PDA

View Full Version : Necessito di aiuto

Barbalbero
14-08-2007, 18:26
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19.18.03, on 14/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Programmi\Google\Gmail Notifier\gnotify.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Stefano\Desktop\HiJackThis_v2.exe
C:\WINDOWS\exefnd\74437.exe
C:\WINDOWS\exefnd\77687.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.175.12.65:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Programmi\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Programmi\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmi\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Programmi\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmi\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmi\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A56CA5D-A513-48C8-89DB-62A90E5269AF}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: ???C
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Unknown owner - C:\Programmi\iPod\bin\iPodService.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 8455 bytes


Norton è stato chiuso e sono stati cancellati gli eseguibili quali oscheck.exe.
Nel caso provo a reinstallarlo, non riesco perché quei files spariscono durante l'estrazione dal rar.
Ad-Aware se non trova niente.
All'avvio del sistema si formano 3 o più processi con nomi casuali inizianti per tilde che occupano tutta la cpu.
Se provo ad installare kaspersky esce ad un certo punto una schermata blu e il sistema si riavvia.
Non posso accedere alla modalità provvisoria poiché appare una schermata blu.

Non so che fare
Barbalbero
14-08-2007, 18:51
http://img265.imageshack.us/img265/2237/immaginedx9.jpg
yanoama
14-08-2007, 18:53
Vediamo di provare con una procedura manuale
Fixa queste stringhe in hijackthis

O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs: ???C


Preleva avenger da qui (http://swandog46.geekstogo.com/avenger.zip)
Scompattalo in una cartella a lui dedicata
Apri la cartella e lancia avenger
seleziona Input Script Manually, clicca sul pulsante con la lente e copiaincolla dentro alla finestra che ti si aprirà


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\exefnd\74437.exe
C:\WINDOWS\exefnd\77687.exe

Fatto questo clicka sul pulsante Done, poi su quello col semaforo, e dai il consenso alle domande che ti verranno poste subito dopo; il pc si riavvierà automaticamente ( se non dovesse farlo riavvialo manualmente ).

Scarica anche ATF Cleaner (pulizia files temporanei)
http://www.atribune.org/ccount/click.php?id=1
Avvia ATF Cleaner.exe con un doppio click
clicca sul menu main
seleziona la casella Select All
clicca sul pulsante Empty selected
aspetta l'avviso Done Cleaning.

Bye
Barbalbero
14-08-2007, 19:06
Vediamo di provare con una procedura manuale
Fixa queste stringhe in hijackthis

O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs: ???C



Guarda..io mi sono fidato, anche perché non avevo alternativa :D
Però posso sapere cosa ho fatto? E come fai a sapere che va fixato questo?
Ora procedo con gli altri punti, grazie
Barbalbero
14-08-2007, 19:15
Fatto.
Ora ho i processi
wintems.exe
hidr.exe
che partono all'avvio di windows prendendosi la CPU. Li devo chiudere manualmente perché altrimenti non posso fare niente.
Poi parte un processo duecentomilaqualcosa.exe (non ricordo bene il numero) che prende il 99% della CPU e iexplore.exe anche se non apro internet.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20.16.42, on 14/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Programmi\Google\Gmail Notifier\gnotify.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\MSN Messenger\livecall.exe
C:\Documents and Settings\Stefano\Desktop\HiJackThis_v2.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.175.12.65:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Programmi\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Programmi\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmi\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Programmi\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmi\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmi\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A56CA5D-A513-48C8-89DB-62A90E5269AF}: NameServer = 192.168.0.1
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Unknown owner - C:\Programmi\iPod\bin\iPodService.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 8279 bytes


:muro: :muro: :muro: :muro: :muro: :muro: :muro: :muro: :muro:
nV 25
14-08-2007, 19:18
Che sia il Bagle? :mbe: (il che spiegherebbe perchè ti si è disattivato l'AV...)

http://www.megalab.it/articoli.php?id=948 :read:

Segui cmq le indicazioni che ti ha dato yanoama...
nV 25
14-08-2007, 19:22
PS: su megalab è descritta tutta la procedura di rimozione...
Barbalbero
14-08-2007, 19:23
PS: su megalab è descritta tutta la procedura di rimozione...

Provo provo..
danke
yanoama
14-08-2007, 19:36
Che sia il Bagle? :mbe: (il che spiegherebbe perchè ti si è disattivato l'AV...)

http://www.megalab.it/articoli.php?id=948 :read:

Segui cmq le indicazioni che ti ha dato yanoama...

Potrebbe essere, anche se mi sembra pressochè impossibile che Norton non l'abbia intercettato, mai dire mai però ....:D
Se non riesci a debellarlo usando le informazioni fornite dal link di Nv25, bisognerebbe vedere dei log più approfonditi come gmer o Systemscan.
Comunque, fai anche questo tentativo, come suggerito dall'utente eraser in questo post
http://www.hwupgrade.it/forum/showthread.php?t=1142673
preleva il tool drwebCureit (lo trovi nel post di eraser), per mia esperienza personale questo tool, pur dando qualche falso positivo, è ottimo nella rimozione di malaware particolarmente ostinati.
Non necessita di installazione, basta scaricarlo e lanciarlo, all'inizio effetua una scansione veloce, terminata la quale devi selezionare i tuo hardisk ed effettuare uno scan completo.

Auguri :sperem:

Bye
Barbalbero
14-08-2007, 19:36
PS: su megalab è descritta tutta la procedura di rimozione...

Sì è questo! Bravo!
Però non c'è scritto come rimuoverlo...
Barbalbero
14-08-2007, 19:38
Sì è questo! Bravo!
Però non c'è scritto come rimuoverlo...

No scusa trovato...ora provo
Barbalbero
14-08-2007, 19:52
Ho obbedito. Ora non vedo più processi strani, ma Kaspersky non me lo installa lo stesso: schermata blu.
nV 25
14-08-2007, 19:55
sicuro di aver rimosso correttamente la componente rootkit del malware e i suoi file?
Hai seguito le istruzioni alla lettera?

Mi fai vedere uno screen di gmer? (tanto il programmino per fare le foto lo hai...)
Barbalbero
14-08-2007, 20:05
Gmer padre di Pdor? :D
No, scherzi a parte cos'è?

Io ho seguito le istruzioni copiando e incollando lo script di Avenger:

Files to delete:
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires\m_hook.sys
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires\hidr.exe
%SystemDrive%:\WINDOWS\system32\wintems.exe
%SystemDrive%:\WINDOWS\system32\hldrrr.exe

folders to delete:
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires
%SystemDrive%:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
yanoama
14-08-2007, 20:12
Credo che Nv25 volesse vedere un log di gmer
http://www.notrace.it/Download/Sicurezza/Anti-Rootkit/gmer.htm
in particolare i log
rootkit e autostart
che il programmino genera

Scusa la domanda banale, ma il Norton lo hai disinstallato completamente prima di installare il Kaspersky?
Sai ma disinstallare completamente una suite di sicurezza (in particolare Norton) è sempre un impresa abbastanza difficoltosa e qualche traccia rimane sempre.
Prova ad installare un altro antivirus, ad esempio Antivir o Avast e vedi se ti da lo stesso problema, il che potrebbe voler dire che beagle è ancora attivo.

Bye
Barbalbero
14-08-2007, 20:15
Norton l'ho disinstallato con l'apposito tool della symantech.
Provo ad installare altri antivirus e provvederò a postare il log di gmer
nV 25
14-08-2007, 20:18
Credo che Nv25 volesse vedere un log di gmer

infatti...

Se però si leggessero attentamente le risorse che vengono fornite (per es, il link a megalab...), probabilmente si evitava di fare domande retoriche....
La battuta, cmq, era carina...
Barbalbero
14-08-2007, 20:19
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-14 21:18:07
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT 86583BE0 ZwEnumerateKey
SSDT 8658392C ZwEnumerateValueKey
SSDT 86583E80 ZwQueryDirectoryFile
SSDT 86584026 ZwQuerySystemInformation

---- Devices - GMER 1.0.13 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 873D01E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 873D01E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 8707F790
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 8707F790

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_NAMED_PIPE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLOSE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_WRITE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_INFORMATION [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_INFORMATION [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_EA [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_EA [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FLUSH_BUFFERS [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_VOLUME_INFORMATION [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_VOLUME_INFORMATION [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DIRECTORY_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FILE_SYSTEM_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SHUTDOWN [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_LOCK_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLEANUP [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_MAILSLOT [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_SECURITY [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_SECURITY [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_POWER [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SYSTEM_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CHANGE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_QUOTA [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_QUOTA [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_NAMED_PIPE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLOSE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_WRITE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_INFORMATION [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_INFORMATION [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_EA [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_EA [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FLUSH_BUFFERS [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_VOLUME_INFORMATION [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_VOLUME_INFORMATION [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DIRECTORY_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FILE_SYSTEM_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SHUTDOWN [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_LOCK_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLEANUP [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_MAILSLOT [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_SECURITY [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_SECURITY [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_POWER [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SYSTEM_CONTROL [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CHANGE [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_QUOTA [F6883E00] SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_QUOTA [F6883E00] SynTP.sys

---- EOF - GMER 1.0.13 ----
sampei.nihira
14-08-2007, 20:31
Visto che il log di hijackthis postato inizialmente da questo utente risulti "pulito all'origine" nonostante siano presenti nel pc diversi problemi,colgo l'occasione per mettere all'attenzione un soft ( ma in versione beta) già messo in luce su vari siti internet:

http://www.runscanner.net/

Potrebbe essere l'occasione per una prova.
Ma ripeto sempre con molta cautela.
yanoama
14-08-2007, 20:37
Non sono espertissimo dei log di gmer, però ad una prima occhiata mi sembra pulito, se non altro perchè non si vedono processi hidden....
Nv25, tu che dici?
Posta anche un log Autostart, per farlo clicca in gmer in alto a sinistra sulle freccette a fianco alla scritta rootkit.
Ti si aprirà un nuovo menù, selezione autostart, metti il flag a show all e fai la scansione, poi posta il log.
yanoama
14-08-2007, 20:41
Visto che il log di hijackthis postato inizialmente da questo utente risulti "pulito all'origine" nonostante siano presenti nel pc diversi problemi,colgo l'occasione per mettere all'attenzione un soft ( ma in versione beta) già messo in luce su vari siti internet:

http://www.runscanner.net/

Potrebbe essere l'occasione per una prova.
Ma ripeto sempre con molta cautela.

Programmino molto interessante, non lo conoscevo, certo che ce n'è di cose nuove da imparare su questo forum:stordita: .

Bye
nV 25
14-08-2007, 20:47
...colgo l'occasione per mettere all'attenzione un soft ( ma in versione beta) già messo in luce su vari siti internet


wilders...ieri :D

Si, pare proprio molto interessante :)


Nv25, tu che dici?

sono meno esperto di te...
Non ravviso cmq nulla di grave nel log..

SynTP.sys *sembrerebbe* essere un driver del Touchpad Synaptics...
E' in C:\Windows\System32\drivers ?
Bugs Bunny
14-08-2007, 21:14
folders to delete:
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires
%SystemDrive%:\WINDOWS\exefld


guardando il log di hjt direi

folders to delete:
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires
%SystemDrive%:\WINDOWS\exefnd
Barbalbero
14-08-2007, 22:11
GMER 1.0.13.12551 - http://www.gmer.net
Autostart scan 2007-08-14 23:09:56
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@UIHostC:\WINDOWS\system32\logonuiX.exe = C:\WINDOWS\system32\logonuiX.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
anbmService /*Notebook Manager Service*/@ = C:\Acer\eManager\anbmServ.exe
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe" /*file not found*/
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe" /*file not found*/
btwdins /*Bluetooth Service*/@ = C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
EvtEng /*EvtEng*/@ = C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
RegSrvc /*RegSrvc*/@ = C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
S24EventMonitor /*Spectrum24 Event Monitor*/@ = C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
StarWindServiceAE /*StarWind AE Service*/@ = C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
StyleXPService /*StyleXPService*/@ = "C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SynTPLprC:\Programmi\Synaptics\SynTP\SynTPLpr.exe = C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
@SynTPEnhC:\Programmi\Synaptics\SynTP\SynTPEnh.exe = C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
@ATIPTAC:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
@EPM-DMc:\acer\epm\epm-dm.exe = c:\acer\epm\epm-dm.exe
@ePowerManagementC:\Acer\ePM\ePM.exe boot = C:\Acer\ePM\ePM.exe boot
@{0228e555-4f9c-4e35-a3ec-b109a192b4c2}C:\Programmi\Google\Gmail Notifier\gnotify.exe = C:\Programmi\Google\Gmail Notifier\gnotify.exe
@LManagerC:\Programmi\Launch Manager\QtZgAcer.EXE = C:\Programmi\Launch Manager\QtZgAcer.EXE
@SunJavaUpdateSched"C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe" = "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@UnlockerAssistant"C:\Programmi\Unlocker\UnlockerAssistant.exe" = "C:\Programmi\Unlocker\UnlockerAssistant.exe"
@MSConfigC:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe /*file not found*/ = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@drvsyskitC:\WINDOWS\system32\drivers\hidr.exe = C:\WINDOWS\system32\drivers\hidr.exe
@hldrrrC:\WINDOWS\system32\hldrrr.exe /*file not found*/ = C:\WINDOWS\system32\hldrrr.exe /*file not found*/
@german.exeC:\WINDOWS\system32\wintems.exe /*file not found*/ = C:\WINDOWS\system32\wintems.exe /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Programmi\Synaptics\SynTP\SynTPCpl.dll = C:\Programmi\Synaptics\SynTP\SynTPCpl.dll
@{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0} /*EPM-PO Shell Extension*/epm-po.dll = epm-po.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/C:\Programmi\Unlocker\UnlockerCOM.dll = C:\Programmi\Unlocker\UnlockerCOM.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
DAP_ShredMenu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
MyPhoneExplorer@{2D30AAA2-9084-4686-B8B9-B9B62EEFFD4E} = C:\Programmi\MyPhoneExplorer\DLL\ShellMgr.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
DAP_ShredMenu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Programmi\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{055FD26D-3A88-4e15-963D-DC8493744B1D}C:\PROGRA~1\ICQTOO~1\toolbaru.dll = C:\PROGRA~1\ICQTOO~1\toolbaru.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll = C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
@{8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489}C:\Programmi\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll = C:\Programmi\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2A56CA5D-A513-48C8-89DB-62A90E5269AF} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.0.5 = 192.168.0.5
@NameServer192.168.0.1 = 192.168.0.1
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =

C:\Documents and Settings\Stefano\Menu Avvio\Programmi\Esecuzione automatica = Adobe Gamma.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
BTTray.lnk = BTTray.lnk

---- EOF - GMER 1.0.13 ----


Ho installato Avast. Ho fatto una scansione prima di caricare windows. Ho caricato windows e...magia... l'eseguibile di Avast è stato "mangiato" dal virus :cry:
yanoama
14-08-2007, 23:02
Alcuni file infetti sembrano essere ancora presenti nel tuo log, sei sicuro di aver seguito scrupolosamente le istruzioni dell'articolo di megalab???


Fai una scansione con panda antirootkit
http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx

e col tool di drweb che ti ho indicato prima.

Bye
Barbalbero
15-08-2007, 09:04
wilders...ieri :D

Si, pare proprio molto interessante :)


sono meno esperto di te...
Non ravviso cmq nulla di grave nel log..

SynTP.sys *sembrerebbe* essere un driver del Touchpad Synaptics...
E' in C:\Windows\System32\drivers ?

Non so dove sia, ma è il mio touchpad

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Unknown owner - C:\Programmi\iPod\bin\iPodService.exe (file missing)

Come vedete, mi cancella ancora gli exe di Avast...
E cos'è l'ultima riga? iPod? io non ce l'ho mai avuta (e non ce l'ho nemmeno ora) quella cartella in Programmi...
Ora proseguo con gli altri consigli
Barbalbero
15-08-2007, 09:15
Visto che il log di hijackthis postato inizialmente da questo utente risulti "pulito all'origine" nonostante siano presenti nel pc diversi problemi,colgo l'occasione per mettere all'attenzione un soft ( ma in versione beta) già messo in luce su vari siti internet:

http://www.runscanner.net/

Potrebbe essere l'occasione per una prova.
Ma ripeto sempre con molta cautela.

Bel software...mi piace...
Runscanner logfile http://www.runscanner.net

000 General info
----------------
Computer name : HAL9000
Type of scan : Full scan
RunScanner Version : 0.9.6.1
Creation time : 15/08/2007 9.53.48
User rights : Administrator
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
User Language : Italiano (Italia)
IE version : 7.0.5730.11
Windows folder : C:\WINDOWS
Hosts file location : %SystemRoot%\System32\drivers\etc
Hosts <> 127.0.0.1 : 0

001 Running processes
---------------------
c:\programmi\tgtsoft\stylexp\stylexpservice.exe
c:\programmi\intel\wireless\bin\evteng.exe (Intel Corporation)
c:\programmi\intel\wireless\bin\s24evmon.exe (Intel Corporation)
c:\acer\emanager\anbmserv.exe (OSA Technologies Inc.)
* c:\programmi\synaptics\syntp\syntplpr.exe (Synaptics, Inc.)
* c:\programmi\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
c:\programmi\ati technologies\ati control panel\atiptaxx.exe (ATI Technologies, Inc.)
c:\acer\epm\epm-dm.exe (Acer Inc)
c:\programmi\google\gmail notifier\gnotify.exe (Google Inc.)
c:\programmi\launch manager\qtzgacer.exe (Dritek System Inc.)
* c:\programmi\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
c:\programmi\quicktime\qttask.exe (Apple Inc.)
c:\programmi\unlocker\unlockerassistant.exe
c:\programmi\widcomm\software bluetooth\bin\btwdins.exe (Broadcom Corporation.)
c:\programmi\intel\wireless\bin\regsrvc.exe (Intel Corporation)
c:\programmi\alcohol soft\alcohol 120\starwind\starwindserviceae.exe (Rocket Division Software)
c:\programmi\widcomm\software bluetooth\bttray.exe (Broadcom Corporation.)
* c:\documents and settings\stefano\desktop\runscanner.exe (Runscanner.net)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\programmi\synaptics\syntp\syntplpr.exe (Synaptics, Inc.)
* c:\programmi\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
c:\programmi\ati technologies\ati control panel\atiptaxx.exe (ATI Technologies, Inc.)
c:\acer\epm\epm-dm.exe (Acer Inc)
c:\acer\epm\epm.exe (Acer Value Labs, Taiwan)
c:\programmi\google\gmail notifier\gnotify.exe (Google Inc.)
c:\programmi\launch manager\qtzgacer.exe (Dritek System Inc.)
* c:\programmi\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
c:\programmi\quicktime\qttask.exe (Apple Inc.)
c:\programmi\unlocker\unlockerassistant.exe
- c:\progra~1\alwils~1\avast4\ashdisp.exe

004 C:\Documents and Settings\Stefano\Menu Avvio\Programmi\Esecuzione automatica
--------------------------------------------------------------------------------
c:\progra~1\fileco~1\adobe\calibr~1\adobeg~1.exe (Adobe Systems, Inc.)

005 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
----------------------------------------------------------------------------------
c:\progra~1\adobe\acroba~1.0\reader\reader~1.exe (Adobe Systems Incorporated)
c:\progra~1\widcomm\softwa~1\bttray.exe (Broadcom Corporation.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
c:\programmi\file comuni\adobe systems shared\service\adobelmsvc.exe (Adobe LM Service)
c:\acer\emanager\anbmserv.exe (Notebook Manager Service)
- c:\programmi\alwil software\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
* C:\WINDOWS\system32\ati2evxx.exe (ATI External Event Utility EXE Module)
- c:\programmi\alwil software\avast4\ashserv.exe (avast! Antivirus)
- c:\programmi\alwil software\avast4\ashmaisv.exe (avast! Mail Scanner)
- c:\programmi\alwil software\avast4\ashwebsv.exe (avast! Web Scanner)
c:\programmi\widcomm\software bluetooth\bin\btwdins.exe (Bluetooth Service)
c:\programmi\intel\wireless\bin\evteng.exe (EvtEng)
c:\programmi\file comuni\installshield\driver\11\intel 32\idrivert.exe (InstallDriver Table Manager)
c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe (Windows CardSpace)
- c:\programmi\ipod\bin\ipodservice.exe (Servizio iPod)
c:\windows\microsoft.net\framework\v3.0\windows communication foundation\smsvchost.exe (Net.Tcp Port Sharing Service)
c:\programmi\intel\wireless\bin\regsrvc.exe (RegSrvc)
c:\programmi\intel\wireless\bin\s24evmon.exe (Spectrum24 Event Monitor)
c:\programmi\alcohol soft\alcohol 120\starwind\starwindserviceae.exe (StarWind AE Service)
c:\programmi\tgtsoft\stylexp\stylexpservice.exe (StyleXPService)
- c:\programmi\file comuni\symantec shared\ccpd-lc\symlcsvc.exe (Symantec Core LC)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
C:\WINDOWS\system32\drivers\aegisp.sys (AEGIS Protocol (IEEE 802.1x) v3.1.6.0)
* C:\WINDOWS\system32\drivers\anydvd.sys (AnyDVD)
* C:\WINDOWS\system32\drivers\ati2mtag.sys (Video)
* C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom 440x 10/100 Integrated Controller XP Driver)
C:\WINDOWS\system32\drivers\btaudio.sys (Periferica audio Bluetooth)
C:\WINDOWS\system32\drivers\btport.sys (Driver di comunicazioni virtuali Bluetooth)
C:\WINDOWS\system32\drivers\btkrnl.sys (Enumeratore bus Bluetooth)
- c:\windows\system32\drivers\btserial.sys (Bluetooth Serial Driver)
- c:\windows\system32\drivers\btslbcsp.sys (Bluetooth Port Client Driver)
C:\WINDOWS\system32\drivers\btwdndis.sys (Server di accesso alla rete LAN Bluetooth)
C:\WINDOWS\system32\drivers\btwhid.sys (Bluetooth Virtual HID Minidriver)
C:\WINDOWS\system32\drivers\btwusb.sys (WIDCOMM USB Bluetooth Driver)
* C:\WINDOWS\system32\drivers\camcaud.sys (Conexant AMC Audio)
* C:\WINDOWS\system32\drivers\camchal.sys (Conexant AmcHal Driver)
C:\WINDOWS\system32\drivers\dkbfltr.sys (Dritek HotKey Keyboard Filter Driver)
* C:\WINDOWS\system32\drivers\elbycdio.sys (ElbyCDIO Driver)
* C:\WINDOWS\system32\drivers\elbydelay.sys (ElbyDelay)
c:\windows\system32\drivers\epm-psd.sys (Acer EPM Power Scheme Driver)
c:\windows\system32\drivers\epm-shd.sys (Acer EPM System Hardware Driver)
- c:\programmi\file comuni\symantec shared\eengine\eraserutilrebootdrv.sys (EraserUtilRebootDrv)
C:\WINDOWS\system32\drivers\ggsemc.sys (Sony Ericsson USB Flash Driver)
C:\WINDOWS\system32\drivers\gmer.sys (Base)
* C:\WINDOWS\system32\drivers\hamachi.sys (Hamachi Network Interface)
* C:\WINDOWS\system32\drivers\hsfhwich.sys (HSFHWICH WDM driver)
* C:\WINDOWS\system32\drivers\hsf_dpv.sys (HSF_DP driver)
- c:\windows\system32\drivers\incdpass.sys (InCDPass)
- c:\windows\system32\drivers\incdrm.sys (InCD Reader)
* C:\WINDOWS\system32\drivers\mdmxsdk.sys (Diagnostic Interface DRIVER)
c:\windows\system32\drivers\osaio.sys (osaio)
c:\windows\system32\drivers\osanbm.sys (osanbm)
c:\windows\system32\drivers\pci32.sys (Derkz864)
* C:\WINDOWS\system32\drivers\ptilink.sys (Driver Direct Parallel Link)
C:\WINDOWS\system32\drivers\s24trans.sys (WLAN Transport)
C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
C:\WINDOWS\system32\drivers\sptd.sys (Boot Bus Extender)
c:\windows\system32\drivers\srosa.sys (Megadrv3)
c:\programmi\tgtsoft\stylexp\stylexphelper.exe (StyleXPHelper)
* C:\WINDOWS\system32\drivers\syntp.sys (Synaptics TouchPad Driver)
C:\WINDOWS\system32\drivers\tap0801co.sys (TAP-Win32 Adapter V8 (coLinux))
c:\programmi\unlocker\unlockerdriver5.sys (unlockerdriver5.sys)
- c:\windows\system32\drivers\vmnetadapter.sys (VMware Virtual Ethernet Adapter Driver)
* C:\WINDOWS\system32\drivers\w29n51.sys (Driver di Intel(R) PRO/Wireless 2200BG Network Connection Driver per Windows XP)
* C:\WINDOWS\system32\drivers\hsf_cnxt.sys (HSF_CNXT driver)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
-------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
----------------------------------------------------------------
About:Home

040 HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
------------------------------------------------------------
* c:\progra~1\icqtoo~1\toolbaru.dll (IE Toolbar) {855F3B16-6D32-4fe6-8A56-BBB695989046}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
c:\programmi\alcohol toolbar\v3.2.0.0\alcohol_toolbar.dll {ED4BD629-C1B6-4399-8A34-02CCAA921DC9}
* c:\progra~1\icqtoo~1\toolbaru.dll (IE Toolbar) {855F3B16-6D32-4fe6-8A56-BBB695989046}

042 HKLM\Software\Microsoft\Internet Explorer\Extensions
--------------------------------------------------------
* c:\programmi\icq6\icq.exe (ICQ, Inc.) {E59EB121-F339-4851-A3BA-FE49C35617C2}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
c:\programmi\alcohol toolbar\v3.2.0.0\alcohol_toolbar.dll {ED4BD629-C1B6-4399-8A34-02CCAA921DC9}
* c:\progra~1\icqtoo~1\toolbaru.dll (IE Toolbar) {855F3B16-6D32-4FE6-8A56-BBB695989046}

048 ESC Trusted zones
---------------------
Zone: microsoft.com : no zone defined
Zone: *.update.microsoft.com : http://*.update.microsoft.com
Zone: *.update.microsoft.com : https://*.update.microsoft.com

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
* c:\progra~1\icqtoo~1\toolbaru.dll (IE Toolbar) {055FD26D-3A88-4e15-963D-DC8493744B1D}
* c:\programmi\java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
c:\programmi\alcohol toolbar\v3.2.0.0\alcohol_toolbar.dll {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489}

061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
----------------------------------------------------------------------------
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
* c:\programmi\synaptics\syntp\syntpcpl.dll (Synaptics, Inc.) {2F603045-309F-11CF-9774-0020AFD0CFF6}
C:\WINDOWS\system32\epm-po.dll (Acer Labs USA) {2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}
c:\programmi\real\realplayer\rpshell.dll (RealNetworks, Inc.) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
c:\programmi\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\windows\system32\btneighborhood.dll (Broadcom Corporation.) {6af09ec9-b429-11d4-a1fb-0090960218cb}
c:\programmi\file comuni\ahead\lib\nerodigitalext.dll (Nero AG) {B327765E-D724-4347-8B16-78AE18552FC3}
c:\programmi\file comuni\ahead\lib\nerodigitalext.dll (Nero AG) {7F1CF152-04F8-453A-B34C-E609530A9DC8}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79305-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79306-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79307-84BE-11CE-9641-444553540000}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
c:\programmi\unlocker\unlockercom.dll {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
* c:\programmi\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}

062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
-------------------------------------------------------
c:\programmi\file comuni\ahead\lib\nerodigitalext.dll (Nero AG) {7D4D6379-F301-4311-BEBA-E26EB0561882}
c:\programmi\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

066 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
---------------------------------------------------------------------
c:\windows\system32\logonuix.exe (Microsoft Corporation)

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
* C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

100 Internet Explorer settings
------------------------------
Start Page HKCU : http://www.google.it/
Start Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
Search Page HKCU : http://www.google.com
Search Page HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
Default_Page_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
SearchAssistant HKCU : http://www.google.com/ie
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
ProxyServer HKCU : 131.175.12.65:8080
SearchUrl HKCU : http://www.google.com/keyword/%s

102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
------------------------------------------------------------------
GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478}

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
* c:\programmi\quicktime\qtplugin.ocx (Apple Inc.) {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
* c:\windows\system32\macromed\director\swdir.dll (Adobe Systems, Inc.) {166B1BCA-3F9C-11CF-8075-444553540000}
* c:\programmi\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
c:\programmi\java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
* c:\programmi\java\jre1.5.0_10\bin\npjpi150_10.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
* c:\programmi\java\jre1.5.0_11\bin\npjpi150_11.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
* c:\programmi\java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
* c:\programmi\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
* c:\programmi\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
* c:\windows\system32\macromed\flash\flash9b.ocx (Adobe Systems, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000}

106 HKLM\Software\Microsoft\Windows\CurrentVersion\URL
------------------------------------------------------
Default : http://
ftp : ftp://
gopher : gopher://
home : http://
mosaic : http://
www : http://

120 Domain/DNS hijacking
------------------------
NameServer {2A56CA5D-A513-48C8-89DB-62A90E5269AF} : 192.168.0.1

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
* c:\programmi\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
c:\progra~1\dap\privac~1\dapctx~1.dll (Speedbit Ltd.) {BED4C38B-F765-45AC-8C56-613F76BBF43E}
GUID / CLSID not found {6B28C27B-8A75-4DB1-A08A-86C8CCEC3AF3}
c:\programmi\myphoneexplorer\dll\shellmgr.dll (F.J. Wechselberger) {2D30AAA2-9084-4686-B8B9-B9B62EEFFD4E}
c:\programmi\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
c:\programmi\nero\nero 7\nero backitup\nbshell.dll (Nero AG)

180 FileType Hijacking
----------------------
HKEY_CLASSES_ROOT batfile : "%1" %*
HKEY_CLASSES_ROOT cmdfile : "%1" %*
HKEY_CLASSES_ROOT comfile : "%1" %*
HKEY_CLASSES_ROOT exefile : "%1" %*
HKEY_CLASSES_ROOT htafile : C:\WINDOWS\system32\mshta.exe "%1" %*
HKEY_CLASSES_ROOT piffile : "%1" %*
HKEY_CLASSES_ROOT scrfile : "%1" /S


Io non ci vedo niente di maligno, però non sono esperto..
Barbalbero
15-08-2007, 09:57
Alcuni file infetti sembrano essere ancora presenti nel tuo log, sei sicuro di aver seguito scrupolosamente le istruzioni dell'articolo di megalab???


Fai una scansione con panda antirootkit
http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx

e col tool di drweb che ti ho indicato prima.

Bye

OK! Grande! dopo 2 scansioni di Panda, ora è ok!

Avast Inside!

GRAZIE A TUTTI
yanoama
15-08-2007, 16:16
Credo si trattasse di una variante nuova del beagle, per questo l'antivirus non lo ha bloccato.
Qui ci sono istruzioni aggiornate sulla rimozione
http://www.megalab.it/forum/viewtopic.php?t=34010
Comunque ottimo panda che l'ha rimosso.

Bye