\system32\NeroCheck.exe failed!

Could not process line:
C:\WINDOWS\system32\bak\NeroCheck.exe|C:\WINDOWS\system32\NeroCheck.exe
Status: 0xc0000034



File C:\Programmi\Ahead\InCD\bak\InCD.exe not found!
File move operation C:\Programmi\Ahead\InCD\bak\InCD.exe|C:\Programmi\Ahead\InCD\InCD.exe failed!

Could not process line:
C:\Programmi\Ahead\InCD\bak\InCD.exe|C:\Programmi\Ahead\InCD\InCD.exe
Status: 0xc0000034



File C:\Programmi\digicomt\Michelangelo USB ADSL\bak\CnxDslTb.exe not found!
File move operation C:\Programmi\digicomt\Michelangelo USB ADSL\bak\CnxDslTb.exe|C:\Programmi\digicomt\Michelangelo USB ADSL\CnxDslTb.exe failed!

Could not process line:
C:\Programmi\digicomt\Michelangelo USB ADSL\bak\CnxDslTb.exe|C:\Programmi\digicomt\Michelangelo USB ADSL\CnxDslTb.exe
Status: 0xc0000034



File C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe not found!
File move operation C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe|C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe failed!

Could not process line:
C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe|C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[bdoriano]

Avenger non è riuscito a completare l'operazione.

Rifai la scansione con FindAWF.

Poi, collegati a Kaspersky on-line scanner e fai la scansione estesa, come indicato qui.
Salva il risultato della scansione in un file (in formato HTML), carica il file su Freefilehosting e posta qui il link che ti viene assegnato.

[luludi]

Grazie ancora!
Ho fatto tutto, questo è il link che mi ha dato freefilehosting siccome sono inesperta e non so cosa ti serve di preciso, ti riporto tutto:

Forum Link: kaspersky report 190108.html

e poi ti posto il logfile di awf

Find AWF report by noahdfear ©2006
Version 1.40



bak folders found
~~~~~~~~~~~

Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\MESSEN~1\BAK

0 File 0 byte
2 Directory 160.403.718.144 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\QUICKT~1\BAK

29/06/2007 06.24 286.720 qttask.exe
1 File 286.720 byte
2 Directory 160.403.718.144 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\WINDOWS\SYSTEM32\BAK

19/08/2004 14.39 15.360 ctfmon.exe
1 File 15.360 byte
2 Directory 160.403.714.048 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\AHEAD\INCD\BAK

0 File 0 byte
2 Directory 160.403.714.048 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\DIGICOMT\MICHEL~1\BAK

0 File 0 byte
2 Directory 160.403.714.048 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

0 File 0 byte
2 Directory 160.403.714.048 byte disponibili
Il volume nell'unit? C ? 200GB
Numero di serie del volume: 7CAA-B4F7

Directory di C:\PROGRA~1\MICROS~2\OFFICE12\BAK

26/10/2006 23.47 31.016 GrooveMonitor.exe
1 File 31.016 byte
2 Directory 160.403.714.048 byte disponibili


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 29 Jun 2007 "C:\Programmi\QuickTime\bak\qttask.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
65824 26 Oct 2006 "C:\Programmi\Microsoft Office\Office12\GrooveAuditService.exe"
31016 26 Oct 2006 "C:\Programmi\Microsoft Office\Office12\bak\GrooveMonitor.exe"


end of report

[Sante62]

disattiva il ripristino di sistema
Utilizza Avenger con questo script:

[luludi]

Intanto grazie mille anche a te!
Ho fatto tutto ma quando avenger tanta di avviare l'operazione compaiono diverse finestre di errore.
Ti posto il logfile e di seguito quello di hijacktihis

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\oftntfha

*******************

Script file located at: \??\C:\wdknmdlh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe not found!
Deletion of file C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe failed!

Could not process line:
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23.41.13, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\HiJackThisv2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A4942A-A2DC-4B73-95DF-A915EA0E6D3F}: NameServer = 213.205.32.70 213.205.36.70
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 4695 bytes

[Sante62]

Avenger non è riuscito a completare il lavoro...
Cerca manualmente quel file e prova ad eliminarlo.
Mettiti anche un firewall urgentemente tramite questa discussione.

[luludi]

Ho trovato il file e l'ho eliminato manualmente poi ho scaricato Jetico personal firewall ma, scusa l'ignoranza, non so proprio come usarlo... Appena istallato mi ha chiesto di riavviare il computer dopodichè si è attivato automaticamente. Dato che sono circa 5 ore che viaggia mi chiedo...devo tenerlo sempre attivo? Inoltre navigando mi si aprono delle finestre in cui mi chiede se permettere o meno certe operazioni è normale?
Ho letto quello che ho trovato sul forum ma ho trovato solo recensioni dei vari firewall...il problema è che io non so propio come funzioni e a cosa serva un firewall!!!

[Sante62]

[luludi]

Ok grazie mille!!
Che dici provo a fare un'altra scansione con avenger per vedere se la porta a termine?...cmq da stamattina non sono più ricomparsi nè doghinispen nè skytodayplease

[Sante62]

OK, riutilizza Avenger e mettici questo script:

[luludi]

Fatto e stavolta non mi ha dato errori, ecco il log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ummfhllg

*******************

Script file located at: \??\C:\WINDOWS\system32\dmkrctjt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe not found!
Deletion of file C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe failed!

Could not process line:
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
Status: 0xc0000034



Could not open file C:\Programmi\Microsoft Office\Office12\bak\GrooveMonitor.exe for move operation
File move operation C:\Programmi\Microsoft Office\Office12\bak\GrooveMonitor.exe|C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe failed!

Could not process line:
C:\Programmi\Microsoft Office\Office12\bak\GrooveMonitor.exe|C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.

[Sante62]

Si, però non riesce a completare il lavoro, cioè non trova i file indicati...
Per cortesia fai una scansione con Systemscan e posta il log generato come
indicato quì

[luludi]

Fatto eccoti il risultato di freefilehosting:

report35.txt

mi pare d'aver capito che non vuoi anche il report di systemscan giusto?

[Sante62]

Non mi convince il file Hosts.
Puoi controllarlo tu stesso nel log di systemscan. Scorri il log fino alla voce Hosts, puoi usare anche la funzione Trova del Blocco Note; noterai un sacco di siti contenuti e non credo siano stati volutamente inseriti da te.
Scarica Hoster
Avvialo, clicca su "Restore Microsoft's Original Hosts File"
clicca su "Make Host Read Only"
e chiudilo. Installati anche un firewall al più presto.

[luludi]

Ho dato un occhiata ai file hosts sicuramente non li ho inseriti tutti io ma non saprei cosa eliminare ho paura di fare casino...
Ho installato ed avviato Hoster ho cliccato su Restore Microsoft's Original Hosts File e mi è comparsa la finestra di errore con il messaggio:
ERROR:Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts
e il programma si è chiuso
Il firewall l'ho messo, Jetico..non ti ricordi mi hai anche spiegato come usarlo!

[Sante62]