
OHPE ver 4.12_23

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

Post by Maax » 23/09/06 10:08

Hi everyone.
I bumped this topic because I have the same problem too.
I tried to follow your advice but I couldn't get to the bottom of it.
I should say upfront that I have Win2000 Pro, not XP, so the path in which to look for mssearch is not c:\windows\system32, because mine is ....\winnt.
I'm posting the HIJ log; thanks for any help.

Logfile of HijackThis v1.99.0
Scan saved at 11.08.21, on 23/09/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\PC-CILLIN NT\ntrtscan.exe
C:\PC-CILLIN NT\OfcPfwSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\RCSERV.EXE
C:\PC-CILLIN NT\tmlisten.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\TEMP\ZQAD6D.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Media-Codec\pmsngr.exe
C:\Programmi\Media-Codec\pmmon.exe
C:\Programmi\Media-Codec\isamonitor.exe
C:\Programmi\Media-Codec\isamini.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\WINNT\system32\TpShocks.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\rundll32.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
C:\WINNT\AGRSMMSG.exe
C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Programmi\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Programmi\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PC-CILLIN NT\pccntmon.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\VoiceAge\Common\VaCtrl.exe
C:\WINNT\Temp\mvfp1.exe
C:\WINNT\system32\internat.exe
C:\Programmi\Everest Labs\Spydefense\sdc.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\winstall.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Programmi\VoiceAge\Common\VaLangInterf.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\WINNT\system32\svchost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\U102141\Impostazioni locali\Temp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\U06802~1.GVC\IMPOST~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.its.it/pac/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {0CF8C87F-1838-83B3-4E60-8A33F29D0D02} - C:\WINNT\jenup1.dll (file missing)
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Programmi\Media-Codec\isaddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [EZEJTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTray] C:\Programmi\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLIcon] C:\Programmi\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\PC-CILLIN NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [VaCtrl] C:\Programmi\VoiceAge\Common\VaCtrl.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\private.exe internat.dll,LoadMouseCarpetProfile
O4 - HKLM\..\Run: [mvfp1.exe] C:\WINNT\Temp\mvfp1.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpyDefense] C:\Programmi\Everest Labs\Spydefense\sdc.exe /service
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O15 - Trusted Zone: http://www.playitalia.com
O15 - Trusted Zone: http://www.skymasters.biz
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E6E8129-117D-4892-8C61-99F2AD673B63} - http://xearl.com/72e6ff00/52102/1/xp/FreeAccess.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6694349930
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.compani ... 3_18_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gvm.fiatcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{3163A52C-F880-4C54-A9DF-D95A88201465}: NameServer = 62.211.69.150 212.48.4.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gvm.fiatcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gvcorp.globalvalue.it,its.it,iveco.com,cnh.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gvm.fiatcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gvcorp.globalvalue.it,its.it,iveco.com,cnh.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gvcorp.globalvalue.it,its.it,iveco.com,cnh.com
O21 - SSODL: hubbsi - {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - C:\WINNT\system32\vwlummc.dll (file missing)
O23 - Service: Atheros Configuration Service - Unknown - C:\Programmi\80211abg\acs.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Servizio amministrativo di Gestione disco logico - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Programmi\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\PC-CILLIN NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall - Trend Micro Inc. - C:\PC-CILLIN NT\OfcPfwSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tivoli Remote Control Service - Unknown - C:\WINNT\RCSERV.EXE
O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\PC-CILLIN NT\tmlisten.exe
O23 - Service: IBM KCU Service - Unknown - C:\WINNT\system32\TpKmpSVC.exe
Maax
Newbie

Posts: 5
Joined: 23/09/06 09:37


Post by Luke57 » 23/09/06 10:25

Hi, download SmitFraudFix and unzip it into a folder of your choice, extracting all the files:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Download Ewido anti-spyware from here:
http://www.alwaysecure.net/ewidoantispyware-51.html
(free 30-day trial)
Install it and update the definitions

Download ATF Cleaner from here:
http://www.atribune.org/ccount/click.php?id=1
(to delete Windows and IE temporary files)

Reboot into Safe Mode

Open the folder containing SmitfraudFix and run smitfraudfix.cmd
Select option #2 - Clean by clicking on 2 and pressing Enter.
You will get this message: Registry cleaning - Do you want to clean the registry ?
Answer Yes by clicking Y and pressing Enter.
Answer Yes (Y) to any other questions

Run a full scan with Ewido

Start ATF Cleaner, click the "Main" menu and then tick the "Select All" box. Now click the "Empty Selected" button and wait for the "Done Cleaning!" message.

Reboot the PC normally and post:

the SmitFraudFix report and a new HijackThis log
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by Maax » 24/09/06 23:29

Luke, thanks for the directions..
I haven't disappeared; the thing is that I can only stay connected for a few minutes and then the PC slows down to the point of driving me crazy, or everything freezes...
There's also a dialer that disconnects me every now and then, and I find it trying to dial a number..
I downloaded Smitfraud; with Ewido I had some problems on the page you pointed me to: where is the software??
Many thanks, I hope I can stay tuned long enough... :-?
Maax
Newbie

Posts: 5
Joined: 23/09/06 09:37

Post by Maax » 26/09/06 14:25

Here I am!
I followed your directions; I couldn't find the Ewido software because the pointer didn't highlight the link (and didn't even pick it up in the taskbar...).
Below I'm posting the requested SmitFraudFix and HijackThis logs.

Thanks!! :)

SmitFraudFix v2.99

Scan done at 12.37.46,01, mar 26/09/2006
Run from D:\Smitfraud\SmitfraudFix
OS: Microsoft Windows 2000 [Versione 5.00.2195] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"hubbsi"="{7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\system32\dial23.exe Deleted
C:\DOCUME~1\ALLUSE~1\MENUAV~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\MENUAV~1\Security Troubleshooting.url Deleted
C:\Programmi\Media-Codec\ Deleted
C:\Programmi\ZipCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


----------------------------------------------------

Logfile of HijackThis v1.99.0
Scan saved at 15.17.20, on 26/09/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Ewido\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\PC-CILLIN NT\ntrtscan.exe
C:\PC-CILLIN NT\OfcPfwSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\RCSERV.EXE
C:\PC-CILLIN NT\tmlisten.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\TEMP\MLA10E.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\WINNT\system32\TpShocks.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\rundll32.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programmi\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
C:\WINNT\AGRSMMSG.exe
C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Programmi\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Programmi\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PC-CILLIN NT\pccntmon.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\VoiceAge\Common\VaCtrl.exe
C:\WINNT\Temp\mvfp1.exe
C:\Programmi\VoiceAge\Common\VaLangInterf.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
D:\Ewido\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\internat.exe
C:\Programmi\Everest Labs\Spydefense\sdc.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\U102141\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.its.it/pac/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {0CF8C87F-1838-83B3-4E60-8A33F29D0D02} - C:\WINNT\jenup1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [EZEJTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTray] C:\Programmi\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLIcon] C:\Programmi\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\PC-CILLIN NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [VaCtrl] C:\Programmi\VoiceAge\Common\VaCtrl.exe
O4 - HKLM\..\Run: [mvfp1.exe] C:\WINNT\Temp\mvfp1.exe
O4 - HKLM\..\Run: [!ewido] "D:\Ewido\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpyDefense] C:\Programmi\Everest Labs\Spydefense\sdc.exe /service
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O15 - Trusted Zone: http://www.playitalia.com
O15 - Trusted Zone: http://www.skymasters.biz
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E6E8129-117D-4892-8C61-99F2AD673B63} - http://xearl.com/72e6ff00/52102/1/xp/FreeAccess.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6694349930
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.compani ... 3_18_0.cab
O23 - Service: Atheros Configuration Service - Unknown - C:\Programmi\80211abg\acs.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Servizio amministrativo di Gestione disco logico - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Ewido\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Tivoli Endpoint - Unknown - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Programmi\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\PC-CILLIN NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall - Trend Micro Inc. - C:\PC-CILLIN NT\OfcPfwSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tivoli Remote Control Service - Unknown - C:\WINNT\RCSERV.EXE
O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\PC-CILLIN NT\tmlisten.exe
O23 - Service: IBM KCU Service - Unknown - C:\WINNT\system32\TpKmpSVC.exe
Maax
Newbie

Posts: 5
Joined: 23/09/06 09:37
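The two HijackThis logs in this thread (23/09 before SmitFraudFix, 26/09 after) are read by the moderator by eye. The script below is an added example, written for this page and not part of HijackThis, SmitFraudFix, Ewido or any other tool mentioned in the thread. It encodes three of the checks a reviewer applies to such logs: programs started from a Temp folder or straight from the drive root, autostart entries whose target file is reported missing, and a before/after comparison showing which entries a clean-up run removed and which survived it. The heuristics and the reason strings are my own; the embedded log text is a trimmed excerpt of the two logs posted above, reproduced only as far as needed for the comparison.

```python
"""Triage helper for HijackThis-style logs (added example for this thread).

Not part of HijackThis or of any tool the moderators recommend.  The checks
below are the editor's own encoding of what a reviewer looks for in the two
logs posted in the thread: binaries in Temp or in the drive root, autostart
entries pointing at a missing file, and the diff between a log taken before
and after a cleaning run.
"""
import re

# Trimmed excerpts of the two logs posted in this thread (scans of
# 23/09/2006 and 26/09/2006).  Only the lines relevant to the comparison
# are kept, so counts here do not match the full logs above.
LOG_BEFORE = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\TEMP\ZQAD6D.EXE
C:\Programmi\Media-Codec\pmsngr.exe
C:\WINNT\Temp\mvfp1.exe
C:\winstall.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\U06802~1.GVC\IMPOST~1\Temp\se.dll/sp.html
O2 - BHO: Class - {0CF8C87F-1838-83B3-4E60-8A33F29D0D02} - C:\WINNT\jenup1.dll (file missing)
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Programmi\Media-Codec\isaddon.dll
O4 - HKLM\..\Run: [mvfp1.exe] C:\WINNT\Temp\mvfp1.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: {1E6E8129-117D-4892-8C61-99F2AD673B63} - http://xearl.com/72e6ff00/52102/1/xp/FreeAccess.ocx
O21 - SSODL: hubbsi - {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - C:\WINNT\system32\vwlummc.dll (file missing)
"""

LOG_AFTER = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\TEMP\MLA10E.EXE
C:\WINNT\Temp\mvfp1.exe
D:\Ewido\ewido anti-spyware 4.0\guard.exe

O2 - BHO: Class - {0CF8C87F-1838-83B3-4E60-8A33F29D0D02} - C:\WINNT\jenup1.dll (file missing)
O4 - HKLM\..\Run: [mvfp1.exe] C:\WINNT\Temp\mvfp1.exe
O4 - HKLM\..\Run: [!ewido] "D:\Ewido\ewido anti-spyware 4.0\ewido.exe" /minimized
O16 - DPF: {1E6E8129-117D-4892-8C61-99F2AD673B63} - http://xearl.com/72e6ff00/52102/1/xp/FreeAccess.ocx
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O4 - ..." style lines
PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')              # any drive-rooted path
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)      # ...\Temp\... component
DRIVE_ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def parse_log(text):
    """Split a log into the 'Running processes' list and the Rn/On entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                       # block ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def path_reason(path):
    """Return why a path is worth a second look, or None if it is unremarkable."""
    if TEMP_DIR.search(path):
        return "located in a Temp directory"
    if DRIVE_ROOT_EXE.match(path):
        return "located in the drive root"
    return None


def triage(text):
    """Return (kind, item, reason) tuples for every line that trips a check."""
    findings, log = [], parse_log(text)
    for proc in log["processes"]:
        reason = path_reason(proc)
        if reason:
            findings.append(("process", proc, reason))
    for code, body in log["entries"]:
        entry = f"{code} - {body}"
        if "(file missing)" in body:       # loader left behind after the file went
            findings.append(("entry", entry, "autostart target is missing"))
            continue
        for path in PATH.findall(body):    # first suspicious path wins
            reason = path_reason(path)
            if reason:
                findings.append(("entry", entry, reason))
                break
    return findings


def diff_entries(before, after):
    """Entries present only in the first log, and entries present only in the second."""
    b = {f"{c} - {body}" for c, body in parse_log(before)["entries"]}
    a = {f"{c} - {body}" for c, body in parse_log(after)["entries"]}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for kind, item, reason in triage(LOG_BEFORE):
        print(f"[before] {kind}: {reason}: {item}")
    removed, added = diff_entries(LOG_BEFORE, LOG_AFTER)
    print("removed by the clean-up:", *removed, sep="\n  ")
    print("new since the first scan:", *added, sep="\n  ")
    for kind, item, reason in triage(LOG_AFTER):
        print(f"[after] {kind}: {reason}: {item}")
```

Run on the excerpts, the diff shows what SmitFraudFix actually took out (the se.dll search bar, the Media-Codec BHO, the winstall.exe Run key and the orphaned hubbsi SSODL entry) and what it did not: the mvfp1.exe Run key and a freshly named executable in C:\TEMP are still flagged in the second log. The rules key on location rather than file name, which is why the random Temp name changing from ZQAD6D.EXE to MLA10E.EXE between the two scans does not hide it.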

Post by Luke57 » 26/09/06 14:38

Hi, first of all download this tool:
http://www.prevx.com/gromozon.asp
Disable the antivirus and run it once downloaded. When the computer reboots, the program will finish scanning the other Windows folders. You can answer NO to the request to install Prevx at the end.
A report will be written to C:\Gromozon_removal.log.
Copy and paste the report into a post.

Also download
http://www.gmer.net/gmer111.zip

After unpacking it, start it; pressing the tab >>>> you get into Advanced; select the "Rootkit" tab
Click "Scan" (also tick the ADS box)

Wait for the scan to finish and click "Copy"
Open Windows Notepad, click Edit and select Paste

Then run a scan with GMER from the Autostart position (tick the Show All box), following the same procedure as before. Paste the generated log into the same Notepad, and then paste the two logs into a post in the forum.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by Maax » 26/09/06 15:10

Luke, the first link doesn't work
http://www.prevx.com/gromozon.asp
Maax
Newbie

Posts: 5
Joined: 23/09/06 09:37

Post by Luke57 » 26/09/06 16:35

Hi, it works for me; listen, type
Gromozon removal tool into Google and you'll see that it sends you to that link.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by Luke57 » 26/09/06 18:50

Hi, I should point out, thanks to a kind tip from the friends at Suspecfile, that it is a stubborn variant of the trojan that inhibits the tool's action, as it does with GMER and with Avenger. As soon as I can (I have no time right now) I'll let you know what to do.
Here is the discussion on the matter:
http://forum.html.it/forum/showthread.p ... id=1033826
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by Maax » 27/09/06 07:56

Hi, thanks for the suggestion.
I confirm that the Prevx page is blocked (at least for me), and I can't even open the file after downloading it from here http://www.mytempdir.com/948254 and renaming it...

..it's more infested than expected.... :evil:
Maax
Newbie

Posts: 5
Joined: 23/09/06 09:37

Post by Luke57 » 27/09/06 09:08

Maax wrote: Hi, thanks for the suggestion.
I confirm that the Prevx page is blocked (at least for me), and I can't even open the file after downloading it from here http://www.mytempdir.com/948254 and renaming it...

..it's more infested than expected.... :evil:

Hi, download VirIT from here:
http://www.tgsoft.it/italy/index_ita.html
30-day trial version; update it to the latest definitions and run a scan from Safe Mode.
Post the scan report.
Then try again to use GMER and the removal tool link.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10
