Something is wrong........help me


Post by alemao » 16/08/06 11:28

The computer is slow, and the antivirus detects a virus, paea, that I can't remove. Please help me
Scan saved at 12.13.35, on 16/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Programmi\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\Temp\paea3.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Programmi\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Oliva Alessio\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gw.aliceadsl.it/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Class - {F267F347-F76D-85A6-6CA5-DBE7845D12F3} - C:\WINDOWS\paqha1.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Controllo del Calendario di Ulead Photo Express] C:\Programmi\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Programmi\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [paea2.exe] C:\WINDOWS\Temp\paea2.exe
O4 - HKLM\..\Run: [paea3.exe] C:\WINDOWS\Temp\paea3.exe
O4 - HKLM\..\Run: [paea4.exe] C:\WINDOWS\Temp\paea4.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Programmi\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Programmi\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Alice - {BDE8DE80-DF59-4B58-9025-7649445CF9F1} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{180E4D09-3205-48F0-B772-FC22F599323D}: NameServer = 85.37.17.11 85.38.28.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{180E4D09-3205-48F0-B772-FC22F599323D}: NameServer = 85.37.17.11 85.38.28.69
O17 - HKLM\System\CS2\Services\Tcpip\..\{180E4D09-3205-48F0-B772-FC22F599323D}: NameServer = 85.37.17.11 85.38.28.69
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by Luke57 » 16/08/06 12:55

Hi, download Gmer:
http://www.gmer.net/gmer110.zip
After unpacking it, launch it and select "Rootkit"
Click "Scan"
Wait for the scan to finish and click "Copy"
Open Windows Notepad, click Edit and select Paste
Now select the whole contents of Notepad and copy and paste it into the forum

Also attach the log made from the Autostart tab, with the same procedure as above.

Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Post by sabazio » 16/08/06 13:06

Well... first of all, a more recent version of the service pack is available, which would certainly improve the security of your system. Download the newest version of the service pack from the Microsoft Windows Update site.

Version (6.00.2600.0000) is outdated by now. Use Windows Update to update Internet Explorer.

I would delete this application:
C:\WINDOWS\Temp\paea3.exe

and fix these entries:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Class - {F267F347-F76D-85A6-6CA5-DBE7845D12F3} - C:\WINDOWS\paqha1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [paea2.exe] C:\WINDOWS\Temp\paea2.exe
O4 - HKLM\..\Run: [paea3.exe] C:\WINDOWS\Temp\paea3.exe
O4 - HKLM\..\Run: [paea4.exe] C:\WINDOWS\Temp\paea4.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

It's not normal for the O17 entry to show up three times... but if the domain (87....etc...) is your Internet provider's, there shouldn't be any problem... at worst delete the clones.
Before fixing the entries, make sure HijackThis makes an automatic backup of them (for that, the application has to be in a folder of its own... first fix just one entry... for example the O3 one, which is certainly fixable... close the application... if it has been saved in the backup section, go on with the others), also because I'm not a computer expert and I could be wrong. Good luck
sabazio
Junior Member
Posts: 37
Joined: 06/08/06 04:17
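The triage sabazio does by eye on the HijackThis log above (autoruns launched from Temp, an entry with no path at all, BHOs whose DLL the scanner cannot see, ActiveX entries pointing at local file:// cabs, the O17 name servers) written out as a small Python checker. This is an added example, not part of the thread or of HijackThis; the sample log is a constructed, trimmed copy of the posted entries with a placeholder http:// URL, and the rules are my own heuristics.

```python
import re

# Constructed sample in the HijackThis log format used in the thread: a trimmed
# copy of the entries the replies single out, plus benign entries as controls.
# The http:// O16 URL is a placeholder, not the one from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Class - {F267F347-F76D-85A6-6CA5-DBE7845D12F3} - C:\WINDOWS\paqha1.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [paea2.exe] C:\WINDOWS\Temp\paea2.exe
O4 - HKLM\..\Run: [paea3.exe] C:\WINDOWS\Temp\paea3.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://example.invalid/setup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{180E4D09-3205-48F0-B772-FC22F599323D}: NameServer = 85.37.17.11 85.38.28.69
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def _image_path(cmd):
    """The executable a Run command launches: the quoted path, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _check_entry(kind, body):
    """(subject, reason) when an entry deserves a closer look, else None."""
    if kind == "O2":
        # The DLL is not visible to the scanner: an orphaned BHO, or (as GMER
        # showed later in the thread for paqha1.dll) a file hidden from it.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            guid = GUID_RE.search(body)
            return (guid.group(0) if guid else body,
                    "BHO registered but its DLL is not visible on disk")
    elif kind == "O4":
        m = O4_RE.match(body)
        if not m:  # Global Startup .lnk entries use a different layout
            return None
        name, image = m.group("name"), _image_path(m.group("cmd"))
        if "\\" not in image:
            return (name, "autorun given as a bare file name, resolved through the search path at logon")
        if "\\temp\\" in image.lower():
            return (name, "autorun image lives in a Temp directory")
    elif kind == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if url.lower().startswith("file://"):
            guid = GUID_RE.search(body)
            return (guid.group(0) if guid else body,
                    "ActiveX download entry pointing at a local .cab rather than a web server")
    elif kind == "O17":
        m = re.search(r"NameServer = (.+)$", body)
        if m:
            return (m.group(1).strip(),
                    "DNS servers set in the registry: confirm they belong to the ISP")
    return None


def triage(log_text):
    """Return (kind, subject, reason) for each log entry that needs a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        hit = _check_entry(m.group("kind"), m.group("body"))
        if hit:
            findings.append((m.group("kind"), hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LOG):
        print(f"{kind:<4} {subject:<40} {reason}")
```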

Post by alemao » 16/08/06 13:52

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-16 14:31:16
Windows 5.1.2600


---- Devices - GMER 1.0.10 ----

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_DEVICE_CONTROL [F7075856] BsUDF.SYS
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_DEVICE_CONTROL [F7075856] BsUDF.SYS
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [F7075856] BsUDF.SYS
---- Processes - GMER 1.0.10 ----

Library C:\WINDOWS\paqha1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [2668] 0x010E0000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{190C612B-81CA-405B-B858-06019946E169}
File C:\WINDOWS\paqha1.dll

---- EOF - GMER 1.0.10 ----
rootkit done
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by Luke57 » 16/08/06 15:00

Hi, you also need to paste a GMer log made from the Autostart tab.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Post by alemao » 16/08/06 15:40

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-16 14:36:32
Windows 5.1.2600


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>>
Winlogon@Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Windows@AppInit_DLLs = C:\:hcjzfz.nxt

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
C-DillaCdaC11BA /*C-DillaCdaC11BA*/@ = C:\WINDOWS\System32\drivers\CDAC11BA.EXE
LogZiv /*LogZiv*/@ = "C:\Programmi\File comuni\System\Jsk.exe"
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UleadBurningHelper /*Ulead Burning Helper*/@ = C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NeroCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@InCDC:\Programmi\Ahead\InCD\InCD.exe = C:\Programmi\Ahead\InCD\InCD.exe
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@rockrock.exe /*file not found*/ = rock.exe /*file not found*/
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@Controllo del Calendario di Ulead Photo ExpressC:\Programmi\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe = C:\Programmi\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
@Ulead AutoDetectorC:\Programmi\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe = C:\Programmi\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
@paea2.exeC:\WINDOWS\Temp\paea2.exe = C:\WINDOWS\Temp\paea2.exe
@paea3.exeC:\WINDOWS\Temp\paea3.exe = C:\WINDOWS\Temp\paea3.exe
@paea4.exeC:\WINDOWS\Temp\paea4.exe = C:\WINDOWS\Temp\paea4.exe
RunOnceEx@ = /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\System32\ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@MsnMsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/ = "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{acb4a560-3606-11d3-aef4-00104bd0f92d} /*KodakShellExtension*/C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll = C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{F267F347-F76D-85A6-6CA5-DBE7845D12F3}C:\WINDOWS\paqha1.dll = C:\WINDOWS\paqha1.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssstars.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://gw.aliceadsl.it/home = http://gw.aliceadsl.it/home
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.virgilio.it/ = http://www.virgilio.it/
@Local PageC:\WINDOWS\System32\blank.htm = C:\WINDOWS\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\System32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\System32\msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Kodak EasyShare software.lnk = Kodak EasyShare software.lnk
Kodak software updater.lnk = Kodak software updater.lnk
Microsoft Office.lnk = Microsoft Office.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.10 ----
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by Luke57 » 16/08/06 16:00

Hi, carry out these steps:

1) From My Computer > Control Panel > Add/Remove Programs, check whether LinkOptimizer is present; if it is, do not try to uninstall it.

2) Download MyUninstaller from here:

http://www.nirsoft.net/utils/myuninst.html

with this little program you will be able to uninstall LinkOptimizer.

Open the program (click myuninst.exe, wait for the installed applications to be listed, highlight LinkOptimizer, right-click and choose Delete)

3) Start > Run > control userpasswords2 > OK
in the User Accounts window, check the accounts (Administrators, User, Aspnet are normal); if you find one with a random name, like XPGZQ and so on, note down the name and delete it by right-clicking and choosing Delete

4) Make hidden files and folders visible:

from Computer Management > Tools > Folder Options
Select View
Tick "show hidden files and folders"
Untick "hide protected operating system files (recommended)"
Press OK
Go to C:\Documents and Settings; you should find a folder with the same name as that account; delete it too.

5) Go to C:\programmi\file comuni\system and report whether there are other files coloured green (it means they are encrypted)

6) download avenger to the desktop
http://swandog46.geekstogo.com/avenger.zip
unzip the .zip file
Launch avenger.exe
Select the "Input Script Manually" option
Click the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the text in bold:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\LogZiv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rock.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\paea2.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\paea3.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\paea4.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{F267F347-F76D-85A6-6CA5-DBE7845D12F3}

Files to delete:
C:\WINDOWS\paqha1.dll
C:\WINDOWS\Temp\paea2.exe
C:\WINDOWS\Temp\paea3.exe
C:\WINDOWS\Temp\paea4.exe
C:\Programmi\File comuni\System\Jsk.exe


Click the Done button
Click the green traffic-light icon twice
Answer Yes twice
The PC should reboot on its own; if it doesn't, reboot it manually

Post the Avenger log (C:/avenger.txt) with the result of the script
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Post by alemao » 16/08/06 17:02

I can't do step 2...
I go to Start, then Run, then what?

thanks for the help
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by alemao » 16/08/06 17:03

step 3
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by Luke57 » 16/08/06 17:14

Hi, sorry, I didn't specify it: in the white box type:
control userpasswords2 and then OK
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Post by alemao » 16/08/06 17:50

linkoptimizer still shows up in Add/Remove Programs... I tried uninstalling it normally but it made me connect to a website... and I don't think it succeeded... also inside the common files folder there are still green applications.... finally avenger reported a series of errors... what else can I do??? thanks
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rock.exe


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\paea2.exe


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\paea3.exe


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\paea4.exe


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: {F267F347-F76D-85A6-6CA5-DBE7845D12F3}


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rhohjist

*******************

Script file located at: \??\C:\Program Files\uruytcnq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\LogZiv deleted successfully.
File C:\WINDOWS\paqha1.dll deleted successfully.
File C:\WINDOWS\Temp\paea2.exe deleted successfully.
File C:\WINDOWS\Temp\paea3.exe deleted successfully.
File C:\WINDOWS\Temp\paea4.exe deleted successfully.


File C:\Programmi\File comuni\System\Jsk.exe not found!
Deletion of file C:\Programmi\File comuni\System\Jsk.exe failed!

Could not process line:
C:\Programmi\File comuni\System\Jsk.exe
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by Luke57 » 16/08/06 18:25

Hi, I told you not to uninstall linkoptimizer from the Control Panel :x , it may now have installed the rootkit.
Post two new Gmer logs and the exact names of the green files found in the folder (give me the precise path of the files)
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Post by alemao » 16/08/06 19:44

sorry....
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-16 20:40:54
Windows 5.1.2600


---- Devices - GMER 1.0.10 ----

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_DEVICE_CONTROL [F6CAA856] BsUDF.SYS
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_DEVICE_CONTROL [F6CAA856] BsUDF.SYS
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [F6CAA856] BsUDF.SYS

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{190C612B-81CA-405B-B858-06019946E169}

---- EOF - GMER 1.0.10 ----
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by alemao » 16/08/06 19:45

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-16 20:43:14
Windows 5.1.2600


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
C-DillaCdaC11BA /*C-DillaCdaC11BA*/@ = C:\WINDOWS\System32\drivers\CDAC11BA.EXE
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UleadBurningHelper /*Ulead Burning Helper*/@ = C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NeroCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@InCDC:\Programmi\Ahead\InCD\InCD.exe = C:\Programmi\Ahead\InCD\InCD.exe
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@rockrock.exe /*file not found*/ = rock.exe /*file not found*/
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@Controllo del Calendario di Ulead Photo ExpressC:\Programmi\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe = C:\Programmi\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
@Ulead AutoDetectorC:\Programmi\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe = C:\Programmi\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
@paea2.exeC:\WINDOWS\Temp\paea2.exe /*file not found*/ = C:\WINDOWS\Temp\paea2.exe /*file not found*/
@paea3.exeC:\WINDOWS\Temp\paea3.exe /*file not found*/ = C:\WINDOWS\Temp\paea3.exe /*file not found*/
@paea4.exeC:\WINDOWS\Temp\paea4.exe /*file not found*/ = C:\WINDOWS\Temp\paea4.exe /*file not found*/
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
RunOnceEx@ = /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\System32\ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@MsnMsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/ = "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{acb4a560-3606-11d3-aef4-00104bd0f92d} /*KodakShellExtension*/C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll = C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssstars.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://gw.aliceadsl.it/home = http://gw.aliceadsl.it/home
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.virgilio.it/ = http://www.virgilio.it/
@Local PageC:\WINDOWS\System32\blank.htm = C:\WINDOWS\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\System32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\System32\msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Kodak EasyShare software.lnk = Kodak EasyShare software.lnk
Kodak software updater.lnk = Kodak software updater.lnk
Microsoft Office.lnk = Microsoft Office.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.10 ----
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by alemao » 16/08/06 19:51

the green files are: BTK, Dhe, DjS, fokbyo, gBwn, IYX, jCT, KcB, NvI, PsDL and finally yaD
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by Luke57 » 16/08/06 19:59

Hi, yes, but in which folder? C:\programmi\System or C:\programmi ?
With the next step we should be done.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Post by alemao » 16/08/06 20:13

C: programmi, file comuni, system
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by alemao » 16/08/06 20:15

luke you're very kind, thank you
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by alemao » 16/08/06 20:31

luke are you there?
alemao
Junior Member
Posts: 88
Joined: 16/08/06 11:18

Post by Luke57 » 16/08/06 20:32

Hi, then relaunch Avenger.exe
Select the "Input Script Manually" option
Click the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the text in bold:



Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\rock.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\paea2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\paea3.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\paea4.exe


Files to delete:
C:\Programmi\File comuni\System\Jsk.exe
C:\Programmi\File comuni\System\BTK.exe
C:\Programmi\File comuni\System\Dhe.exe
C:\Programmi\File comuni\System\DjS.exe
C:\Programmi\File comuni\System\fokbyo.exe
C:\Programmi\File comuni\System\gBwn.exe
C:\Programmi\File comuni\System\IYX.exe
C:\Programmi\File comuni\System\jCT.exe
C:\Programmi\File comuni\System\KcB.exe
C:\Programmi\File comuni\System\NvI.exe
C:\Programmi\File comuni\System\PsDL.exe
C:\Programmi\File comuni\System\yAD.exe



Click the Done button
Click the green traffic-light icon twice
Answer Yes twice
The PC should reboot on its own; if it doesn't, reboot it manually

Post the Avenger log (C:/avenger.txt) with the result of the script

Open hijackthis, press "do a system scan only", find and tick:
R3 - Default URLSearchHook is missing
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
press fix checked.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10
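A lint pass over the Avenger script layout used in this thread, written to catch the two mistakes the pre-processor log reported on the first script (Run entries, which are registry values, listed under the keys section; and the BHO key path wrapped so that its GUID sat alone on the next line, after which the log shows the whole Browser Helper Objects key deleted) and which the keys section of the second script repeats. This is an added example, not Avenger's own code; the sample script is a constructed copy of the first one posted, and the checks are my assumptions about what the pre-processor accepts, based only on the messages in the posted log.

```python
import re

# Constructed copy of the first Avenger script posted in the thread, keeping the
# two layout mistakes its pre-processor log reported: Run entries (registry
# values, not keys) listed under the keys section, and a BHO key path wrapped so
# that its GUID sits alone on the following line.
SCRIPT = r"""
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\LogZiv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rock.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\paea2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{F267F347-F76D-85A6-6CA5-DBE7845D12F3}

Files to delete:
C:\WINDOWS\paqha1.dll
C:\Programmi\File comuni\System\Jsk.exe
"""

HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")
# Under these keys each autorun entry is a *value*, so a path ending in an entry
# name is not a key; the posted log shows Avenger reporting such lines as
# "not a valid registry path" and ignoring them.
VALUE_PARENTS = ("\\currentversion\\run", "\\currentversion\\runonce")
GUID_LINE_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def _section_of(line):
    """Normalised section name if the line is a header such as 'Files to delete:'."""
    if line.endswith(":") and not line.upper().startswith(HIVES):
        return line[:-1].strip().lower()
    return None


def _check_registry_entry(no, line, section, prev, problems):
    key = line.split("|", 1)[0].strip()
    if not key.upper().startswith(HIVES):
        msg = "not a registry path; the pre-processor ignores this line"
        # The failure seen in the thread: a GUID alone on a line right after a
        # path ending in a backslash. The GUID line is skipped, and the previous
        # line, which now names only the parent key, gets the whole parent deleted.
        if GUID_LINE_RE.match(line) and prev and prev[1].endswith("\\"):
            msg += (f"; it looks like the wrapped tail of line {prev[0]}, which as "
                    "written names the parent key, so the whole parent would go")
        problems.append((no, "error", msg))
        return
    if "values" in section and "|" not in line:
        problems.append((no, "error", "value entries take the form 'key | value name'"))
    if "keys" in section:
        parent = key.rsplit("\\", 1)[0].lower()
        if parent.endswith(VALUE_PARENTS):
            problems.append((no, "error",
                             "a value under a Run key, not a key; the pre-processor rejects it here"))
    if key.endswith("\\"):
        problems.append((no, "warning",
                         "path ends in a backslash: the next line was probably meant to continue it"))


def lint(script):
    """Return (line_no, level, message) for each entry Avenger would skip or
    apply to something other than what the author meant."""
    problems = []
    section = None
    prev = None  # (line_no, text) of the previous entry in this section
    for no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        header = _section_of(line)
        if header is not None:
            section, prev = header, None
            continue
        if section is None:
            problems.append((no, "error", "entry before any section header"))
        elif section.startswith("registry"):
            _check_registry_entry(no, line, section, prev, problems)
        elif section == "files to delete" and not re.match(r"^[A-Za-z]:\\", line):
            problems.append((no, "error", "file entry is not an absolute drive path"))
        prev = (no, line)
    return problems


if __name__ == "__main__":
    for no, level, msg in lint(SCRIPT):
        print(f"line {no:>2} {level:<7} {msg}")
```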
