Condividi:        

E1XPLORER

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

E1XPLORER

Postdi albertok » 06/09/06 18:52

ciao a tutti ho contratto il virus e1xplorer che mi sta incasinando il pc!
qualcuno potrebbe darmi gentilemente una mano questo è il mio file log di hjiack:


--------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22.43.26, on 05/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\service.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\programmi\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\drivers\Icon.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Apps\Powercinema\PCMService.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Lexmark 2300 Series\lxcgmon.exe
C:\Programmi\Lexmark 2300 Series\ezprint.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\funk.exe
C:\WINDOWS\system32\bikini.exe
C:\WINDOWS\system32\ntsystem.exe
C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Documents and Settings\mupa80\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/r ... key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\it.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://format.packardbell.com/cgi-bin/r ... 6&key=OEM4
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {20929603-21DB-477C-BA6F-0B8E70B3C8A0} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [Icon] C:\WINDOWS\system32\drivers\Icon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Programmi\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programmi\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [Windows Installer] C:\WINDOWS\system32\ntdll.exe
O4 - HKLM\..\Run: [aouei] C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitelos32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\it.htm
O15 - Trusted Zone: http://www.adslconnection.name
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.otherchance.com
O15 - Trusted Zone: http://www.redfunny.com
O15 - Trusted Zone: http://www.softlab.name
O15 - Trusted Zone: http://www.xxx-content.name
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe

-------------------------------

grazie
albertok
Newbie
 
Post: 7
Iscritto il: 05/09/06 21:47

Sponsor
 

Postdi andorra24 » 06/09/06 19:25

Ciao, apri hijackthis, premi su ''open the misc tools section'', poi premi ''open process manager'', individua le voci indicate sotto e premi ''kill process'':

C:\WINDOWS\System32\service.exe (da NON confondere con il legittimo services.exe con la s finale)
C:\WINDOWS\system32\funk.exe
C:\WINDOWS\system32\bikini.exe
C:\WINDOWS\system32\ntsystem.exe
C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe

Poi vai in basso e premi il tasto back e subito dopo il tasto scan. Metti la spunta nella casellina accanto alle voci indicate sotto e premi ''fix checked'' :

R3 - URLSearchHook: (no name) - {20929603-21DB-477C-BA6F-0B8E70B3C8A0} - (no file)
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [Windows Installer] C:\WINDOWS\system32\ntdll.exe
O4 - HKLM\..\Run: [aouei] C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitelos32.exe
O15 - Trusted Zone: http://www.adslconnection.name
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.otherchance.com
O15 - Trusted Zone: http://www.redfunny.com
O15 - Trusted Zone: http://www.softlab.name
O15 - Trusted Zone: http://www.xxx-content.name
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe

Vai su start/risorse del computer/strumenti/opzioni cartella/visualizzazione e metti la spunta su visualizza cartelle file nascosti e togli la spunta da ''nascondi i file protetti di sistema''.

Scarica killbox da qui: http://www.killbox.net/downloads/KillBox.exe
con killbox elimina i seguenti files:
C:\WINDOWS\System32\service.exe (da NON confondere con il legittimo services.exe con la s finale)
C:\WINDOWS\system32\funk.exe
C:\WINDOWS\system32\bikini.exe
C:\WINDOWS\system32\ntsystem.exe
C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe (dopo aver eliminato il file exe elimina anche la cartella ratorefaci)
C:\WINDOWS\system32\ntdll.exe
c:\windows\system32\elitelos32.exe

Poi devi fare un controllo su due files scansionandoli su http://www.virustotal.com :
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\drivers\Icon.exe
fammi sapere l'esito della scansione su virustotal

Infine fai una scansione con superantispyware:
http://www.superantispyware.com/downloa ... PYWAREFREE
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

e1xplorer

Postdi albertok » 06/09/06 20:36

grazie per le info adesso mi metto al lavoro:

ho provato ma C:\windows\system32\service.exe mi da un messaggio di errore quando provo a fare kill process in hjiackthis.

mi dice il file può essere chiuso o protetto da windows!
continuo lo stesso?
grazie ancora
albertok
Newbie
 
Post: 7
Iscritto il: 05/09/06 21:47

e1xplorer

Postdi albertok » 06/09/06 20:44

a dire il vero in hjackthis nella parte kill process non ho trovato neppure questi:

C:\WINDOWS\system32\ntsystem.exe
C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe

Ho fatto alcune scansioni con spybot e ad-aware magari li ho cancellati
magari riallego il log di hijack aggiornato :

Logfile of HijackThis v1.99.1
Scan saved at 21.40.45, on 06/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\service.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\drivers\Icon.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Apps\Powercinema\PCMService.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Lexmark 2300 Series\lxcgmon.exe
C:\Programmi\Lexmark 2300 Series\ezprint.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mupa80\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/r ... key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\it.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://format.packardbell.com/cgi-bin/r ... 6&key=OEM4
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {20929603-21DB-477C-BA6F-0B8E70B3C8A0} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [Icon] C:\WINDOWS\system32\drivers\Icon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Programmi\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programmi\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [aouei] C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\it.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe
albertok
Newbie
 
Post: 7
Iscritto il: 05/09/06 21:47

Postdi andorra24 » 06/09/06 20:57

apri hijackthis, premi su ''open the misc tools section'', poi premi ''open process manager'', individua le voci indicate sotto e premi ''kill process'':

C:\WINDOWS\System32\service.exe (da non confondere con il legittimo services.exe!!!! )
C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe

Poi vai in basso e premi il tasto back e subito dopo il tasto scan. Metti la spunta nella casellina accanto alle voci indicate sotto e premi ''fix checked'' :

R3 - URLSearchHook: (no name) - {20929603-21DB-477C-BA6F-0B8E70B3C8A0} - (no file)
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [aouei] C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe

NB: Vai su start/risorse del computer/strumenti/opzioni cartella/visualizzazione e metti la spunta su visualizza cartelle file nascosti e togli la spunta da ''nascondi i file protetti di sistema (consigliato)''.

Elimina i seguenti files (se presenti) :
C:\WINDOWS\System32\service.exe (da non confondere con il legittimo services.exe!!!! )
C:\Documents and Settings\mupa80\Dati applicazioni\ratorefaci\sysrtmvs.exe (dopo elimina la cartella ratorefaci)
C:\WINDOWS\system32\funk.exe
C:\WINDOWS\system32\bikini.exe
C:\WINDOWS\system32\ntsystem.exe

Scansiona su http://www.virustotal.com i seguenti files e fammi sapere se sono puliti o no:
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\drivers\Icon.exe


Fai la scansione con superantispyware.

ps: sto uscendo.
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi albertok » 06/09/06 21:23

ciao andorra ho seguito alla lettera le tue dritte però su virus total c'è una coda di 40 minuti per ottenere informazioni sui virus.adesso faccio una scansione con superantyspyware...

alla fine come faccio ad avere le garanzie pratiche che sia stato debellato?
albertok
Newbie
 
Post: 7
Iscritto il: 05/09/06 21:47

Postdi andorra24 » 06/09/06 22:05

albertok ha scritto:ciao andorra ho seguito alla lettera le tue dritte però su virus total c'è una coda di 40 minuti per ottenere informazioni sui virus.adesso faccio una scansione con superantyspyware...

alla fine come faccio ad avere le garanzie pratiche che sia stato debellato?

Quando avrai eliminato tutte le voci che ti ho indicato e avrai completato la scansione con superantispyware potrai postare un nuovo log per un nuovo controllo.
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi albertok » 06/09/06 22:42

a me sembra a posto

ho installato avast come antivirus.come firewall e protezioni varie cosa mi consigli?
ecco il log..sperando di non cantar vittoria..

-----------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 23.40.50, on 06/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\drivers\Icon.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Apps\Powercinema\PCMService.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Lexmark 2300 Series\lxcgmon.exe
C:\Programmi\Lexmark 2300 Series\ezprint.exe
C:\DOCUME~1\mupa80\IMPOST~1\Temp\20069623612_mcinfo.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mupa80\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/r ... key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\it.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://format.packardbell.com/cgi-bin/r ... 6&key=OEM4
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [Icon] C:\WINDOWS\system32\drivers\Icon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Programmi\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programmi\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programmi\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\mupa80\IMPOST~1\Temp\20069623612_mcinfo.exe /insfin
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\it.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe (file missing)

---------------------------------------------------------


grazie infinite
albertok
Newbie
 
Post: 7
Iscritto il: 05/09/06 21:47

Postdi andorra24 » 06/09/06 22:59

Siamo quasi alla fine, mancano ancora un paio di cose. Con hijackthis elimina queste 2 voci premendo fix checked:

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe (file missing)

Visualizza cartelle e file nascosti come ti ho indicato nel post precedente e cerca ed elimina (se presente) il seguente file:
C:\WINDOWS\system32\ntsystem.exe

Poi fai questa piccola operazione:

start>esegui>sc stop WSCM>OK
start>esegui>sc delete WSCM>OK

Infine dovresti scansionare su http://www.virustotal.com questi 2 files (te l'avevo gia' detto in precedenza) :
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\drivers\Icon.exe
se risulteranno puliti non toccarli, se invece dovessero essere infetti allora eliminali come hai gia' fatto con gli altri files precedenti.
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi albertok » 06/09/06 23:03

ok a momenti ti darò l'esito del tutto e dei virus su virus planet
albertok
Newbie
 
Post: 7
Iscritto il: 05/09/06 21:47

Postdi andorra24 » 06/09/06 23:06

albertok ha scritto:a me sembra a posto

ho installato avast come antivirus.come firewall e protezioni varie cosa mi consigli?


Come firewall potresti mettere i classici zone alarm, kerio o outpost oppure il nuovo Comodo Personal Firewall di cui si dicono cose molto positive in rete. Come programmi di protezione potresti mettere SpywareBlaster per immunizzare il sistema, poi superantispyware va benissimo per fare regolari scansioni al tuo pc, usa un buon cleaner come CCleaner per eliminare files temp,cache,cookies,cronologia e per dare una ripulita al registro.
Ultima modifica di andorra24 su 06/09/06 23:26, modificato 2 volte in totale.
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi andorra24 » 06/09/06 23:07

albertok ha scritto:ok a momenti ti darò l'esito del tutto e dei virus su virus planet

ok, comunque se non riesco a guardarlo stasera lo faro' domattina. ;)
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi albertok » 06/09/06 23:12

andorra senti un pò una cosa...io ti ringrazio veramente..
sei geniale e credimi senza leccare grazie a persone come te che la rete va avanti grazie infinite..
albertok
Newbie
 
Post: 7
Iscritto il: 05/09/06 21:47

Postdi andorra24 » 06/09/06 23:16

albertok ha scritto:andorra senti un pò una cosa...io ti ringrazio veramente..
sei geniale e credimi senza leccare grazie a persone come te che la rete va avanti grazie infinite..

Grazie, sei molto gentile. ;)
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo


Torna a Sicurezza e Privacy


Topic correlati a "E1XPLORER":

e1xplorer
Autore: Zaba
Forum: Sicurezza e Privacy
Risposte: 4

Chi c’è in linea

Visitano il forum: Nessuno e 37 ospiti