help, I don't know what else to do


GiulioM
07-07-2004, 08:05
Hi!

For several days I've been fighting a spyware in vain.... it puts a site (search for...) in place of my blank page and I can't get rid of it.
I've used the latest Spybot, the latest CWShredder, an updated AVG antivirus, BHO, HSRemove etc.
They all seem to remove it for a moment, but if I wait a bit it comes back..
In every case a DLL always shows up that AVG reports as infected... the program isolates it, but after a while (even after a few hours) another one reappears.

Logfile of HijackThis v1.98.0
Scan saved at 8.57.16, on 07/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
d:\AVG6\avgserv.exe
C:\Programmi\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Programmi\ISS\BlackICE\blackice.exe
C:\Programmi\ICQ\ICQ.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\mIRC\mirc.exe
C:\Programmi\emule\emule.exe
D:\Netscape\Netscp.exe
C:\Programmi\Winamp3\winamp3.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\HackScan\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {488D68A7-EEE8-46B3-9DFC-35E82BF19731} - C:\WINNT\system32\jekhm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Programmi\ICQ\NDetect.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Programmi\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download using Download &Express - file://D:\Download Express\Add_Url.htm
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6701D5A5-BC37-4063-805E-7A9B3BB91AFA}: NameServer = 217.141.104.205 151.99.125.1
O18 - Filter: text/html - {6CE4A70F-1333-4340-90FA-1A7D333975EE} - C:\WINNT\system32\jekhm.dll
O18 - Filter: text/plain - {6CE4A70F-1333-4340-90FA-1A7D333975EE} - C:\WINNT\system32\jekhm.dll


First the DLL was jil.dll, then aoob.dll, which I have in quarantine, and now this jekhm.dll

:muro:
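
A defender-side triage of the log above, added here as an example (not code from the thread or from HijackThis): the pattern to look for is R0/R1 search entries pointing at a file in Temp, an unnamed O2 BHO, and O18 text/html and text/plain filters served by the same DLL. The sample lines are constructed from the posted log, with Spybot's SDHelper.dll and the Radio toolbar included as benign controls.

```python
import re

# Constructed sample: lines taken from the HijackThis log posted above, plus
# Spybot's SDHelper.dll BHO and the Radio toolbar as benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {488D68A7-EEE8-46B3-9DFC-35E82BF19731} - C:\WINNT\system32\jekhm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O18 - Filter: text/html - {6CE4A70F-1333-4340-90FA-1A7D333975EE} - C:\WINNT\system32\jekhm.dll
O18 - Filter: text/plain - {6CE4A70F-1333-4340-90FA-1A7D333975EE} - C:\WINNT\system32\jekhm.dll
"""

# "R1 - <registry key> = <value>" and "O2/O3/O18 - <label>: <name> - {CLSID} - <path>"
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
REG_RE = re.compile(r"^(?P<key>.+?) = (?P<value>.*)$")
COM_RE = re.compile(
    r"^(?P<label>[^:]+): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)


def parse_entries(log_text):
    """Yield (kind, body) for every R*/O* line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    findings = {
        "hijacked_search": [],   # R0/R1 keys pointing IE's search at a local Temp file
        "mime_filters": [],      # O18 filters for text/html or text/plain (rarely legitimate)
        "unnamed_bhos": [],      # O2 "(no name)" BHOs: a weak signal on its own
        "correlated_dlls": [],   # DLLs that are BOTH a BHO and a MIME filter: strong signal
    }
    bho_dlls, filter_dlls = set(), set()
    for kind, body in parse_entries(log_text):
        if kind in ("R0", "R1"):
            m = REG_RE.match(body)
            if m is None:
                continue
            value = m.group("value").lower()
            if value.startswith("file://") and "\\temp\\" in value:
                findings["hijacked_search"].append(m.group("key"))
        elif kind in ("O2", "O18"):
            m = COM_RE.match(body)
            if m is None:
                continue
            dll = basename(m.group("path"))
            if kind == "O18":
                if m.group("name").lower() in ("text/html", "text/plain"):
                    findings["mime_filters"].append((m.group("name"), dll))
                    filter_dlls.add(dll)
            else:
                bho_dlls.add(dll)
                if m.group("name") == "(no name)":
                    findings["unnamed_bhos"].append(dll)
    findings["correlated_dlls"] = sorted(bho_dlls & filter_dlls)
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

Note that SDHelper.dll also shows as "(no name)", so the unnamed-BHO list alone is not evidence; the DLL that is both a BHO and a text/html filter is.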

netquik
07-07-2004, 13:40
let's see what happens

fix
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {488D68A7-EEE8-46B3-9DFC-35E82BF19731} - C:\WINNT\system32\jekhm.dll

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O18 - Filter: text/html - {6CE4A70F-1333-4340-90FA-1A7D333975EE} - C:\WINNT\system32\jekhm.dll
O18 - Filter: text/plain - {6CE4A70F-1333-4340-90FA-1A7D333975EE} - C:\WINNT\system32\jekhm.dll

reboot into safe mode, delete
C:\WINNT\system32\jekhm.dll
and empty the Temp folder
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp

and clean up at least with Ad-Aware, CWShredder and
http://www.trojaner-info.de/cgi-bin/download.cgi?file=sphjfix

and reboot, post the new log

GiulioM
07-07-2004, 14:09
Hi

Maybe, maybe I've solved it!
I used to do the same before, but after a while everything came back.
I tried a scan with McAfee over the internet and besides that DLL it found another one and an exe, notepad.exe.tmp
now I've deleted them and cleaned everything up

The temp folder, though, I can't empty: it tells me many files are in use, others could "damage" the system etc.

netquik
07-07-2004, 14:13
couldn't you empty it from safe mode either?

GiulioM
07-07-2004, 16:25
I didn't try from safe mode :D
But do I have to delete everything, even the directories? (history, cookies etc.)

netquik
07-07-2004, 19:51
I'd advise you to empty it..
but if you want, keep the cookies


do you really need the history?

anyway it's odd, that folder I pointed you to
shouldn't contain the temporary internet files....


check that we're talking about the same Temp

netquik
07-07-2004, 19:59
anyway, if you think you've solved it, it might be pointless...

maybe post a fresh log so we can take a look

GiulioM
07-07-2004, 22:06
hi
anyway I gave it a clean-up
the temp is the right one... strangely, inside it there are also duplicate folders like History, Temporary Internet Files, and it tells me they're system folders blah blah
now I've tried to put them all in the recycle bin, oh well

here's the new log


Logfile of HijackThis v1.98.0
Scan saved at 23.02.02, on 07/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
d:\AVG6\avgserv.exe
C:\Programmi\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Programmi\ISS\BlackICE\blackice.exe
C:\Programmi\ICQ\ICQ.exe
D:\mIRC\mirc.exe
C:\Programmi\emule\emule.exe
D:\Netscape\Netscp.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\HackScan\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Programmi\ICQ\NDetect.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Programmi\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download using Download &Express - file://D:\Download Express\Add_Url.htm
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

the last line is about an online game

netquik
07-07-2004, 22:33
ah... I'd told you to remove it... to be safe

my mistake...


anyway you look clean!!

congratulations!
:happy:

GiulioM
08-07-2004, 12:35
oh no, here it is again :(

Logfile of HijackThis v1.98.0
Scan saved at 13.32.09, on 08/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
d:\AVG6\avgserv.exe
C:\Programmi\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Programmi\ISS\BlackICE\blackice.exe
C:\Programmi\ICQ\ICQ.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\HackScan\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {88FC01AE-AC33-434F-9263-400B0B07DFC1} - C:\WINNT\system32\odnkj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Programmi\ICQ\NDetect.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Programmi\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download using Download &Express - file://D:\Download Express\Add_Url.htm
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O18 - Filter: text/html - {1844F067-0448-464F-A96B-FC01D86D29DF} - C:\WINNT\system32\odnkj.dll
O18 - Filter: text/plain - {1844F067-0448-464F-A96B-FC01D86D29DF} - C:\WINNT\system32\odnkj.dll

netquik
08-07-2004, 13:03
damn...

try doing everything again

just update the DLL name...


but that online game...
is it safe?


anyway, follow the procedure...
then
I'd advise you to use either Ad-Watch from Ad-Aware or SpywareBlaster to protect yourself...

GiulioM
08-07-2004, 13:22
Hi
Damn, what a pain... the funny thing is that I deactivated the DLL with BHO... cleaned with CWShredder and then this time I went into safe mode, deleted the offending DLL and out of curiosity re-ran the HijackThis log... full again!! even in safe mode!! cleaned again, rebooted... ran SpyBot and also applied Immunize.... well, let's hope :/

The game should be safe... I've been using it for months

GiulioM
08-07-2004, 17:49
here it is agaaaain, waaaaah

but now I also have the URL, it replaces MSN Search

http://s1di.d8t.biz/index.php?aid=20038

netquik
08-07-2004, 18:24
so
evidently safe mode isn't enough...

check one thing: in Run, type msinfo32

and there go to Software Environment >> Loaded Modules

and check that there isn't one of those DLLs you know how to recognize by now


let me know

netquik
08-07-2004, 18:54
I'll post what to try anyway...


once you've found the offending .dll, note down its name

let's say it's ghyth.dll
and update Ad-Aware with the latest definitions


reboot to the COMMAND PROMPT (DOS, basically)

here's hoping you're familiar with DOS

cd\Windows\System32 (or wherever the dll is)

do dir ghyth.dll

(it will probably be 57,344 bytes)

do
ren ghyth.dll ghyth.bob

don't delete the file
now reboot into safe mode (windows will complain it can't find the dll)

now clean up with Ad-Aware... which should also find the renamed dll..
make sure all the scan settings are as deep as possible
in particular the directories
\Windows, \Program Files, and \My Documents
must be scanned

you can also run other cleaners afterwards
cwshredder, spybot

now reboot and see

GiulioM
08-07-2004, 19:50
eh, but how do I find this offending dll
there's a list that never ends
they all had a size of 30kb but I didn't find any like that

netquik
08-07-2004, 20:04
sort them by date

netquik
08-07-2004, 20:06
and check under System Drivers too

netquik
08-07-2004, 20:12
I know it's not easy...

you can also try going into \Windows\System32 from the prompt and doing dir *.dll | more

and look for the one with that exact size..
there'll be several...
but that one will have a strange name...

if you really can't manage...
we'll have to fall back on HijackThis

and try the procedure with the dll that shows up there

GiulioM
08-07-2004, 20:26
Hi

Now I'm more confident
Earlier I managed to delete the DLL without rebooting the system, I cleaned with all the spybots I had and now finally, if I mistype an address, it goes back to MSN Search
Before, to delete the DLL I had to deactivate it with BHO and reboot... but even in safe mode the DLL seemed to reactivate, even though I could delete it! I think at that moment it was starting to create another one... or something like that :mc:

Let's hope it's really over :muro:
thanks for the help ;)

GiulioM
09-07-2004, 07:23
Hi

Now I'm less confident... I don't know why, but every now and then that site shows up instead of MSN Search when I get a URL wrong
If I empty the temp folder, MSN Search comes back

amvinfe
09-07-2004, 10:00
Close all applications and, while not connected, do a new scan with HJT and post the result. Keep in mind that if you reboot after the scan, the name of the .dll could change.

GiulioM
09-07-2004, 10:14
Luckily the DLL doesn't show up anymore

Logfile of HijackThis v1.98.0
Scan saved at 8.30.55, on 09/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
d:\AVG6\avgserv.exe
C:\Programmi\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Programmi\ISS\BlackICE\blackice.exe
C:\Programmi\ICQ\ICQ.exe
C:\Programmi\emule\emule.exe
D:\HackScan\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Programmi\ICQ\NDetect.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Programmi\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download using Download &Express - file://D:\Download Express\Add_Url.htm
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6701D5A5-BC37-4063-805E-7A9B3BB91AFA}: NameServer = 217.141.104.205 151.99.125.1

but that O17 remains, it comes back even if deleted

netquik
09-07-2004, 12:05
hi..

no, the O17

is fine... it's not a dangerous line...

it's basically your provider's DNS servers...

Telecom, I guess?


anyway, could you post the procedure you used to clean up?

bye

GiulioM
09-07-2004, 12:06
waaaaaaaaaaaaaah

it's back.... enough, I give up.. it has beaten me :cry: :muro:

Logfile of HijackThis v1.98.0
Scan saved at 13.00.54, on 09/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
d:\AVG6\avgserv.exe
C:\Programmi\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Programmi\ISS\BlackICE\blackice.exe
C:\Programmi\ICQ\ICQ.exe
C:\Programmi\emule\emule.exe
D:\mIRC\mirc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\HackScan\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6148ADB2-4D83-40DE-81AC-3D93F962837C} - C:\WINNT\system32\fkkbdp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Programmi\ICQ\NDetect.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Programmi\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download using Download &Express - file://D:\Download Express\Add_Url.htm
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O18 - Filter: text/html - {D102B0F7-97D7-4CDD-AF20-64A5D40B67E1} - C:\WINNT\system32\fkkbdp.dll
O18 - Filter: text/plain - {D102B0F7-97D7-4CDD-AF20-64A5D40B67E1} - C:\WINNT\system32\fkkbdp.dll

netquik
09-07-2004, 12:24
damn...


listen, try doing that procedure from DOS

that I told you about

using
C:\WINNT\system32\fkkbdp.dll

be very careful with the steps

and remember that Ad-Aware was updated today too!

netquik
09-07-2004, 12:28
also take a look at the properties
of C:\WINNT\system32\RUNDLL32.EXE

the fact that it's all upper case doesn't entirely convince me

GiulioM
09-07-2004, 12:41
Wait, maybe I've got it (well... it's the third time I've said so)
When I scanned with AVG I left out 2 or 3 folders on the second HD that I considered safe... one of these was the folder with the spybots in it (CWShredder, HijackThis, X-Cleaner etc.) and damn it, AVG found an infected DLL there too!! I don't know why, but there was a backup of a DLL (an infected one, I presume)
Could that be the cause of it all? After a while it created another one in system and started the chain?

I don't understand why there's a backup of that DLL

netquik
09-07-2004, 12:48
it's unlikely to be that one anyway... delete it, obviously...


unfortunately... if only I were in front of the PC...

you have to be more than precise in following the procedures...

netquik
09-07-2004, 12:58
we can try something else...

but I warn you it's complicated...


if you're up for it, don't waste time...

download http://downloads.subratam.org/FINDnFIX.exe

it will install to C:/FindnFix

from this folder run !LOG!.BAT

wait for the analysis... and post the generated log.txt

GiulioM
09-07-2004, 13:11
Here it is


»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»
Due to errors on various message boards I made some changes.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
If you make a mistake or use the wrong guidance, it is completely
your responsibility and the helper that assists you.
If you are not sure about the nature of the file or how
to proceed, I suggest you research it first before attempting
to remove any *unknown file on your own.
*For Helpers and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows 2000 [Versione 5.00.2195]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q831167
Il file system è di tipo FAT32.
C: non è danneggiata.

ven 09/07/2004
2:04pm up 0 days, 6:12

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINNT\System32\FAXCOM.DLL +++ File read error
\\?\C:\WINNT\System32\FAXCOM.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
FAXCOM.DLL Can't Open!
COM.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINNT\SYSTEM32\
com.dll Sun 4 Jul 2004 23.28.34 ....R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\COM.DLL

»»»»»(*5*)»»»»»
**File C:\WINNT\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... FAXCOM.DLL .....80656 23.12.1999
¯ Access denied ® ..................... COM.DLL .....57344 04.07.2004

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINNT\SYSTEM32\
com.dll Sun 4 Jul 2004 23.28.34 ....R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\COM.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group GIULIO-7MKLCW9D\Nessuno.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCALE.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

Il servizio specificato non esiste come servizio installato.

[SC] GetServiceDisplayName FAILED 1060:

Il servizio specificato non esiste come servizio installato.


»»Notepad check....

C:\WINNT\
notepad.exe Sun 4 Jul 2004 23.28.22 A.... 51.984 50,77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51.984 bytes 50,77 K

C:\WINNT\SYSTEM32\
notepad.exe Thu 23 Dec 1999 0.00.00 A.... 51.984 50,77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51.984 bytes 50,77 K

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Thu 23 Dec 1999 0.00.00 A.... 51.984 50,77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51.984 bytes 50,77 K
--a-- W32i APP ITA 5.0.2140.1 shp 51,984 12-23-1999 notepad.exe
Language 0x0410 (Italiano (Italia))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Blocco note
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Sistema operativo Microsoft(R) Windows 2000(R)
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright (C) Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000


»»»»»»Backups created...»»»»»»
2:05pm up 0 days, 6:12
ven 09/07/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-09-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-09-2004 winkey.reg

C:\FINDNFIX\
JUNKXXX Fri 9 Jul 2004 14.04.42 .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: ?
00001190: 0 x @
000011D0: vk 4 0 AppInit_DLLs0 0 C : \ W I N N T \ s
00001210:y s t e m 3 2 \ c o m . d l l vk ` H DeviceNo
00001250:tSelectedTimeout 1 5 H h vk ' /
00001290:GDIProcessHandleQuota , vk , Spooler y e
000012D0:s 0 0 vk e swapdisk vk 0
00001310: , TransmissionRetryTimeout 9 0 vk '
00001350: 0 USERProcessHandleQuotaH
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
AppInit_DLLs0
--------------
--------------
C:\WINNT\system32\com.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 52 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINNT\system32\com.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
0020 32 00 5c 00 63 00 6f 00 6d 00 2e 00 64 00 6c 00 | 2.\.c.o.m...d.l.
0030 6c 00 00 00 | l...
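
The hex dump at the end of this log is worth reading by hand: the tool reports the AppInitDLLs value as 52 bytes including the 2-byte terminator, which is exactly the 25-character path in UTF-16LE plus a NUL. The Python below is an added example (not code from the thread or from FINDnFIX): it rebuilds the bytes from a dump in that format and separates what a viewer that stops at the first NUL would display from what is actually stored, which is the check to make when a registry export shows AppInit_DLLs as empty while a DLL is still being loaded. The leading-NUL and unterminated variants exercised in the test are constructed, not taken from the log.

```python
import re

# Constructed from the AppInitDLLs hex dump in the FINDnFIX log above.
APPINIT_DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
0020 32 00 5c 00 63 00 6f 00 6d 00 2e 00 64 00 6c 00 | 2.\.c.o.m...d.l.
0030 6c 00 00 00 | l...
"""

# "<offset> <hex bytes ...> | <ascii>"; the ASCII column is ignored.
HEX_LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{4,8})((?:\s+[0-9A-Fa-f]{2})+)\s*\|")


def parse_hexdump(text):
    """Rebuild the raw bytes from a FINDnFIX-style hex dump, checking offsets."""
    raw = bytearray()
    for line in text.splitlines():
        m = HEX_LINE_RE.match(line)
        if m is None:
            continue
        offset = int(m.group(1), 16)
        if offset != len(raw):
            raise ValueError(f"offset {offset:#06x} does not follow {len(raw):#06x}")
        raw += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(raw)


def inspect_reg_sz(raw):
    """Read a raw REG_SZ payload two ways: as a C string (what a viewer that
    stops at the first NUL shows) and as the full UTF-16LE blob."""
    byte_length = len(raw)
    terminated = byte_length >= 2 and byte_length % 2 == 0 and raw[-2:] == b"\x00\x00"
    if byte_length % 2:                      # odd length: pad so UTF-16 decodes
        raw = raw + b"\x00"
    text = raw.decode("utf-16-le", errors="replace")
    displayed = text.split("\x00", 1)[0]    # C-string view (regedit, lstrlen)
    full = text.replace("\x00", "")         # every character actually stored
    return {
        "byte_length": byte_length,
        "terminated": terminated,
        "displayed": displayed,
        "full": full,
        "hidden_content": full != displayed,
        "dll_paths": full.replace(",", " ").split(),   # AppInit_DLLs is space/comma separated
    }


def review_appinit(raw):
    """Reasons an AppInit_DLLs blob deserves attention; an empty list means nothing to see."""
    info = inspect_reg_sz(raw)
    reasons = []
    if info["dll_paths"]:
        reasons.append("AppInit_DLLs is non-empty: " + ", ".join(info["dll_paths"]))
    if info["hidden_content"]:
        reasons.append("content hidden behind an embedded NUL; viewers show %r" % info["displayed"])
    if not info["terminated"]:
        reasons.append("value lacks the REG_SZ terminating NUL (%d bytes)" % info["byte_length"])
    return reasons


if __name__ == "__main__":
    blob = parse_hexdump(APPINIT_DUMP)
    print(len(blob), "bytes")
    for reason in review_appinit(blob):
        print("-", reason)
```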


netquik
09-07-2004, 13:30
WRONG PROCEDURE, IT REFERS TO THE OLD PROGRAM


so follow this procedure

open the "FINDnFIX\Keys1" subfolder
find "MOVEit.bat",
right-click it and choose edit
it should be empty

paste this line into it

move C:\WINNT\SYSTEM32\COM.DLL C:\junkxxx\COM.DLL

Save and close.


Get ready to reboot
In the same directory as before, run "FIX.bat".

It will reboot in 15 seconds

After the reboot: C:\FINDnFIX\
run the "RESTORE.bat" file.
it will produce the new log (log1.txt); post it!


go

GiulioM
09-07-2004, 16:52
»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

ven 09/07/2004
5:46pm up 0 days, 0:01

Microsoft Windows 2000 [Versione 5.00.2195]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q831167
Il file system è di tipo FAT32.
C: non è danneggiata.

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»
* result\\?\C:\WINNT\System32\COM.DLL

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT

»»»»»»» (3) »»»»»»»

C:\WINNT\SYSTEM32\
com.dll Sun 4 Jul 2004 23.28.34 ....R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\COM.DLL

»»»»»(5)»»»»»
**File C:\WINNT\SYSTEM32\DLLXXX.TXT

»»»»»»» Search by size...


C:\WINNT\SYSTEM32\
com.dll Sun 4 Jul 2004 23.28.34 ....R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\COM.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»*»»» Scanning for moved file... »»»*»»»



No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*


Impossibile trovare il file - C:\FINDnFIX\junkxxx\*.*

»»Permissions:
File esauriti.

ERROR: File esauriti.

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Notepad check....

C:\WINNT\
notepad.exe Sun 4 Jul 2004 23.28.22 A.... 51.984 50,77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51.984 bytes 50,77 K

C:\WINNT\SYSTEM32\
notepad.exe Thu 23 Dec 1999 0.00.00 A.... 51.984 50,77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51.984 bytes 50,77 K

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Thu 23 Dec 1999 0.00.00 A.... 51.984 50,77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51.984 bytes 50,77 K
--a-- W32i APP ITA 5.0.2140.1 shp 51,984 12-23-1999 notepad.exe
Language 0x0410 (Italiano (Italia))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Blocco note
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Sistema operativo Microsoft(R) Windows 2000(R)
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright (C) Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: ?
00001190: H
000011D0: vk H DeviceNotSelectedTimeout 1 5
00001210:H h vk ' / GDIProcessHandleQuota , vk
00001250: h , Spooler y e s 0 0 vk
00001290: e swapdisk vk , TransmissionRetryTimeout
000012D0: 9 0 vk ' 0 USERProcessHandleQuotaH
00001310: vk s AppInit_DLLs2 \
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLs2
--------------
--------------
--------------
No strings found.

I think there's still something that doesn't add up

netquik
09-07-2004, 17:07
right.. you say you were missing moveit...

yeah, I was referring to an old version of the program...
so


so follow this procedure


Get ready to reboot
in C:\FINDnFIX\keys1
run "FIX.bat".

It will reboot in 15 seconds

After the reboot:
open the file search and enter com.dll
it will be in system32

now you have to move (move) this file into the folder
C:\FINDnFIX\junkxxx

click OK if it tells you it's read-only


once that's done

C:\FINDnFIX\
run the "RESTORE.bat" file.
it will make the new log (log1.txt); post it!

ok

GiulioM
09-07-2004, 17:15
here I am again


»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

ven 09/07/2004
6:10pm up 0 days, 0:25

Microsoft Windows 2000 [Versione 5.00.2195]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q831167
Il file system è di tipo FAT32.
C: non è danneggiata.

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»»»(5)»»»»»
**File C:\WINNT\SYSTEM32\DLLXXX.TXT

»»»»»»» Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\FINDnFIX\junkxxx\COM.222


C:\FINDNFIX\JUNKXXX\
com.222 Sun 4 Jul 2004 23.28.34 A.... 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\COM.222

**File C:\FINDNFIX\JUNKXXX\COM.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

A----- COM .222 0000E000 23:28.34 04/07/2004

--a-- W32i - - - - 57,344 07-04-2004 com.222
A C:\FINDnFIX\junkxxx\com.222
File: <C:\FINDnFIX\junkxxx\com.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
C:\FINDnFIX\junkxxx\com.222
C:\FINDnFIX\junkxxx\com.222 No permissions are set. All user have full control.
Directory "C:\FINDnFIX\junkxxx\."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

File "C:\FINDnFIX\junkxxx\com.222"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Notepad check....

C:\WINNT\
notepad.exe Sun 4 Jul 2004 23.28.22 A.... 51.984 50,77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51.984 bytes 50,77 K

C:\WINNT\SYSTEM32\
notepad.exe Thu 23 Dec 1999 0.00.00 A.... 51.984 50,77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51.984 bytes 50,77 K

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Thu 23 Dec 1999 0.00.00 A.... 51.984 50,77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51.984 bytes 50,77 K
--a-- W32i APP ITA 5.0.2140.1 shp 51,984 12-23-1999 notepad.exe
Language 0x0410 (Italiano (Italia))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Blocco note
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Sistema operativo Microsoft(R) Windows 2000(R)
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright (C) Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: ?
00001190: H
000011D0: vk H DeviceNotSelectedTimeout 1 5
00001210:H h vk ' / GDIProcessHandleQuota , vk
00001250: h , Spooler y e s 0 0 vk
00001290: e swapdisk vk , TransmissionRetryTimeout
000012D0: 9 0 vk ' 0 USERProcessHandleQuotaH
00001310: vk s AppInit_DLLs2 \
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLs2
--------------
--------------
--------------
attrib.exe
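
The log above records the quarantined sample's CRC-32 and MD5 and dumps the AppInit_DLLs value, which is what the tool is really checking (a DLL named there is loaded into every user-mode process that links user32.dll). The following is an added example, not part of the thread and not FINDnFIX's own code: it parses a few lines in the format the posted log uses (copied from the log above into a constructed sample string), flags a non-empty AppInit_DLLs, and recomputes hashes in the same notation so a quarantined file can be checked against what the log reported. The DLL bytes themselves are not available, so the hash comparison runs on a constructed byte string; the assumed log format is the one pasted in the thread.

```python
"""Parse FINDnFIX-style log lines and recompute sample hashes (added example)."""
import hashlib
import re
import zlib

# Constructed sample: lines copied from the RESTORE.bat log posted in the thread.
SAMPLE_LOG = r"""
»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\FINDnFIX\junkxxx\COM.222

File: <C:\FINDnFIX\junkxxx\com.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
"""

_FILE_RE = re.compile(r"File: <(.+)>")
_CRC_RE = re.compile(r"CRC-32\s*:\s*([0-9A-Fa-f]{8})")
_MD5_RE = re.compile(r"MD5\s*:\s*((?:[0-9A-Fa-f]{8}\s*){4})")
# Value lines look like "<key path>\Windows\<name> SZ <value>" or "... DWORD <hex>".
_VALUE_RE = re.compile(r"HKEY_LOCAL_MACHINE\\.*\\Windows\\(\w+)\s+(SZ|DWORD)\s*(.*)$")


def parse_findnfix_log(text):
    """Pull the moved-file path, its hashes and the dumped Windows-key values."""
    result = {"file": None, "crc32": None, "md5": None, "values": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = _FILE_RE.match(line)
        if m:
            result["file"] = m.group(1)
            continue
        m = _CRC_RE.match(line)
        if m:
            result["crc32"] = m.group(1).upper()
            continue
        m = _MD5_RE.match(line)
        if m:
            # The log prints MD5 as four 8-hex-digit groups; normalise to 32 digits.
            result["md5"] = re.sub(r"\s+", "", m.group(1)).upper()
            continue
        m = _VALUE_RE.match(line)
        if m:
            result["values"][m.group(1)] = m.group(3).strip()
    return result


def appinit_dlls_loaded(values):
    """True when AppInit_DLLs names at least one DLL; an empty value is the clean state."""
    return bool(values.get("AppInit_DLLs", "").strip())


def hash_like_log(data):
    """CRC-32 and MD5 of data in the notation FINDnFIX prints (uppercase, MD5 grouped)."""
    crc = "%08X" % (zlib.crc32(data) & 0xFFFFFFFF)
    md5 = hashlib.md5(data).hexdigest().upper()
    return crc, " ".join(md5[i:i + 8] for i in range(0, 32, 8))


def matches_log(data, parsed):
    """Does a file's content match the CRC-32 and MD5 the log reported for the sample?"""
    crc, md5 = hash_like_log(data)
    return crc == parsed["crc32"] and md5.replace(" ", "") == parsed["md5"]


if __name__ == "__main__":
    parsed = parse_findnfix_log(SAMPLE_LOG)
    print("quarantined file:", parsed["file"])
    print("AppInit_DLLs set:", appinit_dlls_loaded(parsed["values"]))
    print("constructed bytes match logged hashes:", matches_log(b"abc", parsed))
```

To check a real quarantined file, read it in binary mode and pass the bytes to matches_log together with the parsed log; a mismatch means the file on disk is not the one the log described, which is worth knowing before sending it anywhere for analysis.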

netquik
09-07-2004, 17:18
okay.. looks like it might be done...

last step


FINDnFIX\Files2

run ZIPZAP.bat

it will do the rest of the cleanup and may offer to e-mail the infected files... do as you see fit... it's for analysing them...


once that's done, reboot and delete the FINDnFIX folder

now post the HijackThis log...

GiulioM
09-07-2004, 17:22
Done
sent the e-mail too...let's hope
Maaaaan, what a pain

I'm posting the HijackThis log but it was clean before too...I think the only thing missing was that infested dll

do I need to delete anything else?

Logfile of HijackThis v1.98.0
Scan saved at 18.17.33, on 09/07/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
d:\AVG6\avgserv.exe
C:\Programmi\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Programmi\ISS\BlackICE\blackice.exe
C:\Programmi\ICQ\ICQ.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\emule\emule.exe
D:\HackScan\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Programmi\ICQ\NDetect.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Programmi\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download using Download &Express - file://D:\Download Express\Add_Url.htm
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6701D5A5-BC37-4063-805E-7A9B3BB91AFA}: NameServer = 217.141.104.205 151.99.125.1

netquik
09-07-2004, 17:34
well, it looks as clean as a baby's bottom after a bath...


let's hope...

bye... and I hope I was helpful

GiulioM
09-07-2004, 17:40
Let's hooope

Wow, how infested it was!!

Thanks! :)