Condividi:        

Virus allucinante

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

Postdi Luke57 » 05/03/07 08:26

Ciao, abbiamo saltato questa, ripeti Avenger inserendo solamente questo script:

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | ozxzta.exe


Fammi sapere se hai ancora problemi.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Sponsor
 

Postdi albertozan » 05/03/07 10:30

ciao, ecco il log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rcfryxhm

*******************

Script file located at: \??\C:\WINDOWS\system32\uatjgwmq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ozxzta.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Volevo segnalarti che negli ultimi 2 giorni Kaspersky mi apre diverse volte questa finestra di dialogo dal titolo "anti-Hacker", "il file svchost.exe è stato modificato, dovrebbe avere accesso alla rete?"..se nego l'autorizzazione internet praticamente non mi va....cosa può significare?
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi Luke57 » 05/03/07 10:52

Ciao, riprova a usare systemscan (magari non spuntare l'opzione hijackthis).
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi albertozan » 05/03/07 20:32

non ci siamo ancora.....il bastardo è tornato sempre con l'icona a forma di bocca cambiando solo il nome (zzlnaa.exe). Quando avvio la scansione con Systemscan dopo pochi secondi di scansione mi si blocca il computer.. :cry:
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi albertozan » 07/03/07 14:41

ipgrade.....Ho appena avviato hijack sotto il log, qualcuno ha qualche idea? Luke?

Logfile of HijackThis v1.99.1
Scan saved at 14.14.03, on 07/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
c:\windows\system32\winlogon.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe
C:\Programmi\eMule\Incoming\DAEMON Tools\daemon.exe
C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Programmi\Roxio\Media Experience\DMXLauncher.exe
C:\Programmi\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programmi\OpenOffice.org 2.0\program\soffice.exe
C:\Programmi\OpenOffice.org 2.0\program\soffice.BIN
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\DOCUME~1\Alberto\IMPOST~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\PROGRA~1\IZARC\IZARC.EXE
C:\DOCUME~1\Alberto\IMPOST~1\Temp\ARC3\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.intl.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.intl.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Programmi\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programmi\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Programmi\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\eMule\Incoming\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Programmi\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmi\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [kis] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zzlnaa.exe] C:\WINDOWS\TEMP\zzlnaa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programmi\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Aggiungi a Kaspersky Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{585D92EE-3F6B-4BEB-9110-43AB0AA379F8}: NameServer = 151.99.125.1,151.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CB7EF48-041E-4456-BB38-181AB01E2959}: NameServer = 151.99.125.1,151.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{585D92EE-3F6B-4BEB-9110-43AB0AA379F8}: NameServer = 151.99.125.1,151.1.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programmi\File comuni\SureThing Shared\stllssvr.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas http://www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi Luke57 » 07/03/07 17:01

Ciao, in effetti è riapparso, posta nuovo scan di Gmer dalla posizione Autostart.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi albertozan » 07/03/07 20:15

Sempre grazie Luke, ecco:


HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{585D92EE-3F6B-4BEB-9110-43AB0AA379F8} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.0.55 = 192.168.0.55
@NameServer151.99.125.1,151.1.1.1 = 151.99.125.1,151.1.1.1
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7CB7EF48-041E-4456-BB38-181AB01E2959} /*Connessione alla rete locale (LAN) 2*/ >>>
@IPAddress192.168.0.56 = 192.168.0.56
@NameServer151.99.125.1,151.1.1.1 = 151.99.125.1,151.1.1.1
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\system32\wshbth.dll

C:\Documents and Settings\Alberto\Menu Avvio\Programmi\Esecuzione automatica = OpenOffice.org 2.0.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Alice ti aiuta.lnk = Alice ti aiuta.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk

---- EOF - GMER 1.0.12 ----
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi albertozan » 07/03/07 20:23

albertozan ha scritto:Sempre grazie Luke, ecco:


HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{585D92EE-3F6B-4BEB-9110-43AB0AA379F8} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.0.55 = 192.168.0.55
@NameServer151.99.125.1,151.1.1.1 = 151.99.125.1,151.1.1.1
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7CB7EF48-041E-4456-BB38-181AB01E2959} /*Connessione alla rete locale (LAN) 2*/ >>>
@IPAddress192.168.0.56 = 192.168.0.56
@NameServer151.99.125.1,151.1.1.1 = 151.99.125.1,151.1.1.1
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\system32\wshbth.dll

C:\Documents and Settings\Alberto\Menu Avvio\Programmi\Esecuzione automatica = OpenOffice.org 2.0.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Alice ti aiuta.lnk = Alice ti aiuta.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk

---- EOF - GMER 1.0.12 ----


scusa questo è quello giusto:
GMER 1.0.12.12027 - http://www.gmer.net
Autostart scan 2007-03-07 20:20:25
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxdev.dll
klogon@DLLName = C:\WINDOWS\system32\klogon.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVP /*Kaspersky Internet Security 6.0*/@ = "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r
AWService /*AdminWorks Agent X6*/@ = "C:\Acer\Empowering Technology\admServ.exe"
ehRecvr /*Media Center Receiver Service*/@ = C:\WINDOWS\eHome\ehRecvr.exe
ehSched /*Media Center Scheduler Service*/@ = C:\WINDOWS\eHome\ehSched.exe
EvtEng /*Intel(R) PROSet/Wireless Event Log*/@ = C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
LightScribeService /*LightScribeService Direct Disc Labeling Service*/@ = "C:\Programmi\File comuni\LightScribe\LSSrvc.exe"
LVPrcSrv /*Logitech Process Monitor*/@ = c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
McrdSvc /*Media Center Extender Service*/@ = C:\WINDOWS\ehome\mcrdsvc.exe
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
RegSrvc /*Intel(R) PROSet/Wireless Registry Service*/@ = C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
Roxio Upnp Server 9 /*Roxio Upnp Server 9*/@ = "C:\Programmi\File comuni\Sonic Shared\RoxioUpnpService9.exe"
RoxLiveShare9 /*LiveShare P2P Server 9*/@ = "C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe"
RoxWatch9 /*Roxio Hard Drive Watcher 9*/@ = "C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe"
S24EventMonitor /*Intel(R) PROSet/Wireless Service*/@ = C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@igfxtrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@igfxhkcmdC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@igfxpersC:\WINDOWS\system32\igfxpers.exe = C:\WINDOWS\system32\igfxpers.exe
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@ehTrayC:\WINDOWS\ehome\ehtray.exe = C:\WINDOWS\ehome\ehtray.exe
@LaunchAppAlaunch = Alaunch
@RTHDCPLRTHDCPL.EXE = RTHDCPL.EXE
@SkyTelSkyTel.EXE = SkyTel.EXE
@AlcmtrALCMTR.EXE = ALCMTR.EXE
@AzMixerSelC:\Programmi\Realtek\InstallShield\AzMixerSel.exe = C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
@SynTPEnhC:\Programmi\Synaptics\SynTP\SynTPEnh.exe = C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
@ntiMUIC:\Programmi\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe = C:\Programmi\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
@ /*file not found*/ = /*file not found*/
@ADMTray.exe"C:\Acer\Empowering Technology\admtray.exe" = "C:\Acer\Empowering Technology\admtray.exe"
@eDataSecurity LoaderC:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe = C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
@IMJPMIG8.1"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
@MSPY2002C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
@PHIME2002ASyncC:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
@PHIME2002AC:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
@ePower_DMCC:\Acer\Empowering Technology\ePower\ePower_DMC.exe = C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
@Acer ePower ManagementC:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot /*file not found*/ = C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot /*file not found*/
@LManagerC:\PROGRA~1\LAUNCH~1\LManager.exe = C:\PROGRA~1\LAUNCH~1\LManager.exe
@eRecoveryServiceC:\Acer\Empowering Technology\eRecovery\Monitor.exe = C:\Acer\Empowering Technology\eRecovery\Monitor.exe
@LVCOMSXC:\WINDOWS\system32\LVCOMSX.EXE = C:\WINDOWS\system32\LVCOMSX.EXE
@LogitechCameraAssistantC:\Programmi\Acer\OrbiCam\CameraAssistant.exe = C:\Programmi\Acer\OrbiCam\CameraAssistant.exe
@LogitechVideo[inspector]C:\Programmi\Acer\OrbiCam\InstallHelper.exe /inspect = C:\Programmi\Acer\OrbiCam\InstallHelper.exe /inspect
@LogitechCameraService(E)C:\WINDOWS\system32\ElkCtrl.exe /automation = C:\WINDOWS\system32\ElkCtrl.exe /automation
@SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe" = "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
@DAEMON Tools"C:\Programmi\eMule\Incoming\DAEMON Tools\daemon.exe" -lang 1033 = "C:\Programmi\eMule\Incoming\DAEMON Tools\daemon.exe" -lang 1033
@RoxWatchTray"C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" = "C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
@DMXLauncher"C:\Programmi\Roxio\Media Experience\DMXLauncher.exe" = "C:\Programmi\Roxio\Media Experience\DMXLauncher.exe"
@RoxioDragToDisc"C:\Programmi\Roxio\Drag-to-Disc\DrgToDsc.exe" = "C:\Programmi\Roxio\Drag-to-Disc\DrgToDsc.exe"
@kis"C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" = "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@zzlnaa.exeC:\WINDOWS\TEMP\zzlnaa.exe /*file not found*/ = C:\WINDOWS\TEMP\zzlnaa.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@Skype"C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized = "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
@swgC:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe = C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Programmi\Synaptics\SynTP\SynTPCpl.dll = C:\Programmi\Synaptics\SynTP\SynTPCpl.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0} /*EPM-PO Shell Extension*/epm-po.dll = epm-po.dll
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682} /*IZArc DragDrop Menu*/C:\Programmi\IZArc\IZArcCM.dll = C:\Programmi\IZArc\IZArcCM.dll
@{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5} /*IZArc Shell Context Menu*/C:\Programmi\IZArc\IZArcCM.dll = C:\Programmi\IZArc\IZArcCM.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} /*RXDCExtShlExt extension*/C:\Programmi\Roxio\Virtual Drive 9\DC_ShellExt.dll = C:\Programmi\Roxio\Virtual Drive 9\DC_ShellExt.dll
@{5E44E225-A408-11CF-B581-008029601108} /*Roxio DragToDisc Shell Extension*/C:\Programmi\Roxio\Drag-to-Disc\Shellex.dll = C:\Programmi\Roxio\Drag-to-Disc\Shellex.dll
@{85E0B171-04FA-11D1-B7DA-00A0C90348D6} /*Web Anti-Virus*/C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll = C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
EDSshellExt@{29FF7AB0-BE34-4992-A30B-53A9D86EE239} = C:\WINDOWS\system32\eDSshellExt.dll
IZArcCM@{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5} = C:\Programmi\IZArc\IZArcCM.dll
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll
RXDCExtSvr@{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} = C:\Programmi\Roxio\Virtual Drive 9\DC_ShellExt.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
EDSshellExt@{29FF7AB0-BE34-4992-A30B-53A9D86EE239} = C:\WINDOWS\system32\eDSshellExt.dll
IZArcCM@{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5} = C:\Programmi\IZArc\IZArcCM.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll
RXDCExtSvr@{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} = C:\Programmi\Roxio\Virtual Drive 9\DC_ShellExt.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{02478D38-C3F9-4EFB-9B51-7695ECA05670}C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll = C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Programmi\Spybot - Search & Destroy\SDHelper.dll = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar3.dll = c:\programmi\google\googletoolbar3.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\ssstars.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://it.intl.acer.yahoo.com = http://it.intl.acer.yahoo.com
@Start Pagehttp://it.intl.acer.yahoo.com = http://it.intl.acer.yahoo.com
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://it.intl.acer.yahoo.com/ = http://it.intl.acer.yahoo.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{585D92EE-3F6B-4BEB-9110-43AB0AA379F8} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.0.55 = 192.168.0.55
@NameServer151.99.125.1,151.1.1.1 = 151.99.125.1,151.1.1.1
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7CB7EF48-041E-4456-BB38-181AB01E2959} /*Connessione alla rete locale (LAN) 2*/ >>>
@IPAddress192.168.0.56 = 192.168.0.56
@NameServer151.99.125.1,151.1.1.1 = 151.99.125.1,151.1.1.1
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\system32\wshbth.dll

C:\Documents and Settings\Alberto\Menu Avvio\Programmi\Esecuzione automatica = OpenOffice.org 2.0.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Alice ti aiuta.lnk = Alice ti aiuta.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk

---- EOF - GMER 1.0.12 ----
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi Luke57 » 08/03/07 08:24

Ciao, riproviamo, c'è un valore di registro da eliminare.
Scarica CCleaner per la pulizia dei file temporanei da qui:
http://www.filehippo.com/download/dfd2c ... /download/
lo installi, nelle impostazioni di default togli la spunta a "installa la toolbar di Yahoo". Una volta nstallato, lo apri e nella opzione Avanzate togli la spunta a cancella files temp di windows solo se più vecchi di 48 ore".
Disconnesso da internet lo lanci, scegli avvia pulizia ed il proramma ripulisce il sistema e il browser dai files temp e tmp.
Poi riesegui Avenger inserendo questo script:

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | zzlnaa.exe
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi albertozan » 08/03/07 12:52

ringraziandoti sempre per il tempo che m dedichi ecco Luke il log di avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\noamlldb

*******************

Script file located at: \??\C:\WINDOWS\system32\tfvjwhbb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|zzlnaa.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi albertozan » 10/03/07 00:58

stavo quasi cantando vittoria quandosono ...è tornata la famigerata icona a forma di bocca dopo 2 giorni di silenzio....nuova nome tciwaa.exe....oramai le speranze cominciano a vacillare...ecco cmq il log di hijack...Luke?:

Logfile of HijackThis v1.99.1
Scan saved at 0.57.19, on 10/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
c:\windows\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\admServ.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\DOCUME~1\Alberto\IMPOST~1\Temp\RtkBtMnt.exe
C:\Programmi\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe
C:\Programmi\eMule\Incoming\DAEMON Tools\daemon.exe
C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Programmi\Roxio\Media Experience\DMXLauncher.exe
C:\Programmi\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programmi\OpenOffice.org 2.0\program\soffice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Programmi\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\PROGRA~1\IZARC\IZARC.EXE
C:\DOCUME~1\Alberto\IMPOST~1\Temp\ARC2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.intl.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.intl.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Programmi\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programmi\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Programmi\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\eMule\Incoming\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Programmi\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmi\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tciwaa.exe] C:\WINDOWS\TEMP\tciwaa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programmi\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{585D92EE-3F6B-4BEB-9110-43AB0AA379F8}: NameServer = 151.99.125.1,151.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CB7EF48-041E-4456-BB38-181AB01E2959}: NameServer = 151.99.125.1,151.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E20A791B-319C-45E7-B1F1-9E76E0237F6F}: NameServer = 85.37.17.6 85.38.28.89
O17 - HKLM\System\CS1\Services\Tcpip\..\{585D92EE-3F6B-4BEB-9110-43AB0AA379F8}: NameServer = 151.99.125.1,151.1.1.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programmi\File comuni\SureThing Shared\stllssvr.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas http://www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi Luke57 » 10/03/07 08:58

Ciao, rifai un nuovo log di systemscan, indicanso il link dove poterlo scaricare.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi albertozan » 10/03/07 20:01

Luke57 ha scritto:Ciao, rifai un nuovo log di systemscan, indicanso il link dove poterlo scaricare.


ciao Luke, finalmente dopo diversi tentativi per miracolo mi è partito systemscan:

file url: http://w12.easy-share.com/921082.html
html code <a target="_blank" href="http://w12.easy-share.com/921082.html">download</a>
bb code

Use this url to delete this file: http://w12.easy-share.com/921082/del_buuvoca7y75javof
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi Luke57 » 10/03/07 21:15

Ciao, ho scorto solamente il famigerato file temp.
Con avenger inserisci questo script:


registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | tciwaa.exe

files to delete:
C:\WINDOWS\TEMP\tciwaa.exe


Poi aggiorna virit e fai una scnasione completa dalla mod.provvisoria.

Posta il log di virit e quello di avenger.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi albertozan » 11/03/07 23:50

ciao, ecco i due log:

Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\noamlldb

*******************

Script file located at: \??\C:\WINDOWS\system32\tfvjwhbb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|zzlnaa.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Virit:


11/03/2007 - 15:11:47

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


[D:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


[E:]


[F:]


Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi albertozan » 13/03/07 21:21

prima della soluzione drastica :( ha qualche senso ripristinare il sistema? Luke?
albertozan
Utente Junior
 
Post: 22
Iscritto il: 23/02/07 16:32

Postdi Luke57 » 13/03/07 21:59

Ciao, ripristinare il sistema. ma a quale data? Non penso che serva. Fai un'altra scansione con i tools della prevx e della symantec, come ultima spiaggia.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi techdiscount » 14/03/07 00:02

Ciao Albverto,
come ripristinare il sistema? Non hai disabilitato il ripristino di sistema?
Ti consiglio di togliere l'antivirus che hai adesso...scaricare avg antivirus ed aggiornarlo...scaricare adaware ed aggiornarlo...poi...disabilitare il ripristino di sistema...poi cancellare tutti i file temporanei (cartella c:\windows\temp) cancella anche tutti i cookie, cronologia e file temporanei da internet explorer ...abilita la visualizzazione delle cartelle e dei file nascosti...
adesso riavvia in modalità provvisoria...non connettere il pc ad internet o eventualmente alla rete....fai partire la scansione del computer con avg e poi anche con adaware...
Fammi sapere...
Ciao ciao e buon giornata...
techdiscount
Utente Senior
 
Post: 244
Iscritto il: 29/01/07 12:49

Postdi Luke57 » 14/03/07 19:08

techdiscount ha scritto:Ciao Albverto,
come ripristinare il sistema? Non hai disabilitato il ripristino di sistema?
Ti consiglio di togliere l'antivirus che hai adesso...scaricare avg antivirus ed aggiornarlo...scaricare adaware ed aggiornarlo...poi...disabilitare il ripristino di sistema...poi cancellare tutti i file temporanei (cartella c:\windows\temp) cancella anche tutti i cookie, cronologia e file temporanei da internet explorer ...abilita la visualizzazione delle cartelle e dei file nascosti...
adesso riavvia in modalità provvisoria...non connettere il pc ad internet o eventualmente alla rete....fai partire la scansione del computer con avg e poi anche con adaware...
Fammi sapere...
Ciao ciao e buon giornata...

Ciao, se avesse disabilitato il sistema non potrebbe fare il ripristino, ma se non sai quando hai beccato l'infezione non serve ripristinare il sistema con una data a casaccio. Il ripristino di sistema va disabilitato solo quando hai ripulito il computer, per evitare di reinfettarsi se costretti ad usarlo. Ma può essere l'ultima spiaggia se non riesci a liberarti del malware ( e questo mi pare tosto perchè, almeno io, non capisco il motivo per cui si riforma) e se sai quando, più o meno, il tuo computer si è infettato.
Per questi tipi di malware la scansione con adware vale pochissimo ;)
Comunque, il tuo consiglio è di carattere generale, (scansione antivirus in mod.provvisoria), magari se leggevi tutta la discussione facevi un altro tipo di considerazione.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi techdiscount » 15/03/07 00:26

Per Luke...
ho consigliato di disattivare il ripristino di configurazione di sistema per i seguenti motivi:
1) quello che hai detto tu...se non sai a quale data risale l'infezione è inutile fare ripristini...
2) quando il ripristino è attivato...windows nega l'accesso alla cartella in cui vengono conservate le informazioni per il ripristino...questo significa che se fai le scansioni con il ripristino attivo l'antivirus non ha accesso alla cartella...quindi dopo aver debellato il virus...potresti ancora avere una bella copia di backup del virus nel pc...

Per quanto riguarda adaware...credo che...provare non costa niente...
Ciao ciao e buona serata.
techdiscount
Utente Senior
 
Post: 244
Iscritto il: 29/01/07 12:49

Precedente

Torna a Sicurezza e Privacy


Topic correlati a "Virus allucinante":

Virus o cosa?
Autore: danibi60
Forum: Sicurezza e Privacy
Risposte: 26

Chi c’è in linea

Visitano il forum: Nessuno e 60 ospiti