PDA

View Full Version : dirottamento del browser

gaeperri
13-11-2004, 22:07
Ho provato di tutto, anche quanto consigliato nel forum. Vi listo la "Stratuplist" AIUTATEMIIIIIIIIIIII.

StartupList report, 13/11/2004, 14.44.42
StartupList version: 1.52
Started from : C:\DOCUME~1\GAETAN~1\IMPOST~1\Temp\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
F:\PROGRAMMI\NORTON\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Programmi\File comuni\WinTools\WToolsS.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
F:\PROGRAMMI\NORTON\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\MSN Apps\Updater\01.02.3000.1001\it\msnappau.exe
C:\WINDOWS\system32\letsroll.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Programmi\File comuni\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Toolbar\PIB.exe
C:\Programmi\Nikon\NkView6\NkvMon.exe
C:\Programmi\File comuni\WinTools\WSup.exe
C:\Programmi\Microsoft Office\Office\1040\msoffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\GAETAN~1\IMPOST~1\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Gaetano PERROTTA\Menu Avvio\Programmi\Esecuzione automatica]
Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
NkvMon.exe.lnk = C:\Programmi\Nikon\NkView6\NkvMon.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica]
Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
GSICONEXE = GSICON.EXE
DSLAGENTEXE = dslagent.exe USB
msnappau = "C:\Programmi\MSN Apps\Updater\01.02.3000.1001\it\msnappau.exe"
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
system = C:\WINDOWS\system32\letsroll.exe
ccApp = "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
URLLSTCK.exe = F:\PROGRAMMI\NORTON\UrlLstCk.exe
SSC_UserPrompt = C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
QuickTime Task = "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
WinTools = C:\Programmi\File comuni\WinTools\WToolsA.exe
TBPS = C:\Programmi\Toolbar\TBPS.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
msnmsgr = "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
Symantec NetDriver Warning = C:\PROGRA~1\SYMNET~1\SNDWarn.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Programmi\NewDotNet\newdotnet6_38.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\FILECO~1\WinTools\WToolsB.dll - {87766247-311C-43B4-8499-3D5FEC94A183}
(no name) - C:\Programmi\Toolbar\toolbar.dll - {8952A998-1E7E-4716-B23D-3DBE03910972}
(no name) - C:\Programmi\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
Web assistant - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
(no name) - C:\Programmi\MSN Apps\MSN Toolbar\01.02.3000.1001\it\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
NAV Helper - F:\PROGRAMMI\NORTON\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Avvio ottimizzazione applicazione.job
Utilità di pianificazione di Prevenzione e risoluzione dei problemi per Raccolta dati.job
Symantec NetDetect.job
{0DBB8607-2469-4604-9C2C-08B9D316121A}_Default.job
{4D4F8DD4-0648-4ED6-8509-B243F036266D}_Default.job
{80180815-867D-4D13-9E78-FB7D8A080389}_Default.job
{8D150EEB-D55C-400D-BC06-60680B6180A0}_Gaetano PERROTTA.job
{1C654E7A-C328-45A7-835A-28CDC47A7C6C}_Gaetano PERROTTA.job
{A329ADB7-71EB-46C0-B4C0-B97B1746CE7E}_Gaetano PERROTTA.job
Disinstalla Promemoria scadenza.job

--------------------------------------------------

Enumerating Download Program Files:

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YACSCOM.DLL
CODEBASE = http://cs6.chat.yahoo.com/v43/yacscom.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37919.1735416667

[MSN Photo Upload Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
CODEBASE = http://communities.msn.it/scr/MsnPUpld.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\GAETAN~1\IMPOST~1\Temp\~611026.tmp


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7.950 bytes
Report generated in 0,180 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
:muro:
Dëck†
13-11-2004, 23:23
Prova a dare una ripulita con questo:

http://www.intermute.com/spysubtract/cwshredder_download.html

ricorda di disabilitare il system restore e di chiudere tutte le finestre di explorer prima...
gaeperri
13-11-2004, 23:44
Ho provato ma nulla da fare. Il file in questione che non riesco a cancellare è:

C:\Programmi\File comuni\WinTools\WToolsS.exe

Come posso fare?
wgator
14-11-2004, 00:12
Ciao,

la tua "startup list" indica parecchi processi legati a toolbar e schifezze assortite. I processi seguenti andrebbero tutti eliminati, unitamente alle cartelle "toolbar" e "wintools", naturalmente riavviando in modalità provvisoria.


C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Programmi\File comuni\WinTools\WToolsS.exe
C:\Programmi\File comuni\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Programmi\Toolbar\PIB.exe
C:\Programmi\File comuni\WinTools\WSup.exe

Naturalmente devi attivare la visualizzazione di file e cartelle nascoste e di sistema, devi cancellare tutti i file temporanei, i temporanei di internet e disattivare il system restore.

Il log però dovresti generarlo con hijackthis (http://www.majorgeeks.com/download3155.html) che fornisce un quadro molto più completo