
I'm infecteeeeed

How do I remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want answers to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57


Post by uncasinomicidiale » 31/12/06 16:11

Let me say first that I read almost all the posts to see whether I could find the solution without being a pain in the a... at Christmas, but I got nothing out of it except a lot of confusion. Let's get to the point:

In Add/Remove Programs there is a program with no details called "internetknight"; if I click Remove, IE opens at the address "http://notetol.com/uninstall.php", where there is a single button on a purple background, and from the HTML source you can't tell what it is linked to (I didn't try clicking it; maybe I was wrong not to?).

The logs follow.

Logfile of HijackThis v1.99.1
Scan saved at 15.52.34, on 31/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
G:\PStart\PStart.exe
G:\PStart\Programmi\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {34E5E77E-85EC-AE3B-25A1-DD2AA29FE8AB} - C:\WINDOWS\pkece1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F2F2B45-2027-4BC4-84D0-BCF980A25F0A}: NameServer = 80.20.6.36,212.216.112.112
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



StartupList report, 31/12/2006, 15.53.59
StartupList version: 1.52.2
Started from : G:\PStart\Programmi\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
G:\PStart\PStart.exe
C:\WINDOWS\system32\wuauclt.exe
G:\PStart\Programmi\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
Ptipbmf = rundll32.exe ptipbmf.dll,SetWriteCacheMode
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
HP Software Update = "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
SunJavaUpdateSched = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
HP Component Manager = "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
Zone Labs Client = "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
swg = C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmarque.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\pkece1.dll (file missing) - {34E5E77E-85EC-AE3B-25A1-DD2AA29FE8AB}
(no name) - c:\programmi\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/ ... mv9VCM.CAB

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

1 = C:\WINDOWS\service32.exe

--------------------------------------------------

End of report, 5.055 bytes
Report generated in 0,078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only




Crazy stuff. The PC in question isn't mine but belongs to one of the many friends who call me when they have problems. A few days ago, following your forum, I solved my brother-in-law's problem, but this time I can't manage on my own and I hope you can help me.
You guys are really too good.

PS: both PCs got infected despite having an up-to-date avast and ZoneAlarm, and both use Alice ADSL flat.

Bye bye
uncasinomicidiale
Junior Member

Posts: 14
Joined: 31/12/06 15:52
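Three entries in the logs above are the ones a reader would pull out first: an O2 BHO with no descriptive name whose DLL is missing, an O23 service registered from a path under a user profile (also missing), and, in the StartupList section, an autorun under policies\Explorer\Run that does not appear in the HijackThis log at all. The following is an added example, not part of the forum post and not code from HijackThis or StartupList: a small triage pass over such log lines. The sample text is copied from the logs above; the heuristics are the editor's own assumptions tuned to this thread, not a malware signature.

```python
import re

# Sample lines copied from the HijackThis and StartupList reports posted above.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {34E5E77E-85EC-AE3B-25A1-DD2AA29FE8AB} - C:\WINDOWS\pkece1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

STARTUPLIST_SAMPLE = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

1 = C:\WINDOWS\service32.exe

--------------------------------------------------
"""

# Heuristics: editor's assumptions for this thread, not a signature.
FILE_MISSING = "(file missing)"
GENERIC_BHO = re.compile(r"^O2 - BHO: (Class|\(no name\)) - ")   # BHO with no real name
USER_PROFILE = re.compile(r"\\Documents and Settings\\", re.I)   # binary under a user profile
POLICY_RUN = re.compile(r"\\policies\\Explorer\\Run$", re.I)       # autorun key installers rarely use


def triage_hijackthis(log):
    """Return [(section, reasons, line)] for HijackThis lines worth a closer look."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # "R1", "O2", "O23", ...
        reasons = []
        if section in ("O2", "O23") and line.endswith(FILE_MISSING):
            reasons.append("registered component points to a missing file")
        if GENERIC_BHO.match(line):
            reasons.append("BHO without a descriptive name")
        if section == "O23" and USER_PROFILE.search(line):
            reasons.append("service binary registered under a user profile")
        if reasons:
            findings.append((section, reasons, line))
    return findings


def triage_startuplist(report):
    """Return [(key, name, value)] for autoruns under keys legitimate software rarely uses."""
    findings = []
    key = None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(("HKLM\\", "HKCU\\")):
            key = line                              # header line naming the registry key
        elif line.startswith("---") or line.endswith(":"):
            key = None                              # section separator or title
        elif key and " = " in line:
            name, _, value = line.partition(" = ")
            if POLICY_RUN.search(key):
                findings.append((key, name, value))
    return findings


if __name__ == "__main__":
    for section, reasons, line in triage_hijackthis(HJT_SAMPLE):
        print(f"[{section}] {'; '.join(reasons)}\n    {line}")
    for key, name, value in triage_startuplist(STARTUPLIST_SAMPLE):
        print(f"[autorun] {key}\n    {name} = {value}")
```

Both checks are starting points, not verdicts: a sloppy uninstall of a legitimate product can also leave a dangling BHO, so each flagged line still has to be looked up by hand. The StartupList pass is there because HijackThis 1.99.1 output above does not show the policies\Explorer\Run key, which is exactly where the service32.exe autorun sits.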


Post by Luke57 » 31/12/06 16:50

Hi, you seem to be infected with LinkOptimizer.
Download these two tools:

http://www.prevx.com/gromozon.asp

Symantec removal tool:
http://smallbiz.symantec.com/security_r ... 16-4153-99

Run them one at a time; disable your antivirus during the scan.

The Prevx one reboots the computer and the scan is completed after the reboot; at the end it leaves a report, which you'll find in C:\Gromozon_Removal.log.

Then run the Symantec tool (from Safe Mode; if you don't know how to get there, press the F8 key repeatedly when you turn the computer on, before Windows starts loading; on the grey screen that appears, select Safe Mode with the arrow keys and press Enter).

This tool also leaves a scan report in the folder where you put the file (Fixlinkopt.log).

Post the reports from both scans.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by uncasinomicidiale » 01/01/07 02:18

Symantec Trojan.Linkoptimizer Removal Tool 1.0.8
Restored SeDebugPrivilege to Administrators group

C:\System Volume Information\_restore{042889CE-0812-437C-B57B-611C8CB2DA46}\RP298\A0106236.dll: (deleted)

Trojan.Linkoptimizer has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 51538
The number of deleted threat files: 1
The number of threat processes terminated: 0
The number of threat threads terminated: 0
The number of registry entries fixed: 0

The tool initiated a system reboot.

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (cleared)


Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ALXjR.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\AVm.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\bBGiW.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\bct.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\bHqSWE.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\BiqfB.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\BKqnW.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\bsL.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\BtC.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\CgW.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ChMg.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ckaxeL.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\cRoe.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\CSe.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\cTju.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\dmbxk.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\dmhR.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\DNQ.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\DUz.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\DxXw.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\edc.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ehqw.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\EJe.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\EpLbZk.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\eRS.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\eWg.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\Fgi.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\fgiUur.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\fTO.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\GDq.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\gKk.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\gMv.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\GQR.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\GZWm.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\hcGD.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\HkUkVh.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\HTI.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\hul.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\hUzx.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ILZ.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\iMge.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\iMQ.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ISm.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\iWAw.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\iZV.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\JaUOL.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\jrK.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\JXi.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\jyW.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\KFE.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\KiMO.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\klQ.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\KmR.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\kNj.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\KRo.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ksvGF.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\kztgP.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\lDf.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\LIC.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\lKlDY.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\lMa.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\Lva.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\lXr.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\lYEXbo.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\mje.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\MjV.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\mnaxN.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\MQR.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\mXNKm.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\nay.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\NJw.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\nlM.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\nrH.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\NUm.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\nVQMnf.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\OAm.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\oKW.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\oLL.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\oTw.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\oxk.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\pGS.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\Pjc.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\PvT.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\PvZ.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\QAw.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\qAZdBd.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\QmVJDp.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\qoO.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\Qyj.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\qZjY.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\rAbv.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\RdT.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\rOHdb.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\rYDvQ.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\SBD.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\SmF.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\tRn.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\TsV.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\TuEML.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\tvy.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ueeXp.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\UhpH.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ULFnl.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\VIO.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\vMX.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\vnqG.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\VQBF.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\WcfHRQ.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\wFD.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\wjm.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\xKqlTD.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\xKU.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\XwH.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\yBn.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ydHyy.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\yWT.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\YyR.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ZCreB.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\zIQ.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\zKa.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\znUXZi.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\zOzAyL.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ZQxhBW.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\zUi.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\zYa.exe


Trojan.Gromozon Removed!
uncasinomicidiale
Junior Member

Posts: 14
Joined: 31/12/06 15:52
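The two reports above show where the infection sat: a DLL cached inside a System Restore point, the AppInit_DLLs value (a DLL listed there is loaded into every process that loads user32.dll), and over a hundred short, random-named executables dropped directly in C:\Programmi\File comuni\Microsoft Shared. As an added example, not part of the post and not code from the Prevx or Symantec tools, the following parses lines in the format of those reports and summarises what was removed. The sample is a subset of the lines above; the name pattern and the follow-up notes are the editor's assumptions drawn from those names.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Subset of lines copied from the Symantec and Prevx reports posted above.
REPORT_SAMPLE = r"""
C:\System Volume Information\_restore{042889CE-0812-437C-B57B-611C8CB2DA46}\RP298\A0106236.dll: (deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (cleared)
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ALXjR.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\AVm.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\bBGiW.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\bct.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\zOzAyL.exe
Removing protected file: C:\Programmi\File comuni\Microsoft Shared\ZQxhBW.exe
"""

PREVX_LINE = re.compile(r"^Removing protected file: (?P<path>.+)$")
SYMANTEC_LINE = re.compile(r"^(?P<path>[A-Z]:\\.+?): \(deleted\)$")
REGISTRY_LINE = re.compile(r"^registry: (?P<key>.+) \((?P<action>\w+)\)$")
# Assumed name pattern of the dropped executables: 3 to 6 letters, mixed case, .exe
RANDOM_NAME = re.compile(r"^[A-Za-z]{3,6}\.exe$")
RESTORE_POINT = re.compile(r"\\System Volume Information\\", re.I)


def summarize_removal_log(text):
    """Collect deleted files and registry changes from Prevx/Symantec-style report lines."""
    files, registry = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = PREVX_LINE.match(line) or SYMANTEC_LINE.match(line)
        if m:
            files.append(PureWindowsPath(m.group("path")))
            continue
        m = REGISTRY_LINE.match(line)
        if m:
            registry.append((m.group("key"), m.group("action")))
    return {
        "deleted_files": [str(p) for p in files],
        "drop_dirs": Counter(str(p.parent) for p in files),          # where the payloads lived
        "random_named": sum(1 for p in files if RANDOM_NAME.match(p.name)),
        "restore_point_copies": sum(1 for p in files if RESTORE_POINT.search(str(p))),
        "registry_changes": registry,
    }


def persistence_notes(summary):
    """Follow-up actions suggested by what was removed (editor's assumptions)."""
    notes = []
    if any(key.endswith("AppInit_DLLs") for key, _ in summary["registry_changes"]):
        notes.append("AppInit_DLLs was in use: the DLL named there was loaded into every "
                     "process that loads user32.dll; confirm the value is still empty after reboot")
    if summary["restore_point_copies"]:
        notes.append("a copy lived in a System Restore point: purge restore points after the "
                     "cleanup so a later restore cannot bring it back")
    if summary["random_named"] and summary["drop_dirs"]:
        top, n = summary["drop_dirs"].most_common(1)[0]
        notes.append(f"{n} random-named executables sat in {top}; re-list that folder after reboot")
    return notes


if __name__ == "__main__":
    s = summarize_removal_log(REPORT_SAMPLE)
    print(f"{len(s['deleted_files'])} files deleted, {s['random_named']} with random names")
    for note in persistence_notes(s):
        print("-", note)
```

The restore-point hit is the one most often missed in threads like this: the cleanup tools delete the copy they find, but every other restore point on the disk may still hold one, which is why the usual advice after such a cleanup is to clear restore points and create a fresh one.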

Post by uncasinomicidiale » 01/01/07 11:29

I'd add that, as before I ran the scans with the two tools, the PC very often tells me through an error window that the file service.exe (I'm not totally sure I copied it down correctly) was terminated unexpectedly by "nt authority system", save everything within 60 seconds because the system will be shut down.
Uuuunbelieeeevable.
uncasinomicidiale
Junior Member

Posts: 14
Joined: 31/12/06 15:52

Post by uncasinomicidiale » 01/01/07 13:44

and the folder with the unpronounceable name in Documents and Settings can't be removed, not even with Killbox :devil:
uncasinomicidiale
Junior Member

Posts: 14
Joined: 31/12/06 15:52

hi

Post by anitapod » 01/01/07 14:56

Hi, I know that page "http://notetol.com/uninstall.php"; a couple of months ago I had a similar infection too, and in my case a dialer got installed as well. I hope you solve it soon.
anitapod
Junior Member

Posts: 42
Joined: 16/10/06 13:30

Post by Luke57 » 01/01/07 15:54

Hi, download System Scan
http://www.suspectfile.com/upload/files ... emscan.exe
(temporarily disable the antivirus)
tick all the boxes and click Scan Now.
When the scan is finished (it will take a while), save the text file (report) here:
http://www.mytempdir.com
(it's very long, it wouldn't fit in a post in full)
to do so,
click Browse, select the file and then click "host it";
a link to the file will appear.
Post it on the forum.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by uncasinomicidiale » 02/01/07 18:47

1145904 report.row
1145914 files.row

I'm considering moving somewhere the nearest computer is at least 10 days away by camel!!!!!!
uncasinomicidiale
Junior Member

Posts: 14
Joined: 31/12/06 15:52

Post by Luke57 » 02/01/07 19:28

uncasinomicidiale wrote:1145904 report.row
1145914 files.row

I'm considering moving somewhere the nearest computer is at least 10 days away by camel!!!!!!

Hi, in the mytempdir links put the files in text format, please ;)
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by uncasinomicidiale » 02/01/07 21:28

Gladly, if systemscan saved it for me at the end, but it doesn't.
At the end of the scan it tells me the file doesn't exist and asks whether it needs to be created; I confirm, but it doesn't create it.
I opened the one I have with a text editor and saw so much stuff that I got scared and closed it again right away!
uncasinomicidiale
Junior Member

Posts: 14
Joined: 31/12/06 15:52

Post by Luke57 » 03/01/07 08:34

uncasinomicidiale wrote:Gladly, if systemscan saved it for me at the end, but it doesn't.
At the end of the scan it tells me the file doesn't exist and asks whether it needs to be created; I confirm, but it doesn't create it.
I opened the one I have with a text editor and saw so much stuff that I got scared and closed it again right away!

Hi, sorry, it's a simple text file that you have to upload to the mytempdir site; of course there's a lot of stuff in it, but you don't even have to read it, I'll do that for you, so... no fear ;)
Jokes aside, do as you like.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by uncasinomicidiale » 03/01/07 20:15

No problem, but I repeat that what I uploaded now is "report.row", which I opened with a text editor and saved as .txt, and it's the same one I uploaded earlier with id 1145904; maybe you hadn't read the post?
Now the id to download the txt is 1147567. I don't know whether that's fine anyway, because at the bottom of the program's interface it says the report is saved in c:\suspectfile\ora_report.zip, but in reality that folder contains only two files, "report" and "files", both .row, and no zip.
Am I doing something wrong?

Bye, and thanks for your patience.
uncasinomicidiale
Junior Member

Posts: 14
Joined: 31/12/06 15:52

Post by Luke57 » 04/01/07 10:46

Hi, no mistake on your part. Here's a link for you:
http://www.mytempdir.com/1148343
you'll find a file with the procedures to follow for the cleanup.
Talk soon
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by uncasinomicidiale » 04/01/07 19:19

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qcbiukvk

*******************

Script file located at: \??\C:\Program Files\pggpkdlt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\LogQpx deleted successfully.


Registry key HKEY_LOCAL_MACHINE\system\controlset001\services\LogQpx not found!
Deletion of registry key HKEY_LOCAL_MACHINE\system\controlset001\services\LogQpx failed!

Could not process line:
HKEY_LOCAL_MACHINE\system\controlset001\services\LogQpx
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\system\controlset003\services\LogQpx deleted successfully.
Folder C:\documents and settings\YpSUkHpEycr deleted successfully.
File C:\Programmi\File comuni\Microsoft Shared\AYE.exe deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR10.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR11.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR12.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR13.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR14.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR15.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR16.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR17.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR18.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR19.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR1A.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR1B.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR1C.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR1D.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR1E.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR1F.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR2.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR20.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR21.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR22.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR23.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR24.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR25.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR26.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR27.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR28.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR29.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR2A.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR2B.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR2C.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR2D.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR2E.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR2F.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR3.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR30.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR31.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR32.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR33.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR34.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR35.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR36.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR37.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR38.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR39.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR3A.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR3B.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR3C.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR3D.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR3E.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR3F.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR4.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR40.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR41.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR42.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR43.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR44.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR45.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR46.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR47.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR48.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR49.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR4A.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR4B.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR4C.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR4D.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR4E.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR4F.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR50.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR51.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR52.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR53.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR54.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR55.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR56.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR57.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR58.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR59.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5A.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5B.tmp deleted successfully.


Could not open file C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5C.tmp C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5D.tmp for deletion
Deletion of file C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5C.tmp C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5D.tmp failed!

Could not process line:
C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5C.tmp C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5D.tmp
Status: 0xc0000033

File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5E.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5F.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR6.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR60.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR61.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR62.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR63.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR64.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR65.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR66.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR67.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR68.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR69.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR6A.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR6B.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR6C.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR6D.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR6E.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR6F.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR7.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR70.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR71.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR72.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR73.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR74.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR75.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR76.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR77.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR78.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR79.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR7A.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR7B.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR7C.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR7D.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR7E.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR8.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR9.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXRA.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXRB.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXRC.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXRD.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXRE.tmp deleted successfully.
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXRF.tmp deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|YpSUkHpEycr deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
uncasinomicidiale
Junior User
 
Posts: 14
Joined: 31/12/06 15:52

Post by Luke57 » 04/01/07 19:33

Hi, OK! Post a new HijackThis log so it can be checked.
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10

Post by uncasinomicidiale » 04/01/07 20:38

Logfile of HijackThis v1.99.1
Scan saved at 20.43.21, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Programmi\Mozilla Firefox\firefox.exe
F:\Fabio\PStart\PStart.exe
G:\PStart\PStart.exe
G:\PStart\Programmi\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {34E5E77E-85EC-AE3B-25A1-DD2AA29FE8AB} - C:\WINDOWS\pkece1.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F2F2B45-2027-4BC4-84D0-BCF980A25F0A}: NameServer = 80.20.6.36,212.216.112.112
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
uncasinomicidiale
Junior User
 
Posts: 14
Joined: 31/12/06 15:52
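A small triage script for a log like the one posted above, added here as an example; it is not part of HijackThis or of any post in this thread. It reads HijackThis v1.99 entry lines (the sample lines are copied from the log above), flags the R3, O2 "(file missing)", O17 NameServer and suspicious O23 entries a reviewer would look at first, and treats "(file missing)" on a quoted service path with arguments (the two avast! scanner lines) as a parsing artefact of HijackThis 1.99.1 rather than a finding. The profile folder names and the heuristics are this example's own assumptions, not rules from the thread.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example for this thread: not part of HijackThis or of any post above.
It only reads text and changes nothing on the machine.
"""
import re
from dataclasses import dataclass

# Sample input: entry lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {34E5E77E-85EC-AE3B-25A1-DD2AA29FE8AB} - C:\WINDOWS\pkece1.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F2F2B45-2027-4BC4-84D0-BCF980A25F0A}: NameServer = 80.20.6.36,212.216.112.112
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "R0 - ...", "O23 - ..." : section code, separator, body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")

# Directories where a legitimate service binary is rarely installed
# (assumed list: Italian and English XP profile folder names plus Temp).
PROFILE_DIRS = (
    "\\documents and settings\\",
    "\\dati applicazioni\\",
    "\\application data\\",
    "\\temp\\",
)


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (code, body, raw_line) for every entry line; header lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body"), raw.strip()))
    return entries


def _path_of(body):
    """The last ' - ' separated field of an O2/O23 body is the file path (plus flags)."""
    return body.rsplit(" - ", 1)[-1]


def triage(log_text):
    """Flag entries a reviewer would look at first. Heuristics, not verdicts."""
    findings = []
    for code, body, raw in parse_entries(log_text):
        lower = body.lower()
        if code == "R3" and "is missing" in lower:
            findings.append(Finding(code, "default URLSearchHook missing; restore it", raw))
        elif code == "O2" and "(file missing)" in lower:
            findings.append(Finding(code, "BHO registered for a DLL that is no longer on disk", raw))
        elif code == "O23":
            path = _path_of(lower)
            missing = "(file missing)" in path
            # HijackThis 1.99.1 reports '(file missing)' for a quoted ImagePath with
            # arguments, e.g. '...\ashMaiSv.exe" /service'; treat that as an artefact.
            quoting_artefact = missing and '"' in path
            reasons = []
            if any(d in path for d in PROFILE_DIRS):
                reasons.append("binary under a user profile directory")
            if missing and not quoting_artefact:
                reasons.append("binary not found on disk")
            if reasons:
                findings.append(Finding(code, "service: " + "; ".join(reasons), raw))
        elif code == "O17":
            m = re.search(r"NameServer = (?P<servers>[\d.,]+)", body)
            if m:
                findings.append(Finding(code, "DNS servers %s set in TCP/IP parameters; confirm they belong to your ISP" % m.group("servers"), raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

On the sample above this reports four lines: the missing URLSearchHook, the BHO for pkece1.dll, the O17 name servers to verify, and the LoadDLLServ service living under the user's profile; the avast! scanner lines are left alone. The fix itself is still done in HijackThis as described in the replies.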

Post by Luke57 » 04/01/07 21:19

Hi, in HijackThis press "do a system scan only", then find and tick:
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {34E5E77E-85EC-AE3B-25A1-DD2AA29FE8AB} - C:\WINDOWS\pkece1.dll (file missing)
O23 - Service: LoadDLLServ - Unknown owner - C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe (file missing)

and press "fix checked".

For extra safety, run Avenger again in the usual way, entering this script:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34E5E77E-85EC-AE3B-25A1-DD2AA29FE8AB}

files to delete:
C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10

Post by uncasinomicidiale » 04/01/07 22:28

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ujnfksdm

*******************

Script file located at: \??\C:\Program Files\qwrxnysi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe not found!
Deletion of file C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe failed!

Could not process line:
C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34E5E77E-85EC-AE3B-25A1-DD2AA29FE8AB} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

PS: I sent you a private message.
uncasinomicidiale
Junior User
 
Posts: 14
Joined: 31/12/06 15:52
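Both Avenger logs in this thread (the earlier one ending in "Finished! Terminate." and the one just above) contain a "Could not process line:" block with an NTSTATUS value. The script below, added here as an example and not part of Avenger or of any post, pulls those blocks out and decodes the two status values that appear: 0xc0000033 is STATUS_OBJECT_NAME_INVALID, which in the first log comes from two file paths having been pasted onto a single script line, and 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, which only says the file was already gone (here, after the HijackThis fix). The sample input is built from the page's own log lines; the path-splitting heuristic is this example's assumption.

```python
"""Decode failures from an Avenger log.

Added example for this thread: not part of Avenger or of any post above.
"""
import re

# Sample input: the two failure blocks from the Avenger logs posted in the thread.
AVENGER_LOG = r"""
File C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5B.tmp deleted successfully.

Could not open file C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5C.tmp C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5D.tmp for deletion
Deletion of file C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5C.tmp C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5D.tmp failed!

Could not process line:
C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5C.tmp C:\Documents and Settings\giuliano\Impostazioni locali\Temp\PXR5D.tmp
Status: 0xc0000033

File C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe not found!
Deletion of file C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe failed!

Could not process line:
C:\Documents and Settings\giuliano\Dati applicazioni\SysServDLL32.exe
Status: 0xc0000034

Completed script processing.
"""

# NTSTATUS values seen in these logs (names as defined in the Windows SDK ntstatus.h).
NTSTATUS = {
    0xC0000033: "STATUS_OBJECT_NAME_INVALID",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

# Start of a drive-letter path; used to count how many paths share one script line.
PATH_RE = re.compile(r"[A-Za-z]:\\")


def parse_failures(log_text):
    """Return [(script_line, status)] for each 'Could not process line:' block."""
    lines = log_text.splitlines()
    failures = []
    for i, line in enumerate(lines):
        if line.strip() == "Could not process line:" and i + 2 < len(lines):
            script_line = lines[i + 1].strip()
            m = re.match(r"Status:\s*0x([0-9a-fA-F]{8})", lines[i + 2].strip())
            if m:
                failures.append((script_line, int(m.group(1), 16)))
    return failures


def split_paths(script_line):
    """Split a script line holding several absolute paths back into one path each (heuristic)."""
    starts = [m.start() for m in PATH_RE.finditer(script_line)]
    ends = starts[1:] + [len(script_line)]
    return [script_line[a:b].strip() for a, b in zip(starts, ends)]


def explain(script_line, status):
    """Return (status name, advice, paths) for one failed script line."""
    name = NTSTATUS.get(status, "unknown NTSTATUS")
    paths = split_paths(script_line)
    if status == 0xC0000033 and len(paths) > 1:
        return (name, "several paths on one script line; retry with one path per line", paths)
    if status == 0xC0000034:
        return (name, "file already absent; nothing left to delete", paths)
    return (name, "look the code up in ntstatus.h", paths)


def triage_avenger(log_text):
    return [explain(line, status) for line, status in parse_failures(log_text)]


if __name__ == "__main__":
    for name, advice, paths in triage_avenger(AVENGER_LOG):
        print(f"{name}: {advice}")
        for p in paths:
            print(f"    {p}")
```

Run against the sample, the first block is reported as two paths that were meant to be two script lines (PXR5C.tmp and PXR5D.tmp), and the second as a file that no longer existed, which is the expected outcome after the HijackThis fix in the reply above.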

Post by uncasinomicidiale » 04/01/07 23:12

I forgot: regarding the internetknight program, which still shows up in Add/Remove Programs with no details listed, and whose uninstall button opens Explorer at the page "http://notetol.com/uninstall.php" where there is only one button on a purple background, and from the HTML code you cannot tell what it is linked to, how should I proceed????
uncasinomicidiale
Junior User
 
Posts: 14
Joined: 31/12/06 15:52

Post by Luke57 » 05/01/07 08:09

uncasinomicidiale wrote: I forgot: regarding the internetknight program, which still shows up in Add/Remove Programs with no details listed, and whose uninstall button opens Explorer at the page "http://notetol.com/uninstall.php" where there is only one button on a purple background, and from the HTML code you cannot tell what it is linked to, how should I proceed????

Hi, it has to be removed. Open HijackThis, press "open the misc tools section", then "open process install manager", and look for the following applications:
-LinkOptimizer
-ConnectionService
-Power Verify
-StrongestGuard
-ConnectionKnight
-StrongestOptimizer
-SecurityOptimizer
-InternetOptimizer
-StrongestPaladin
-SecurityGuard
-InternerGuard
-InternetShield

highlight it and press the "delete this entry" button.
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10
