Valutazione 4.87/ 5 (100.00%) 5838 voti

Condividi:        

topadwarereviews

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: kadosh, Luke57

topadwarereviews

Postdi TIMORIA74 » 14/03/06 08:48

ho un grosso problema.
il mio desktop è stato sostituito da un messaggio di WARNING e sono comparse due nuove icone (un triangolo e un cerchio) nello spazio dei programmi aperti.
mi continuano a dare messaggi che il mio pc è stato infettato da spyware e di collegarsi al sito TOPADWAREREVIEWS per eliminarli.
cosa devo fare ? (non sono molto esperto) :(
grazie a tutti
TIMORIA74
Utente Junior
 
Post: 24
Iscritto il: 14/03/06 08:42

Sponsor
 

HijackThis

Postdi TIMORIA74 » 14/03/06 09:56

se incollo il Logfile di HijackThis puo' essere d' aiuto ?
rispondete, vi prego.........
TIMORIA74
Utente Junior
 
Post: 24
Iscritto il: 14/03/06 08:42

Postdi Luke57 » 14/03/06 10:40

Ciao, SI' ;)
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

eccolo :

Postdi TIMORIA74 » 14/03/06 12:36

Logfile of HijackThis v1.99.1
Scan saved at 12.34.38, on 14/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\RAM Idle LE\RAM_XP.exe
C:\Programmi\PopUp Killer\PopUpKiller.EXE
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Babylon\Babylon.exe
C:\Programmi\Eraser\eraser.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Documents and Settings\Pier\Menu Avvio\Programmi\Esecuzione automatica\msimn.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pier\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazzetta.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazzetta.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {E8AFCB61-6F06-FFBA-4377-064A48C1DC3F} - (no file)
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Programmi\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Programmi\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [07052004slx1st12] c:\windows\d4d4.exe m
O4 - HKLM\..\Run: [CBAgent32] C:\WINDOWS\System32\CBAgent32.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Programmi\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O5 "LPT1:" /M "Stylus C86"
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programmi\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Programmi\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Programmi\PestPatrol\CookiePatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Programmi\Babylon\Babylon.exe
O4 - HKCU\..\Run: [Eraser] C:\Programmi\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Esplora risorse.lnk = C:\WINDOWS\explorer.exe
O4 - Startup: msimn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programmi\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplat ... kurity.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pest ... stscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4581895051
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemplat ... curity.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/ ... taller.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15021/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F864FA14-5D8C-4D56-91DB-FD4F58568E63}: NameServer = 85.37.17.40 151.99.125.1
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
TIMORIA74
Utente Junior
 
Post: 24
Iscritto il: 14/03/06 08:42

Postdi Luke57 » 14/03/06 13:15

Ciao, per prima cosa metti l’eseguibile di hijackthis (.exe) in una cartella del disco fisso, tipo C\HJT, non nel desktop come hai fatto tu, in modo che il programma possa fare un backup delle voci rimosse. Poi apri hijackthis (durante la scansione con HJT, chiudi la connessione con Internet, chiudi tutti i browser e le applicazioni aperte)
premi ” Open the misc tools section " e "Open Process Manager"
3.cerca il/i processo/i :
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
selezionali e clic su "kill process"
Premi “back”, “scan”, cerca nell'elenco le chiavi seguenti e spunta la casella a lato di ognuna
R3 - URLSearchHook: (no name) - {E8AFCB61-6F06-FFBA-4377-064A48C1DC3F} - (no file)
O4 - HKLM\..\Run: [07052004slx1st12] c:\windows\d4d4.exe
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplat ... kurity.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplat ... kurity.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplat ... kurity.cab
premi "fix checked"
Riavvia in modalità provvisoria:
(Avviare il computer.Subito dopo il calcolo della RAM e prima che inizi a caricarsi Windows, iniziare a premere ripetutamente il tasto F8 sulla tastiera. Continuare a farlo fino a visualizzare il menu Opzioni avanzate di Windows. Usando i tasti freccia sulla tastiera, scorrere le opzioni e selezionare il menu Modalità Provvisoria, quindi premere Invio)
Apri risorse del computer, e imposta la visualizzazione completa dei file e cartelle nascoste: strumenti>Opzioni Cartella
Seleziona Visualizza
Spunta "mostra file e cartelle nascoste"
Togli la spunta da "nascondi file di sistema protetti"
Click Ok
cerca e cancella i seguenti file:
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
c:\windows\d4d4.exe
Da pannello di controllo, installazione applicazioni" rimuovi tutte le applicazioni che non conosci e che non hai installato tu
cancella i file temporanei di windows (temp e tmp) da start>cerca>tutti i file e cartelle, copi e incolli: *.temp; *.tmp ed elimini tutti quelli trovati
Sulle opzioni Internet cancella la cache di IE, i cookies , svuota il cestino
Riparti in modalità normale, fai girare HJT e posta il log
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

ecco

Postdi TIMORIA74 » 14/03/06 18:35

ho fatto quello che mi hai consigliato di fare
ecco il nuovo log :
Logfile of HijackThis v1.99.1
Scan saved at 18.32.38, on 14/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programmi\RAM Idle LE\RAM_XP.exe
C:\Programmi\PopUp Killer\PopUpKiller.EXE
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\PestPatrol\PPControl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\PestPatrol\PPMemCheck.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmi\PestPatrol\CookiePatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Babylon\Babylon.exe
C:\Programmi\Eraser\eraser.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\wupdmgr.exe
C:\Documents and Settings\Pier\Menu Avvio\Programmi\Esecuzione automatica\msimn.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazzetta.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazzetta.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Programmi\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Programmi\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [CBAgent32] C:\WINDOWS\System32\CBAgent32.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Programmi\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O5 "LPT1:" /M "Stylus C86"
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programmi\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Programmi\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Programmi\PestPatrol\CookiePatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Programmi\Babylon\Babylon.exe
O4 - HKCU\..\Run: [Eraser] C:\Programmi\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Esplora risorse.lnk = C:\WINDOWS\explorer.exe
O4 - Startup: msimn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programmi\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pest ... stscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4581895051
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemplat ... curity.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/ ... taller.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15021/CTPID.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
TIMORIA74
Utente Junior
 
Post: 24
Iscritto il: 14/03/06 08:42

problema

Postdi TIMORIA74 » 14/03/06 18:41

quando ho evidenziato C:\WINDOWS\wupdmgr.exe e osaupd.exe è apparsa una finestra che diceva : THE SELECTED PROCESS COULD NOT BE KILLED. IT MAY BE PROTECTED BY WINDOWS.
TIMORIA74
Utente Junior
 
Post: 24
Iscritto il: 14/03/06 08:42

Postdi fabrizius » 14/03/06 19:16

Ciao,
prova a fare uno scan con Ewido--->é shareware ma dopo i 14 gg di prova,smetterà di funzionare solo la protezione in tempo reale, il programma potrai continuare ad aggiornarlo per fare lo scan del tuo pc...
fabrizius
Utente Senior
 
Post: 1220
Iscritto il: 20/05/05 13:55

Postdi fabrizius » 14/03/06 19:18

Alla fine posta i due log,ewido e hijackthis...
fabrizius
Utente Senior
 
Post: 1220
Iscritto il: 20/05/05 13:55

Re: problema

Postdi Luke57 » 14/03/06 19:39

TIMORIA74 ha scritto:quando ho evidenziato C:\WINDOWS\wupdmgr.exe e osaupd.exe è apparsa una finestra che diceva : THE SELECTED PROCESS COULD NOT BE KILLED. IT MAY BE PROTECTED BY WINDOWS.

Ciao, il file wupdmgr.exe legittimo è nella directory C\windows\system32\ e serve per gli aggiornamenti di windows.Il nostro wupdmgr.exe, collocato in C\windows è un trojan, mentre l'altro (osupd.exe) è collegato a spyfalcon.
Se con ewido non risolvi, scarica KILLBOX da qui
http://www.bleepingcomputer.com/files/s ... illBox.zip
- estrailo sul desktop e apri la cartella che lo contiene e quindi avvialo
- Seleziona l'opzione Delete on Reboot . Nello spazio scrivi il percorso dei file da eliminare
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
prima uno e poi l'altro, cliccando sulla crocetta rossa in campo bianco , in alto sulla destra e confermando il riavvio solo dopo aver inserito l'ultimo.
Al riavvio, elimina con hijackthis, con il procedimento spiegato prima, le voci:
R3 - URLSearchHook: (no name) - {E8AFCB61-6F06-FFBA-4377-064A48C1DC3F} - (no file)
O4 - HKLM\..\Run: [07052004slx1st12] c:\windows\d4d4.exe
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplat ... kurity.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplat ... kurity.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} - http://secure2.comned.com/signuptemplat ... kurity.cab
Elimina anche il file:
c:\windows\d4d4.exe
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Postdi TIMORIA74 » 15/03/06 12:49

ho fatto la scansione con EWIDO
è durata 1 ora e mezzo ma la situazione è migliorata
ecco il logfile :
Logfile of HijackThis v1.99.1
Scan saved at 12.44.44, on 15/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programmi\RAM Idle LE\RAM_XP.exe
C:\Programmi\PopUp Killer\PopUpKiller.EXE
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Babylon\Babylon.exe
C:\Programmi\Eraser\eraser.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazzetta.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazzetta.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Programmi\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Programmi\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [CBAgent32] C:\WINDOWS\System32\CBAgent32.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Programmi\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O5 "LPT1:" /M "Stylus C86"
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Programmi\Babylon\Babylon.exe
O4 - HKCU\..\Run: [Eraser] C:\Programmi\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Esplora risorse.lnk = C:\WINDOWS\explorer.exe
O4 - Startup: msimn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programmi\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pest ... stscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4581895051
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/ ... taller.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15021/CTPID.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmi\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

va tutto bene ?
come posso evitare di incappare ancora in quello che mi è successo ?
TIMORIA74
Utente Junior
 
Post: 24
Iscritto il: 14/03/06 08:42

Postdi fabrizius » 15/03/06 13:02

OK, ;) Ewido ha fatto il suo lavoro :D e ad eliminato le infezioni come pensavo...il log pare pulito,
Se questo non ti serve puoi anche cancellarlo:
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/ ... layer/Inst all3.0/Installer.exe

Per non incappare nella stessa situazione devi stare attento a dove clicchi e a cosa apri o scarichi....e al limite installare qualche programma per aumentare il tuo livello di sicurezza
fabrizius
Utente Senior
 
Post: 1220
Iscritto il: 20/05/05 13:55

Postdi TIMORIA74 » 15/03/06 14:16

grazie veramente di cuore.
puoi darmi dei suggerimenti su cosa installare per la mia salvaguardia ?
TIMORIA74
Utente Junior
 
Post: 24
Iscritto il: 14/03/06 08:42


Torna a Sicurezza e Privacy

Chi c’è in linea

Visitano il forum: Nessuno e 18 ospiti