Pop-up windows opening

Post by lamù79 » 05/11/07 16:41

Hi, I have a problem: for a few days now, while browsing the internet, advertising windows keep opening all the time. On my PC I have avast antivirus (latest version), Ad-Aware 2007 and the firewall built into the router. I have tried running a scan both in normal and in safe mode with AVG 7.5, Spybot, Ad-Aware and Avast! with no result. I then also ran a scan with CWShredder, but nothing. In the end I downloaded HijackThis and ran the scan... now the problem is that I don't know how to handle the results... if I post the log, can someone help me?! Thanks!
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16.36.34, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Programmi\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Documents and Settings\bimba\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Class - {C5B99A52-24C6-1FF8-04CE-116E4195268D} - C:\WINDOWS\aoaqx1.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [dwpm2.exe] C:\WINDOWS\Temp\dwpm2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SweetIM] C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SweetIM] C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [AliceMessenger] C:\Programmi\Alice Messenger\alicemessenger.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O4 - Global Startup: Photo Loader residente.lnk = C:\Programmi\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
lamù79
Newbie

Posts: 5
Joined: 05/11/07 16:12
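The HijackThis log above is the kind of thing a helper reads by eye: the BHO whose DLL is missing, the nameless toolbar with no file, the Run entry launching from C:\WINDOWS\Temp, the missing URLSearchHook and the changed start page. As an added example (not part of the original thread), here is a small Python triage script that applies those same checks to HijackThis lines; the sample lines are taken from the log in this post and the allowed start-page prefixes are an assumption.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {C5B99A52-24C6-1FF8-04CE-116E4195268D} - C:\WINDOWS\aoaqx1.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [dwpm2.exe] C:\WINDOWS\Temp\dwpm2.exe
O20 - AppInit_DLLs:
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumed allow-list: start pages beginning with these prefixes are considered expected.
DEFAULT_ALLOWED = ("http://www.google.", "about:blank")

# Directories from which a legitimate autorun entry should never be launched.
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


def parse_line(line):
    """Split one log line into its section tag and body; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body"), "raw": line.strip()}


def check_r0(body, allowed):
    m = re.search(r"Start Page = (\S+)", body)
    if m and not m.group(1).lower().startswith(allowed):
        return "start page points to an unexpected site: " + m.group(1)
    return None


def check_r3(body):
    return "default URLSearchHook removed" if "URLSearchHook is missing" in body else None


def check_o2(body):
    if "(file missing)" in body:
        return "BHO registered but its DLL is absent"
    if body.split(" - ")[0].strip() in ("BHO: Class", "BHO: (no name)"):
        return "BHO with a generic or empty name"
    return None


def check_o3(body):
    return "toolbar CLSID with no backing file" if "(no file)" in body else None


def check_o4(body):
    m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
    if m and any(t in m.group("cmd").lower() for t in TEMP_DIRS):
        return "autorun entry launching from a temporary directory"
    return None


def check_o20(body):
    value = body.split("AppInit_DLLs:", 1)[-1].strip()
    return ("AppInit_DLLs set, DLL loaded into every GUI process: " + value) if value else None


CHECKS = {"R3": check_r3, "O2": check_o2, "O3": check_o3, "O4": check_o4, "O20": check_o20}


def triage(log_text, allowed=DEFAULT_ALLOWED):
    """Return (section, raw line, reason) for every entry that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        sec = entry["section"]
        if sec == "R0":
            reason = check_r0(entry["body"], allowed)
        else:
            reason = CHECKS.get(sec, lambda _b: None)(entry["body"])
        if reason:
            findings.append((sec, entry["raw"], reason))
    return findings


if __name__ == "__main__":
    for sec, raw, reason in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {raw}")
```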


Post by Luke57 » 05/11/07 18:13

Hi, you are infected with the Linkoptimizer trojan; for now download these two tools:

prevx
http://www.prevx.com/gromozon.asp

Symantec removal tool:
http://securityresponse.symantec.com/av ... inkopt.exe

Run them one at a time; disable your antivirus during the scan.

The Prevx one reboots the computer and the scan is completed on restart; at the end it produces a report, which you will find in C:\Gromozon_Removal.log.

Then run the Symantec tool (from safe mode; if you don't know how to get there, press the F8 key repeatedly when the computer starts, before Windows begins to load; on the grey screen that appears, choose safe mode by moving with the arrow keys and pressing Enter).

This tool also produces a scan report in the folder where you put the file (Fixlinkopt.log).
Send this report too.
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10

Post by lamù79 » 05/11/07 19:18

OK... I did as you told me, but both logs tell me that no infection was found on my PC:
Symantec Trojan.Linkoptimizer Removal Tool 1.0.8

Trojan.Linkoptimizer has not been found on your computer.

And the same thing for Gromozon... so what do I do?
lamù79
Newbie

Posts: 5
Joined: 05/11/07 16:12

Post by Luke57 » 05/11/07 21:49

lamù79 wrote: OK... I did as you told me, but both logs tell me that no infection was found on my PC:
Symantec Trojan.Linkoptimizer Removal Tool 1.0.8

Trojan.Linkoptimizer has not been found on your computer.

And the same thing for Gromozon... so what do I do?

Hi, that doesn't mean there is no infection.
Download systemscan (a diagnostic tool), extract it to the desktop, close applications and programs, start it, tick all the items and press "Scan". At the end of the scan a log will be produced, which you will find in C:\suspectfile, a file with a .zip extension (date+time+.zip).
It's too long to put in a post, so go to http://www.easy-share.com and upload the file there.
Then put the download link in a new post (only the download link, not the one for deleting it from the hosting site).

In case systemscan doesn't start because of a missing privilege (SeDebugPrivilege), also download this tool

http://download.bleepingcomputer.com/sU ... estore.exe

and use it. Then reboot the PC, after which systemscan should work.
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10

Post by lamù79 » 06/11/07 17:23

OK, done! This is the link to the log:
http://w14.easy-share.com/9332951.html
lamù79
Newbie

Posts: 5
Joined: 05/11/07 16:12

Post by Luke57 » 06/11/07 20:02

Hi, download avenger to the desktop
http://swandog46.geekstogo.com/avenger.zip
Extract the archive
Run the file avenger.exe
Select the option "Input Script Manually"
Click on the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the text in bold:

Files to delete:
C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc.exe
C:\Programmi\Windows NT\Ace.exe
C:\Programmi\Windows NT\ADohM.exe
C:\Programmi\Windows NT\AnS.exe
C:\Programmi\Windows NT\awG.exe
C:\Programmi\Windows NT\BDJW.exe
C:\Programmi\Windows NT\BfM.exe
C:\Programmi\Windows NT\BqasFd.exe
C:\Programmi\Windows NT\bStQG.exe
C:\Programmi\Windows NT\CBV.exe
C:\Programmi\Windows NT\CCr.exe
C:\Programmi\Windows NT\dCZ.exe
C:\Programmi\Windows NT\DEi.exe
C:\Programmi\Windows NT\dHm.exe
C:\Programmi\Windows NT\DVI.exe
C:\Programmi\Windows NT\DXfs.exe
C:\Programmi\Windows NT\eenHa.exe
C:\Programmi\Windows NT\efG.exe
C:\Programmi\Windows NT\Ehh.exe
C:\Programmi\Windows NT\eoo.exe
C:\Programmi\Windows NT\EtQDpO.exe
C:\Programmi\Windows NT\faX.exe
C:\Programmi\Windows NT\FAxdoB.exe
C:\Programmi\Windows NT\FIB.exe
C:\Programmi\Windows NT\fNG.exe
C:\Programmi\Windows NT\frN.exe
C:\Programmi\Windows NT\FWZ.exe
C:\Programmi\Windows NT\Fyk.exe
C:\Programmi\Windows NT\gACUX.exe
C:\Programmi\Windows NT\GiL.exe
C:\Programmi\Windows NT\GlK.exe
C:\Programmi\Windows NT\gmQ.exe
C:\Programmi\Windows NT\GwBkO.exe
C:\Programmi\Windows NT\gYb.exe
C:\Programmi\Windows NT\GZY.exe
C:\Programmi\Windows NT\HdCUv.exe
C:\Programmi\Windows NT\HgaNyn.exe
C:\Programmi\Windows NT\HHm.exe
C:\Programmi\Windows NT\Hpk.exe
C:\Programmi\Windows NT\hyR.exe
C:\Programmi\Windows NT\IBuC.exe
C:\Programmi\Windows NT\iIe.exe
C:\Programmi\Windows NT\ItK.exe
C:\Programmi\Windows NT\JIy.exe
C:\Programmi\Windows NT\jnUg.exe
C:\Programmi\Windows NT\JTr.exe
C:\Programmi\Windows NT\Khr.exe
C:\Programmi\Windows NT\koqf.exe
C:\Programmi\Windows NT\kpwu.exe
C:\Programmi\Windows NT\kSXZcl.exe
C:\Programmi\Windows NT\KyXYmP.exe
C:\Programmi\Windows NT\LCPKQo.exe
C:\Programmi\Windows NT\lNd.exe
C:\Programmi\Windows NT\lOi.exe
C:\Programmi\Windows NT\lPR.exe
C:\Programmi\Windows NT\LZFE.exe
C:\Programmi\Windows NT\MJvoP.exe
C:\Programmi\Windows NT\mmC.exe
C:\Programmi\Windows NT\mWH.exe
C:\Programmi\Windows NT\mYV.exe
C:\Programmi\Windows NT\Mzri.exe
C:\Programmi\Windows NT\nJaxSs.exe
C:\Programmi\Windows NT\nkPqq.exe
C:\Programmi\Windows NT\nmJ.exe
C:\Programmi\Windows NT\OPXER.exe
C:\Programmi\Windows NT\OqV.exe
C:\Programmi\Windows NT\ORcB.exe
C:\Programmi\Windows NT\OZe.exe
C:\Programmi\Windows NT\pbfftb.exe
C:\Programmi\Windows NT\PTfbh.exe
C:\Programmi\Windows NT\pUm.exe
C:\Programmi\Windows NT\qaJ.exe
C:\Programmi\Windows NT\QCfaes.exe
C:\Programmi\Windows NT\qGnS.exe
C:\Programmi\Windows NT\qkJ.exe
C:\Programmi\Windows NT\qncaH.exe
C:\Programmi\Windows NT\rcs.exe
C:\Programmi\Windows NT\RGTuZS.exe
C:\Programmi\Windows NT\SAc.exe
C:\Programmi\Windows NT\Spj.exe
C:\Programmi\Windows NT\sUH.exe
C:\Programmi\Windows NT\TdQ.exe
C:\Programmi\Windows NT\tLg.exe
C:\Programmi\Windows NT\tnv.exe
C:\Programmi\Windows NT\trIr.exe
C:\Programmi\Windows NT\tVQ.exe
C:\Programmi\Windows NT\TyB.exe
C:\Programmi\Windows NT\TzR.exe
C:\Programmi\Windows NT\UrA.exe
C:\Programmi\Windows NT\urb.exe
C:\Programmi\Windows NT\VjaG.exe
C:\Programmi\Windows NT\Vjr.exe
C:\Programmi\Windows NT\vuQ.exe
C:\Programmi\Windows NT\wHI.exe
C:\Programmi\Windows NT\WHJ.exe
C:\Programmi\Windows NT\wMXjU.exe
C:\Programmi\Windows NT\wrmcn.exe
C:\Programmi\Windows NT\wwn.exe
C:\Programmi\Windows NT\xBl.exe
C:\Programmi\Windows NT\XeREy.exe
C:\Programmi\Windows NT\XGJi.exe
C:\Programmi\Windows NT\XhiSew.exe
C:\Programmi\Windows NT\xvqHeP.exe
C:\Programmi\Windows NT\xXdWD.exe
C:\Programmi\Windows NT\ycmp.exe
C:\Programmi\Windows NT\yGEqG.exe
C:\Programmi\Windows NT\YjY.exe
C:\Programmi\Windows NT\Yvj.exe
C:\Programmi\Windows NT\Yvt.exe
C:\Programmi\Windows NT\YWn.exe
C:\Programmi\Windows NT\yWwavj.exe
C:\Programmi\Windows NT\ZgCxEB.exe
C:\Programmi\Windows NT\zjWnx.exe
C:\Programmi\Windows NT\zLIF.exe
C:\Programmi\Windows NT\ZOo.exe
C:\Programmi\Windows NT\ZuD.exe
C:\WINDOWS\aoaqx1.dl

folders to delete:
C:\DOCUME~1\bimba\IMPOST~1\Temp
C:\WINDOWS\Temp


registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | dwpm2.exe

registry keys to delete;
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5B99A52-24C6-1FF8-04CE-116E4195268D}
HKEY_LOCAL_MACHINE\system\controlset002\services\LogUku
HKEY_LOCAL_MACHINE\system\controlset003\services\LogUku
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LogUku

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Click the Done button
Click the green traffic light icon
Answer Yes twice
The PC should reboot by itself; if it doesn't, reboot it manually.
Also post the log generated by avenger; you'll find it in C:\, it's a text file.
Then I have other things to tell you too, but I don't have time right now.
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10

Post by lamù79 » 06/11/07 20:35

Hi, OK, I managed! Here's the Avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gahajgbu

*******************

Script file located at: \??\C:\WINDOWS\system32\vwicvhbh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc.exe deleted successfully.
File C:\Programmi\Windows NT\Ace.exe deleted successfully.
File C:\Programmi\Windows NT\ADohM.exe deleted successfully.
File C:\Programmi\Windows NT\AnS.exe deleted successfully.
File C:\Programmi\Windows NT\awG.exe deleted successfully.
File C:\Programmi\Windows NT\BDJW.exe deleted successfully.
File C:\Programmi\Windows NT\BfM.exe deleted successfully.
File C:\Programmi\Windows NT\BqasFd.exe deleted successfully.
File C:\Programmi\Windows NT\bStQG.exe deleted successfully.
File C:\Programmi\Windows NT\CBV.exe deleted successfully.
File C:\Programmi\Windows NT\CCr.exe deleted successfully.
File C:\Programmi\Windows NT\dCZ.exe deleted successfully.
File C:\Programmi\Windows NT\DEi.exe deleted successfully.
File C:\Programmi\Windows NT\dHm.exe deleted successfully.
File C:\Programmi\Windows NT\DVI.exe deleted successfully.
File C:\Programmi\Windows NT\DXfs.exe deleted successfully.
File C:\Programmi\Windows NT\eenHa.exe deleted successfully.
File C:\Programmi\Windows NT\efG.exe deleted successfully.
File C:\Programmi\Windows NT\Ehh.exe deleted successfully.
File C:\Programmi\Windows NT\eoo.exe deleted successfully.
File C:\Programmi\Windows NT\EtQDpO.exe deleted successfully.
File C:\Programmi\Windows NT\faX.exe deleted successfully.
File C:\Programmi\Windows NT\FAxdoB.exe deleted successfully.
File C:\Programmi\Windows NT\FIB.exe deleted successfully.
File C:\Programmi\Windows NT\fNG.exe deleted successfully.
File C:\Programmi\Windows NT\frN.exe deleted successfully.
File C:\Programmi\Windows NT\FWZ.exe deleted successfully.
File C:\Programmi\Windows NT\Fyk.exe deleted successfully.
File C:\Programmi\Windows NT\gACUX.exe deleted successfully.
File C:\Programmi\Windows NT\GiL.exe deleted successfully.
File C:\Programmi\Windows NT\GlK.exe deleted successfully.
File C:\Programmi\Windows NT\gmQ.exe deleted successfully.
File C:\Programmi\Windows NT\GwBkO.exe deleted successfully.
File C:\Programmi\Windows NT\gYb.exe deleted successfully.
File C:\Programmi\Windows NT\GZY.exe deleted successfully.
File C:\Programmi\Windows NT\HdCUv.exe deleted successfully.
File C:\Programmi\Windows NT\HgaNyn.exe deleted successfully.
File C:\Programmi\Windows NT\HHm.exe deleted successfully.
File C:\Programmi\Windows NT\Hpk.exe deleted successfully.
File C:\Programmi\Windows NT\hyR.exe deleted successfully.
File C:\Programmi\Windows NT\IBuC.exe deleted successfully.
File C:\Programmi\Windows NT\iIe.exe deleted successfully.
File C:\Programmi\Windows NT\ItK.exe deleted successfully.
File C:\Programmi\Windows NT\JIy.exe deleted successfully.
File C:\Programmi\Windows NT\jnUg.exe deleted successfully.
File C:\Programmi\Windows NT\JTr.exe deleted successfully.
File C:\Programmi\Windows NT\Khr.exe deleted successfully.
File C:\Programmi\Windows NT\koqf.exe deleted successfully.
File C:\Programmi\Windows NT\kpwu.exe deleted successfully.
File C:\Programmi\Windows NT\kSXZcl.exe deleted successfully.
File C:\Programmi\Windows NT\KyXYmP.exe deleted successfully.
File C:\Programmi\Windows NT\LCPKQo.exe deleted successfully.
File C:\Programmi\Windows NT\lNd.exe deleted successfully.
File C:\Programmi\Windows NT\lOi.exe deleted successfully.
File C:\Programmi\Windows NT\lPR.exe deleted successfully.
File C:\Programmi\Windows NT\LZFE.exe deleted successfully.
File C:\Programmi\Windows NT\MJvoP.exe deleted successfully.
File C:\Programmi\Windows NT\mmC.exe deleted successfully.
File C:\Programmi\Windows NT\mWH.exe deleted successfully.
File C:\Programmi\Windows NT\mYV.exe deleted successfully.
File C:\Programmi\Windows NT\Mzri.exe deleted successfully.
File C:\Programmi\Windows NT\nJaxSs.exe deleted successfully.
File C:\Programmi\Windows NT\nkPqq.exe deleted successfully.
File C:\Programmi\Windows NT\nmJ.exe deleted successfully.
File C:\Programmi\Windows NT\OPXER.exe deleted successfully.
File C:\Programmi\Windows NT\OqV.exe deleted successfully.
File C:\Programmi\Windows NT\ORcB.exe deleted successfully.
File C:\Programmi\Windows NT\OZe.exe deleted successfully.
File C:\Programmi\Windows NT\pbfftb.exe deleted successfully.
File C:\Programmi\Windows NT\PTfbh.exe deleted successfully.
File C:\Programmi\Windows NT\pUm.exe deleted successfully.
File C:\Programmi\Windows NT\qaJ.exe deleted successfully.
File C:\Programmi\Windows NT\QCfaes.exe deleted successfully.
File C:\Programmi\Windows NT\qGnS.exe deleted successfully.
File C:\Programmi\Windows NT\qkJ.exe deleted successfully.
File C:\Programmi\Windows NT\qncaH.exe deleted successfully.
File C:\Programmi\Windows NT\rcs.exe deleted successfully.
File C:\Programmi\Windows NT\RGTuZS.exe deleted successfully.
File C:\Programmi\Windows NT\SAc.exe deleted successfully.
File C:\Programmi\Windows NT\Spj.exe deleted successfully.
File C:\Programmi\Windows NT\sUH.exe deleted successfully.
File C:\Programmi\Windows NT\TdQ.exe deleted successfully.
File C:\Programmi\Windows NT\tLg.exe deleted successfully.
File C:\Programmi\Windows NT\tnv.exe deleted successfully.
File C:\Programmi\Windows NT\trIr.exe deleted successfully.
File C:\Programmi\Windows NT\tVQ.exe deleted successfully.
File C:\Programmi\Windows NT\TyB.exe deleted successfully.
File C:\Programmi\Windows NT\TzR.exe deleted successfully.
File C:\Programmi\Windows NT\UrA.exe deleted successfully.
File C:\Programmi\Windows NT\urb.exe deleted successfully.
File C:\Programmi\Windows NT\VjaG.exe deleted successfully.
File C:\Programmi\Windows NT\Vjr.exe deleted successfully.
File C:\Programmi\Windows NT\vuQ.exe deleted successfully.
File C:\Programmi\Windows NT\wHI.exe deleted successfully.
File C:\Programmi\Windows NT\WHJ.exe deleted successfully.
File C:\Programmi\Windows NT\wMXjU.exe deleted successfully.
File C:\Programmi\Windows NT\wrmcn.exe deleted successfully.
File C:\Programmi\Windows NT\wwn.exe deleted successfully.
File C:\Programmi\Windows NT\xBl.exe deleted successfully.
File C:\Programmi\Windows NT\XeREy.exe deleted successfully.
File C:\Programmi\Windows NT\XGJi.exe deleted successfully.
File C:\Programmi\Windows NT\XhiSew.exe deleted successfully.
File C:\Programmi\Windows NT\xvqHeP.exe deleted successfully.
File C:\Programmi\Windows NT\xXdWD.exe deleted successfully.
File C:\Programmi\Windows NT\ycmp.exe deleted successfully.
File C:\Programmi\Windows NT\yGEqG.exe deleted successfully.
File C:\Programmi\Windows NT\YjY.exe deleted successfully.
File C:\Programmi\Windows NT\Yvj.exe deleted successfully.
File C:\Programmi\Windows NT\Yvt.exe deleted successfully.
File C:\Programmi\Windows NT\YWn.exe deleted successfully.
File C:\Programmi\Windows NT\yWwavj.exe deleted successfully.
File C:\Programmi\Windows NT\ZgCxEB.exe deleted successfully.
File C:\Programmi\Windows NT\zjWnx.exe deleted successfully.
File C:\Programmi\Windows NT\zLIF.exe deleted successfully.
File C:\Programmi\Windows NT\ZOo.exe deleted successfully.
File C:\Programmi\Windows NT\ZuD.exe deleted successfully.


File C:\WINDOWS\aoaqx1.dl not found!
Deletion of file C:\WINDOWS\aoaqx1.dl failed!

Could not process line:
C:\WINDOWS\aoaqx1.dl
Status: 0xc0000034

Folder C:\DOCUME~1\bimba\IMPOST~1\Temp deleted successfully.
Folder C:\WINDOWS\Temp deleted successfully.


Registry key HKEY_LOCAL_MACHINE\system\controlset002\services\LogUku not found!
Deletion of registry key HKEY_LOCAL_MACHINE\system\controlset002\services\LogUku failed!

Could not process line:
HKEY_LOCAL_MACHINE\system\controlset002\services\LogUku
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\system\controlset003\services\LogUku not found!
Deletion of registry key HKEY_LOCAL_MACHINE\system\controlset003\services\LogUku failed!

Could not process line:
HKEY_LOCAL_MACHINE\system\controlset003\services\LogUku
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LogUku deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|dwpm2.exe deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5B99A52-24C6-1FF8-04CE-116E4195268D} deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

Thanks, you're very kind!
lamù79
Newbie

Posts: 5
Joined: 05/11/07 16:12

Post by Luke57 » 06/11/07 21:37

Hi, the script was successful; the two tools had missed about sixty infected files.

Run avenger again with this script:

files to delete:
C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc.dat
C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc.exe
C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc_nav.dat
C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc_navps.dat
C:\WINDOWS\Prefetch\NMDCIIOOCC.EXE-0287CBBF.pf


After the reboot, open the registry:
start>run>regedit (type it in the box)>OK
clicking the + sign next to the individual items, follow this path:
HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion
Run
Click on the Run folder
on the right, among the various items, if you find
nmdciioocc
right-click on it and choose delete.

Open hijackthis, press "do a system scan only", find and tick the following item:
R3 - Default URLSearchHook is missing
press fix checked.

Also, open the file
C:\Windows\System32\Drivers\Etc\hosts
open the hosts file with Notepad and delete, by selecting and deleting, everything you find below this text (meaning the file must contain only the following text):

# Copyright (c) 1993-1999 Microsoft Corp.
#
# Questo è un esempio di file HOSTS usato da Microsoft TCP/IP per Windows.
#
# Questo file contiene la mappatura degli indirizzi IP ai nomi host.
# Ogni voce dovrebbe occupare una singola riga. L'indirizzo IP dovrebbe
# trovarsi nella prima colonna seguito dal nome host corrispondente.
# L'indirizzo e il nome host dovrebbero essere separati da almeno uno spazio
# o punto di tabulazione.
#
# È inoltre possibile inserire commenti (come questi) nelle singole righe
# o dopo il nome del computer caratterizzato da un simbolo '#'.
#
# Per esempio:
#
# 102.54.94.97 rhino.acme.com # server origine
# 38.25.63.10 x.acme.com # client host x

127.0.0.1 localhost

save it and tick the "read-only" option.
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10
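The hosts-file step above boils down to one rule: apart from comments, the file should map only localhost to the loopback address, because any other line either blackholes a site (security vendors, update servers) or silently redirects it. As an added example (not part of the original thread), this Python snippet audits a hosts file against that rule and rebuilds a clean copy; the sample content is constructed, with the hijack lines using reserved .invalid names.

```python
import ipaddress

# Constructed sample: the Microsoft header comments plus three entries of the kind a
# tampered hosts file carries (names under the reserved .invalid TLD).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# 102.54.94.97 rhino.acme.com # server origine
127.0.0.1 localhost
# constructed entries that a hijacked hosts file might carry:
127.0.0.1 www.update-site.invalid
0.0.0.0 av-vendor.invalid
198.51.100.7 www.bank.invalid
"""

# The only hostnames that are allowed to map to the loopback address.
LOOPBACK_NAMES = {"localhost"}


def split_mapping(stripped):
    """'ip name1 name2' -> (ip, [names]) for a line already freed of comments."""
    parts = stripped.split()
    return parts[0], parts[1:]


def parse_hosts(text):
    """Return (line_no, ip, [names]) for every non-comment, non-blank line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.split("#", 1)[0].strip()  # drop trailing comments
        if stripped:
            ip, names = split_mapping(stripped)
            entries.append((n, ip, names))
    return entries


def classify(ip, names):
    """None if the mapping is the legitimate localhost line, else a reason string."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed address " + ip
    if not names:
        return "mapping without a hostname"
    if addr.is_loopback and all(h.lower() in LOOPBACK_NAMES for h in names):
        return None
    if addr.is_loopback or addr.is_unspecified:
        return "blackholes " + ", ".join(names) + " (those sites become unreachable)"
    return "redirects " + ", ".join(names) + " to " + ip


def audit_hosts(text):
    """List every suspicious mapping as (line_no, ip, names, reason)."""
    findings = []
    for n, ip, names in parse_hosts(text):
        reason = classify(ip, names)
        if reason:
            findings.append((n, ip, names, reason))
    return findings


def clean_hosts(text):
    """Rebuild the file keeping comments, blank lines and only the localhost mapping."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if not stripped or classify(*split_mapping(stripped)) is None:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, ip, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {reason}")
    print(clean_hosts(SAMPLE_HOSTS))
```

On the machine in this thread the file to check is C:\Windows\System32\Drivers\Etc\hosts, and after writing the clean copy the read-only attribute should be set again as the post says.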

Post by lamù79 » 06/11/07 23:43

Hi, so... I ran avenger again and this is the log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gmxdmanl

*******************

Script file located at: \??\C:\hgtocgot.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc.dat deleted successfully.


File C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc.exe not found!
Deletion of file C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc.exe failed!

Could not process line:
C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc.exe
Status: 0xc0000034

File C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc_nav.dat deleted successfully.
File C:\Documents and Settings\bimba\Impostazioni locali\Dati applicazioni\nmdciioocc_navps.dat deleted successfully.
File C:\WINDOWS\Prefetch\NMDCIIOOCC.EXE-0287CBBF.pf deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Then, as you told me, I went to look in the Run folder for nmdciioocc,
found it and deleted it. I started Hijackthis and fixed R3 - Default URLSearchHook is missing... ok... the only hitch I found was with the hosts file... I opened the file with Notepad, selected what you told me and deleted it, but when it came time to save it told me I couldn't... so I didn't really understand... does the text file I opened the hosts file with then stay as a txt file in the folder together with the original file, or do I actually have to replace the original file?! sorry... I'm a bit clumsy with the PC... if it wasn't already obvious!!
lamù79
Newbie

Posts: 5
Joined: 05/11/07 16:12

Post by Luke57 » 07/11/07 08:14

Hi, you have to open the original file with Notepad (right-click, choose open with), then inside the file delete the indicated lines, leaving intact the text shown in the previous post, set the "read-only" option, and when closing save the changes you made.
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10
