Dialer maledetto

[dipettatony]

Ho un dialer con icona a forma di bocca che si avvia all'accensione del computer. Non riesco a debellarlo (adware e Spy-bot). Mi aiutate, cortesemente...Questo il log:

Logfile of HijackThis v1.99.1
Scan saved at 9.06.50, on 24/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\svchost.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmi\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programmi\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programmi\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Real\RealPlayer\RealPlay.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe
C:\Programmi\Adobe\Acrobat 4.0\Reader\AcroRd32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Programmi\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programmi\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/293d2c3aebe ... 601_it.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 1487335417
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B0E5787-F498-49F6-A444-4B07CD83725E}: NameServer = 151.99.0.100,151.99.125.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe

[paperino70]

dal log non si vede ma io credo che sia il clicker inizia a fare una scansione con shopos

http://www.sophos.it/products/free-tool ... otkit.html

[zena]

ciao, ho il tuo stesso problema con il dialer che ha per icona della labbra... non sono ancora riuscito a levarlo, cioè non definitivamente, perchè ogni volta che lo cancello poi lui si ricrea con un altro nome... volevo sapere se te sei riuscito a eliminarlo del tutto...grazie! ciao

[BilloKenobi]

paperino70 ha ragione. si dovrebbe trattare di un clicker (chiamato anche dial call)

scarica [url]systemscan[/url], estrailo, avvialo, metti la spunta a tutte le voci e premi scan. vai su http://www.easy-share.com e allega il suo log (che trovi in C:\suspectfile\report.txt). dacci poi il link per scaricare il file

ciao

[BilloKenobi]

emmm scusa. ecco il link

http://www.suspectfile.com/systemscan

[dipettatony]

FILE URL: http://w12.easy-share.com/898501.html

HTML CODE: <a target="_blank" href="http://w12.easy-share.com/898501.html">download</a>

BB CODE: download

Use this url to delete this file:
http://w12.easy-share.com/898501/del_d503282lzd6n3dhy

[Luke57]

@ Billo Kenobi
Ciao, l'ho guardato io...tanto tu avrai da studiare
P.S. complimenti per la guida ad Avenger, l'ho letta solo recentemente, è scritta molto bene, secondo me.
@dipettatony
Ciao, scarica AVENGER e decomprimilo sul desktop (estrai i file nel desktop)
http://swandog46.geekstogo.com/avenger.zip

- con un doppio click avvia il file avenger.exe
- Seleziona "Input Script Manually"
- Clicca sulla lente di ingrandimento

- Nella finestra che si aprirà "View/edit script"
- copia / incolla (Ctrl+V) quanto segue:


registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SrvGex
HKLM\SYSTEM\CurrentControlSet\Services\UWHOFNXRBDQBC

registry values to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | NxT
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | fimkaa.exe

folders to delete:
C:\documents and settings\NxT
C:\WINDOWS\TEMP

files to delete:
C:\21783152.dll
C:\WINDOWS\ctfmon32.dll
C:\WINDOWS\omsnlog.dll
C:\WINDOWS\1781713952.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\115252174116.exe
C:\Programmi\File comuni\System\nul.exe
C:\WINDOWS\winsys.exe
C:\DOCUME~1\Standard\IMPOST~1\Temp\UWHOFNXRBDQBC.exe


Clicca sul tasto Done
- Poi sull'icona del semaforo
- Rispondi Yes
Il pc dovrebbe riavviarsi ( se così non fosse, fallo tu)
Posta il log che verrà creato in C:\Avenger

[BilloKenobi]

@ Billo Kenobi
Ciao, l'ho guardato io...tanto tu avrai da studiare
P.S. complimenti per la guida ad Avenger, l'ho letta solo recentemente, è scritta molto bene, secondo me.

effettivamente mi ci devo mettere a studiare

grazie per i complimenti. giusto per completezza, tanto il relativo file verrebbe cancellato comunque, hai dimenticato questo valore

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | 1

ciao

[dipettatony]

Ecco il post di AVENGER:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kojtdkgw

*******************

Script file located at: \??\C:\WINDOWS\oikiryaw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\SrvGex deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\UWHOFNXRBDQBC deleted successfully.
Folder C:\documents and settings\NxT deleted successfully.
Folder C:\WINDOWS\TEMP deleted successfully.
File C:\21783152.dll deleted successfully.
File C:\WINDOWS\ctfmon32.dll deleted successfully.
File C:\WINDOWS\omsnlog.dll deleted successfully.
File C:\WINDOWS\1781713952.exe deleted successfully.
File C:\WINDOWS\service32.exe deleted successfully.
File C:\WINDOWS\115252174116.exe deleted successfully.


File C:\Programmi\File comuni\System\nul.exe not found!
Deletion of file C:\Programmi\File comuni\System\nul.exe failed!

Could not process line:
C:\Programmi\File comuni\System\nul.exe
Status: 0xc0000034

File C:\WINDOWS\winsys.exe deleted successfully.


File C:\DOCUME~1\Standard\IMPOST~1\Temp\UWHOFNXRBDQBC.exe not found!
Deletion of file C:\DOCUME~1\Standard\IMPOST~1\Temp\UWHOFNXRBDQBC.exe failed!

Could not process line:
C:\DOCUME~1\Standard\IMPOST~1\Temp\UWHOFNXRBDQBC.exe
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|NxT deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|fimkaa.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[Luke57]

Ciao, per completare l'opera, come ha detto giustamente Billo Kenobi, riutilizza Avenger, inserendo questa volta l'unico script seguente:

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | 1