View Full Version : HiJackThis - Analisi Log - leggere Regole di Sezione
bReAkDoWn
07-11-2006, 20:44
gromozon removal tool mi dice questo :
The Trojan.Gromozon rootkit component was not found on the system.
Do you wish to continue anyway ?
quindi io dico no...ho provato anche ad andare avanti quindi mi fa riavviare e poi nn succede nulla....
questo lo faccio sempre in mod. provvisoria ??
questo è indifferente..
TuLKaS85
07-11-2006, 21:16
allora :
eliminate quelle chiavi...con hijackthis
poi
in servizi connessioni ci sono un casino di servizi di rete e sistema locale, ma ho beccato anche il possibile problema, c'è una voce che si chiama .\OUrNkcZShjVt faccio proprietà ed esce avvia automatico, inutile dire che non me lo fa disabilitare (nemmeno in provvisoria).
lo genera un certo file copio il percorso "C:\Programmi\File comuni\System\ibL.exe" in quella cartella system ce ne sono altri di file strani... alcuni sn riuscito a cancellarli ma questo ibl.exe anche rinominandolo non và via !! ho provato anche killbox facendo remove on rebot....
come faccio ???
ma soprattutto come succedono ste cose ??
ho il mio bel antivirus l'antispyware zone alarm :cry:
bReAkDoWn
07-11-2006, 21:41
allora :
eliminate quelle chiavi...con hijackthis
poi
in servizi connessioni ci sono un casino di servizi di rete e sistema locale, ma ho beccato anche il possibile problema, c'è una voce che si chiama .\OUrNkcZShjVt faccio proprietà ed esce avvia automatico, inutile dire che non me lo fa disabilitare (nemmeno in provvisoria).
lo genera un certo file copio il percorso "C:\Programmi\File comuni\System\ibL.exe" in quella cartella system ce ne sono altri di file strani... alcuni sn riuscito a cancellarli ma questo ibl.exe anche rinominandolo non và via !! ho provato anche killbox facendo remove on rebot....
come faccio ???
ma soprattutto come succedono ste cose ??
ho il mio bel antivirus l'antispyware zone alarm :cry:
Allora innanzitutto quei file possono cambiare ad ogni reboot, quindi ogni volta devi controllare nei servizi se il nome del file cambia. Tu hai provato a rinominarlo, riavviare e cancellarlo dopo il reboot? Non a rinominarlo e a cancellarlo subito..
Quindi in generale ogni volta che provi parti sempre da services, e guarda il nome nome del file su cui devi lavorare.
TuLKaS85
07-11-2006, 21:53
si ho rinominato riavviato riprovato a cancellare ma mi dice impossibile il disco è pieno
stessa cosa da modalità provvisoria
in services mi dice che il file eseguibile è sempre lo stesso.... cioè quello di partenza... ora xò ha un nome diverso!
il servizio si chiama NetRco lo stato non è su avviato cmq....
bReAkDoWn
07-11-2006, 21:56
si ho rinominato riavviato riprovato a cancellare ma mi dice impossibile il disco è pieno
stessa cosa da modalità provvisoria
http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP
prova con questo tool. Lo esegui, e selezioni il file in questione.
TuLKaS85
07-11-2006, 22:05
http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP
prova con questo tool. Lo esegui, e selezioni il file in questione.
ok il tool lo ha eliminato.... ora sn andato in services ed ho disabilitato quello incriminato.... ora ?? (leggendo cosa avrebbe dovuto fare quella voce, diceva ke si occupava del ripristino della conf. di sistema...)
se provo a cancellare le cartelle che ad ogni riavvio ricompaiono dovrei avere successo stavolta ??
bReAkDoWn
07-11-2006, 22:15
ok il tool lo ha eliminato.... ora sn andato in services ed ho disabilitato quello incriminato.... ora ?? (leggendo cosa avrebbe dovuto fare quella voce, diceva ke si occupava del ripristino della conf. di sistema...)
se provo a cancellare le cartelle che ad ogni riavvio ricompaiono dovrei avere successo stavolta ??
Adesso dovresti ricontrollare in services il nome del servizio, aprire un prompt dei comandi (start menu -> esegui -> cmd) e digitare sc delete nomeservizio
Poi riavviare e verificare che: in services.msc non siano ricomparsi servizi con nomi casuali nel campo connessione.
Fare un log con hijackthis e magari ripostarlo qua.
Scaricare gmer (www.gmer.net) e fare due log: rootkit e autostart e incollarli qua come per hijackthis.
Poi siamo vicini alla fine :)
TuLKaS85
07-11-2006, 22:27
il servizio incrimintao è saprito dopo il riavvio..... ecco il log hijackthis :
Logfile of HijackThis v1.99.1
Scan saved at 23.25.54, on 07/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\SpamWeed\spamweed.exe
C:\Programmi\SpamWeed\swengine.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Fabio\Desktop\setup_2006\hijackthis1991\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Hotplug] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpamWeed.lnk = C:\Programmi\SpamWeed\spamweed.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ARCGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
bReAkDoWn
07-11-2006, 22:32
il servizio incrimintao è saprito dopo il riavvio.....
Il log è pulito. Controlla se quelle cartelle ricompaiono o meno, poi se vuoi controllare più approfonditamente fai i log con gmer, altrimenti aspetta e vedi se si presentano altri sintomi nei prossimi giorni. A te la scelta, ciao!
TuLKaS85
07-11-2006, 22:38
autostart con GMER (per il rootkit devo copiare tutto il casino che è uscito al termine della scansione ????):
GMER 1.0.12.11889 - http://www.gmer.net
Autostart scan 2006-11-07 23:36:48
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck autochk * /*file not found*/
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\SYSTEM\CurrentControlSet\Control\WOW@cmdline = %SystemRoot%\system32\ntvdm.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@ShellExplorer.exe = Explorer.exe
@System =
@UIHostlogonui.exe = logonui.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
crypt32chain@DLLName = crypt32.dll
cryptnet@DLLName = cryptnet.dll
cscdll@DLLName = cscdll.dll
ScCertProp@DLLName = wlnotify.dll
Schedule@DLLName = wlnotify.dll
sclgntfy@DLLName = sclgntfy.dll
SensLogn@DLLName = WlNotify.dll
termsrv@DLLName = wlnotify.dll
wlballoon@DLLName = wlnotify.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs =
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AntiVirScheduler /*AntiVir PersonalEdition Classic Scheduler*/@ = C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
AntiVirService /*AntiVir PersonalEdition Classic Guard*/@ = C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
ARCGIS License Manager /*ARCGIS License Manager*/@ = C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
AudioSrv /*Audio Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Browser /*Browser di computer*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
CryptSvc /*Servizi di crittografia*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
DcomLaunch /*Utilità di avvio processo server DCOM*/@ = %SystemRoot%\system32\svchost -k DcomLaunch
Dhcp /*Client DHCP*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
dmserver /*Gestione dischi logici*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Dnscache /*Client DNS*/@ = %SystemRoot%\system32\svchost.exe -k NetworkService
ERSvc /*Servizio di segnalazione errori*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Eventlog /*Registro eventi*/@ = %SystemRoot%\system32\services.exe
helpsvc /*Guida in linea e supporto tecnico*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
HidServ /*HID Input Service*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanserver /*Server*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
lanmanworkstation /*Workstation*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
LmHosts /*Helper NetBIOS di TCP/IP*/@ = %SystemRoot%\system32\svchost.exe -k LocalService
matlabserver /*MATLAB Server*/@ = C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
PlugPlay /*Plug and Play*/@ = %SystemRoot%\system32\services.exe
PolicyAgent /*Servizi IPSEC*/@ = %SystemRoot%\system32\lsass.exe
ProtectedStorage /*Archiviazione protetta*/@ = %SystemRoot%\system32\lsass.exe
RemoteRegistry /*Registro di sistema remoto*/@ = %SystemRoot%\system32\svchost.exe -k LocalService
RpcSs /*RPC (Remote Procedure Call)*/@ = %SystemRoot%\system32\svchost -k rpcss
SamSs /*Gestione account di protezione (SAM)*/@ = %SystemRoot%\system32\lsass.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
seclogon /*Accesso secondario*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
SENS /*Notifica eventi di sistema*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
sfrem01 /*SF FrontLine Drivers Auto Removal (v1)*/@ = %SystemRoot%\system32\sfrem01.exe svc
SharedAccess /*Windows Firewall / Condivisione connessione Internet (ICS)*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
ShellHWDetection /*Rilevamento hardware shell*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
srservice /*Servizio Ripristino configurazione di sistema*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
stisvc /*Acquisizione di immagini di Windows (WIA)*/@ = %SystemRoot%\system32\svchost.exe -k imgsvc
Themes /*Temi*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
TrkWks /*Manutenzione collegamenti distribuiti client*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
W32Time /*Ora di Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
WebClient /*WebClient*/@ = %SystemRoot%\system32\svchost.exe -k LocalService
winmgmt /*Strumentazione gestione Windows*/@ = %systemroot%\system32\svchost.exe -k netsvcs
wscsvc /*Centro sicurezza PC*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
wuauserv /*Aggiornamenti automatici*/@ = %systemroot%\system32\svchost.exe -k netsvcs
WZCSVC /*Zero Configuration reti senza fili*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@HotplugC:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe = C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
@SiSRaidC:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe = C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
@SoundMAXPnPC:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe = C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
@SoundMAX"C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray = "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
@avgnt"C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
@!AVG Anti-Spyware"C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
@NWEReboot /*file not found*/ = /*file not found*/
@SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe" = "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@PostBootReminder%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@CDBurn%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@WebCheck%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@SysTrayC:\WINDOWS\system32\stobject.dll = C:\WINDOWS\system32\stobject.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler >>>
@{438755C2-A8BA-11D1-B96B-00A0C90312E1}%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{8C7461EF-2B13-11d2-BE35-3078302C2030}%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
HKLM\Software\Classes\Folder\shell\open\command@ = %SystemRoot%\Explorer.exe /idlist,%I,%L
HKLM\Software\Classes\Folder\shell\explore\command@ = %SystemRoot%\Explorer.exe /e,/idlist,%I,%L
HKLM\Software\Classes\ >>>
.exe@ = "%1" %*
.com@ = "%1" %*
.cmd@ = "%1" %*
.bat@ = "%1" %*
.pif@ = "%1" %*
.scr@ = "%1" /S
.hta@ = C:\WINDOWS\system32\mshta.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{AEB6717E-7E19-11d0-97EE-00C04FD91972}shell32.dll = shell32.dll
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{00022613-0000-0000-C000-000000000046} /*Proprietà dei file Multimedia*/mmsys.cpl = mmsys.cpl
@{176d6597-26d3-11d1-b350-080036a75b03} /*Gestore scanner ICM*/icmui.dll = icmui.dll
@{1F2E5C40-9550-11CE-99D2-00AA006E086C} /*Pagina di protezione NTFS*/rshx32.dll = rshx32.dll
@{3EA48300-8CF6-101B-84FB-666CCB9BCD32} /*Pagina di proprietà di Docfile OLE*/docprop.dll = docprop.dll
@{40dd6e20-7c17-11ce-a804-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/%SystemRoot%\system32\themeui.dll = %SystemRoot%\system32\themeui.dll
@{42071712-76d4-11d1-8b24-00a0c9068ff3} /*Estensione scheda video del Pannello di controllo*/deskadp.dll = deskadp.dll
@{42071713-76d4-11d1-8b24-00a0c9068ff3} /*Estensione monitor del Pannello di controllo*/deskmon.dll = deskmon.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{4E40F770-369C-11d0-8922-00A024AB2DBB} /*Pagina di protezione DS*/dssec.dll = dssec.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Pagina compatibilità*/SlayerXP.dll = SlayerXP.dll
@{56117100-C0CD-101B-81E2-00AA004AE837} /*Gestore dati dei ritagli di shell*/shscrap.dll = shscrap.dll
@{59099400-57FF-11CE-BD94-0020AF85B590} /*Estensione copia dischi*/diskcopy.dll = diskcopy.dll
@{59be4990-f85c-11ce-aff7-00aa003ca9f6} /*Estensioni shell per oggetti Rete Microsoft Windows*/ntlanui2.dll = ntlanui2.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*Gestore monitor ICM*/%SystemRoot%\System32\icmui.dll = %SystemRoot%\System32\icmui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*Gestore stampante ICM*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{764BF0E1-F219-11ce-972D-00AA00A14F56} /*Estensioni shell per la compressione dei file*/(null) =
@{77597368-7b15-11d0-a0c2-080036af3f03} /*Estensione shell per la stampante Web*/printui.dll = printui.dll
@{7988B573-EC89-11cf-9C00-00AA00A14F56} /*Disk Quota UI*/dskquoui.dll = dskquoui.dll
@{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} /*Menu di scelta rapida di crittografia*/(null) =
@{85BBD920-42A0-1069-A2E4-08002B30309D} /*Sincronia file*/syncui.dll = syncui.dll
@{88895560-9AA2-1069-930E-00AA0030EBC8} /*Estensione di icona di HyperTerminal*/C:\WINDOWS\system32\hticons.dll = C:\WINDOWS\system32\hticons.dll
@{BD84B380-8CA2-1069-AB1D-08000948F534} /*Tipi di carattere*/fontext.dll = fontext.dll
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*Profilo ICC*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} /*Pagina di protezione della stampante*/rshx32.dll = rshx32.dll
@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{f92e8c40-3d33-11d2-b1aa-080036a75b03} /*Display TroubleShoot CPL Extension*/deskperf.dll = deskperf.dll
@{7444C717-39BF-11D1-8CD9-00C04FC29D45} /*Estensione Crypto PKO*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7444C719-39BF-11D1-8CD9-00C04FC29D45} /*Estensione firma crittografata*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7007ACC7-3202-11D1-AAD2-00805FC1270E} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{992CFFA0-F557-101A-88EC-00DD010CCC48} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{E211B736-43FD-11D1-9EFB-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{905667aa-acd6-11d2-8080-00805f6596d2} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{3F953603-1008-4f6e-A73A-04AAC7A992F1} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{83bbcbf3-b28a-4919-a5aa-73027445d672} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{F0152790-D56E-4445-850E-4F3117DB740C} /*Remote Sessions CPL Extension*/C:\WINDOWS\system32\remotepg.dll = C:\WINDOWS\system32\remotepg.dll
@{60254CA5-953B-11CF-8C96-00AA00B8708C} /*Estensione shell per Windows Script Host*/C:\WINDOWS\system32\wshext.dll = C:\WINDOWS\system32\wshext.dll
@{2206CDB2-19C1-11D1-89E0-00C04FD7A829} /*Microsoft Data Link*/C:\Programmi\File comuni\system\ole db\oledb32.dll = C:\Programmi\File comuni\system\ole db\oledb32.dll
@{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Icon Handler*/C:\WINDOWS\system32\mstask.dll = C:\WINDOWS\system32\mstask.dll
@{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Shell Extension*/C:\WINDOWS\system32\mstask.dll = C:\WINDOWS\system32\mstask.dll
@{D6277990-4C6A-11CF-8D87-00AA0060F5BF} /*Operazioni pianificate*/C:\WINDOWS\system32\mstask.dll = C:\WINDOWS\system32\mstask.dll
@{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} /*Set Program Access and Defaults*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{5F327514-6C5E-4d60-8F16-D07FA08A78ED} /*Auto Update Property Sheet Extension*/C:\WINDOWS\system32\wuaucpl.cpl = C:\WINDOWS\system32\wuaucpl.cpl
@{0DF44EAA-FF21-4412-828E-260A8728E7F1} /*Barra delle applicazioni e menu di avvio*/(null) =
@{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} /*Cerca*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} /*Esegui...*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} /*Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} /*Posta elettronica*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524152} /*Tipi di carattere*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524153} /*Strumenti di amministrazione*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{E4B29F9D-D390-480b-92FD-7DDB47101D71} /*Wav Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{87D62D94-71B3-4b9a-9489-5FE6850DC73E} /*Avi Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{A6FD9E45-6E44-43f9-8644-08598F5A74D9} /*Midi Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{5E6AB780-7743-11CF-A12B-00AA004AE837} /*Barra degli strumenti Microsoft Internet*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{22BF0C20-6DA7-11D0-B373-00A0C9034938} /*Stato del download*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{91EA3F8B-C99B-11d0-9815-00C04FD91972} /*Shell Folder accresciuto*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{6413BA2C-B461-11d1-A18A-080036B11A03} /*Shell Folder 2 accresciuto*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{F61FFEC1-754F-11d0-80CA-00AA005B4383} /*BandProxy*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{7BA4C742-9E81-11CF-99D3-00AA004AE837} /*Microsoft BrowserBand*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*SearchBand*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{169A0691-8DF9-11d1-A1C4-00C04FD75D13} /*Ricerca all'interno*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{07798131-AF23-11d1-9111-00A0C98BA67D} /*Ricerca Web*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{AF4F6510-F982-11d0-8595-00AA004CD6D8} /*Utilità opzioni della struttura del Registro di sistema*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{01E04581-4EEE-11d0-BFE9-00AA005B4383} /*&Indirizzo*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{A08C11D2-A228-11d0-825B-00AA005B4383} /*Address EditBox*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{00BB2763-6A77-11D0-A535-00C04FD7D062} /*Completamento automatico Microsoft*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{7376D660-C583-11d0-A3A5-00C04FD706EC} /*TridentImageExtractor*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{6756A641-DE71-11d0-831B-00AA005B4383} /*Elenco di Completamento automatico MRU*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} /*Elenco di Completamento automatico MRU personalizzato*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{7e653215-fa25-46bd-a339-34a2790f3cb7} /*Accessibile*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{acf35015-526e-4230-9596-becbe19f0ac9} /*Indicatore di avanzamento popup*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{00BB2764-6A77-11D0-A535-00C04FD7D062} /*Elenco di Completamento automatico della Cronologia di Microsoft*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{03C036F1-A186-11D0-824A-00AA005B4383} /*Elenco di Completamento automatico di Shell Folder di Microsoft*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{00BB2765-6A77-11D0-A535-00C04FD7D062} /*Contenitore dell'elenco di Completamento automatico multiplo Microsoft*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{ECD4FC4E-521C-11D0-B792-00A0C90312E1} /*Shell Band Site Menu*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} /*Shell DeskBarApp*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{ECD4FC4C-521C-11D0-B792-00A0C90312E1} /*Shell DeskBar*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{ECD4FC4D-521C-11D0-B792-00A0C90312E1} /*Shell Rebar BandSite*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{DD313E04-FEFF-11d1-8ECD-0000F87A470C} /*Assistenza utente*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} /*Impostazioni cartella globale*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{EFA24E61-B078-11d0-89E4-00C04FC9E26E} /*Favorites Band*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{0A89A860-D7B1-11CE-8350-444553540000} /*Shell Automation Inproc Service*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} /*Microsoft Browser Architecture*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/shdocvw.dll = shdocvw.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Servizio Cronologia Url Microsoft*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*Cronologia*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Hook per la ricerca di URL Microsoft*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} /*Schermata iniziale applicazioni Internet Explorer 4*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{67EA19A0-CCEF-11d0-8024-00C04FD75D13} /*CDF Extension Copy Hook*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{131A6951-7F78-11D0-A979-00C04FD705A2} /*ISFBand OC*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{9461b922-3c5a-11d2-bf8b-00c04fb93661} /*Search Assistant OC*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{EFA24E64-B078-11d0-89E4-00C04FC9E26E} /*Explorer Band*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\system32\sendmail.dll = C:\WINDOWS\system32\sendmail.dll
@{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\system32\sendmail.dll = C:\WINDOWS\system32\sendmail.dll
@{88C6C381-2E85-11D0-94DE-444553540000} /*Cartella cache ActiveX*/%SystemRoot%\system32\occache.dll = %SystemRoot%\system32\occache.dll
@{E6FB5E20-DE35-11CF-9C87-00AA005127ED} /*WebCheck*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} /*Subscription Mgr*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{F5175861-2688-11d0-9C5E-00AA00A45957} /*Cartella Subscription*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{08165EA0-E946-11CF-9C87-00AA005127ED} /*WebCheckWebCrawler*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} /*WebCheckChannelAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} /*TrayAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{7D559C10-9FE9-11d0-93F7-00AA0059CE02} /*Code Download Agent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} /*ConnectionAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{D8BD2030-6FC9-11D0-864F-00AA006809D9} /*PostAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} /*WebCheck SyncMgr Handler*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{352EC2B7-8B9A-11D1-B8AE-006008059382} /*Gestione applicazioni shell*/%SystemRoot%\system32\appwiz.cpl = %SystemRoot%\system32\appwiz.cpl
@{0B124F8F-91F0-11D1-B8B5-006008059382} /*Enumeratore applicazioni installate*/%SystemRoot%\system32\appwiz.cpl = %SystemRoot%\system32\appwiz.cpl
@{CFCCC7A0-A282-11D1-9082-006008059382} /*Darwin App Publisher*/%SystemRoot%\system32\appwiz.cpl = %SystemRoot%\system32\appwiz.cpl
@{e84fda7c-1d6a-45f6-b725-cb260c236066} /*Shell Image Verbs*/%SystemRoot%\system32\shimgvw.dll = %SystemRoot%\system32\shimgvw.dll
@{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} /*Shell Image Data Factory*/%SystemRoot%\system32\shimgvw.dll = %SystemRoot%\system32\shimgvw.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*GDI + programma di estrazione file in anteprima*/C:\WINDOWS\system32\shimgvw.dll = C:\WINDOWS\system32\shimgvw.dll
@{9DBD2C50-62AD-11d0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINDOWS\system32\shimgvw.dll = C:\WINDOWS\system32\shimgvw.dll
@{EAB841A0-9550-11cf-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINDOWS\system32\shimgvw.dll = C:\WINDOWS\system32\shimgvw.dll
@{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} /*Shell Image Property Handler*/%SystemRoot%\system32\shimgvw.dll = %SystemRoot%\system32\shimgvw.dll
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Pubblicazione guidata sul Web*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Ordinazione di stampe tramite Web*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Oggetto Pubblicazione guidata sul Web*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{58f1f272-9240-4f51-b6d4-fd63d1618591} /*Creazione guidata profilo Passport*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{7A9D77BD-5403-11d2-8785-2E0420524153} /*Account utente*/(null) =
@{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} /*Cartella compressa*/%SystemRoot%\system32\zipfldr.dll = %SystemRoot%\system32\zipfldr.dll
@{BD472F60-27FA-11cf-B8B4-444553540000} /*Compressed (zipped) Folder Right Drag Handler*/%SystemRoot%\system32\zipfldr.dll = %SystemRoot%\system32\zipfldr.dll
@{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} /*Compressed (zipped) Folder SendTo Target*/%SystemRoot%\system32\zipfldr.dll = %SystemRoot%\system32\zipfldr.dll
@{f39a0dc0-9cc8-11d0-a599-00c04fd64433} /*File del canale*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} /*Collegamento al canale*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} /*Channel Handler Object*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{f3da0dc0-9cc8-11d0-a599-00c04fd64437} /*Channel Menu*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} /*Channel Properties*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{63da6ec0-2e98-11cf-8d82-444553540000} /*FTP Folders Webview*/C:\WINDOWS\system32\msieftp.dll = C:\WINDOWS\system32\msieftp.dll
@{883373C3-BF89-11D1-BE35-080036B11A03} /*Microsoft DocProp Shell Ext*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{A9CF0EAE-901A-4739-A481-E35B73E47F6D} /*Microsoft DocProp Inplace Edit Box Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{8EE97210-FD1F-4B19-91DA-67914005F020} /*Microsoft DocProp Inplace ML Edit Box Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} /*Microsoft DocProp Inplace Droplist Combo Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{6A205B57-2567-4A2C-B881-F787FAB579A3} /*Microsoft DocProp Inplace Calendar Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} /*Microsoft DocProp Inplace Time Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{8A23E65E-31C2-11d0-891C-00A024AB2DBB} /*Directory Query UI*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} /*Directory Object Find*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{F020E586-5264-11d1-A532-0000F8757D7E} /*Directory Start/Search Find*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{0D45D530-764B-11d0-A1CA-00AA00C16E65} /*Directory Property UI*/%SystemRoot%\system32\dsuiext.dll = %SystemRoot%\system32\dsuiext.dll
@{62AE1F9A-126A-11D0-A14B-0800361B1103} /*Directory Context Menu Verbs*/%SystemRoot%\system32\dsuiext.dll = %SystemRoot%\system32\dsuiext.dll
@{ECF03A33-103D-11d2-854D-006008059367} /*MyDocs Copy Hook*/%SystemRoot%\system32\mydocs.dll = %SystemRoot%\system32\mydocs.dll
@{ECF03A32-103D-11d2-854D-006008059367} /*MyDocs Drop Target*/%SystemRoot%\system32\mydocs.dll = %SystemRoot%\system32\mydocs.dll
@{4a7ded0a-ad25-11d0-98a8-0800361b1103} /*MyDocs Properties*/%SystemRoot%\system32\mydocs.dll = %SystemRoot%\system32\mydocs.dll
@{750fdf0e-2a26-11d1-a3ea-080036587f03} /*Offline Files Menu*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{10CFC467-4392-11d2-8DB4-00C04FA31A66} /*Offline Files Folder Options*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} /*Cartella file non in linea*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{143A62C8-C33B-11D1-84FE-00C04FA34A14} /*Microsoft Agent Character Property Sheet Handler*/C:\WINDOWS\msagent\agentpsh.dll = C:\WINDOWS\msagent\agentpsh.dll
@{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} /*DfsShell*/C:\WINDOWS\system32\dfsshlex.dll = C:\WINDOWS\system32\dfsshlex.dll
@{60fd46de-f830-4894-a628-6fa81bc0190d} /*%DESC_PublishDropTarget%*/%SystemRoot%\system32\photowiz.dll = %SystemRoot%\system32\photowiz.dll
@{7A80E4A8-8005-11D2-BCF8-00C04F72C717} /*MMC Icon Handler*/%SystemRoot%\System32\mmcshext.dll = %SystemRoot%\System32\mmcshext.dll
@{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} /*.CAB file viewer*/cabview.dll = cabview.dll
@{32714800-2E5F-11d0-8B85-00AA0044F941} /*&Contatti...*/C:\Programmi\Outlook Express\wabfind.dll = C:\Programmi\Outlook Express\wabfind.dll
@{8DD448E6-C188-4aed-AF92-44956194EB1F} /*Windows Media Player Play as Playlist Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} /*Windows Media Player Burn Audio CD Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} /*Windows Media Player Add to Playlist Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{1D2680C9-0E2A-469d-B787-065558BC7D43} /*Fusion Cache*/C:\WINDOWS\system32\mscoree.dll = C:\WINDOWS\system32\mscoree.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{640167b4-59b0-47a6-b335-a6b3c0695aea} /*Portable Media Devices*/%SystemRoot%\system32\Audiodev.dll = %SystemRoot%\system32\Audiodev.dll
@{cc86590a-b60a-48e6-996b-41d25ed39a1e} /*Portable Media Devices Menu*/%SystemRoot%\system32\Audiodev.dll = %SystemRoot%\system32\Audiodev.dll
@{6B19FEC2-A45B-11CF-9045-00A0C9039735} /*Registered ActiveX Controls*/C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL = C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
@{D545EBD1-BD92-11CF-8772-00A0C9039735} /*Developer Studio Components*/C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL = C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
@{8F7261D0-D2B9-11D2-9909-00605205B24C} /*CuteFTP Shell Extension*/C:\Programmi\GlobalSCAPE\CuteFTP\Cuteshell.dll = C:\Programmi\GlobalSCAPE\CuteFTP\Cuteshell.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
CuteFTP@{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Programmi\GlobalSCAPE\CuteFTP\Cuteshell.dll
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Open With@{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
Open With EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} = %SystemRoot%\system32\SHELL32.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
CuteFTP@{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Programmi\GlobalSCAPE\CuteFTP\Cuteshell.dll
EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Sharing@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Filter\ >>>
application/octet-stream@CLSID = C:\WINDOWS\system32\mscoree.dll
application/x-complus@CLSID = C:\WINDOWS\system32\mscoree.dll
application/x-msdownload@CLSID = C:\WINDOWS\system32\mscoree.dll
Class Install Handler@CLSID = C:\WINDOWS\system32\urlmon.dll
deflate@CLSID = C:\WINDOWS\system32\urlmon.dll
gzip@CLSID = C:\WINDOWS\system32\urlmon.dll
lzdhtml@CLSID = C:\WINDOWS\system32\urlmon.dll
text/webviewhtml@CLSID = %SystemRoot%\system32\SHELL32.dll
text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
about@CLSID = %SystemRoot%\system32\mshtml.dll
cdl@CLSID = C:\WINDOWS\system32\urlmon.dll
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
file@CLSID = C:\WINDOWS\system32\urlmon.dll
ftp@CLSID = C:\WINDOWS\system32\urlmon.dll
gopher@CLSID = C:\WINDOWS\system32\urlmon.dll
http@CLSID = C:\WINDOWS\system32\urlmon.dll
https@CLSID = C:\WINDOWS\system32\urlmon.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
javascript@CLSID = %SystemRoot%\system32\mshtml.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
local@CLSID = C:\WINDOWS\system32\urlmon.dll
mailto@CLSID = %SystemRoot%\system32\mshtml.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
mk@CLSID = C:\WINDOWS\system32\urlmon.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
res@CLSID = %SystemRoot%\system32\mshtml.dll
sysimage@CLSID = %SystemRoot%\system32\mshtml.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
vbscript@CLSID = %SystemRoot%\system32\mshtml.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain =
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\System32\mswsock.dll
000000000002@LibraryPath = %SystemRoot%\System32\winrnr.dll
000000000003@LibraryPath = %SystemRoot%\System32\mswsock.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000004@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000005@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
SpamWeed.lnk = SpamWeed.lnk
---- EOF - GMER 1.0.12 ----
TuLKaS85
07-11-2006, 22:42
cavoli che log esagerato, nn penso ke nessuno si metterà a controllarlo mai !!
spero di aver copiato la cosa giusta... cmq ora stacco domani come dico di solito mi tocca svegliare il gallo !! :D :D
grazie ancora !!
bReAkDoWn
07-11-2006, 22:49
autostart con GMER (per il rootkit devo copiare tutto il casino che è uscito al termine della scansione ????):
---
Di solito non viene enorme. Controlla che l'opzione "show all" non sia selezionata e prova a rifare la scansione chiudendo tutte le applicazioni aperte ed evitando di fare qualsiasi cosa finchè non sia terminata. Poi posta il risultato sul forum, se entra in un messaggio :)
TuLKaS85
08-11-2006, 14:47
ecco il log dell'autostart con gmer ....
GMER 1.0.12.11889 - http://www.gmer.net
Autostart scan 2006-11-08 15:46:08
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AntiVirScheduler /*AntiVir PersonalEdition Classic Scheduler*/@ = C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
AntiVirService /*AntiVir PersonalEdition Classic Guard*/@ = C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
ARCGIS License Manager /*ARCGIS License Manager*/@ = C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
matlabserver /*MATLAB Server*/@ = C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
sfrem01 /*SF FrontLine Drivers Auto Removal (v1)*/@ = %SystemRoot%\system32\sfrem01.exe svc
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@HotplugC:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe = C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
@SiSRaidC:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe = C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
@SoundMAXPnPC:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe = C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
@SoundMAX"C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray = "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
@avgnt"C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
@!AVG Anti-Spyware"C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
@NWEReboot /*file not found*/ = /*file not found*/
@SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe" = "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{6B19FEC2-A45B-11CF-9045-00A0C9039735} /*Registered ActiveX Controls*/C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL = C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
@{D545EBD1-BD92-11CF-8772-00A0C9039735} /*Developer Studio Components*/C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL = C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
@{8F7261D0-D2B9-11D2-9909-00605205B24C} /*CuteFTP Shell Extension*/C:\Programmi\GlobalSCAPE\CuteFTP\Cuteshell.dll = C:\Programmi\GlobalSCAPE\CuteFTP\Cuteshell.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
CuteFTP@{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Programmi\GlobalSCAPE\CuteFTP\Cuteshell.dll
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
CuteFTP@{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Programmi\GlobalSCAPE\CuteFTP\Cuteshell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
SpamWeed.lnk = SpamWeed.lnk
---- EOF - GMER 1.0.12 ----
TuLKaS85
08-11-2006, 14:48
per l'analisi del rootkit ho inserito tutte le partizioni e spuntato (come di default) tutte le voci :
GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-08 15:54:26
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT a347bus.sys ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT a347bus.sys ZwSetSystemPowerState
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!ZwYieldExecution + 13B 804E4FFC 8 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 177 804E5038 8 Bytes
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8679F290
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 86562AA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B7AE8230] vsdatant.sys
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 86275B48
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86275B48
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 863A5F88
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 86275B48
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 86275B48
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 86275D08
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 86275D08
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_CREATE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_CREATE_NAMED_PIPE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_CLOSE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_READ 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_WRITE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_QUERY_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_SET_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_QUERY_EA 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_SET_EA 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_FLUSH_BUFFERS 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_SET_VOLUME_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_DIRECTORY_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_DEVICE_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_SHUTDOWN 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_LOCK_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_CLEANUP 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_CREATE_MAILSLOT 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_QUERY_SECURITY 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_SET_SECURITY 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_POWER 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_SYSTEM_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_DEVICE_CHANGE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_QUERY_QUOTA 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_SET_QUOTA 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 IRP_MJ_PNP 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_NAMED_PIPE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLOSE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_READ 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_WRITE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_EA 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_EA 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FLUSH_BUFFERS 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_VOLUME_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_VOLUME_INFORMATION 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DIRECTORY_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FILE_SYSTEM_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SHUTDOWN 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_LOCK_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLEANUP 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_MAILSLOT 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_SECURITY 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_SECURITY 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_POWER 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SYSTEM_CONTROL 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CHANGE 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_QUOTA 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_QUOTA 86275D08
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_PNP 86275D08
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 85D77CD0
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B7AE8230] vsdatant.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 86321AD8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [B7AE8230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B7AE8230] vsdatant.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 86321AD8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 863A2E90
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 863A19D8
Device \Driver\SiSRaid2 \Device\Scsi\SiSRaid21 IRP_MJ_INTERNAL_DEVICE_CONTROL 8679E668
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_NAMED_PIPE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLOSE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_READ 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_WRITE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_INFORMATION 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_INFORMATION 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_EA 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_EA 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FLUSH_BUFFERS 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_VOLUME_INFORMATION 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_VOLUME_INFORMATION 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DIRECTORY_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FILE_SYSTEM_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SHUTDOWN 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_LOCK_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLEANUP 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_MAILSLOT 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_SECURITY 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_SECURITY 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_POWER 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SYSTEM_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CHANGE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_QUOTA 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_QUOTA 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP 86006E38
Device \Driver\SiSRaid2 \Device\Scsi\SiSRaid21Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8679E668
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CLOSE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_READ 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_WRITE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_INFORMATION 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_EA 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_EA 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SHUTDOWN 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CLEANUP 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_SECURITY 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_POWER 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_QUOTA 86006E38
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_PNP 86006E38
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 86562AA0
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 862B0148
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 862B0148
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 862B0148
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 862B0148
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 862B0148
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 8636C9E0
---- Modules - GMER 1.0.12 ----
Module _________ F776B000
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
ADS C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\miryvip@hotmail.it\SharingMetadata\veshaj@hotmail.it\DFSR\Staging\CS{4B644863-A00E-7CB5-69AB-221F3EC938FF}\01\10-{4B644863-A00E-7CB5-69AB-221F3EC938FF}-v1-{F34975D2-EF18-4B6C-A79E-8087628FCF2F}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
---- EOF - GMER 1.0.12 ----
Confermo quello che gli avevi detto tu:
inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
quelli andavano assolutamente fixati.
Ciao!
Non volevo mettere in dubbio il vostro aiuto,non mi permetterei mai data la mia ridotta conoscenza di HiJack.Cmq anche inserendo i dns di alice 4 mega funziona.Peccato che il mio problema di ricerca su google persista...nella sezione "immagini" ho notato che non mi reindirizza su strani siti,in quella "web" ai primi 4-5 tentativi si.Ciaoo
bReAkDoWn
08-11-2006, 17:33
per l'analisi del rootkit ho inserito tutte le partizioni e spuntato (come di default) tutte le voci :
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE ADS C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\miryvip@hotmail.it\SharingMetadata\veshaj@hotmail.it\DFSR\Staging\CS{4B644863-A00E-7CB5-69AB-221F3EC938FF}\01\10-{4B644863-A00E-7CB5-69AB-221F3EC938FF}-v1-{F34975D2-EF18-4B6C-A79E-8087628FCF2F}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Ci sono questi due ads (è come se fossero file "nascosti" dentro ad altri file) che sono rimasti. Quello chiamato 2A81F9CE puoi toglierlo, l'altro non so cosa sia.
Il programma per gestirli è http://www.merijn.org/programs.php#adsspy
Devi fare una scansione selezionando solo l'opzione di mezzo (Ignore system info ecc.)
2A81F9CE rimuovilo e basta, mentre prova a cliccare con il dx sull'altro e guardane il contenuto le per vedere se all'interno ci fossero informazioni comprensibili. Altrimenti puoi salvarlo (prima view, poi save to disk) e darlo in pasto ad analizzatori online tipo www.virustotal.com
Cmq già a questo punto il tuo sistema dovrebbe essere pulito da infezioni attive, queste sono soltanto "rifiniture".
Hai notato se la velocità di navigazione è tornata come prima?
Che faccio, devo cancellare il file sospetto?
qui il log hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 16.04.52, on 08/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\DOCUME~1\barboon\IMPOST~1\Temp\pgpr1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\PeerGuardian2\pg2.exe
C:\DOCUME~1\barboon\IMPOST~1\Temp\Rar$EX00.297\RMClock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\barboon\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Programmi\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [kav] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [pgpr1.exe] C:\DOCUME~1\barboon\IMPOST~1\Temp\pgpr1.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Programmi\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [RMClock] C:\DOCUME~1\barboon\IMPOST~1\Temp\Rar$EX00.297\RMClock.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SysRit - Unknown owner - C:\DOCUME~1\barboon\IMPOST~1\Temp\30.tmp (file missing)
bReAkDoWn
08-11-2006, 17:42
Non volevo mettere in dubbio il vostro aiuto,non mi permetterei mai data la mia ridotta conoscenza di HiJack.Cmq anche inserendo i dns di alice 4 mega funziona.Peccato che il mio problema di ricerca su google persista...nella sezione "immagini" ho notato che non mi reindirizza su strani siti,in quella "web" ai primi 4-5 tentativi si.Ciaoo
Ciao bordo83, non preoccuparti, io perlomeno non mi sono sentito affatto messo in dubbio; quella sui dns era una verifica che abbiamo fatto io e FoxyLady. Quindi veniamo al problema. Se hai ancora problemi di reindirizzamento, vediamo di indagare un pò più a fondo. Dovresti:
Scaricare gmer (www.gmer.net) e fare due scansioni: rootkit e autostart, copiare i risultati (gmer ha direttamente il pulsante copy) e incollarli in un messaggio qua sul forum. Assicurati che in entrambe le scansioni NON sia selezionata l'opzione show all. Infine, mentre fai la scansione rootkit non utilizzare il pc e chiudi tutte le applicazioni che puoi.
TuLKaS85
08-11-2006, 17:50
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE ADS C:\Documents and Settings\Fabio\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\miryvip@hotmail.it\SharingMetadata\veshaj@hotmail.it\DFSR\Staging\CS{4B644863-A00E-7CB5-69AB-221F3EC938FF}\01\10-{4B644863-A00E-7CB5-69AB-221F3EC938FF}-v1-{F34975D2-EF18-4B6C-A79E-8087628FCF2F}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Ci sono questi due ads (è come se fossero file "nascosti" dentro ad altri file) che sono rimasti. Quello chiamato 2A81F9CE puoi toglierlo, l'altro non so cosa sia.
Il programma per gestirli è http://www.merijn.org/programs.php#adsspy
Devi fare una scansione selezionando solo l'opzione di mezzo (Ignore system info ecc.)
2A81F9CE rimuovilo e basta, mentre prova a cliccare con il dx sull'altro e guardane il contenuto le per vedere se all'interno ci fossero informazioni comprensibili. Altrimenti puoi salvarlo (prima view, poi save to disk) e darlo in pasto ad analizzatori online tipo www.virustotal.com
Cmq già a questo punto il tuo sistema dovrebbe essere pulito da infezioni attive, queste sono soltanto "rifiniture".
Hai notato se la velocità di navigazione è tornata come prima?
scusami quale programma da quel sito devo prendere ?? ibprocman ??
cmq sembra un pò + veloce il browser , xò vedo una cosa strana...sarà xkè ho troppi programmi installati, ho un casino di processi attivi e il task manager non è stabile nel dire l'utilizzo della cpu oscilla sempre 2-3-4 % mentre diciamo che di solito era inchiodato sull'1% o quasi....
TuLKaS85
08-11-2006, 18:00
ho fatto una ricerca con ads spy ma ha trovato solo il primo ads....
l'ho eliminato come suggeritomi...
Astrolina
08-11-2006, 18:06
ecco qui... con l'aiuto di alcuni di voi ho fatto passi da gigante con la rimozione di hacktool.rootkit. Il pc è comunque un po' instabile (più lento e soggetto a recepire schifezze) rispetto a prima e mi è stato consigliato di pubblicare qui il log che riporto di seguito. Temo che non sia ancora tutto a posto... ringrazio tutti per l'aiuto!
Logfile of HijackThis v1.99.1
Scan saved at 19.01.44, on 08/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Norton Internet Security\NISSERV.EXE
C:\Programmi\Norton Internet Security\SymProxySvc.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Programmi\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Programmi\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\MOTTAA~1\IMPOST~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.europe.yahoo.com/config/mail?.intl=it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iamapp] C:\Programmi\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: gwum.lnk = C:\Programmi\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Programmi\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programmi\Norton Internet Security\NISUM.EXE
O23 - Service: Rilevamento Plug&Play (rltpp) - Unknown owner - C:\WINDOWS\downlo~1\zqrfkl\lacy1rj.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
bReAkDoWn
08-11-2006, 21:41
ho fatto una ricerca con ads spy ma ha trovato solo il primo ads....
l'ho eliminato come suggeritomi...
Riguardo al secondo ads non ho informazioni sicure: ho trovato qualche log che presenta lo stesso ads sempre legato a messenger ed è anche possibile che sia legittimo. Al massimo potresti cercare un log di gmer di qualcuno con la tua stessa versione di messenger per vedere se qualcosa di simile è presente anche lì, o postare un messaggio sul forum chiedendo info direttamente su quell'ads. Comunque gli ultimi tuoi log sono puliti e anche se l'ads fosse dannoso non risulta attivo, non ci sono segni di infezioni attive, quindi per la cpu che oscilla non mi preoccuperei più di tanto. Tieni Windows sempre aggiornato e a meno di sintomi nuovi vai tranquillo, antivirus e firewall li hai già.
Se scoprissi qualcosa te lo farò sapere.
TuLKaS85
08-11-2006, 21:48
Riguardo al secondo ads non ho informazioni sicure: ho trovato qualche log che presenta lo stesso ads sempre legato a messenger ed è anche possibile che sia legittimo. Al massimo potresti cercare un log di gmer di qualcuno con la tua stessa versione di messenger per vedere se qualcosa di simile è presente anche lì, o postare un messaggio sul forum chiedendo info direttamente su quell'ads. Comunque gli ultimi tuoi log sono puliti e anche se l'ads fosse dannoso non risulta attivo, non ci sono segni di infezioni attive, quindi per la cpu che oscilla non mi preoccuperei più di tanto. Tieni Windows sempre aggiornato e a meno di sintomi nuovi vai tranquillo, antivirus e firewall li hai già.
Se scoprissi qualcosa te lo farò sapere.
rimane solo il problema di una cartella in programmi :
windows nt che si elima solo da mod.provvisoria, non sembra contenere alcun file ma ha 2 sottodirectory una pinball l'altra accessori.
c'è qualkosa che la ricrea ad ogni avvio
Per Astrolina: Non so se sta bene ora il sistema però so che come antivirus norton è uno dei peggiori perchè rallenta il 50% del pc,non aggiorna spesso le definizioni,non trova le minaccie più recenti,il firewall è sufficiente per la protezione ecc...
Il pc per stare completamente bene devi tenere un antivirus come kaspersky o nod32 (a pagamento) e come antispyware adware se personal e spybot search & destroy(gratuiti).
Poi avvolte devi eseguire delle puliture disco,delle deframmentazioni e degli scan disk. E per finire installati anche un programma molto buono che serve per eliminare i file inutili che occupano solo memoria e l'instabilità del sistema questo programma si chiama CCLEANER scaricabile gratuitamente.
Spero possa esserti d'aiuto
scusate ma credo di avere qualcosa di grave nel mio pc...controllate per favore se sono presenti in background programmi dannosi (trojan o altro)
ditemi se devo eliminare qualcosa
grazie anticipatamente :)
Logfile of HijackThis v1.99.1
Scan saved at 23.05.56, on 08/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\PowerMenu\PowerMenu.exe
C:\Programmi\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\UPHClean\uphclean.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programmi\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Winamp\winamp.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Toro\Documenti\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: PowerMenu.lnk = C:\Programmi\PowerMenu\PowerMenu.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Programmi\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Programmi\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Programmi\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Programmi\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Programmi\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Programmi\ieSpell\iespell.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Programmi\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programmi\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AB7A99F-929C-43B2-B017-A97611C05E07}: NameServer = 85.37.17.49 85.38.28.91
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
bReAkDoWn
08-11-2006, 22:09
rimane solo il problema di una cartella in programmi :
windows nt che si elima solo da mod.provvisoria, non sembra contenere alcun file ma ha 2 sottodirectory una pinball l'altra accessori.
c'è qualkosa che la ricrea ad ogni avvio
E' vero! L'avevo dimenticato.. :) Uhmm.. è una cosa curiosa, soprattutto per il fatto che non ha file al proprio interno.. Prova questo: scarica http://www.microsoft.com/technet/sysinternals/SystemInformation/Handle.mspx estrailo in una cartella, ad esempio, per far prima, direttamente in c:\
poi apri un prompt dei comandi (start menu -> esegui -> cmd) da lì esegui
c: invio
cd \ invio
e poi handle "c:\programmi\windows nt\pinball"
oppure hanfle "c:\programmi\windows nt\accessori"
insomma esegui il comando handle con i nomi delle cartelle incriminate, e lui dovrebbe dirti che processo le sta utilizzando.
TuLKaS85
08-11-2006, 22:29
E' vero! L'avevo dimenticato.. :) Uhmm.. è una cosa curiosa, soprattutto per il fatto che non ha file al proprio interno.. Prova questo: scarica http://www.microsoft.com/technet/sysinternals/SystemInformation/Handle.mspx estrailo in una cartella, ad esempio, per far prima, direttamente in c:\
poi apri un prompt dei comandi (start menu -> esegui -> cmd) da lì esegui
c: invio
cd \ invio
e poi handle "c:\programmi\windows nt\pinball"
oppure hanfle "c:\programmi\windows nt\accessori"
insomma esegui il comando handle con i nomi delle cartelle incriminate, e lui dovrebbe dirti che processo le sta utilizzando.
niente dice handle non è riconosciuto come comando
schumy2006
08-11-2006, 22:30
Ciao,
se posso inserirmi brevemente vorrei chiedere a breakdown che differenza c'e' tra Handle e Process Explorer di Sysinternals...
Ho capito solo che il primo si usa via prompt, il secondo ha l'interfaccia grafica utente...
Ma come funzioni sono uguali o Process Explorer ha qualcosa in + ?
GRAZIE in anticipo !!
bReAkDoWn
08-11-2006, 22:31
niente dice handle non è riconosciuto come comando
assicurati che handle.exe sia in c:\ e che nel prompt dei comandi ogni volta che premi invio compaia c:\>
bReAkDoWn
08-11-2006, 22:37
Ciao,
se posso inserirmi brevemente vorrei chiedere a breakdown che differenza c'e' tra Handle e Process Explorer di Sysinternals...
Ho capito solo che il primo si usa via prompt, il secondo ha l'interfaccia grafica utente...
Ma come funzioni sono uguali o Process Explorer ha qualcosa in + ?
GRAZIE in anticipo !!
penso nessuna, e hai fatto bene a suggerirmelo. Era più semplice utilizzare la funzione find handle di process explorer.. se mi fosse venuto in mente :D
TuLKaS85
08-11-2006, 22:42
assicurati che handle.exe sia in c:\ e che nel prompt dei comandi ogni volta che premi invio compaia c:\>
allego il risultato avuto dal cmd...non mi sembra abbia avuto successo comunque :doh:
TuLKaS85
08-11-2006, 22:52
ho provato con process explorer find handle....
metto il percorso c:\programmi
e mi escono varie ddl e handle ma tra questi non c'è la mia windows nt
metto il percorso c:\programmi\windows nt
e non trova niente
metto c:\programmi|windows nt\pinball
e ancora non trova niente
delle volte si blocca xò e devo chiuderlo....
bReAkDoWn
08-11-2006, 22:53
allego il risultato avuto dal cmd...non mi sembra abbia avuto successo comunque :doh:
Il tentativo giusto è quello con le "", però dice error loading driver.. Ora il problema sarà capire perchè fa così. Nel frattempo se vuoi provare con il tool process explorer che fa più o meno la stessa cosa.
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
e la funzione è find handle or dll dal menu find. Senza apici "" questa volta.
TuLKaS85
08-11-2006, 22:54
Il tentativo giusto è quello con le "", però dice error loading driver.. Ora il problema sarà capire perchè fa così. Nel frattempo se vuoi provare con il tool process explorer che fa più o meno la stessa cosa.
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
e la funzione è find handle or dll dal menu find. Senza apici "" questa volta.
già fatto....vedi il mio ultimo post...
bReAkDoWn
08-11-2006, 22:54
ho provato con process explorer find handle....
metto il percorso c:\programmi
e mi escono varie ddl e handle ma tra questi non c'è la mia windows nt
metto il percorso c:\programmi\windows nt
e non trova niente
metto c:\programmi|windows nt\pinball
e ancora non trova niente
delle volte si blocca xò e devo chiuderlo....
E quando vai a cancellare queste cartelle che messaggio ti compare di preciso?
TuLKaS85
08-11-2006, 22:56
impossibile eliminare file già in uso da un altro utente o programma
bReAkDoWn
08-11-2006, 23:01
impossibile eliminare file già in uso da un altro utente o programma
questo anche provando a cancellarle individualmente? tipo solo pinball ad esempio? e scrivendo in find handle solo pinball, senza riferimenti a c:\programmi ecc. trova niente?
TuLKaS85
08-11-2006, 23:10
questo anche provando a cancellarle individualmente? tipo solo pinball ad esempio? e scrivendo in find handle solo pinball, senza riferimenti a c:\programmi ecc. trova niente?
esattamente, nulla
ho trovato una mezza cosa su google
ho cercato windows nt\pinball la prima ricerca nella descrizione sembra il mio stesso problema, xò non riesco a trovare il post completo quando premo sul titolo cercato da google mi esce un casino di messaggi :cry:
TuLKaS85
08-11-2006, 23:14
non può essere proprio il gioco pinball.exe di windows ???
magari io da modalità provvisoria cancellandolo ho perso i file ke queste cartelle contenevano... ora all'avvio mi vengono ricreati i percorsi ovviamente senza ripristinare i file, infatti se provo a lanciare il pinball da giochi mi dice file mancante......
può darsi ke tenevo installato il pinball in programmi :confused:
bReAkDoWn
08-11-2006, 23:16
esattamente, nulla
ho trovato una mezza cosa su google
ho cercato windows nt\pinball la prima ricerca nella descrizione sembra il mio stesso problema, xò non riesco a trovare il post completo quando premo sul titolo cercato da google mi esce un casino di messaggi :cry:
la pagina che ti serve allora è questa: http://www.mvps.org/ecvogel/kb/XP_remove_progs.htm
ci sono arrivato partendo dal tuo link e utilizzando la copia cache di google.
Comunque sembrerebbe dovuto al fatto che pinball viene considerato un componente di windows. Quindi niente virus perlomeno. Questa cosa proprio non la sapevo.. si impara sempre ;)
bReAkDoWn
08-11-2006, 23:37
scusate ma credo di avere qualcosa di grave nel mio pc...controllate per favore se sono presenti in background programmi dannosi (trojan o altro)
ditemi se devo eliminare qualcosa
grazie anticipatamente :)
log pulito.. non conosco PowerMenu, al quale ci sono alcuni riferimenti. Se è un programma che hai installato tu allora non c'è altro.
gianninicp
09-11-2006, 01:03
Un saluto a tutti.
Dopo :( lunghe lotte con mostri paurosi, vorrei :help: un buon parere sul log, sperando che sia OK!
So di un paio di residui di McAfee (cattiva disinstallazione?): basta fixare le voci o devo fare un search nel registry delle varie occorrenze e cancellarle?
Spero di non trasgredire :banned: troppo, ma aggiungo una ventina di righe selezionate dall'autostart di Gmer (se poi dovesse servire, manderò il resto!)
Grazie :)
Clemente
Logfile of HijackThis v1.99.1
Scan saved at 1.46.05, on 09/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
c:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmi\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Nero\Nero 7\InCD\InCD.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Lexmark X5100 Series\lxbabmgr.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Lexmark X5100 Series\lxbabmon.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\PROGRA~1\FILECO~1\Nokia\Services\SERVIC~1.EXE
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
c:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgilio.it/free
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Programmi\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [kis] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with GetRight Pro - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - c:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programmi\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgilio.it/free
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/it/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130556323671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4871/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66605F77-8B81-4B6B-88FB-4A01B58CF9FE}: NameServer = 85.37.17.11 85.38.28.69
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - AppInit_DLLs: ProvaAppInit_DLLs.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - Unknown owner - C:\Programmi\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
GMER 1.0.12.11879 - http://www.gmer.net
Autostart scan 2006-11-09 02:26:08
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck autochk * /*file not found*/
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@ShellExplorer.exe = Explorer.exe
@System =
@UIHostlogonui.exe = logonui.exe
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
OutpostFirewall /*Outpost Firewall Service*/@ = C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /service /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CpqsetC:\Programmi\HPQ\Default Settings\cpqset.exe ? ??? V??????| ???? ??B ? ??H<C ? ????� = C:\Programmi\HPQ\Default Settings\cpqset.exe ? ??? V??????| ???? ??B ? ??H<C ? ????�
@eabconfg.cplC:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start /*file not found*/ = C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start /*file not found*/
@Outpost FirewallC:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice /*file not found*/ = C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice /*file not found*/
@OutpostFeedBackC:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup /*file not found*/ = C:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{0DF44EAA-FF21-4412-828E-260A8728E7F1} /*Barra delle applicazioni e menu di avvio*/(null) = (nella schermata di Gmer si legge file not found)
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@InCDShellExt extension /*{CAE3251E-9B15-4810-B268-852AD9792A59}*/(null) =
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/(null) =
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain =
---- EOF - GMER 1.0.12 ----
log pulito.. non conosco PowerMenu, al quale ci sono alcuni riferimenti. Se è un programma che hai installato tu allora non c'è altro.
si è un programma installato da chi mi ha formattato il pc poco tempo fà, è un utility per gestire le applicazioni sulla barra, poi nn sò altro :p
cmq ho trovato questo
http://www.veridicus.com/tummy/programming/powermenu/
se qualcuno è cos' gentile da spiegarmi meglio a che serva, gliene sarei grato :D
grazie, ora mi sento più tranquillo!
TuLKaS85
09-11-2006, 07:29
la pagina che ti serve allora è questa: http://www.mvps.org/ecvogel/kb/XP_remove_progs.htm
ci sono arrivato partendo dal tuo link e utilizzando la copia cache di google.
Comunque sembrerebbe dovuto al fatto che pinball viene considerato un componente di windows. Quindi niente virus perlomeno. Questa cosa proprio non la sapevo.. si impara sempre ;)
grazie mille!!! :)
nessunopiu
09-11-2006, 09:13
Ciao a tutti, vorei chiedervi un parere, nella precedente (pochi giorni) scansione con HijackThis erano presenti due voci :
09 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINNT\web\related.htm
09 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
oggi nn sono più presenti. Guardando la guida di Hijackthis il gruppo
d' appartenenza riguarda "voci nuove nel menù strumenti di IE".
Non ho fatto nessuna modifica al browser e nn capisco l'attinenza.
Potreste raguagliarmi e soprattutto dirmi se la mancaza delle voci può
influire positivamente/negativamente sulla navigazione.
Anche le voci qui sotto sono regolari ?
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
Eseguo regolari controlli con Ad-aware, Spybot, CCleaner,
su Windows 2000 professional IE 6
GRAZIE
Scaricare gmer (www.gmer.net) e fare due scansioni: rootkit e autostart, copiare i risultati (gmer ha direttamente il pulsante copy) e incollarli in un messaggio qua sul forum. Assicurati che in entrambe le scansioni NON sia selezionata l'opzione show all. Infine, mentre fai la scansione rootkit non utilizzare il pc e chiudi tutte le applicazioni che puoi.
Grazie del consiglio,ecco qui le due scansioni:
GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-09 12:44:14
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \SystemRoot\System32\drivers\klif.sys ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateProcess
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateSection
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT \SystemRoot\System32\drivers\klif.sys ZwOpenProcess
SSDT \SystemRoot\System32\drivers\klif.sys ZwQueryInformationFile
SSDT a347bus.sys ZwQueryKey
SSDT \SystemRoot\System32\drivers\klif.sys ZwQuerySystemInformation
SSDT a347bus.sys ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\drivers\klif.sys ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\drivers\klif.sys ZwSetInformationProcess
SSDT a347bus.sys ZwSetSystemPowerState
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\drivers\klif.sys ZwSuspendThread
SSDT \SystemRoot\System32\drivers\klif.sys ZwTerminateProcess
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[284]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[285]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[286]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[287]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[288]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[289]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[290]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[291]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[292]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[293]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[294]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[295]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[296]
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 7 Bytes JMP BA4A8310 \SystemRoot\System32\drivers\klif.sys
.text ntoskrnl.exe!_abnormal_termination + 1D5 804E2831 3 Bytes
.text hidir.sys F7BFEB8E 1 Byte
---- User code sections - GMER 1.0.12 ----
.text D:\Programmi\eMule\emule.exe[328] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 01015B5A
.text D:\Programmi\eMule\emule.exe[328] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 01015D3A
.text D:\Programmi\eMule\emule.exe[328] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 01015EB0
.text D:\Programmi\eMule\emule.exe[328] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 010161EE
.text D:\Programmi\eMule\emule.exe[328] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 010160ED
.text D:\Programmi\eMule\emule.exe[328] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 01015FC3
.text D:\Programmi\eMule\emule.exe[328] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 01015C2D
.text C:\WINDOWS\system32\ati2evxx.exe[496] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 009C5B5A
.text C:\WINDOWS\system32\ati2evxx.exe[496] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 009C5D3A
.text C:\WINDOWS\system32\ati2evxx.exe[496] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 009C5EB0
.text C:\WINDOWS\system32\ati2evxx.exe[496] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 009C61EE
.text C:\WINDOWS\system32\ati2evxx.exe[496] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 009C60ED
.text C:\WINDOWS\system32\ati2evxx.exe[496] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 009C5FC3
.text C:\WINDOWS\system32\ati2evxx.exe[496] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 009C5C2D
.text C:\WINDOWS\explorer.exe[572] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00A87600
.text C:\WINDOWS\explorer.exe[572] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 009D5D3A
.text C:\WINDOWS\explorer.exe[572] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 009D5EB0
.text C:\WINDOWS\explorer.exe[572] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 009D61EE
.text C:\WINDOWS\explorer.exe[572] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 009D60ED
.text C:\WINDOWS\explorer.exe[572] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 009D5FC3
.text C:\WINDOWS\explorer.exe[572] ntdll.dll!NtResumeThread 7C91E45F 5 Bytes JMP 00A87650
.text C:\WINDOWS\explorer.exe[572] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 009D5C2D
.text C:\WINDOWS\ehome\ehtray.exe[800] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 003B5B5A
.text C:\WINDOWS\ehome\ehtray.exe[800] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 003B5D3A
.text C:\WINDOWS\ehome\ehtray.exe[800] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 003B5EB0
.text C:\WINDOWS\ehome\ehtray.exe[800] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 003B61EE
.text C:\WINDOWS\ehome\ehtray.exe[800] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 003B60ED
.text C:\WINDOWS\ehome\ehtray.exe[800] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 003B5FC3
.text C:\WINDOWS\ehome\ehtray.exe[800] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 003B5C2D
.text C:\WINDOWS\system32\rundll32.exe[824] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 009A5B5A
.text C:\WINDOWS\system32\rundll32.exe[824] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 009A5D3A
.text C:\WINDOWS\system32\rundll32.exe[824] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 009A5EB0
.text C:\WINDOWS\system32\rundll32.exe[824] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 009A61EE
.text C:\WINDOWS\system32\rundll32.exe[824] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 009A60ED
.text C:\WINDOWS\system32\rundll32.exe[824] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 009A5FC3
.text C:\WINDOWS\system32\rundll32.exe[824] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 009A5C2D
.text D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe[844] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 003E5B5A
.text D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe[844] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 003E5D3A
.text D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe[844] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 003E5EB0
.text D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe[844] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 003E61EE
.text D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe[844] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 003E60ED
.text D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe[844] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 003E5FC3
.text D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe[844] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 003E5C2D
.text C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe[1028] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00395B5A
.text C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe[1028] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00395D3A
.text C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe[1028] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00395EB0
.text C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe[1028] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 003961EE
.text C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe[1028] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 003960ED
.text C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe[1028] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 00395FC3
.text C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe[1028] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00395C2D
.text C:\WINDOWS\system32\ctfmon.exe[1052] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 003E5B5A
.text C:\WINDOWS\system32\ctfmon.exe[1052] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 003E5D3A
.text C:\WINDOWS\system32\ctfmon.exe[1052] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 003E5EB0
.text C:\WINDOWS\system32\ctfmon.exe[1052] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 003E61EE
.text C:\WINDOWS\system32\ctfmon.exe[1052] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 003E60ED
.text C:\WINDOWS\system32\ctfmon.exe[1052] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 003E5FC3
.text C:\WINDOWS\system32\ctfmon.exe[1052] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 003E5C2D
.text C:\WINDOWS\system32\winlogon.exe[1076] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00BF5B5A
.text C:\WINDOWS\system32\winlogon.exe[1076] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00BF5D3A
.text C:\WINDOWS\system32\winlogon.exe[1076] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00BF5EB0
.text C:\WINDOWS\system32\winlogon.exe[1076] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00BF61EE
.text C:\WINDOWS\system32\winlogon.exe[1076] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 00BF60ED
.text C:\WINDOWS\system32\winlogon.exe[1076] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 00BF5FC3
.text C:\WINDOWS\system32\winlogon.exe[1076] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00BF5C2D
.text C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[1172] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 009A5B5A
.text C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[1172] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 009A5D3A
.text C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[1172] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 009A5EB0
.text C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[1172] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 009A61EE
.text C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[1172] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 009A60ED
.text C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[1172] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 009A5FC3
.text C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[1172] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 009A5C2D
.text F:\Backup\Doc\Installazioni\gmer.exe[2468] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 009F5B5A
.text F:\Backup\Doc\Installazioni\gmer.exe[2468] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 009F5D3A
.text F:\Backup\Doc\Installazioni\gmer.exe[2468] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 009F5EB0
.text F:\Backup\Doc\Installazioni\gmer.exe[2468] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 009F61EE
.text F:\Backup\Doc\Installazioni\gmer.exe[2468] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 009F60ED
.text F:\Backup\Doc\Installazioni\gmer.exe[2468] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 009F5FC3
.text F:\Backup\Doc\Installazioni\gmer.exe[2468] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 009F5C2D
.text D:\Programmi\AltDvb\AltDVB.exe[2976] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 01035B5A
.text D:\Programmi\AltDvb\AltDVB.exe[2976] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 01035D3A
.text D:\Programmi\AltDvb\AltDVB.exe[2976] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 01035EB0
.text D:\Programmi\AltDvb\AltDVB.exe[2976] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 010361EE
.text D:\Programmi\AltDvb\AltDVB.exe[2976] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 010360ED
.text D:\Programmi\AltDvb\AltDVB.exe[2976] ntdll.dll!NtQueryValueKey 7C91E1FE 5 Bytes JMP 01035FC3
.text D:\Programmi\AltDvb\AltDVB.exe[2976] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 01035C2D
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 867E3338
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BA6DBBF6] klmc.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA6DBBF6] klmc.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BA6A6230] vsdatant.sys
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 86680118
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86680118
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 861716F0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 86680118
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 86680118
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_READ 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_NAMED_PIPE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_READ 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_WRITE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_EA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_EA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FLUSH_BUFFERS 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DIRECTORY_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FILE_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_LOCK_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLEANUP 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_MAILSLOT 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CHANGE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE_NAMED_PIPE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLOSE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_READ 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_WRITE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_EA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_EA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_FLUSH_BUFFERS 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DIRECTORY_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_FILE_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_INTERNAL_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SHUTDOWN 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_LOCK_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLEANUP 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE_MAILSLOT 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_POWER 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CHANGE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_PNP 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE_NAMED_PIPE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLOSE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_READ 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_WRITE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_EA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_EA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_FLUSH_BUFFERS 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_VOLUME_INFORMATION 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DIRECTORY_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_FILE_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_INTERNAL_DEVICE_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SHUTDOWN 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_LOCK_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLEANUP 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE_MAILSLOT 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_SECURITY 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_POWER 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SYSTEM_CONTROL 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CHANGE 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_QUOTA 86680008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_PNP 86680008
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 86680118
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 86680118
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 85836D60
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA6DBBF6] klmc.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA6DBBF6] klmc.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BA6A6230] vsdatant.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 8616D840
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BA6A6230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BA6DBBF6] klmc.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [BA6A6230] vsdatant.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 8616D840
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 864F1B78
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 864F59C0
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_READ 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_WRITE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_EA 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_POWER 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_QUOTA 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_PNP 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_NAMED_PIPE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLOSE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_READ 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_WRITE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_INFORMATION 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_INFORMATION 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_EA 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_EA 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FLUSH_BUFFERS 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_VOLUME_INFORMATION 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_VOLUME_INFORMATION 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DIRECTORY_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FILE_SYSTEM_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SHUTDOWN 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_LOCK_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLEANUP 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_MAILSLOT 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_SECURITY 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_SECURITY 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_POWER 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SYSTEM_CONTROL 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CHANGE 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_QUOTA 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_QUOTA 864AB158
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP 864AB158
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 864EFEA0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 864EFEA0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 864EFEA0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 864EFEA0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 864EFEA0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 85F672B0
---- Modules - GMER 1.0.12 ----
Module _________ F7749000
---- Threads - GMER 1.0.12 ----
Thread 4:172 86635950
Thread 4:176 86615C60
Thread 4:180 86615C60
Thread 4:492 86635950
Thread 4:652 86635950
Thread 4:812 86635950
Thread 4:532 85612560
---- Registry - GMER 1.0.12 ----
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{49B04671-A35E-4B20-A081-5098BAD95445}
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins@}93BD440D5EAB-2F6B-BF24-8328-274F3DFB{ 0xB4 0x24 0x00 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins@gvvmd 0x77 0x0A 0x00 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dmvvg.exe C:\WINDOWS\system32\dmvvg.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dmvvg.exe C:\WINDOWS\system32\dmvvg.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc 0x71 0x46 0xB0 0x49 ...
GMER 1.0.12.11889 - http://www.gmer.net
Autostart scan 2006-11-09 13:01:46
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@Systemcshhn.exe = cshhn.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
ehRecvr /*Media Center Receiver Service*/@ = C:\WINDOWS\eHome\ehRecvr.exe
ehSched /*Media Center Scheduler Service*/@ = C:\WINDOWS\eHome\ehSched.exe
GEARSecurity@ = %SystemRoot%\System32\GEARSec.exe
kavsvc /*kavsvc*/@ = "d:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
V2i Protector /*V2i Protector*/@ = C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ehTrayC:\WINDOWS\ehome\ehtray.exe = C:\WINDOWS\ehome\ehtray.exe
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@KAVPersonal50"d:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize = "d:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe" = "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
@dmvvg.exeC:\WINDOWS\system32\dmvvg.exe = C:\WINDOWS\system32\dmvvg.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@updateMgr"D:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 = "D:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
@swgC:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe = C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/d:\Programmi\WinRAR\rarext.dll = d:\Programmi\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/D:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = D:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/D:\Programmi\Microsoft Office\Office10\msohev.dll = D:\Programmi\Microsoft Office\Office10\msohev.dll
@CorelDRAW Shell Extension Component /*CorelDRAW Shell Extension Component*/(null) =
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{D9872D13-7651-4471-9EEE-F0A00218BEBB} /*Multiscan*/d:\Programmi\Zone Labs\ZoneAlarm\zlavscan.dll = d:\Programmi\Zone Labs\ZoneAlarm\zlavscan.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll = C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
HexWorkshopContextMenu@{DB34D5DC-D41A-482E-A5EF-8FA0F88761DA} = blank /*file not found*/
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = d:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
MyPhoneExplorer@{C63D6E57-FE9E-43D7-B7ED-900DEB695D3E} = d:\Programmi\MyPhoneExplorer\DLL\ShellMgr.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = d:\Programmi\WinRAR\rarext.dll
ZLAVShExt@{D9872D13-7651-4471-9EEE-F0A00218BEBB} = d:\Programmi\Zone Labs\ZoneAlarm\zlavscan.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = d:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = d:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = d:\Programmi\WinRAR\rarext.dll
ZLAVShExt@{D9872D13-7651-4471-9EEE-F0A00218BEBB} = d:\Programmi\Zone Labs\ZoneAlarm\zlavscan.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}D:\PROGRA~1\SPYBOT~1\SDHelper.dll = D:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar1.dll = c:\programmi\google\googletoolbar1.dll
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.it/
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53F2097E-3966-4B05-8752-5CFC6098721D} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.2 = 192.168.1.2
@NameServer85.37.17.55,85.38.28.93 = 85.37.17.55,85.38.28.93
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{75EF19B3-ABD3-44AD-8E9B-5060403E54F7} /*Connessione alla rete locale (LAN) 2*/ >>>
@IPAddress192.168.238.238 = 192.168.238.238
@NameServer =
@DefaultGateway =
@Domain =
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = d:\Programmi\NetLimiter\nl_lsp.dll
000000000002@PackedCatalogItem = d:\Programmi\NetLimiter\nl_lsp.dll
000000000003@PackedCatalogItem = d:\Programmi\NetLimiter\nl_lsp.dll
000000000004@PackedCatalogItem = d:\Programmi\NetLimiter\nl_lsp.dll
000000000005@PackedCatalogItem = d:\Programmi\NetLimiter\nl_lsp.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012@PackedCatalogItem = d:\Programmi\NetLimiter\nl_lsp.dll
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = Microsoft Office.lnk
---- EOF - GMER 1.0.12 ----
Spero di aver seguito in modo giusto i tuoi consigli.Buona giornata
bReAkDoWn
09-11-2006, 13:25
@ Bordo83
Come prima cosa dovresti controllare un paio di cose (con windows configurato per mostrare i file nascosti e di sistema):
se dentro la cartella C:\WINDOWS\system32 è visibile il file dmvvg.exe e se riesci a capire dal nome, dall'icona o dalla proprietà, a quale programma possa appartenere. Se non ne ricavi nienti fallo analizzare online su www.virustotal.com e vedi i risultati.
se con regedit riesci a vedere le chiavi: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmvvg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc
Poi vedremo di muoverci di conseguenza.
bReAkDoWn
09-11-2006, 14:38
@ ania
Ti rispondo subito per quanto riguarda il ripristino di sistema. Hai ragione tu, e non solo un pò. Per come la vedo io il ripristino di sistema (automatico) è una soluzione di emergenza e di fortuna, da utilizzarsi come tentativo quando il sistema è compromesso e non si sa come rimediare, ma non può essere considerato come uno strumento regolare di manutenzione o tantomeno di rimozione virus. Quando si effettua un ripristino infatti non si ha mai la certezza dello stato in cui il sistema viene ripristinato. Ad esempio possono essere annullate modifiche importanti che avevamo fatto, ripristinate vecchie versioni di applicazioni che avevamo aggiornato, e molte altre cose di cui è difficile tenere conto. In teoria alcuni virus potrebbero essere rimossi con un ripristino, ma è un modo di procedere che non ha senso, sia per i motivi che hai detto tu e sia per altri inconvenienti che tale metodo comporta. In definitiva questo strumento può risultare utile in alcune occasioni, ma di solito esistono sempre soluzioni migliori per risolvere i problemi.
La modalità provvisoria ha la funzione che dici tu, con l'aggiunta che purtroppo non tutti i possibili metodi di avvio che un virus può utilizzare vengono disattivati in mod. provvisoria. Quindi alcuni virus partono ugualmente.
nel log c'è solo questo che dovrebbe essere un adware:
O4 - HKLM\..\Run: [ASM] "C:\Programmi\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
Prima di fixarlo, per sicurezza, prova a far analizzare il file su www.virustotal.com a meno che non garantisca tu che il file è a posto perchè sai da dove proviene :)
@ bReAkDoWn
Ho cercato quello che mi avevi segnalato ma con mio stupore non ho trovato niente :(
Il file dmvvg.exe non c'è,mentre per le chiavi da regedit ho usato la funzione "trova" ed ho copiato le due stringhe ma niente....Sarà il mio pc che vuole farmi usare Firefox invece di IE :D Ciaoo
bReAkDoWn
09-11-2006, 16:31
@ bReAkDoWn
Ho cercato quello che mi avevi segnalato ma con mio stupore non ho trovato niente :(
Il file dmvvg.exe non c'è,mentre per le chiavi da regedit ho usato la funzione "trova" ed ho copiato le due stringhe ma niente....Sarà il mio pc che vuole farmi usare Firefox invece di IE :D Ciaoo
Sarà che è un rootkit ;) Cmq nel registro considera che se hai cercato la stringa copiandola intera come l'ho riportata io non la trovi perchè ad esempio il carattere @ non c'è: lo ha aggiunto gmer. Prova per sicurezza a cercare manualmente le chiavi, cliccando sui vari + partendo da HKEY_LOCAL_MACHINE.
Poi procurati gmer che stasera sarò più preciso sul da farsi.
Ciao!!
Prova per sicurezza a cercare manualmente le chiavi, cliccando sui vari + partendo da HKEY_LOCAL_MACHINE.
Allora...in HKEY_CURRENT_USER--->Software--->Microsot--->Search assistant--->ACMru ho trovato:
Nome.......Tipo..........Dati
001.........REG_SZ......Dmvvg
002.........REG_SZ......Dmvg
003.........REG_SZ......229
Qualcosa finalmente si muove...
Poi procurati gmer che stasera sarò più preciso sul da farsi.
Cosa intendi?Come già mi avevi consigliato l'ho scaricato e ho fatto lo scan rootkit e autostart.Ciaoo e grazie ancora
bReAkDoWn
09-11-2006, 21:10
Allora...in HKEY_CURRENT_USER--->Software--->Microsot--->Search assistant--->ACMru ho trovato:
Nome.......Tipo..........Dati
001.........REG_SZ......Dmvvg
002.........REG_SZ......Dmvg
003.........REG_SZ......229
Qualcosa finalmente si muove...
Cosa intendi?Come già mi avevi consigliato l'ho scaricato e ho fatto lo scan rootkit e autostart.Ciaoo e grazie ancora
E' stato un lapsus.. :D avrei voluto scrivere The Avenger (http://swandog46.geekstogo.com/) e invece ho scritto gmer.. :doh:
Ma veniamo al dunque..
Fai queste due prove: la prima avvia in modalità provvisoria e controlla se adesso vedi il file e le chiavi.
Se vedi il file rinominalo (ad esempio metti una x davanti al nome), riavvia in modalità normale e ricontrolla se continui a vedere file e chiavi di registro.
Se le due cose non fossero visibili in modalità provvisoria seguiamo un'altra strada.
Esegui the avenger, seleziona input script manually, lente di ingrandimento, copia lo script nella finestra, click done, semaforo verde e rispondi di sì. Il sistema verrà riavviato. Una volta riavviato comparirà un log dentro al notepad, copialo e riportalo sul forum.
script da copiare:
Files to delete:
C:\WINDOWS\system32\dmvvg.exe
a quel punto prima di postare puoi anche ricontrollare con regedit se adesso le chiavi sono visibili.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmvvg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@nhhsc
da bravo ragazzo prima di postare il og l'ho analizzato sull'analizzatore automat e l'unica voce potenzialmente nociva sarebbe questa (anche se è li da un anno) :mbe:
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
che dite?
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
Ciao,
driver stampante HP: file buono :p
juninho85
09-11-2006, 22:24
Ciao a tutti, vorei chiedervi un parere, nella precedente (pochi giorni) scansione con HijackThis erano presenti due voci :
09 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINNT\web\related.htm
09 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
oggi nn sono più presenti. Guardando la guida di Hijackthis il gruppo
d' appartenenza riguarda "voci nuove nel menù strumenti di IE".
Non ho fatto nessuna modifica al browser e nn capisco l'attinenza.
Potreste raguagliarmi e soprattutto dirmi se la mancaza delle voci può
influire positivamente/negativamente sulla navigazione.
ora non ricordo di preciso a cosa faccia riferimento,mi pare alexa...per caso hai installato qualche antispyware ultimamente?
[/QUOTE]
Anche le voci qui sotto sono regolari ?
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
Eseguo regolari controlli con Ad-aware, Spybot, CCleaner,
su Windows 2000 professional IE 6
GRAZIE[/QUOTE]
non sono infetti ma puoi tranquillamente farne a meno,dunque elimina la seconda chiave
bReAkDoWn
09-11-2006, 22:38
@bReAkDoWn
Grazie davvero di cuore, per la pazienza che hai avuto leggendo le cose che ho scritto, (chiedo scusa per la mia mancata capacità di sintesi), per la gentilezza e la generosità che metti ( e che mettete tutti qui sul forum) per aiutare chi come me si trova in difficoltà non avendo ancora acquisito i vostri strumenti e capacità ,ma mi impegnerò all'inverosimile per migliorare ed imparare, l'ignoranza ( nel senso di mancata conoscenza) rende vulnerabili , ed è una sensazione per me dolorosa, che vorrei a poco a poco sentire in misura minore.
Sto passando ore e ore a leggermi tutto quello che avete generosamente messo a disposizione, questo forum è uno scrigno speciale e prezioso che contiene cose che vorrei "sentire mie", nel senso di comprenderle e saperle usare per essere autonoma e chiedervi il meno possibile la "pappa pronta", è bello che si insegni a pescare piuttosto che dare i pesci in pasto.
Imparare è una soddisfazione immensa, una delle gioie più profonde e piene della vita, grazie davvero a tutti voi, non lo sapete ma state diventando "compagni di viaggio speciali " per me, è difficile fare un cammino da soli, ma se si può contare sul fatto che "accanto" si avrà qualcuno cui chiedere conforto nei momenti difficili, non c'è viaggio che possa spaventare, mi sono lasciata intimorire per troppo tempo da questa macchina ancora sconosciuta.
Non so, nella mia niubbiaggine, a me dava la sensazione di una scorciatoia che però avrebbe portato ad una meta troppo oscura ed imprevedibile, perchè appunto ci sono alcuni elementi difficili da valutare.
Questo non lo sapevo, sigh, in questo caso, potrebbe servire usare il comando msconfig e disabilitare tutti i programmi dall'avvio automatico?
Mi chiedo cioè se sia opportuno, prima di andare in modalità provvisoria anche disattivare (disabilitare) sempre dall'avvio automatico tutti i processi, oppure se questo non è necessario, perchè il fatto di andare in modalità provvisoria già di per sè stesso comporta quella disattivazione ( disabilitazione).
Quando sono in modalità provvisoria e devo fare una scansione con Panda , ci impiego una decina di tentativi (e più ) per farlo partire, e quando finalmente mi compare la schermata iniziale di Panda, mi comunica che tutte le funzioni sono disattivate, ma allora in questo caso Panda era già disabilitato, oppure devo fare qualcosa per disabilitarlo quando in seguito devo eseguire le scansioni con ad-aware o spybot o sysclean, o stinger?
Da qualche parte infatti ho letto che è meglio disabilitare l'antivirus quando si lanciano in modalità provvisoria ad es. Sysclean o anche gli altri programmi di scansione, o i vari altri tool di rimozione, però non ho capito cosa significhi esattamente disabilitare l’antivirus, e se quando sono in mod provvisoria, devo ritenere che l’AV sia disabilitato di default, o cosa devo fare di preciso invece per disabilitarlo se non lo è già di default per il fatto di essere in mod provvisoria.
Scusa per la domanda che sicuramente è banale ed una schiocchezza per la stragrande maggioranza di voi, ma io ho imparato solo da poco che si possono vedere e ( credo) disattivare i processi in esecuzione automatica dal comando start --->esegui---->msconfig--->tab avvio.
All'avvio di Windows, in effetti , credo di avere diversi programmi inutilmente in esecuzione automatica, ad es. QuicK time, o Openoffice, o altri ancora che ho installato più di recente, come ISP monitor, ho provato ad escluderli dalla barra delle applicazioni, sperando che questa sola operazione fosse sufficiente per evitarne al successivo riavvio l'esecuzione automatica, ed invece ciò non basta.
Inoltre, se seguo il percorso : start--->esegui--->msconfig--->tab avvio
visualizzo che, fra i programmi in esecuzione automatica, mi compare anche il "Browser Hijack Retaliator" che in realtà ho momentaneamente disinstallato, come posso fare per scegliere autonomamente quali processi lasciare in esecuzione automatica all'avvio, e quali invece no?
Dipende forse dalle impostazioni che si sono selezionate al momento dell'installazione delle applicazioni?
Infine , digitanto start--->esegui--->services.msc
arrivo ai servizi, e fra i servizi trovo dei programmi oramai disinstallati, come posso fare per eliminarli?
Non voglio farti perdere tempo con il rispondere ai miei dubbi, se ho sbagliato a scrivere qui ( temo fortemente di avere sbagliato) questi dubbi, chiedo scusa e se c’è una sezione più adeguata dove scriverli ti prego di segnalarmela, cercherò di non sbagliare più in futuro, e se c'è un link ad una guida o a un topic qui sul forum o altrove, che tratta di "programmi in esecuzione automatica all'avvio" e di come scegliere quali lasciare in esecuzione automatica, per cortesia , me lo segnaleresti?
Questo exe fa riferimento all’active monitor security programma che ho scaricato da:
http://www.aol.com/
Sul secondo pc infatti volendo mettere un AV free, ho scelto Active virus shields, ed è così che ho scoperto l'esistenza di Active monitor security, spero bene che non sia un programmino sulle orme del DAP , che avevo installato sul mio pc perchè mi consentiva il download di file in formato real player e trasmessi in modalità streaming, ( conferenze e lezioni didattiche dal sito dell'università), non ho mai più trovato un programma free capace di fare la stessa cosa, (ma deve essere a causa del fatto che sono imbranata come pochi sul pianeta) , ma poi mi è stato detto che DAP installava spyware, sigh.
ecco il ink del programma:
http://free.aol.com/tryaolfree/index3.adp?promo=808524&service=asm
ho seguito il tuo consiglio comunque, ed ho fatto analizzare il file sia a virus total sia a virus scan jotti, ed è tutto ok.
Grazie davvero immensamente.
Il posto più adatto per questa discussione è la sezione antivirus & sicurezza, di cui questa è una sottosezione. Se vuoi approfondire puoi continuare tranquillamente di là.
Veniamo alle risposte, anche se ho la sensazione di averne già saltata qualcuna nel primo messaggio.. ;)
Con msconfig, anche disattivando tutto non otterrai niente di più (o se vuoi di meno) rispetto alla modalità provvisoria. Non ho sottomano una lista ufficiale di quello che venga o meno eseguito in modalità provvisoria, cmq puoi considerare questa regola valida in pratica. Le possibili locazioni di avvio dei programmi si possono analizzare tranquillamente a priori, senza doverle disabilitare ad una ad una.
Quando sei in modalità provvisoria, generalmente puoi considerare un antivirus disattivato quel tanto che basta per poter fare scansioni con gli altri programmi antivirus/antispyware/ecc.
Se tutti i programmi si comportassero in maniera trasparente, dovrebbero permettere all'utente di decidere riguardo alla loro esecuzione automatica o all'esecuzione di loro componenti, tramite le opzioni di configurazione o al momento dell'installazione. Invece spesso accade che senza nemmeno avvertire, molti programmi mettono in esecuzione automatica moduli che ti ricordano di loro piazzandosi nella tray (vicino all'orologio) o che magari controllano la presenza di versioni aggiornate su internet, o altro ancora..
In questo caso è possibile disattivare manualmente queste componenti, come hai imparato a fare tu con msconfig, oppure in maniera più diretta agendo sul registro di sistema con regedit.
Se vuoi eliminare un servizio di cui sei sicura di non aver più bisogno, controlla nelle sue proprietà il nome del file che poi andrai a cancellare manualmente, poi apri un prompt dei comandi (start -> esegui -> cmd) ed esegui sc delete nomeservizio così come lo leggi in services.msc
Per quanto riguarda asmonitor avevo preso l'informazione da qua: http://www.liutilities.com/products/wintaskspro/processlibrary/asmonitor/
ma fortunatamente era solo un caso di omonimia.
ciao!
@bReAkDoWn
Credo di aver capito da dove provenivano Dmvvg,Dmvg,229:non erano nient'altro che le mie ricerche utilizzando la funzione "Cerca" da windows.Infatti le ho trovate da
HKEY_CURRENT_USER--->Software--->Microsot--->Search assistant--->ACMru
e credo Search assistant spieghi tutto.229 è la prima eseguita,un nome di un firmware del quale non ricordavo la collocazione,Dmvg la seconda(avevo dimenticato una "v")e Dmvvg l'ultima.Entrando in modalità provvisoria ho cercato di scovare il file in C: con con la sigla "vvg".Una volta su regedit ecco vvg diventare il primo della lista e gli altri 3 a scalare.Un paradosso....
Che dici,provo ad usare avenger?Ciaoo
nessunopiu
10-11-2006, 07:31
ora non ricordo di preciso a cosa faccia riferimento,mi pare alexa...per caso hai installato qualche antispyware ultimamente?
Anche le voci qui sotto sono regolari ?
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
Eseguo regolari controlli con Ad-aware, Spybot, CCleaner,
su Windows 2000 professional IE 6
GRAZIE[/QUOTE]
non sono infetti ma puoi tranquillamente farne a meno,dunque elimina la seconda chiave[/QUOTE]
Installato di recente no. Ad aware è da tempo installato ed in una sua scansione (ora che me lo dici ) furono rilevati due riferimenti ad alexa.
Per la seconda chiave potrebbe essere un riferimento a Nero ?
Grazie Juninho85
Nes
bReAkDoWn
10-11-2006, 08:47
@bReAkDoWn
Credo di aver capito da dove provenivano Dmvvg,Dmvg,229:non erano nient'altro che le mie ricerche utilizzando la funzione "Cerca" da windows.Infatti le ho trovate da
HKEY_CURRENT_USER--->Software--->Microsot--->Search assistant--->ACMru
e credo Search assistant spieghi tutto.229 è la prima eseguita,un nome di un firmware del quale non ricordavo la collocazione,Dmvg la seconda(avevo dimenticato una "v")e Dmvvg l'ultima.Entrando in modalità provvisoria ho cercato di scovare il file in C: con con la sigla "vvg".Una volta su regedit ecco vvg diventare il primo della lista e gli altri 3 a scalare.Un paradosso....
Che dici,provo ad usare avenger?Ciaoo
Nono.. quelli non li avevo nemmeno presi in considerazione. Dovresti fare le verifiche che ti ho detto, provare la mod. provvisoria (intendo dire cercare quelle chiavi esattamente nei percorsi riportati da gmer, e il file idem, senza usare funzioni di ricerca automatica, ma andando a vedere direttamente con regedit e aprendo le cartelle).
Poi casomai the avenger.
@bReAkDoWn
Provata la modalità provvisoria,il file in system32 nn l'ho trovato.Le chiavi sembrerebbero non esserci.Passo alla fase avenger,vediamo che succede.Ciao
Ciao,
driver stampante HP: file buono :p
grazie mille Mod
mi controllate il log x favore?
Logfile of HijackThis v1.99.1
Scan saved at 19.38.04, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
C:\Programmi\Startup Mechanic\StartupMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\LUIGI\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.djpigi.tk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgilio.it/free
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.virgilio.it/free
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\maxtorchecker.exe",
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A08609BE-EBFB-ACD5-E312-5FFD58D9786F} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [H2O] C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Programmi\Startup Mechanic\StartupMonitor.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Umail - {72C9FA8F-9CB2-4316-A0C2-B1CF38063724} - http://www.umail.it (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.virgilio.it/free
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1628b9c049081abfc718/netzip/RdxIE601_it.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
gianninicp
10-11-2006, 19:26
Un saluto a tutti.
Dopo :( lunghe lotte con mostri paurosi, vorrei :help: un buon parere sul log, sperando che sia OK!
So di un paio di residui di McAfee (cattiva disinstallazione?): basta fixare le voci o devo fare un search nel registry delle varie occorrenze e cancellarle?
Spero di non trasgredire :banned: troppo, ma aggiungo una ventina di righe selezionate dall'autostart di Gmer (se poi dovesse servire, manderò il resto!)
Grazie :)
Clemente
---- EOF - GMER 1.0.12 ----
Non ho quotato tutto per non appesantire. Il resto è nel #4042.
Nessuno mi dà una mano?
Ho sbagliato qualcosa?
"... beh! ma allora ditelooo" :p
Su, ditemi che sono guarito!
Ciao a tutti, e GGRRAAZZIIEE
Clemente
bReAkDoWn
10-11-2006, 19:50
Non ho quotato tutto per non appesantire. Il resto è nel #4042.
Nessuno mi dà una mano?
Ho sbagliato qualcosa?
"... beh! ma allora ditelooo" :p
Su, ditemi che sono guarito!
Ciao a tutti, e GGRRAAZZIIEE
Clemente
Quei log sono puliti. I vari file not found sono segni di applicazioni disinstallate o che comunque hanno lasciato qualche pezzo per strada. Toglierle o meno non è che faccia molta differenza. Se le applicazioni sono disinstallate toglile, se qualche applicazione non è disinstallata lasciale.
Ciao!
gianninicp
10-11-2006, 20:21
:yeah: Che Dio Vi benedica!(a parte un post mio diretto ne ho seguito mooolti ed ho utilizzato i vari consigli cercando di non rompere troppo) :cool:
E che stramaledica quei @*£çX :ncomment: grandissimi figli di :oink: :fuck: che non tengono meglio da fare che rompere :grrr:
Scusatemi :nonio:
A presto :help: (questo era il mio portatile, dopo tocca al PC di casa :doh: ed a quello di mia figlia :doh: . :cry: tutti in rete per condividere l'accesso al WWW)
Clemente
Ciao a tutti ragazzi... :D
Ho qui il log di un mio amico che è disperato...il suo pc si riavvia casualmente col il messaggino di shutdown, con il conto alla rovescia, ha passato ogni possibile antivirus, scan on-line e anti-spyware senza nessun risultato...il suo pc sembra a posto, ma evidentemente non è così...
Mi aiutate a dargli un consiglio prima dell'implacabile format??? :D
Logfile of HijackThis v1.99.1
Scan saved at 0.50.03, on 11/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\DIRECT~1\DUService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\VIAudioi\SBADeck\ADeck.exe
C:\Programmi\DirectUpdate\DUControl.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\teamspeak2_RC2\TeamSpeak.exe
C:\PROGRA~1\MOZILLA FIREFOX\FIREFOX.EXE
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\king\Desktop\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tgsoft.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [AudioDeck] C:\Programmi\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [DUControl] C:\Programmi\DirectUpdate\DUControl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [avast!] "C:\Programmi\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] memstat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.notrace.it/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E99A3CB8-AE53-492E-9991-412C2CFF6638}: NameServer = 62.211.69.150 212.48.4.15
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WB - C:\Programmi\Stardock\Object Desktop\ThemeManager\fastload.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DirectUpdate engine (DirectUpdate) - http://www.directupdate.net/ - C:\PROGRA~1\DIRECT~1\DUService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
Grazie della pazienza...
Bye ;)
@ tarm@
Se nn ricordo male un problema del genere era dovuto al "worm blaster",se cerchi su google troverai spiegato come rimuoverlo.Nel caso si apra la finestra di shutdown mentre cercate di sistemare dovreste riuscire a chiderla digitando dal prompt dei comandi "shutdown -a".Spero a quest'ora di ragionare ancora....ciaoo
@ bReAkDoWn
sono stato un po' incasinato,appena provo l'avenger ti faccio sapere,e grazie ancora.Ciaoo
FOXYLADY
11-11-2006, 00:21
O4 - HKCU\..\Run: [Microsoft Update Machine] memstat.exe
O20 - Winlogon Notify: WB - C:\Programmi\Stardock\Object Desktop\ThemeManager\fastload.dll (file missing)
fixa questi due, ma non so se risolverai il problema.
juninho85
11-11-2006, 00:57
Installato di recente no. Ad aware è da tempo installato ed in una sua scansione (ora che me lo dici ) furono rilevati due riferimenti ad alexa.
Per la seconda chiave potrebbe essere un riferimento a Nero ?
Grazie Juninho85
Nes
è un riferimento a nero,senza condizionale ;)
Logfile of HijackThis v1.99.1
Scan saved at 0.50.03, on 11/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Ciao,
con questi presupposti è difficile restare indenni da schifezze purtroppo :(
E' necessario passare a SP2 e mantenere aggiornato il SO, altrimenti non ci si salva :p
Se per qualsiasi ragione non potete aggiornare i computer con windows update, usate almeno autopatcher (http://www.eng2ita.net/forum/index.php)
bReAkDoWn
11-11-2006, 09:12
mi controllate il log x favore?
Questi fixali:
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O2 - BHO: (no name) - {A08609BE-EBFB-ACD5-E312-5FFD58D9786F} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
---------------------------------------------------------------------------
La voce seguente è sospetta, ho trovato definizioni contrastanti in rete...
Edit: l'ip risulta di RealNetworks: se hai installato qualche loro prodotto, tipo RealPlayer o altro, è probabile che la voce sia legittima.
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1628b9c049081abfc718/netzip/RdxIE601_it.cab
E ugualmente maxtorchecker: se hai installato una utility della Maxtor che deve essere eseguita in automatico lascialo, altrimenti toglilo. Non ho trovato riferimenti, casomai verificalo con una scansione online su www.virustotal.com
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\maxtorchecker.exe",
Ciao,
con questi presupposti è difficile restare indenni da schifezze purtroppo :(
E' necessario passare a SP2 e mantenere aggiornato il SO, altrimenti non ci si salva :p
Se per qualsiasi ragione non potete aggiornare i computer con windows update, usate almeno autopatcher (http://www.eng2ita.net/forum/index.php)
Cazzarola...non me ne ero neanche accorto... :doh:
Ora vado a tirargli le orecchie... :D
Nel frattempo ha fixato le due voci di prima...vedrò di fargli fare tutti gli aggiornamenti...
Bye ;)
Ho appena sconfitto (forse) una variante particolarmente bastarda di linkoptimizer, ma... mi date un occhio al log per vedere se c'è qualcosa di anomalo?
Logfile of HijackThis v1.99.1
Scan saved at 20.26.25, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Ufficio\Omnipage Pro 15\Opware15.exe
E:\Internet\AntiVir PersonalEdition Premium\avgnt.exe
E:\Internet\AntiVir PersonalEdition Premium\sched.exe
E:\Internet\AntiVir PersonalEdition Premium\avguard.exe
E:\Internet\AntiVir PersonalEdition Premium\avesvc.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
E:\Internet\eMule\emule.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Roby\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tin.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Opware15] "E:\Ufficio\Omnipage Pro 15\Opware15.exe"
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avgnt] "E:\Internet\AntiVir PersonalEdition Premium\avgnt.exe" /min
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\Ufficio\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_Print.html
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163252877421
O17 - HKLM\System\CCS\Services\Tcpip\..\{668A4C16-3C95-4198-AB40-31F13BE3552B}: NameServer = 212.216.112.112,212.216.172.62
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Mail Security Service (AntiVirMailService) - Avira GmbH - E:\Internet\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - E:\Internet\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Service (AntiVirService) - AVIRA GmbH - E:\Internet\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir Engine Service (AVEService) - Avira GmbH - E:\Internet\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programmi\File comuni\SureThing Shared\stllssvr.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - E:\Sistema\TuneUp Utilities 2006\WinStylerThemeSvc.exe
calexico
12-11-2006, 10:25
ciao a tutti...è da un po' di giorni che il mio fido nod continua a rilevare la seguente minaccia:
Win32 Medbot CB, OGGETTO file, nome DOCUMENTI/SETUP.EXE
ho fatto una scansione completa, una scansione con ewido ed altri antispyware ma nessuno ha rilevato niente.è possibile eliminare questa minaccia una volta per tutte.grazie per l'aiuto.
Nod mi sta tempestando di avvisi continui su FILE SOSPETTI.boh
posto il log di HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 11.24.43, on 12/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\PL15Co2K.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programmi\emule morph 9.2\eMule.exe
C:\Programmi\Opera\Opera.exe
C:\Documents and Settings\andrea\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Programmi\File comuni\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Programmi\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Programmi\ReGetDx\iebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MS Unix Binary] msmq2inst.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Programmi\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download &Flash Movies - C:\Programmi\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: Salva oggetto con NetXfer - C:\Programmi\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Salva tutti gli oggetti con NetXfer - C:\Programmi\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Scarica con Re&Get Deluxe - C:\Programmi\File comuni\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Scarica tutto con &ReGet Deluxe - C:\Programmi\File comuni\ReGet Shared\CC_All.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Programmi\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Programmi\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.it/redirect/dial_up
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://ax.emsisoft.com/axscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4677/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Prolific HotFix Q0306270 (PLQ0306270) - Unknown owner - (no file)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Conexant - (no file)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
FOXYLADY
12-11-2006, 18:09
O4 - HKLM\..\Run: [MS Unix Binary] msmq2inst.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Programmi\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Programmi\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
Fixa questi e installa l'sp2.
calexico
13-11-2006, 13:21
Fixa questi e installa l'sp2.
ok...procedo.grazie
secondo voi c'è qualcosa che non va? c'è un trojan che non riesco ad eliminare
Logfile of HijackThis v1.99.1
Scan saved at 16.31.45, on 13/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Trust\250S Series\lwbwheel.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Amedeo\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\Documents and Settings\Amedeo\Desktop\101892816.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.coolstreaming.us/webtv/tvkoo/KooPlayer.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162563057453
O17 - HKLM\System\CCS\Services\Tcpip\..\{867D9137-0C1E-4428-A973-307FF2A823EE}: NameServer = 212.216.112.112,212.216.172.62
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogBbz - Unknown owner - C:\Programmi\File comuni\Services\CTi.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
grazie :D
tatovm2s
13-11-2006, 17:23
ciao ragazzi ho il pc incredibilmente lento ad aprire le pagine web, nonostante abbia formattato da poco, spero che qualcuno riesca a darmi una mano. Grazie
Logfile of HijackThis v1.99.1
Scan saved at 18.20.33, on 13/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Trust\Trust MD3100 USB ADSL MODEM\CnxDslTb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\dario\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {AEEBC458-F6E3-F86B-2C9E-03AE5F41205D} - C:\WINDOWS\xelre1.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Trust\Trust MD3100 USB ADSL MODEM\CnxDslTb.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [cppc] C:\Documents and Settings\dario\Desktop\issimo\hl2crack.exe hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [kav] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programmi\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B82CFE5-8EFE-4B6B-B895-B9E12C7232D0}: NameServer = 193.70.152.15 193.70.152.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
O23 - Service: SysNih - Unknown owner - C:\DOCUME~1\dario\IMPOST~1\Temp\3.tmp (file missing)
bReAkDoWn
13-11-2006, 21:38
ciao ragazzi ho il pc incredibilmente lento ad aprire le pagine web, nonostante abbia formattato da poco, spero che qualcuno riesca a darmi una mano. Grazie
Prima di tutto prova a dare una passata con questo:
http://www.prevx.com/gromozon.asp e riporta qua sul forum il risultato ottenuto.
Poi vai in MODALITA' PROVVISORIA e:
Fixa, fra le seguenti voci, quelle che non hai messo tu:
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O4 - HKLM\..\Run: [cppc] C:\Documents and Settings\dario\Desktop\issimo\hl2crack.exe hide
Queste fixale sicuramente:
O2 - BHO: Class - {AEEBC458-F6E3-F86B-2C9E-03AE5F41205D} - C:\WINDOWS\xelre1.dll
O23 - Service: SysNih - Unknown owner - C:\DOCUME~1\dario\IMPOST~1\Temp\3.tmp (file missing)[/QUOTE]
Riavvia in modalità standard e controlla che le voci siano scomparse.
bReAkDoWn
13-11-2006, 21:51
secondo voi c'è qualcosa che non va? c'è un trojan che non riesco ad eliminare
grazie :D
Ci sono segni di un possibile passaggio di agent/lo
Prova ad eseguire questo: http://www.prevx.com/gromozon.asp
Poi fixa questi anche se essendo entrambi file missing non dovrebbe cambiare molto..
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\Documents and Settings\Amedeo\Desktop\101892816.dll (file missing)
O23 - Service: LogBbz - Unknown owner - C:\Programmi\File comuni\Services\CTi.exe (file missing)
Dacci anche qualche dettaglio in più su questo trojan che non riesci a eliminare, tipo quali sintomi dà, come hai tentato di eliminarlo ecc.
ragazzi trovate qualcosa di strano in questo log? il computer mi sembra rallentato e anche emule in down non va più come prima!
Logfile of HijackThis v1.99.1
Scan saved at 12.27.50, on 14/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Creative\SBLive\AudioHQ\AHQTBU.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\digicomt\Michelangelo USB ADSL\CnxDslTb.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\File comuni\PCSuite\Services\NclBTHandler.exe
C:\Programmi\Software Bluetooth\BTTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Opera\Opera.exe
C:\Documents and Settings\me stesso\Desktop\antivirus vari new\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Programmi\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AudioHQU] C:\Programmi\Creative\SBLive\AudioHQ\AHQTBU.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [kav] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\digicomt\Michelangelo USB ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Omnipage] C:\Programmi\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Programmi\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Software Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Outpost Firewall Pro Regolazione rapida - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programmi\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158232940203
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2E1BAA6-AAAC-4C8D-9A5D-5380BF6A295C}: NameServer = 85.37.17.58 85.38.28.94
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\Software Bluetooth\bin\btwdins.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
Ciao,
@ c.m.g
Non noto nulla di maligno nel tuo log ma hai troppi, (veramente troppi!) programmi in esacuzione automatica, (entry 04) oltre la meta forse più, non serve che si avviino con windows.
Togli tutti quelli che non ti servono in autostart (quasi tutti direi) e vedrai che dopo il pc vola! :p
Ciao,
@ c.m.g
Non noto nulla di maligno nel tuo log ma hai troppi, (veramente troppi!) programmi in esacuzione automatica, (entry 04) oltre la meta forse più, non serve che si avviino con windows.
Togli tutti quelli che non ti servono in autostart (quasi tutti direi) e vedrai che dopo il pc vola! :p
grazie del consiglio, se ti avessi quì ti offrirei da bere per la tua gentilezza, è bello vedere che c'è gente gentile come te.
cosa mi consiglieresti di eliminare in avvio secondo te?
grazie per le info.
Mavettor
14-11-2006, 12:21
Ragazzi, ho appena rimosso con SUPERantispyware un trojan idd.tmp solo che adesso il computer mi sembra piu' lento.................mi controllate per cortesia il log?
Logfile of HijackThis v1.99.1
Scan saved at 13.17.35, on 14/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Resources\Themes\DameK UltraBlue\Longhorn Clock\Yzdock.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
D:\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\ACD Systems\EN\DevDetectPE.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\TrojanHunter 4.6\THGuard.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
E:\Encarta 2006 premium\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Software Bluetooth\BTTray.exe
C:\Programmi\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\rundll32.exe
D:\Easy Notification 2.0\EasyNoti.exe
C:\Programmi\Objectdock\ObjectDock.exe
C:\Programmi\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Norton Antivirus 2004\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Norton Antivirus 2004\SAVScan.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Messenger\msmsgs.exe
E:\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.excite.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgilio.it/free
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O1 - Hosts: 72.232.140.20 www.winmx.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - (no file)
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Programmi\Accoona\ASearchAssist.dll
O2 - BHO: Encarta Web Companion Oggetto helper - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton Antivirus 2004\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Antivirus 2004\NavShExt.dll
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Programmi\Accoona\atoolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [LonghornClock] C:\WINDOWS\Resources\Themes\DameK UltraBlue\Longhorn Clock\Clock.lnk
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\fw_304.exe /i
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [TikBellExe] C:\WINDOWS\system32\rhothrl.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Device Detector PE] DevDetectPE.exe -autorun
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [VVSN] C:\Programmi\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Setup] C:\Programmi\Setup\Setup.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Programmi\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [E06IXLRD_2298296] "E:\Encarta 2006 premium\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE" -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Collegamento a EasyNoti.lnk = D:\Easy Notification 2.0\EasyNoti.exe
O4 - Startup: Easy Notification.lnk = C:\Programmi\Easy Notification 2.0\EasyNoti.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programmi\Objectdock\ObjectDock.exe
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &Download with &DAP - D:\DAP\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Software Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.virgilio.it/free
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_cracks.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121840063357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D843B80B-B96F-4C5E-A748-F9975EF5B1F5}: NameServer = 85.37.17.8 85.38.28.73
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - (no file)
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - D:\Norton Antivirus 2004\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Norton Antivirus 2004\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
grazie del consiglio...
Ciao,
ci sono vari modi, dipende dal livello di esperienza.
Per tutti consiglio "Spybot" che permette tra le sue opzioni, (utilità -> esecuzione automatica) di vedere tutti i programmi che si avviano con windows.
Sarà molto facile, facendo un po' di prove, togliere la spunta dalle varie voci, verificando così quelli che ci servono realmente. In caso di errore, sarà molto facile ripristinare la situazione precedente rimettendo la spunta sulle voci che si erano tolte.
P.S.
Spybot in italiano è qui: http://www.safer-networking.org/it/spybotsd/index.html
Ciao,
ci sono vari modi, dipende dal livello di esperienza.
Per tutti consiglio "Spybot" che permette tra le sue opzioni, (utilità -> esecuzione automatica) di vedere tutti i programmi che si avviano con windows.
Sarà molto facile, facendo un po' di prove, togliere la spunta dalle varie voci, verificando così quelli che ci servono realmente. In caso di errore, sarà molto facile ripristinare la situazione precedente rimettendo la spunta sulle voci che si erano tolte.
P.S.
Spybot in italiano è qui: http://www.safer-networking.org/it/spybotsd/index.html
grazie mille :winner:
tatovm2s
14-11-2006, 13:20
Prima di tutto prova a dare una passata con questo:
http://www.prevx.com/gromozon.asp e riporta qua sul forum il risultato ottenuto.
Poi vai in MODALITA' PROVVISORIA e:
Fixa, fra le seguenti voci, quelle che non hai messo tu:
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O4 - HKLM\..\Run: [cppc] C:\Documents and Settings\dario\Desktop\issimo\hl2crack.exe hide
Queste fixale sicuramente:
O2 - BHO: Class - {AEEBC458-F6E3-F86B-2C9E-03AE5F41205D} - C:\WINDOWS\xelre1.dll
O23 - Service: SysNih - Unknown owner - C:\DOCUME~1\dario\IMPOST~1\Temp\3.tmp (file missing)
Riavvia in modalità standard e controlla che le voci siano scomparse.[/QUOTE]
ciao grazie per la risposta. Ho provato il programmino che avevi scritto tu ma nn ha trovato nulla, però quando apro le pagine web vedo che quando carica nella barra sotto, dove esce a quale indirizzo si sta collegando, esce sempre un sito ad2.google e qualcosa e mi sembra strano. Poi scusa l'ignoranza, ma vado in modalità provvisoria (schiacciando F8 giusto?) e poi da lì cm faccio a fixare le voci che mi hai detto? Grazie
@ bReAkDoWn
Rieccomi finalmente all'opera,ecco il log di Avenger
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hbcmwdyo
*******************
Script file located at: \??\C:\WINDOWS\system32\gweykdof.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\dmvvg.exe not found!
Deletion of file C:\WINDOWS\system32\dmvvg.exe failed!
Could not process line:
C:\WINDOWS\system32\dmvvg.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
Chissà dove si nasconde...ciaoo
bReAkDoWn
14-11-2006, 15:54
@ bReAkDoWn
Rieccomi finalmente all'opera,ecco il log di Avenger
Finished! Terminate.
Chissà dove si nasconde...ciaoo
Quasi c'avrei scommesso, cmq tu continui ad avere problemi di.. ? redirezione di pagine?
bReAkDoWn
14-11-2006, 15:56
Riavvia in modalità standard e controlla che le voci siano scomparse.
ciao grazie per la risposta. Ho provato il programmino che avevi scritto tu ma nn ha trovato nulla, però quando apro le pagine web vedo che quando carica nella barra sotto, dove esce a quale indirizzo si sta collegando, esce sempre un sito ad2.google e qualcosa e mi sembra strano. Poi scusa l'ignoranza, ma vado in modalità provvisoria (schiacciando F8 giusto?) e poi da lì cm faccio a fixare le voci che mi hai detto? Grazie
sì la mod. prov. si attiva premendo f8 all'avvio del pc, subito prima che windows inizi a caricarsi. Poi esegui hijackthis, fai un log, selezioni le voci che ti ho riportato e premi "fix checked"..
tatovm2s
14-11-2006, 16:17
ok fatto, le voci sono scomparse, internet da oggi va meglio, però rimane ancora quella questione che mi esce un qualcosa riferito a google nel caricamento della pagina. Boh. Grazie comunque dell'aiuto, molto gentile. :)
redirezione di pagine?
Esatto,mi capita su google,se lascio il computer acceso(2 o 3 giorni)dopo alcune visite il problema svanisce.Le prime volte che ci passo mi reindirizza i primi 3-4 "clik".Ciaoo
evilogre
14-11-2006, 19:17
ciao.sono nuovo del forum e ho un problema.
ho fatto una scansione con hijackthis.non so come rimuovere questo spyware.
ecco a voi il log.help me please
Logfile of HijackThis v1.99.1
Scan saved at 19.24.15, on 13/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\fast.exe
C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\sescmgr.exe
C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrea\Documenti\HijackThis.exe
C:\Programmi\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tbnb1.exe] C:\WINDOWS\TEMP\tbnb1.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sescmgr.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: www.1987324.com
O15 - Trusted Zone: *.realsearch.cc
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NetYfa - Unknown owner - C:\WINDOWS\TEMP\1.tmp (file missing)
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SrvUui - Unknown owner - \\?\C:\Programmi\File comuni\Microsoft Shared\com7.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
bReAkDoWn
14-11-2006, 19:32
ok fatto, le voci sono scomparse, internet da oggi va meglio, però rimane ancora quella questione che mi esce un qualcosa riferito a google nel caricamento della pagina. Boh. Grazie comunque dell'aiuto, molto gentile. :)
E' molto probabile che in quelle pagine ci siano banner pubblicitari di Google. Quando carichi una pagina di un certo sito, possono esserci elementi caricati da server esterni, come contatori di visite, banner pubblicitari, ecc. In questo caso, vedere indirizzi di siti diversi nella barra di stato è normale.
bReAkDoWn
14-11-2006, 19:35
Esatto,mi capita su google,se lascio il computer acceso(2 o 3 giorni)dopo alcune visite il problema svanisce.Le prime volte che ci passo mi reindirizza i primi 3-4 "clik".Ciaoo
Tu fai una ricerca e poi quando clicchi sui risultati ti trovi su siti che non corrispondono?
FOXYLADY
14-11-2006, 20:06
@evilogre
Disattiva il ripristino di configurazione di win
apri hijackthis e vai in Open the misc tool section>open process manager, seleziona se presente questa voce
C:\WINDOWS\system32\sescmgr.exe
e premi il pulsante kill process
Poi rifai la scansione con hijack e fixa queste voci
O4 - HKLM\..\Run: [tbnb1.exe] C:\WINDOWS\TEMP\tbnb1.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sescmgr.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O15 - Trusted Zone: www.1987324.com
O15 - Trusted Zone: *.realsearch.cc
O23 - Service: NetYfa - Unknown owner - C:\WINDOWS\TEMP\1.tmp (file missing)
O23 - Service: SrvUui - Unknown owner - \\?\C:\Programmi\File comuni\Microsoft Shared\com7.exe (file missing
Fai una scansione con un antispyware, ad esempio AVG antispyware o Superantispyware.
Un aiuto per favore, non capisco perché ho tutte quelle voci 017
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\D-Link\AirPlus G\AirGCFG.exe
C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
G:\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmi\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programmi\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmi\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Programmi\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [aol] "C:\Programmi\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\nbj.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk.disabled
O4 - Global Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk.disabled
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk.disabled
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica selezionati con Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.pcn.minambiente.it/ecwplugins/ncs.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{164C3688-7B2E-4E14-B7AF-268EF92FAE81}: NameServer = 213.205.32.70,213.205.36.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{3437801E-AA14-4FAC-AAA1-E9836DDE11CB}: NameServer = 213.205.32.70,213.205.36.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF4F7F9-4013-4B4D-B0E0-F141447190AD}: NameServer = 213.205.32.70,213.205.36.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{164C3688-7B2E-4E14-B7AF-268EF92FAE81}: NameServer = 213.205.32.70,213.205.36.70
O17 - HKLM\System\CS2\Services\Tcpip\..\{164C3688-7B2E-4E14-B7AF-268EF92FAE81}: NameServer = 213.205.32.70,213.205.36.70
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Programmi\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programmi\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Programmi\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
aiutatemi per favore...sto avendo dei problemi stranissimi col mio pc....credo di essere vittima di un attacco da parte di esterni.... :(
Logfile of HijackThis v1.99.1
Scan saved at 23.54.32, on 14/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\PowerMenu\PowerMenu.exe
C:\Programmi\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmi\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\UPHClean\uphclean.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programmi\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Toro\Documenti\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: PowerMenu.lnk = C:\Programmi\PowerMenu\PowerMenu.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Programmi\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Programmi\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Programmi\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Programmi\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Programmi\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Programmi\ieSpell\iespell.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Programmi\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programmi\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AB7A99F-929C-43B2-B017-A97611C05E07}: NameServer = 85.37.17.49 85.38.28.91
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
Tu fai una ricerca e poi quando clicchi sui risultati ti trovi su siti che non corrispondono?
Proprio così,sento il "clik" due volte consecutive e la pagina nn corrisponde(anche facedo "apri in un'altra finestra).Dopo 3-4 tentativi il clik è come sempre singolo e l'indirizzo segnalato corrisponde nella pagina aperta.Ciaoo
Astrolina
15-11-2006, 14:46
Per Astrolina: Non so se sta bene ora il sistema però so che come antivirus norton è uno dei peggiori perchè rallenta il 50% del pc,non aggiorna spesso le definizioni,non trova le minaccie più recenti,il firewall è sufficiente per la protezione ecc...
Il pc per stare completamente bene devi tenere un antivirus come kaspersky o nod32 (a pagamento) e come antispyware adware se personal e spybot search & destroy(gratuiti).
Poi avvolte devi eseguire delle puliture disco,delle deframmentazioni e degli scan disk. E per finire installati anche un programma molto buono che serve per eliminare i file inutili che occupano solo memoria e l'instabilità del sistema questo programma si chiama CCLEANER scaricabile gratuitamente.
Spero possa esserti d'aiuto
Ti ringrazio molto, seguirò i tuoi consigli!
Come da titolo...
Logfile of HijackThis v1.99.1
Scan saved at 21.05.34, on 15/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Internet\Kaspersky Antivirus\avp.exe
E:\Ufficio\Omnipage Pro 15\Opware15.exe
E:\Internet\Kaspersky Antivirus\avp.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
E:\Internet\eMule\emule.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Roby\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tin.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [kav] "E:\Internet\Kaspersky Antivirus\avp.exe"
O4 - HKLM\..\Run: [Opware15] "E:\Ufficio\Omnipage Pro 15\Opware15.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\Ufficio\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Internet\Kaspersky Antivirus\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163252877421
O17 - HKLM\System\CCS\Services\Tcpip\..\{668A4C16-3C95-4198-AB40-31F13BE3552B}: NameServer = 212.216.112.112,212.216.172.62
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Internet\Kaspersky Antivirus\avp.exe" -r (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programmi\File comuni\SureThing Shared\stllssvr.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - E:\Sistema\TuneUp Utilities 2006\WinStylerThemeSvc.exe
FOXYLADY
15-11-2006, 20:14
...
Pulito.
FOXYLADY
15-11-2006, 20:19
....
A me sembri pulito, che problemi riscontri esattamente?
FOXYLADY
15-11-2006, 20:24
Un aiuto per favore, non capisco perché ho tutte quelle voci 017
Non so perchè ne hai 4, comunque sono i dns di tiscali.
FOXYLADY
15-11-2006, 20:46
....
Disabilita il ripristino configurazione di sistema di winxp e fixa queste voci
O1 - Hosts: 72.232.140.20 www.winmx.com
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Programmi\Accoona\ASearchAssist.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Programmi\Accoona\ASearchAssist.dll
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Programmi\Accoona\atoolbar.dll
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\fw_304.exe /i
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [TikBellExe] C:\WINDOWS\system32\rhothrl.exe
O4 - HKLM\..\Run: [VVSN] C:\Programmi\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Setup] C:\Programmi\Setup\Setup.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M.../bridge-c18.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_cracks.cab
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - (no file)
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
Scarica AVG antispyware
http://www.ewido.net/en/download/
installalo e fai una scansione.
Poi riposta un log di hijackthis.
Mavettor
15-11-2006, 21:23
Grazie, fatto quanto da te suggerito, come ti sembra adesso?
Byez
Logfile of HijackThis v1.99.1
Scan saved at 22.21.59, on 15/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Resources\Themes\DameK UltraBlue\Longhorn Clock\Yzdock.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
D:\Logitech\iTouch\iTouch.exe
C:\Programmi\File comuni\ACD Systems\EN\DevDetectPE.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
E:\Encarta 2006 premium\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Software Bluetooth\BTTray.exe
C:\Programmi\SEC\Natural Color\NaturalColorLoad.exe
C:\Programmi\Easy Notification 2.0\EasyNoti.exe
C:\Programmi\Objectdock\ObjectDock.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
D:\PROGRA~1\Webshots\webshots.scr
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Sicurezza\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.excite.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgilio.it/free
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - (no file)
O2 - BHO: Encarta Web Companion Oggetto helper - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [LonghornClock] C:\WINDOWS\Resources\Themes\DameK UltraBlue\Longhorn Clock\Clock.lnk
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Device Detector PE] DevDetectPE.exe -autorun
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [E06IXLRD_2298296] "E:\Encarta 2006 premium\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE" -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Collegamento a EasyNoti.lnk = D:\Easy Notification 2.0\EasyNoti.exe
O4 - Startup: Easy Notification.lnk = C:\Programmi\Easy Notification 2.0\EasyNoti.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programmi\Objectdock\ObjectDock.exe
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &Download with &DAP - D:\DAP\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Software Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgilio.it/free
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121840063357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D843B80B-B96F-4C5E-A748-F9975EF5B1F5}: NameServer = 85.37.17.8 85.38.28.73
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\Software Bluetooth\bin\btwdins.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
FOXYLADY
15-11-2006, 21:53
Adesso il tuo log è pulito, questo lo puoi fixare perchè inutile
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - (no file)
;)
Mavettor
15-11-2006, 21:58
Adesso il tuo log è pulito, questo lo puoi fixare perchè inutile
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - (no file)
;)
Grazie mille!
byez
A me sembri pulito, che problemi riscontri esattamente?
ho avuto diversi problemi ieri nell'apertura di cartelle o finestre in windows, cioè proprio non mi apriva nulla, inoltre quando cliccavo in un punto vuoto del desktop all'uscita del menù a tendina erano sparite la gran parte delle voci normalmente presenti....
cosa poteva essere?
FOXYLADY
15-11-2006, 22:33
:boh:
Magari era solo un problema di windows e riavviando è tornato tutto a posto.
Il tuo log l'ho ricontrollato ed è a posto, se hai dei dubbi fai una scansione online qui
http://www.kaspersky.com/virusscanner
Non so perchè ne hai 4, comunque sono i dns di tiscali.
Non lo so nemmeno io :ciapet:
Cmq ne ho sempre avuto uno, ho anche controllato in un vecchio log di HJ. Ho fixato gli ultimi 3 e mi é scomparso pure il primo. Ho inserito nuovamente i dns di Tiscali nella finestra della connessione e adesso ricontrollando con HJ sono ritornato ad averne uno.
Un pò mi preoccupa la cosa. A cosa potrebbe essere dovuto?
ciciolo1974
16-11-2006, 09:00
Salve. E' da un paio di giorni che ogni tanto mi capita, all' avvio, che ogni 4 secondi il pc si inchiodi per una frazione di secondo. Risolvo solo con un riavvio. Uso kaspersky 6.0 e comodo firewall, oltre a windows defender e spybot per controllare se qualcosa scappa ai primi.
Posto un log di hijackthis:
Logfile of HijackThis v1.99.0
Scan saved at 9.43.58, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Comodo\Firewall\CPF.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Mediafour\MacDrive\MDDiskProtect.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\freepops\freepopsd.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\Comodo\Firewall\cmdagent.exe
D:\Scaricati\Yz Dock 0.8.3\YzDock.exe
D:\ENZO\modding vista\YzToolbar\yztbr103\YzToolBar.exe
C:\Programmi\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Enzo\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [kis] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programmi\File comuni\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Programmi\File comuni\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Programmi\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Programmi\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Collegamento a freepopsd.lnk = D:\freepops\freepopsd.exe
O4 - Startup: Collegamento a YzDock.lnk = D:\Scaricati\Yz Dock 0.8.3\YzDock.exe
O4 - Startup: Collegamento a YzToolBar.exe.lnk = D:\ENZO\modding vista\YzToolbar\yztbr103\YzToolBar.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Aggiungi a Kaspersky Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con il Wizard di LeechGet - file://C:\Programmi\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: Scarica con LeechGet - file://C:\Programmi\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Scarica pagina con LeechGet - file://C:\Programmi\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157213929453
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 6.0 - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Comodo Application Agent - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lsdiorw - Unknown - C:\PROGRA~1\LS_DUHEM\lsdiorw\lsdiorw2.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server - Unknown - C:\Programmi\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) - Unknown - C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
Grazie dell' aiuto
Salve, sono stato avvisato più volte dalla finestra di errorsafe ma non l'ho mai aperta, ho fatto un log e sembra non si sia nulla di anomalo, potreste darci un occhiata e dirmi se mi è sfuggito qualcosa e se siete d'accordo?
Logfile of HijackThis v1.99.1
Scan saved at 10.29.50, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Programmi\Save\Save.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Edu\Documenti\UTorrent\utorrent.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Edu\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programmi\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Programmi\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Programmi\Save\Save.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E407E16-217F-4430-B369-1395E0F43053}: NameServer = 62.211.69.150 212.48.4.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1F376A2-2C81-459B-ABEC-C90D7DC1A32F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E407E16-217F-4430-B369-1395E0F43053}: NameServer = 62.211.69.150 212.48.4.15
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Sbaffini
16-11-2006, 11:54
posto il log, come suggerito da skunkworks 68
Logfile of HijackThis v1.99.1
Scan saved at 12.49.13, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\system32\sescmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi set up\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Programmi\DeluxeCommunications\DxcBho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Programmi\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P 2006] Geheimakte Tunguska
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sescmgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Programmi\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: *.realsearch.cc
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142957039734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8C2AC6-E7AD-4D3E-B91F-F6F6D373B4CC}: NameServer = 193.12.150.2 212.247.152.2
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
SkunkWorks 68
16-11-2006, 12:29
C:\WINDOWS\system32\"sescmgr.exe"
Questo è collegato ad un trojan(quindi l'exe è da cercare ed eliminare da provvisoria con la funzione cerca di Win abilitando la ricerca anche sui files nascosti e di sistema)
"R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Programmi\DeluxeCommunications\DxcBho.dll"
Fixa questa,è collegata ad uno spyware:
http://411-spyware.com/italiano/remove-deluxecommunications
Da fixare anche:
"O4 - HKLM\..\Run: [DeluxeCommunications] C:\Programmi\DeluxeCommunications\Dxc.exe"
"O4 - HKLM\..\Run: [I downloaded pirated Software from P2P 2006] Geheimakte Tunguska"( :stordita: )
"O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sescmgr.exe"
"O4 - HKCU\..\Run: [DeluxeCommunications] C:\Programmi\DeluxeCommunications\Dxc.exe"
"O15 - Trusted Zone: *.realsearch.cc"
"O20 - AppInit_DLLs: dxclib303562752.dll"
Dai anche una passata con Superantispyware che è decisamente potente...
Ciao
FOXYLADY
16-11-2006, 14:51
....
Hai l'adaware savenow, fixa questa
O4 - HKCU\..\Run: [WhenUSave] "C:\Programmi\Save\Save.exe"
e fai una scansione con un antispyware.
Vi allego il logo, ma prima vi illustro il problema:
Grosso problema, mi sa che ho preso un altro rootkit... In breve:
- all'avvio di windows, il caricamento procede fino alla schermata con la barra di caricamento verde sotto il logo xp, poi lo schermo diventa nero e il pc non da più segno di vita;
- entro in modalità provvisoria, e alla schermata di ingresso ci trovo un nuovo utente Administrator, che non dovrebbe esistere: do il comando control userpasswords2 da esegui e mi mostra effettivamente questo sedicente utente administrator, ma quando cerco di eliminarlo l'operazione fallisce;
- nel frattempo, controllando la cartelal Impostazioni locali, ci trovo due file temporanei pxr1.tmp e pxr2.tmp; sono riuscito a cancellarli, ma nulal di fatto.
E ora il log
Logfile of HijackThis v1.99.1
Scan saved at 16.40.15, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Roby\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tin.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Opware15] "E:\Ufficio\Omnipage Pro 15\Opware15.exe"
O4 - HKLM\..\Run: [PrevxRootkitRemovalTool] "C:\Documents and Settings\Roby\Desktop\Killgro\1-PRV-Fgro.exe" -scan
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] E:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\Ufficio\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Internet\Kaspersky Antivirus\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163252877421
O17 - HKLM\System\CCS\Services\Tcpip\..\{668A4C16-3C95-4198-AB40-31F13BE3552B}: NameServer = 212.216.112.112,212.216.172.62
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Internet\Kaspersky Antivirus\avp.exe" -r (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programmi\File comuni\SureThing Shared\stllssvr.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - E:\Sistema\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - E:\VEXPLITE\viritsvc.exe
Sbaffini
16-11-2006, 16:54
ecco il log, che mi consigli?
adesso che ci faccio caso, le voci che mi hai indicato prima non ci sono più; avessi risolto senza accrogermene... tutto sommato non mi stupirebbe.
come va, è pulito?
Logfile of HijackThis v1.99.1
Scan saved at 17.48.44, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi set up\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142957039734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C8C2AC6-E7AD-4D3E-B91F-F6F6D373B4CC}: NameServer = 193.12.150.2 212.247.152.2
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Gestione sessione di assistenza mediante desktop remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
SkunkWorks 68
16-11-2006, 17:27
ecco il log, che mi consigli?
adesso che ci faccio caso, le voci che mi hai indicato prima non ci sono più; avessi risolto senza accrogermene... tutto sommato non mi stupirebbe.
come va, è pulito?
Meglio,molto meglio :)
Io controllerei ancora questa:
"R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)"(prova a fixarla e vedere come va,al limite ripristini...)
Dovrebbe andare molto meglio,ora...
Ciao
Sbaffini
16-11-2006, 17:46
fatto, ho tolto anche quella.
sembra vada tutto bene!
grazie, sei un mito!
ciao
SkunkWorks 68
16-11-2006, 17:55
fatto, ho tolto anche quella.
sembra vada tutto bene!
grazie, sei un mito!
ciao
Bene :)
Occhio sempre agli aggiornamenti(di Windows e dell'Antivirus) e io consiglio sempre un browser alternativo ad IE 6 per navigare(vedi Mozilla-magari con le estensioni ad block e no-script,Opera o K-Meleon)un buon Antispyware.Io utilizzo il firewall di Win XP,dietro Router.Occhio sempre a quello che si scarica,ovvio-al 99% sei a posto.
Ciao
FOXYLADY
16-11-2006, 18:07
.....
Il tuo log è pulito, l'unica cosa che noto è che hai moltissimi processi in avvio automatico, ben 25, forse potresti provare a sfoltire un pò.
Sto risolvendo forse... ora il log è coem segue
Logfile of HijackThis v1.99.1
Scan saved at 20.55.42, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Ufficio\Omnipage Pro 15\Opware15.exe
E:\Internet\Kaspersky Antivirus\avp.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Internet\Kaspersky Antivirus\avp.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\Roby\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tin.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Opware15] "E:\Ufficio\Omnipage Pro 15\Opware15.exe"
O4 - HKLM\..\Run: [kav] "E:\Internet\Kaspersky Antivirus\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Grafica\Adobe Acrobat 7.0 Profesisonal\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\Ufficio\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://E:\Ufficio\Canon Pixma IP4200\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Internet\Kaspersky Antivirus\scieplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163252877421
O17 - HKLM\System\CCS\Services\Tcpip\..\{668A4C16-3C95-4198-AB40-31F13BE3552B}: NameServer = 212.216.112.112,212.216.172.62
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Internet\Kaspersky Antivirus\avp.exe" -r (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Programmi\File comuni\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Programmi\File comuni\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programmi\File comuni\SureThing Shared\stllssvr.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - E:\Sistema\TuneUp Utilities 2006\WinStylerThemeSvc.exe
Una voce mi sembra sospetta:
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Internet\Kaspersky Antivirus\avp.exe" -r (file missing)
infatti mi trovo due servizi teoricamente appartenenti a Kaspersky anche nel tesk manager... che ne dite?
bReAkDoWn
16-11-2006, 20:17
Sto risolvendo forse... ora il log è coem segue
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Internet\Kaspersky Antivirus\avp.exe" -r (file missing)
infatti mi trovo due servizi teoricamente appartenenti a Kaspersky anche nel tesk manager... che ne dite?
Il log è pulito. Potresti aprire services.msc e controllare lo stato del servizio kaspersky antivirus pro? Non perchè sia pericoloso, ma perchè secondo me è hijackthis che si confonde dicendo file missing. Se è avviato è tutto ok. E poi se guardi nella cartella E:\Internet\Kaspersky Antivirus vedrai che avp.exe è presente.
Ci sono segni di un possibile passaggio di agent/lo
Prova ad eseguire questo: http://www.prevx.com/gromozon.asp
Poi fixa questi anche se essendo entrambi file missing non dovrebbe cambiare molto..
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\Documents and Settings\Amedeo\Desktop\101892816.dll (file missing)
O23 - Service: LogBbz - Unknown owner - C:\Programmi\File comuni\Services\CTi.exe (file missing)
Dacci anche qualche dettaglio in più su questo trojan che non riesci a eliminare, tipo quali sintomi dà, come hai tentato di eliminarlo ecc.
scusa se rispondo in ritardo ma ho risolto il problema. praticamente avevo un utente in + in documents and settings e non riuscivo a eliminarlo.
grazie cmq per l'aiuto
ciciolo1974
17-11-2006, 07:25
Il tuo log è pulito, l'unica cosa che noto è che hai moltissimi processi in avvio automatico, ben 25, forse potresti provare a sfoltire un pò.
Grazie
Si, sono un pò troppi effettivamente..vedrò di ridurre un pò ;)
Inlogitech
17-11-2006, 08:35
3d utilissimo l'ho scoperto solo stamattina grazie a mio fratello....... adesso posto il mio log e vediamo che schifezze ci sono (io nn c'ho capito nulla :D )
Logfile of HijackThis v1.99.1
Scan saved at 9.29.15, on 17/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\D-Tools\daemon.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Yota\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programmi\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SmartGuardian] C:\Programmi\ITE\Smart Guardian\ITESmart.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programmi\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programmi\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
SkunkWorks 68
17-11-2006, 08:58
3d utilissimo l'ho scoperto solo stamattina grazie a mio fratello....... adesso posto il mio log e vediamo che schifezze ci sono (io nn c'ho capito nulla :D )Logfile of HijackThis v1.99.1
Scan saved at 9.29.15, on 17/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Complimenti,il log è a posto,nonostante tu non abbia il SP 2 installato(che fortuna,o estrema accortezza :) )
Al limite queste potresti fixarle(c'è sempre il buon back-up),se vuoi,ma se non hai problemi di sorta non toccare niente:
"O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)"
"O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)"
"O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)"
Ciao
Logfile of HijackThis v1.99.1
Scan saved at 10.03.51, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Norton Internet Security\NISUM.EXE
C:\Programmi\Sandboxie\SandboxieServer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Programmi\CpuIdle\Crack\cpuidle.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Programmi\Norton Internet Security\NISSERV.EXE
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSCNo.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\VTRADER\VTTOOLS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Programmi\a2 Free\a2start.exe
C:\Programmi\a2 Free\a2scan.exe
C:\Documents and Settings\Scud\Documenti\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://it.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwbank.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://it.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://it.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://it.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwbank.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://it.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [CpuIdle] C:\Programmi\CpuIdle\Crack\cpuidle.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmi\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmi\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan/it/activescan_principal.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/103404d8a17ad398f922/netzip/RdxIE601_it.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2759281-35B0-46D7-9D34-F758EEF16FBF}: NameServer = 62.211.69.150,212.48.4.15
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Programmi\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programmi\Norton Internet Security\NISUM.EXE
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Programmi\Sandboxie\SandboxieServer.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
federico_78
17-11-2006, 11:51
Zone Alarm mi ha messo in quarantena questi 2 trojan: Win32.Application.Adware.WinAntiVirus
Win32.Application.Adware.KooWo
Questo è il mio log. Mi ci date un occhiata:
CIAO!
Logfile of HijackThis v1.99.1
Scan saved at 12.41.12, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Norton Utilities\NPROTECT.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\Eset\nod32kui.exe
C:\programmi\softwin\bitdefender8\bdnagent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\SOPHTEMP\sargui.exe
C:\Programmi\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BDNewsAgent] "c:\programmi\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122916063246
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A42CC2D-E30A-46E2-AAC7-D2D4E10227E0}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmi\Norton Utilities\NPROTECT.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Salve a tutti, ho un problema con un maledetto dialer: ogni volta ke mi connetto ad internet (Alice ADSL) mi appare un'icona a sfondo bianco cn 2 labbra rosse, e digisoft Antidialer mi interrompe la connessione perchè nn è un numero ammesso, dato ke tenta di connettersi ad un 899. Se vi posto il log di HijackThis ke ne dite di darmi una mano x risolvere il problema? :help: :help:
Logfile of HijackThis v1.99.1
Scan saved at 13.10.39, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\service32.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\MSI\Live Update 3\LMonitor.exe
C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Antonio\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmi\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmi\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LiveMonitor] C:\Programmi\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digisoft AntiDialer.lnk = C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Programmi\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
Grazie mille!!! :D :D
bReAkDoWn
17-11-2006, 13:25
Salve a tutti, ho un problema con un maledetto dialer: ogni volta ke mi connetto ad internet (Alice ADSL) mi appare un'icona a sfondo bianco cn 2 labbra rosse, e digisoft Antidialer mi interrompe la connessione perchè nn è un numero ammesso, dato ke tenta di connettersi ad un 899. Se vi posto il log di HijackThis ke ne dite di darmi una mano x risolvere il problema? :help: :help:
C:\WINDOWS\service32.exe
Scarica killbox (www.killbox.net) e prova a cancellare quel file con l'opzione standard file kill oppure delete on reboot. Verifica che il file sia effettivamente stato cancellato.
Poi esegui regedit (start menu -> esegui -> regedit), vai alla seguente chiave HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
e se c'è un riferimento a C:\WINDOWS\service32.exe eliminalo. (elimina solo quello, non tutta la chiave, cioè soltanto il valore che si trova nella sezione destra di regedit).
Per qualsiasi dubbio chiedi pure qua.
Ciao!
FOXYLADY
17-11-2006, 16:37
....
Il tuo log mi sembra pulito, solo i dns mi lasciano perplesso,
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2759281-35B0-46D7-9D34-F758EEF16FBF}: NameServer = 62.211.69.150,212.48.4.15
62.211.69.150 appartiene a Tin, l'altro 212.48.4.15 è registrato a nome MATRIXNET che non so cosa sia, aspetta il consiglio di qualche esperto.
FOXYLADY
17-11-2006, 16:39
....
Il log è pulito ;)
Salve un mio amico ha dei problemi al pc gli potete esaminare il suo log?
Logfile of HijackThis v1.99.1
Scan saved at 17.43.49, on 17/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Programmi\Lemoncast\lemoncast.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\File comuni\Ravisent Shared\cinetray.exe
C:\Programmi\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
C:\Programmi\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Agostino\Documenti\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gw.aliceadsl.it/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gw.aliceadsl.it/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programmi\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Programmi\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programmi\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SweetIM] C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [eDonkey2000] C:\Programmi\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [PCTVRemote] C:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [Windows Update] Windowsupfixer.exe
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] Pro Evolution Soccer 6
O4 - HKLM\..\Run: [Windows Services] "C:\Programmi\svchosts.exe"
O4 - HKLM\..\Run: [carpediem] C:\Programmi\Lemoncast\lemoncast.exe
O4 - HKLM\..\RunServices: [Windows Update] Windowsupfixer.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Cinetray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O4 - Global Startup: Porta Symantec Fax Starter Edition.lnk = C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
O4 - Global Startup: Watch.lnk = C:\Programmi\Mustek 1200 UB Plus\Driver\WATCH.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/230?74133293138f4217a432b33e061af6ee
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/229?74133293138f4217a432b33e061af6ee
O9 - Extra button: Europa Casino - {4C826F10-D34B-4ba8-B609-1FB8C6482A05} - C:\Casino\Europa Casino\casino.exe
O9 - Extra 'Tools' menuitem: Europa Casino - {4C826F10-D34B-4ba8-B609-1FB8C6482A05} - C:\Casino\Europa Casino\casino.exe
O9 - Extra button: Alice - {E09247A1-D579-41CC-865A-7EBA13694D66} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E98F17B-1CD6-4B6D-984E-EF7F777FFB1D}: NameServer = 81.74.236.46 81.74.236.45
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E98F17B-1CD6-4B6D-984E-EF7F777FFB1D}: NameServer = 81.74.236.46 81.74.236.45
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
FOXYLADY
17-11-2006, 16:59
Ciao raffree,
il problema del tuo amico è che non ha un sistema aggiornato....oggi non è veramente più possibile navigare con un xp senza il sevicepack 2, lui non ha nemmeno l'1 :mc:
Comunque dal log si vedono diverse infezioni, io direi di incominciare (se non l'hai già fatto) col fare scansioni coi programmi suggeriti da eraser in questo post
http://www.hwupgrade.it/forum/showthread.php?t=1142673
terminato il tutto riposta un log di hijackthis per vedere se la situazione è migliorata.
P.S.
Le scansioni è meglio farle in modalità provvisoria e con il ripristino di xp disattivato ;)
Posto anch'io il log, ma anche se non ci capisco molto con questo programma dando un occhiata sembra tutto apposto
Logfile of HijackThis v1.99.1
Scan saved at 18.05.06, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\eMule\eMule.exe
C:\Documents and Settings\Admin\Documenti\Peace&Protection_Sctipt\mIRC.exe
C:\Programmi\Winamp\winamp.exe
C:\WINDOWS\system32\ctpdesrv.exe
C:\Documents and Settings\Admin\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.petrrsqpzbvmnkcklxbmu.net/tNNkJAIEBaxfLDQSxNAJpC8HqcvYlI6uMBryJL96/Wri/O9URXyibthY/ZbAQstb.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/home/indexbb.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D481B5E0-0E82-530A-2F23-CEC145834FE2} - (no file)
O3 - Toolbar: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Firefox Preloader.lnk = C:\Programmi\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{60C68FF8-B44B-4AB8-B13D-B63596205E38}: NameServer = 85.37.17.46 85.38.28.84
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Grazie a tutti.
Gabrillo
17-11-2006, 17:07
Salve a tutti
Ho appena fatto una scansione... qualcuno mi può dire se il mio log è a posto?? Grazie :)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Creative\MediaSource\Detector\CTDetect.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi vari\Immagini Programmi sicurezza\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gw.aliceadsl.it/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PhilipsDM] "C:\Programmi\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Piracy] "C:\WINDOWS\SysUtil.exe" /PIRACY
O4 - HKCU\..\Run: [Creative Detector] C:\Programmi\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: Alice - {BFB03567-E0C6-489D-B725-0F6B606E0F42} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA5E68C2-974B-4E2B-884C-428984DAD688}: NameServer = 85.37.17.8 85.38.28.73
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe
FOXYLADY
17-11-2006, 17:22
.....
Nel tuo log mi salta all'occhio questo
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG1
questa speedbar è considerata da alcuni antispyware come un adaware, quindi da eliminare.
Questi non sono pericolosi, ma li puoi fixare perchè inutili
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - (no file)
O2 - BHO: (no name) - {D481B5E0-0E82-530A-2F23-CEC145834FE2} - (no file)
O3 - Toolbar: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - (no file)
FOXYLADY
17-11-2006, 17:25
....
Il tuo log è pulito ;)
ho fixato gli ultimi 4 che mi hai segnalato, ma la speedbar come faccio a rimuoverla? grazie FOXLADY.
Sono nuovo della discussione ma il mio problema sembra di molti. Dopo la scansione con Spybot mi viene rilevato sempre "citofarera" e "sfonditalia". Ho avviato HijackThis e queto è il file log salvato.
Qualcuno puo' darmi una mano?
Logfile of HijackThis v1.99.1
Scan saved at 20.07.51, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\CpuIdle\cpuidle.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programmi\Saitek\Software\Profiler.exe
C:\Programmi\Saitek\Software\SaiSmart.exe
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Programmi\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Softick\PPP\Bin\PPPGate.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\calendario\Rainlendar.exe
C:\Programmi\StopDialers\StopDialers.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CpuIdle] C:\Programmi\CpuIdle\cpuidle.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Profiler] C:\Programmi\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Programmi\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Programmi\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SoftickPPP] "C:\Programmi\Softick\PPP\Bin\PPPGate.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Disk Cleaner.lnk = C:\Programmi\Disk Cleaner\dclean.exe
O4 - Startup: Rainlendar.lnk = C:\calendario\Rainlendar.exe
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialers.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: LG SyncManager.lnk = ?
O9 - Extra button: Outpost Firewall Pro Regolazione rapida - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programmi\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: DirectX Service (DirectJejh) - Unknown owner - c:\windows\system32\directx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Grazie a tutti.
FOXYLADY
17-11-2006, 20:25
Disattiva il ripristino di xp,
fixa queste due voci
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: DirectX Service (DirectJejh) - Unknown owner - c:\windows\system32\directx.exe (file missing)
e fai una scansione in modalità provvisoria con AVG antispyware
http://www.ewido.net/en/download/
Ecco il mio log....ho un trojan horse downloader.swizzor.8.Bk da circa un mese e con AVG antivirus dopo averlo eliminato torna e cosi una volta all'ora!! :mad: ...ho anche disabilitato il ripristino di configurazione del sistema e poi fatto la scansione dell'intero sistema anche con spyware terminator ma questo cavolo di trojan torna sempre...posto il log ditemi se vedete qualcosa o avete qualche idea per aiutarmi....
Logfile of HijackThis v1.99.1
Scan saved at 14.09.31, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Traverso Cristian\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Programmi\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\b
bReAkDoWn
18-11-2006, 13:20
Ecco il mio log....ho un trojan horse downloader.swizzor.8.Bk da circa un mese e con AVG antivirus dopo averlo eliminato torna e cosi una volta all'ora!! :mad: ...ho anche disabilitato il ripristino di configurazione del sistema e poi fatto la scansione dell'intero sistema anche con spyware terminator ma questo cavolo di trojan torna sempre...posto il log ditemi se vedete qualcosa o avete qualche idea per aiutarmi....
Non mi pare completo questo log, come se mancasse la parte finale. Ma fai così, invece di rifarlo, potresti:
Scaricare gmer (www.gmer.net) e fare due scansioni: rootkit e autostart, copiare i risultati (gmer ha direttamente il pulsante copy) e incollarli in un messaggio qua sul forum. Assicurati che in entrambe le scansioni NON sia selezionata l'opzione show all. Infine, mentre fai la scansione rootkit non utilizzare il pc e chiudi tutte le applicazioni che puoi.
Inoltre ti ricordi su quali file avg trova l'infezione?
BranMakMorn
18-11-2006, 14:13
Una domanda rapidissima, il PC funziona bene, ma uso il programma da poco e volevo solo sapere che devo fare di queste voci che non riesco a identificare: Li fixo e basta?
O2 - BHO: (no name) - {2EE23CB4-E144-4584-AB0E-2337A1A524ED} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8BADF3FF-B9E2-46F6-90D9-83C2B1FD7A8B} - (no file)
O2 - BHO: (no name) - {973556E0-5052-4218-B551-E29BDDFAC7DA} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CDB6975-066C-47DE-A7AD-D9FA341D240B}: NameServer = 212.216.172.62,212.216.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB4310A8-CAFB-4CA1-8B2A-E78712691707}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CDB6975-066C-47DE-A7AD-D9FA341D240B}: NameServer = 212.216.172.62,212.216.112.112
Grazie mille :)
FOXYLADY
18-11-2006, 16:43
O2 - BHO: (no name) - {2EE23CB4-E144-4584-AB0E-2337A1A524ED} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8BADF3FF-B9E2-46F6-90D9-83C2B1FD7A8B} - (no file)
O2 - BHO: (no name) - {973556E0-5052-4218-B551-E29BDDFAC7DA} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB4310A8-CAFB-4CA1-8B2A-E78712691707}: NameServer = 194.204.159.1,194.204.152.34
Fixa solo queste
FOXYLADY
18-11-2006, 16:57
ho fixato gli ultimi 4 che mi hai segnalato, ma la speedbar come faccio a rimuoverla? grazie FOXLADY.
Incomincia col fixarla in hijackthis,
poi vai in pannello di controllo>installazione applicazioni e verifica se ci sono elementi del tipo
My Search Bar
MyWay Speed Bar
My Web Search Bar
My Way Search Assistant
o altra voce simile, nel caso disinstallali.
Poi fai una scansione con un antispyware ed una pulizia con ccleaner.
Posto il log, non ci capisco molto quindi mi fido di voi.Il problema e il seguente:
File:
C:\Programmi\eMule\Incoming\setup.exe
Virus:
Probabilemte una variante di Win32/Medbot.CH cavallo di troia
Commento:
Evento occorso durante la creazione del file.Il file è stato inserito nella quarantena.Puoi chiudere questa finestra.
Log:
Logfile of HijackThis v1.99.1
Scan saved at 22.01.01, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Mixer.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\LuCHeZarD\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Programmi\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Programmi\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [eBayToolbar] C:\Programmi\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Programmi\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [lycosInside] C:\Converted Music\lycos\Lyc_SysTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130007884298
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B802BF3-5EC0-485B-BAFE-677CB253D187}: NameServer = 151.99.250.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F010F07A-1F0E-4DD5-AF6B-2DED73563844}: NameServer = 193.70.192.25,193.70.152.25
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
FOXYLADY
18-11-2006, 21:23
Il tuo log mi sembra pulito, non ci sono infezioni attive presenti nel tuo PC, può essere che uno dei file scaricati con emule contenga un virus o trojan, ma comunque non è attivo nel tuo sistema, altrimenti il log di hijackthis evidenzierebbe problemi.
Dovresti cercare di capire quale file tra quelli scaricati con emule, ha generato quell'avviso ed eliminarlo manualmente.
mr. vertigo
18-11-2006, 22:33
Grazie, ecco il log.
mr. vertigo
Logfile of HijackThis v1.99.1
Scan saved at 23.20.05, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\oobe\setup\smss.exe
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\atievxx.exe
C:\Programmi\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Documents and Settings\massimo\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O5 "LPT1:" /M "Stylus C86"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Regolazione rapida - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programmi\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163768655570
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - %windir%\system32\oobe\setup\csrss.exe" /service (file missing)
FOXYLADY
19-11-2006, 09:07
L'unica cosa che mi lascia perplesso :mbe: è quel smss.exe presente in
C:\WINDOWS\system32\oobe\setup\
Prova a farlo analizzare qui
http://www.virustotal.com/en/indexf.html
upAYB[1].int
4d5e3b.exe
17111.exe
Questi sono i 3 file che ogni volta che accendo il computer sono infetti.
Ecco il log completo sorry:
Logfile of HijackThis v1.99.1
Scan saved at 10.56.09, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Traverso Cristian\Desktop\Utility\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Programmi\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
mr. vertigo
19-11-2006, 10:44
grazie dell'interessamento e del consiglio, ma ci sono delle novità. allora: ho fatto una scansione con cureit di doctor web (preso dal sito di hardware upgrade) e mi ha identificato come virus proprio csrss.exe, posto nella stessa cartella di smss.exe ossia c\windows\system32\oobe\setup. per sicurezza ne ho prima fatto una copia sul desktop e poi ho eliminato csrss: al riavvio non compariva più la maledetta finestra del "can't load...". l'unica cosa mi dava la rete assente o limitata, perciò ho staccato e riattaccato il cavo di rete (uso fastweb) e si è subito ricollegato. può essere che smss sia un processo consentito di windows (in questo momento va) e csrss un intruso? secondo te posso buttarne via anche la copia visto che la sua eliminazione non sembra aver danneggiato nulla? infine: come faccio a fare lo scan con il link che mi hai dato? dal sito allegavo il file smss.exe, davo il via ma non succedeva nulla. e via email quando andavo ad allegarlo nella directory specificata non risultava (vedevo solo i .dll): devo farne una copia da un'altra parte, comprimerla e allegarla? eh, quanta confusione domenica mattina!
grazie ancora.
mr. vertigo
19-11-2006, 10:50
dimenticavo: nel log che ho postato ieri hai potuto vedere, nell'ultima riga
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - %windir%\system32\oobe\setup\csrss.exe" /service (file missing)
questo perché avevo precedentemente fixato proprio con hijackthis quel file (che però era rimasto al suo posto). la stessa informazione mi dà anche ora, nonostante l'abbia eliminato: come mai? perché è comunque presente sul desktop?
Bimbosoft
19-11-2006, 11:04
A me esce questo e dall'analisi on-line dicono che e' tutto apposto ma cosi non e'.......ho qualcosa che vuole accedere alla porta TCP:3460 verso knud.no-ip.org random ogni 20 sec... :cry:
Logfile of HijackThis v1.99.1
Scan saved at 11.58.42, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
E:\Emule\emule.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Programmi\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [kav] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferito portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programmi\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\RpcSandraSrv.exe
bReAkDoWn
19-11-2006, 13:59
upAYB[1].int
4d5e3b.exe
17111.exe
Questi sono i 3 file che ogni volta che accendo il computer sono infetti.
Ecco il log completo sorry:
Quel log è pulito, se vuoi indagare ulteriormente devi postare i log di gmer..
Ciao!
bReAkDoWn
19-11-2006, 14:05
A me esce questo e dall'analisi on-line dicono che e' tutto apposto ma cosi non e'.......ho qualcosa che vuole accedere alla porta TCP:3460 verso knud.no-ip.org random ogni 20 sec... :cry:
Il log è a posto. Dovresti postare i log di gmer, seguendo le indicazioni che ho dato qualche post fa ad altri utenti. Poi potrebbe anche essere utile sapere quale processo cerchi di effettuare quella connessione..
Ciao!
GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-19 16:13:39
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
---- Kernel code sections - GMER 1.0.12 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805010E8 12 Bytes
.text ntkrnlpa.exe!ZwCallbackReturn + 2424 80501128 8 Bytes
.text ntkrnlpa.exe!ZwYieldExecution + 28BC 805010E8 12 Bytes
.text ntkrnlpa.exe!ZwYieldExecution + 28FC 80501128 8 Bytes
---- User code sections - GMER 1.0.12 ----
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] kernel32.dll!LoadResource 7C80A065 7 Bytes JMP 27001960 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] kernel32.dll!FindResourceExW 7C80AB10 7 Bytes JMP 270018E0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] kernel32.dll!FindResourceW 7C80BA56 7 Bytes JMP 27001860 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] kernel32.dll!SizeofResource 7C80BAF1 7 Bytes JMP 27001A00 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] kernel32.dll!LockResource 7C80C6CF 5 Bytes JMP 27001A90 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004E12D0 C:\Programmi\MSN Messenger\msnmsgr.exe
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] kernel32.dll!CreateEventA 7C81E4BD 5 Bytes JMP 27001650 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] USER32.dll!PeekMessageW 77D19278 5 Bytes JMP 27003510 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] USER32.dll!CreateWindowExW 77D21AD5 5 Bytes JMP 27003020 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] USER32.dll!SetWindowRgn 77D21DE0 7 Bytes JMP 27004840 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] USER32.dll!CreateDialogParamW 77D3629F 5 Bytes JMP 27004BC0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] USER32.dll!SetWindowPlacement 77D3FBEA 5 Bytes JMP 27004760 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] USER32.dll!FlashWindow 77D55C9D 5 Bytes JMP 270048E0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] USER32.dll!MessageBoxIndirectW 77D660B7 5 Bytes JMP 27004D20 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] USER32.dll!TrackPopupMenuEx 77D6CAFE 5 Bytes JMP 27003CE0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] WS2_32.dll!send 71A3428A 5 Bytes JMP 27009360 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 27009150 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] WS2_32.dll!recv 71A3615A 5 Bytes JMP 27008FC0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 270094E0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 270096F0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] SHELL32.dll!Shell_NotifyIconW 7CA47CE1 5 Bytes JMP 27002960 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] ole32.dll!CoInitializeEx 774C42F3 5 Bytes JMP 27001AF0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] ole32.dll!CoRegisterClassObject 77511BFC 5 Bytes JMP 27001BF0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] WININET.dll!HttpOpenRequestA 77194AC5 5 Bytes JMP 27007F50 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] WININET.dll!InternetCloseHandle 771961DC 5 Bytes JMP 27008230 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] WININET.dll!HttpSendRequestA 771976B8 5 Bytes JMP 27008180 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[1860] WININET.dll!InternetReadFile 77199555 5 Bytes JMP 270080B0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll
---- Devices - GMER 1.0.12 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4685A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4685A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4685A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4685A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EE8242A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4685A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [EE8242A0] vsdatant.sys
---- Registry - GMER 1.0.12 ----
Reg \Registry\USER\S-1-5-21-1220945662-1844237615-839522115-1004\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xBD 0xE3 0xAE 0x7D ...
Reg \Registry\USER\S-1-5-21-1220945662-1844237615-839522115-1004\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x0F 0x8C 0x29 0x8C ...
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:CB0AACC9
ADS C:\Programmi\ATI Technologies\ATI.ACE\skins\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Scrollbar:Smaller.WB4
ADS C:\Programmi\ATI Technologies\ATI.ACE\skins\CATALYST_SteelBlue\CATALYST_SteelBlue.uis_Scrollbar:Smaller.WB4
---- EOF - GMER 1.0.12 ----
Gablogan
19-11-2006, 16:07
è da un paio di giorni che mi succede una cosa stranissima,se faccio una ricerca su google e vada su un determinato sito,google mi porta su un altro sito,tipo il sito di sky,casino,ecc,devo fare la ricerca sempre due volte prima di accedere correttamente a un sito,ho provato altri motori di ricerca ma suddere la stessa cosa,se cerco con altalavista mi riporta su google che continua a fare di testa sua,ho provato a passare alcuni antivirus ma non mi individuano nessun virus,qualcuno sa dirmi quale può essere il problema,perchè google continua a indirizzarmi su i siti che vuole lui?
vi posto il log di HijackThis
Logfile of HijackThis v1.97.5
Scan saved at 16.32.37, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\Programmi\Trust\250S Series\lwbwheel.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Thrustmaster\Thrustmapper\TMTMTSR.exe
C:\WINDOWS\system32\rundll32.exe
C:\windows\system32\winclean.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
D:\Programmi\Emule\emule.exe
C:\Programmi\Webteh\BSplayerPro\bsplayer.exe
C:\Programmi\K-Lite Codec Pack\filters\divxsm.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Lavasoft\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ThrustTSR] C:\Programmi\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [winclean] c:\windows\system32\winclean.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con FlashGet - D:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - D:\Programmi\FlashGet\jc_all.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E40E263B-E79F-41D1-B2AC-62719C0076EF}: NameServer = 85.37.17.50 85.38.28.76
bReAkDoWn
19-11-2006, 16:10
[cut]
manca ancora il log autostart di gmer..
bReAkDoWn
19-11-2006, 16:22
è da un paio di giorni che mi succede una cosa stranissima,se faccio una ricerca su google e vada su un determinato sito,google mi porta su un altro sito,tipo il sito di sky,casino,ecc,devo fare la ricerca sempre due volte prima di accedere correttamente a un sito,ho provato altri motori di ricerca ma suddere la stessa cosa,se cerco con altalavista mi riporta su google che continua a fare di testa sua,ho provato a passare alcuni antivirus ma non mi individuano nessun virus,qualcuno sa dirmi quale può essere il problema,perchè google continua a indirizzarmi su i siti che vuole lui?
vi posto il log di HijackThis
Logfile of HijackThis v1.97.5
Scan saved at 16.32.37, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Fai questa verifica: start -> esegui -> services.msc
nella lista dei servizi, guarda se nella colonna connessione compare qualche voce con caratteri casuali diversa da tutte le altre. Se così fosse guarda le proprietà (tasto dx -> proprietà) del servizio(i che presenta questa voce e prendi nota del nome del file. Scarica questo: http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP e utilizzalo per eliminare il/i file di cui sopra.
Poi con hijackthis fixa questo: O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
Facci sapere l'esito dei vari passaggi.
Ciao!
FOXYLADY
19-11-2006, 16:22
@mr. vertigo
Allora, entrambi i processi smss.exe e csrss.exe, esistono in winxp, ma dovrebbero trovarsi in c\windows\system32 e non in quella directory system32\oobe\setup\, o perlomeno io non li ho mai visti in quella posizione.
Io ti consiglio di rifare la scansione con cureit in modalità provvisoria e col ripristino disabilitato. Sempre in modalità provvisoria riprova a fixare quel 023 (file missing) che è rimasto e, se non riscontri malfunzionamenti, elimina pure la copia dal desktop.
Per fare analizzare i file su virustotal devi selezionare il file tramite il pulsante scegli e poi cliccare su send, a volte c'è da aspettare un pò, anche 10-15 minuti perchè c'è già una coda di altri utenti che stanno utilizzando il sito.
Bimbosoft
19-11-2006, 17:33
Il log è a posto. Dovresti postare i log di gmer, seguendo le indicazioni che ho dato qualche post fa ad altri utenti. Poi potrebbe anche essere utile sapere quale processo cerchi di effettuare quella connessione..
Ciao!
http://img299.imageshack.us/img299/2029/immagine5do4.jpg (http://imageshack.us)
Grazie x l'interessamento Break
Ecco i log autostart
Il log rootkit non riesco a postarlo forse perche' troppo lungo il forum mi da errore :(
GMER 1.0.12.11889 - http://www.gmer.net
Autostart scan 2006-11-19 18:31:25
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
klogon@DLLName = C:\WINDOWS\system32\klogon.dll
WgaLogon@DLLName = WgaLogon.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVP /*Kaspersky Anti-Virus 6.0*/@ = "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r
IAANTMON /*Intel(R) Matrix Storage Event Monitor*/@ = C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
O&O Defrag /*O&O Defrag*/@ = C:\WINDOWS\system32\oodag.exe
OutpostFirewall /*Outpost Firewall Service*/@ = C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /service /*file not found*/
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IAAnotifC:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe = C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
@GBB36X ConfigureC:\WINDOWS\system32\JMRaidTool.exe boot = C:\WINDOWS\system32\JMRaidTool.exe boot
@CTSysVolC:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r /*file not found*/ = C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r /*file not found*/
@CTHelperCTHELPER.EXE = CTHELPER.EXE
@SBDrvDetC:\Programmi\Creative\SB Drive Det\SBDrvDet.exe /r /*file not found*/ = C:\Programmi\Creative\SB Drive Det\SBDrvDet.exe /r /*file not found*/
@UpdRegC:\WINDOWS\UpdReg.EXE = C:\WINDOWS\UpdReg.EXE
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
@Outpost FirewallC:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice = C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
@OutpostFeedBackC:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup /*file not found*/ = C:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup /*file not found*/
@kav"C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" = "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
@ /*file not found*/ = /*file not found*/
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@ISUSPM StartupC:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup = C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
@ISUSScheduler"C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start = "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
@FinePrint Dispatcher v5"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
@NeroFilterCheckC:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe = C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MessengerPlus3"C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart = "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
@msnmsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background = "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
@H/PC Connection Agent"C:\PROGRA~1\MICROS~4\wcescomm.exe" = "C:\PROGRA~1\MICROS~4\wcescomm.exe"
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{85E0B171-04FA-11D1-B7DA-00A0C90348D6} /*Web Anti-Virus*/C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll = C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451} /*OODefrag*/C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll = C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing Preview*/C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcThumbnail16.dll = C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*Gestore icona firma digitale di AutoCAD*/C:\WINDOWS\system32\AcSignIcon.dll = C:\WINDOWS\system32\AcSignIcon.dll
@{6DEA92E9-8682-4b6a-97DE-354772FE5727} /*Autodesk DWF Preview*/C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll = C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
@{46E22146-59C0-4136-9233-52E412E2B428} /*EzCddax extension*/C:\Programmi\Easy CD-DA Extractor 9\ezcddax9.dll = C:\Programmi\Easy CD-DA Extractor 9\ezcddax9.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{49BF5420-FA7F-11cf-8011-00A0C90A8F78} /*Mobile Device*/C:\PROGRA~1\MICROS~4\Wcesview.dll = C:\PROGRA~1\MICROS~4\Wcesview.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ASW@{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\Programmi\Agnitum\Outpost Firewall\op_shell.dll
EzCddax@{46E22146-59C0-4136-9233-52E412E2B428} = C:\Programmi\Easy CD-DA Extractor 9\ezcddax9.dll
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll
OODefrag@{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451} = C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll
UltraEdit-32@{b5eedee0-c06e-11cf-8c56-444553540000} = C:\Programmi\IDM Computer Solutions\UltraEdit-32\ue32ctmn.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ASW@{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\Programmi\Agnitum\Outpost Firewall\op_shell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
ASW@{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A} = C:\Programmi\Agnitum\Outpost Firewall\op_shell.dll
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll
OODefrag@{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451} = C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{31FF080D-12A3-439A-A2EF-4BA95A3148E8}C:\Programmi\GetRight\xx2gr.dll = C:\Programmi\GetRight\xx2gr.dll
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll
---- EOF - GMER 1.0.12 ----
bReAkDoWn
19-11-2006, 22:21
http://img299.imageshack.us/img299/2029/immagine5do4.jpg (http://imageshack.us)
Grazie x l'interessamento Break
Ecco i log autostart
Il log rootkit non riesco a postarlo forse perche' troppo lungo il forum mi da errore :(
A questo punto vorrei vedere anche quello perchè per adesso non ne vengo a capo. Fai così: salvalo come file di testo con notepad e uploadalo su www.mytempdir.com postando qua il link che ti viene assegnato per scaricare il file. Assicurati che l'opzione show all non sia selezionata, chiudi tutte le applicazioni e durante la scansione non utilizzare il pc. In questo modo si evitano falsi positivi e il log viene più corto.
ciao!
Gablogan
20-11-2006, 10:03
Fai questa verifica: start -> esegui -> services.msc
nella lista dei servizi, guarda se nella colonna connessione compare qualche voce con caratteri casuali diversa da tutte le altre. Se così fosse guarda le proprietà (tasto dx -> proprietà) del servizio(i che presenta questa voce e prendi nota del nome del file. Scarica questo: http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP e utilizzalo per eliminare il/i file di cui sopra.
Poi con hijackthis fixa questo: O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
Facci sapere l'esito dei vari passaggi.
Ciao!
nella colonna connessione non compare nulla di strano,però ho fixato quella voce di hijackthis e adesso sembra che google sia tornato normale,ti ringrazio tantissimo;)
Bimbosoft
20-11-2006, 11:57
A questo punto vorrei vedere anche quello perchè per adesso non ne vengo a capo. Fai così: salvalo come file di testo con notepad e uploadalo su www.mytempdir.com postando qua il link che ti viene assegnato per scaricare il file. Assicurati che l'opzione show all non sia selezionata, chiudi tutte le applicazioni e durante la scansione non utilizzare il pc. In questo modo si evitano falsi positivi e il log viene più corto.
ciao!
Grazie sei gentilissimo
Ecco il log rootkit senza "show all" e senza "file" solo di c:
http://www.mytempdir.com/1071969
ps: solo explorer punta a questa posta, firefox che ho provato ad installare ieri sembra non avere nessun problema
bReAkDoWn
20-11-2006, 17:15
Grazie sei gentilissimo
Ecco il log rootkit senza "show all" e senza "file" solo di c:
http://www.mytempdir.com/1071969
ps: solo explorer punta a questa posta, firefox che ho provato ad installare ieri sembra non avere nessun problema
Continuo a non vederci niente.. :muro: Se vuoi indagare ulteriormente crea un log con questo: http://www.suspectfile.com/upload/files/tools/systemscan.exe
selezionando tutte le opzioni. Considera che può impiegarci un bel pò, non usare il pc durante la scansione. Quando ha finito comparirà il notepad con il log. Puoi metterlo su mytempdir.
Infine vorrei capire bene una cosa. Da un tentativo di connessione all'altro cambia soltanto la porta (3460 nella immagine che hai allegato) e rimane sempre uguale knud.no-ip.org? Queste connessioni le fa anche solo aprendo explorer senza andare su alcun sito?
Bimbosoft
20-11-2006, 17:24
Continuo a non vederci niente.. :muro: Se vuoi indagare ulteriormente crea un log con questo: http://www.suspectfile.com/upload/files/tools/systemscan.exe
selezionando tutte le opzioni. Considera che può impiegarci un bel pò, non usare il pc durante la scansione. Quando ha finito comparirà il notepad con il log. Puoi metterlo su mytempdir.
Infine vorrei capire bene una cosa. Da un tentativo di connessione all'altro cambia soltanto la porta (3460 nella immagine che hai allegato) e rimane sempre uguale knud.no-ip.org? Queste connessioni le fa anche solo aprendo explorer senza andare su alcun sito?
Le connesioni cominciano appena windows ha terminato il caricamento del sistema.....senza aprire IE comincia la prima richiesta e poi ogni 20 sec loop......puntano sempre quel sito/address e quella porta......nulla cambia.
Sembra un banale spyware ma nessun software trova nulla.....
E' cominciato tutto quando ho installato IE7 rc1 da fonte "asinello" se vuoi in pvt ti dico il file preciso....se sei curioso.....io l'ho riscaricato ed analizzato ma non ho visto nulla di particolare, c'era un reg ma pulito a mio avviso.
A nulla è servito mettere IE7 final oppure tornare ad IE6...solo firefox sembra esente dal problema.
Mi e' venuto anche il dubbio che insieme all'installazione di explorer sia stata inserita una chiave di registro che fa un imput ad explorer a puntare quella porta di quell'address, magari x "telefonare casa".....pero' non so' dove risiedano le chiavi di explorer x eventualmente controllare.
bReAkDoWn
20-11-2006, 17:30
Le connesioni cominciano appena windows ha terminato il caricamento del sistema.....senza aprire IE comincia la prima richiesta e poi ogni 20 sec loop......puntano sempre quel sito/address e quella porta......nulla cambia.
Sembra un banale spyware ma nessun software trova nulla.....
E' cominciato tutto quando ho installato IE7 rc1 da fonte "asinello" se vuoi in pvt ti dico il file preciso....se sei curioso.....io l'ho riscaricato ed analizzato ma non ho visto nulla di particolare, c'era un reg ma pulito a mio avviso.
Quindi le conn. partono da iexplore.exe (dall'icona nel popup del firewall si vede che è il 7 appunto) anche se tu non lo hai nemmeno lanciato..
Certo ora che mi dici quando sono iniziate, potrebbe essere quella versione di explorer ad essere stata in qualche modo manomessa. Se è una rc1 installaci sopra quella finale, dovrebbe essere possibile. Io per adesso ie7 l'ho provato solo su Vista RC1, su xp non l'ho ancora installato.
Edit: ho letto la tua modifica. non conosco semplici chiavi per poter "chiamare a casa" con qualche scopo.. se vuoi provare l'altra scansione.. è una situazione curiosa..
Bimbosoft
20-11-2006, 17:37
Quindi le conn. partono da iexplore.exe (dall'icona nel popup del firewall si vede che è il 7 appunto) anche se tu non lo hai nemmeno lanciato..
Certo ora che mi dici quando sono iniziate, potrebbe essere quella versione di explorer ad essere stata in qualche modo manomessa. Se è una rc1 installaci sopra quella finale, dovrebbe essere possibile. Io per adesso ie7 l'ho provato solo su Vista RC1, su xp non l'ho ancora installato.
Edit: ho letto la tua modifica. non conosco semplici chiavi per poter "chiamare a casa" con qualche scopo.. se vuoi provare l'altra scansione.. è una situazione curiosa..
Guarda anche tornando a IE6 non ho visto differenze e nemmeno passando a IE7 final....sembra che questa "cosa" resti fissa indipendentemente.
Ho provato vari scan nel registro con "3460" "kund" ".org" ma non ho trovato nulla.
Sembra un fantasma sta cosa e non si capisce da dove venga, in qualche posto ci sara' un eseguibile che chiama sta cosa o altro, ma qualcosa che muove i fili c'e'.
bReAkDoWn
20-11-2006, 17:41
Sembra un fantasma sta cosa e non si capisce da dove venga, in qualche posto ci sara' un eseguibile che chiama sta cosa o altro, ma qualcosa che muove i fili c'e'.
Certamente.. Ed è proprio quella che vorrei scovare.. Per quello ti suggerivo di provare questa nuova scansione.. Io son disponibile a controllarla.
Cmq da quel che dice il fw sembra che sia iexplore.exe (ovvero internet explorer) a lanciare la connessione. Quando avvii windows, internetexplorer non viene lanciato automaticamente (perlomeno il 6 no). Hai guardato con taskmanager se il processo iexplore.exe risulta visibile e se chiudendolo smettono questi tentativi?
Bimbosoft
20-11-2006, 17:42
Certamente.. Ed è proprio quella che vorrei scovare.. Per quello ti suggerivo di provare questa nuova scansione.. Io son disponibile a controllarla.
Cmq da quel che dice il fw sembra che sia iexplore.exe (ovvero internet explorer) a lanciare la connessione. Quando avvii windows, internetexplorer non viene lanciato automaticamente (perlomeno il 6 no). Hai guardato con taskmanager se il processo iexplore.exe risulta visibile e se chiudendolo smettono questi tentativi?
Dici che il 6 non viene lanciato...ora riavvio e controllo e poi provo anche a terminarlo
Sbloccato IE, messo in zona neutra con supervisione fw.....riavviato....aperto istanza web ecc.....non da segni di nota, assurdo.....sembra sparito tutto.....non ne vado fuori di sta cosa mi sta logorando.......navigo con IE senza vedere segni.
piu' tardi faro altre prove ma e' molto strano ed io odio non scoprire il perche' di tutto quello che succede......cmq e' certo.....firefox mi piace una cifra e credo che usero' molto poco IE da oggi in poi
Non posso che ringraziarti infinitamente x l'appoggio e l'aiuto che mi hai dato Break, sono in debito ;)
bReAkDoWn
20-11-2006, 19:30
piu' tardi faro altre prove ma e' molto strano ed io odio non scoprire il perche' di tutto quello che succede......
Quando è possibile anch'io cerco di indagare a fondo.. :) se risuccede qualcosa fatti sentire.. ciao!
Bimbosoft
20-11-2006, 19:33
Quando è possibile anch'io cerco di indagare a fondo.. :) se risuccede qualcosa fatti sentire.. ciao!
davvero non ho parole....lo sto' provando parecchio.....credo che sia morto quel pseudo processo quando firefox dopo averlo installato mi ha chiesto se volevo metterlo come browser default.....non vedo altra spiegazione, anche se resta il mistero di cosa fosse....
drowning man
21-11-2006, 17:39
hijack.de mi ha rilevato questo elemento. secondo voi devo cancellarlo? grazie
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1A71D87-DD0B-480D-81ED-EC8097994338}: NameServer = 85.37.17.17 85.38.28.72 Abbastanza sospetto
Abbastanza sospetto Se il Dominio non appartiene al vostro provider Internet od alla vostra rete aziendale, questi elementi dovrebbero essere eliminati. Anche gli elementi 'SearchList' dovrebbero essere cancellati (Fix).
Attualmente non è stato lasciato alcun voto dai visitatori! Conoscete l'indirizzo IP o il Dominio '85.37.17.17 85.38.28.72'? Se no, eliminate questo oggetto.
Mirko1986
21-11-2006, 18:51
hijack.de mi ha rilevato questo elemento. secondo voi devo cancellarlo? grazie
Non cancellarlo, sono i dns Telecom
in seguito all' installazione di una crack, il computer non mi faceva piu
accedere al task manager dicendomi che non ero autorizzato
dall'amministrarore che sono io, al nod32 control center dandomi questo
messagio "si è verificato un errore durante la comunicazione con il servizio
kernel di nod 32", non apre più in automatico i programmi all'avvio di
windows , al firewall di windows non mi fa più accedere. allora ho fatto uno
scan di ad-aware, spybot search & destroy e di nod32 che mi hanno rilevato
alcuni virus che ho eliminato.Il problema è ancora esistente, l'accesso al
task manager è stato riabilitato ma del nod 32 control center e del firewall
di windows no e l' avvio dei programmi all'accesso di windows non avviene. ecco lo scan di HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 22.30.11, on 21/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Messenger\msmsgs.exe
C:\DOCUME~1\Gia\IMPOST~1\Temp\96exinjs.p.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\DAP\DAP.EXE
C:\Programmi\eMule\emule.exe
C:\Documents and Settings\Gia\Desktop\Nuova cartella\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/free
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] -HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] -RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] -ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] -C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ATICCC] -"C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Omnipage] -C:\Programmi\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] -C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Register MediaRing Talk] -C:\Programmi\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [NWEReboot] -
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] -"C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] -"C:\Programmi\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] -"C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] -C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] -"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] -"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CBitSpirit] -"C:\Programmi\BitSpirit\BitSpirit.exe" /start
O4 - HKLM\..\Run: [CloneCDTray] -"C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P ] Neverwinter Nights 2
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [CTFMON.EXE] -C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] -"C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] -"C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] -C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - -"C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - Unknown owner - -C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - -"C:\Programmi\Eset\nod32krn.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - -"C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - -C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
drowning man
21-11-2006, 23:17
Non cancellarlo, sono i dns Telecom
ah grazie
alessio2583
22-11-2006, 13:09
Ciao ragazzi,chi mi può dare una mano?Ci sono delle finestre a sfondo erotico che si aprono, e inoltre compare un avviso di virus, dice di cliccare e mi porta ad una pagina web che propone unantivirus o qualcosa del genere.Ho fatto la scansione con HijackThis, questo è il report:
Logfile of HijackThis v1.99.1
Scan saved at 14.02.05, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\Sitecom\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\ASUS\Wireless Console\wcourier.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\Sitecom\Software Bluetooth\BTTray.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\Perfect Codec\pmsngr.exe
C:\Programmi\Perfect Codec\pmmon.exe
C:\Programmi\mirc617ita-Invision\mIRC6.2-Italiano-TuttoIRC\mIRC 6.2 in Italiano by TuttoIRC\TuttoIRC.exe
C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\ALESSIO\Programmi\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9730E85F-FD7C-2A40-BC97-C7F76F30D47D} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Programmi\Perfect Codec\iesplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Collegamento alla pagina delle proprietà di High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Programmi\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120406 serial=dr12wex-1504397-kty lang=IT
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Programmi\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AnyDVD] "C:\Programmi\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Sitecom\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferito portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Sitecom\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Sitecom\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133645723965
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61} (DownloaderActiveX Control) - http://c6.community.virgilio.it/download/DownloaderActiveX.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - (no file)
O20 - Winlogon Notify: IntelWireless - C:\Programmi\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - C:\WINDOWS\system32\dcvwaah.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Programmi\Sitecom\Software Bluetooth\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Programmi\Softwin\BitDefender9\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
NinoRapis
22-11-2006, 15:04
Salve ragazzi :)
facendo un auto analisi del log di un mio amico ci siamo accorti che ci sono delle righe sospette che riguarda gli 01 e gli reindirizzi del file HOST, ci aiutereste a venirne a capo? grazie
Logfile of HijackThis v1.99.1
Scan saved at 19.46.31, on 21/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Acer\eManager\anbmServ.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CyberLink\Shared Files\RichVideo.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Arcade\PCMService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\ARESCOM\Modem Telindus Arescom ND220b\dslmon.exe
C:\Programmi\Stardock\ObjectDock\ObjectDock.exe
C:\Programmi\acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\eMule\emule.exe
C:\Documents and Settings\Lelo\Documenti\personali\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programmi\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2195F61F-0922-4FF1-A71F-371AEC050BC7}: NameServer = 85.37.17.50 85.38.28.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EB28C55-D16A-41FB-92A3-6FCDB4F887E9}: NameServer = 151.99.125.2,151.99.125.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{2195F61F-0922-4FF1-A71F-371AEC050BC7}: NameServer = 85.37.17.50 85.38.28.76
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - (no file)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
avevo installato il zone alarm con il nod32 da qualche giorno mi si presentava ogni tanto un errore che "la memoria non poteva essere written" e chiudeva il processo vsmon che è uno di quelli del zone alarm come sapete, allora ho optato per un drastico cambiamento, ho disintallato sia il zone alarm e il nod o "inserito" i firewall di windows e un amico mi ha prestato il kapersky, sembrava tutto ok ma ora qualcosa mi "spegne" il kvp dandomi il seguente errore:
http://img523.imageshack.us/img523/6427/immaginexz1.jpg
ho notato pero che lo da solo se sono connesso a internet...
ho fatto una scansione con lo stesso da offline niente
antispyware avg niente
nod 32 niente
non so cosa fare....
illuminatemi vi posto il log per avvantaggiarvi, in anticipo grazie
Logfile of HijackThis v1.99.1
Scan saved at 21.55.10, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Programmi\Bluetooth Software\bin\btwdins.exe
D:\Programmi\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\System32\GEARSec.exe
D:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Programmi\MessengerPlus! 3\MsgPlus.exe
D:\Programmi\Messenger\msmsgs.exe
D:\Programmi\MSN Messenger\msnmsgr.exe
D:\Programmi\NetLimiter\NetLimiter.exe
D:\Programmi\eMule\emule.exe
D:\Programmi\uTorrent\utorrent.exe
D:\Programmi\Mozilla Firefox\firefox.exe
D:\Programmi\WinRAR\WinRAR.exe
D:\DOCUME~1\MATTBU~1\IMPOST~1\Temp\Rar$EX00.563\HijackThis.exe
D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [kav] "D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [BitTorrent] "D:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "D:\Programmi\Messenger\msmsgs.exe" /background
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A88856D-625F-47F4-9B2E-5DA7D1E67E4B}: NameServer = 213.205.32.70 213.205.36.70
O20 - AppInit_DLLs: runner.dll MsgPlusLoader.dll
O20 - Winlogon Notify: klogon - D:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - D:\Programmi\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - D:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - D:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
ho riattivato il zone alarm giusto perche non mi fido tanto dei firewall di windows e prima di dare l'errore il kapersky compare questo:
http://img212.imageshack.us/img212/7537/immaginexc1.jpg
penso reinstallero il mio vecchio nod 32 .... in attesa di risposte
schumi84
23-11-2006, 14:45
il mio pc in ufficio si è rallentato... sarà per i programmi e varie cose installate..
cosa mi consigliate di aggiustare dal hijackthis?
Logfile of HijackThis v1.99.1
Scan saved at 12.58.25, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\HP\KBD\KBD.EXE
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb13.exe
C:\WINDOWS\system32\hphmon06.exe
C:\PROGRA~1\HP\{BA2D9~1\pexpress\hphPED06.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\winlogin.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\Logitech\SetPoint\SetPoint.exe
C:\Programmi\RMClient\PMClient.exe
C:\Programmi\File comuni\Logitech\KHAL\KHALMNPR.EXE
C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\mIRC\mirc.exe
C:\Programmi\Nemetschek\Allplan\Prg\Allplan_2006.exe
c:\programmi\nemetschek\allplan\prg\ava_mat2006.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Proprietario\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Programmi\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [JobHisInit] C:\Programmi\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Programmi\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb13.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Programmi\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HPHped06] C:\PROGRA~1\HP\{BA2D9~1\pexpress\hphPED06.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Winlogin] C:\WINDOWS\system32\winlogin.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Programmi\RMClient\PMClient.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart17.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Guida alla connessione - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153982985953
O17 - HKLM\System\CCS\Services\Tcpip\..\{988ABF58-850A-48C2-B28B-F4E2BB7992CB}: NameServer = 192.106.1.1,192.106.1.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{B55ECBEE-E5CF-40C8-9D44-8D53119B36A9}: NameServer = 192.106.1.1,192.106.1.9
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
mauretto81
23-11-2006, 18:01
ciao raga ... vi invio questo log fatto con hijackthis dopo avere eliminato il processo service32.exe tramite spyware terminator ... c'è qualcosa da fixare??? secondo voi ci sono delle voci riconducibili a qualche spyware, rootkit o altra schifezza varia?? grazie mille..
Logfile of HijackThis v1.99.0
Scan saved at 17.47.29, on 23/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Babylon\Babylon.exe
C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Garzanti Linguistica\Italiano Clic\vb\ItaTray.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Programmi\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Italiano clic] C:\PROGRA~1\Garzanti Linguistica\Italiano Clic\vb\ItaTray.exe /w
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Point&&Go - C:\Programmi\File comuni\Expert System\PGPlatform\PGPlatform.htm
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - AppInit_DLLs:
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Programmi\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
FOXYLADY
23-11-2006, 20:34
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P ] Neverwinter Nights 2
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
Prova a fixare questi 2
FOXYLADY
23-11-2006, 20:48
.....
Disattiva il ripristino di configurazione di win
apri hijackthis e vai in Open the misc tool section>open process manager, seleziona se presenti queste voci
C:\Programmi\Perfect Codec\pmsngr.exe
C:\Programmi\Perfect Codec\pmmon.exe
e clicca su killprocess.
Poi fixa queste
O2 - BHO: (no name) - {9730E85F-FD7C-2A40-BC97-C7F76F30D47D} - (no file)
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Programmi\Perfect Codec\iesplugin.dll
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - C:\WINDOWS\system32\dcvwaah.dll
Fai una scansione con AVG antispyware
http://www.ewido.net/en/download/
FOXYLADY
23-11-2006, 20:54
....
Se non hai aggiunto tu quelle voci al file di host fixale, per il resto il tuo log è pulito.
FOXYLADY
23-11-2006, 21:04
O20 - AppInit_DLLs: runner.dll MsgPlusLoader.dll
Prova a fixare questa, ma non so se risolverai il tuo problema.
Prova anche a fare una scansione online, per esempio qui
http://www.bitdefender.com/scan8/ie.html
e qui
http://www.ewido.net/en/onlinescan/
FOXYLADY
23-11-2006, 21:11
.....
C'è un problema qui
C:\WINDOWS\system32\winlogin.exe
O4 - HKCU\..\Run: [Winlogin] C:\WINDOWS\system32\winlogin.exe
fixa la seconda voce e fai qualche scansione con antivirus e antispyaware
schumy2006
23-11-2006, 21:18
avevo installato il zone alarm con il nod32 da qualche giorno mi si presentava ogni tanto un errore che "la memoria non poteva essere written" e chiudeva il processo vsmon che è uno di quelli del zone alarm come sapete, allora ho optato per un drastico cambiamento, ho disintallato sia il zone alarm e il nod o "inserito" i firewall di windows e un amico mi ha prestato il kapersky, sembrava tutto ok ma ora qualcosa mi "spegne" il kvp dandomi il seguente errore:
http://img523.imageshack.us/img523/6427/immaginexz1.jpg
ho notato pero che lo da solo se sono connesso a internet...
ho fatto una scansione con lo stesso da offline niente
antispyware avg niente
nod 32 niente
non so cosa fare....
illuminatemi vi posto il log per avvantaggiarvi, in anticipo grazie
Logfile of HijackThis v1.99.1
Scan saved at 21.55.10, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Programmi\Bluetooth Software\bin\btwdins.exe
D:\Programmi\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\System32\GEARSec.exe
D:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Programmi\MessengerPlus! 3\MsgPlus.exe
D:\Programmi\Messenger\msmsgs.exe
D:\Programmi\MSN Messenger\msnmsgr.exe
D:\Programmi\NetLimiter\NetLimiter.exe
D:\Programmi\eMule\emule.exe
D:\Programmi\uTorrent\utorrent.exe
D:\Programmi\Mozilla Firefox\firefox.exe
D:\Programmi\WinRAR\WinRAR.exe
D:\DOCUME~1\MATTBU~1\IMPOST~1\Temp\Rar$EX00.563\HijackThis.exe
D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [kav] "D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [BitTorrent] "D:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "D:\Programmi\Messenger\msmsgs.exe" /background
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A88856D-625F-47F4-9B2E-5DA7D1E67E4B}: NameServer = 213.205.32.70 213.205.36.70
O20 - AppInit_DLLs: runner.dll MsgPlusLoader.dll
O20 - Winlogon Notify: klogon - D:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - D:\Programmi\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - D:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - D:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
ho riattivato il zone alarm giusto perche non mi fido tanto dei firewall di windows e prima di dare l'errore il kapersky compare questo:
http://img212.imageshack.us/img212/7537/immaginexc1.jpg
penso reinstallero il mio vecchio nod 32 .... in attesa di risposte
Stai scherzando ?? Vorresti disinstallare il miglior antivirus al mondo ??
Era solo un piccolo errore del vecchio file updcfg.xml
Usando l'aggiornamento manuale da' un errore che scollega Kaspersky...
Se vai sul sito di Kaspersky trovi la soluzione, ma cmq eccola:
(se hai la versione inglese di KAV6)
Tasto destro mouse sull'iconcina rossa di Kav in basso vicino all'orologio del PC...
Clicca una volta sulla voce Services;
togli la spunta a "self-defence" e poi vai a cancellare il file updcfg.xml che si trova in: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\updcfg.xml
Fai l'aggiornamento...e tutto torna a posto
(*soluzione x KAV6 italiano:*)
vai sull icona Kaspersky rossa vicino all'orologio nella barra delle applicazioni....
Tasto destro e clikka IMPOSTAZIONI
- Vai su Servizi.....e disabilita la voce "Abilita protezione automatica"
- poi vai a cancellare il file updcfg.xml che si trova in: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\updcfg.xml
Fai l'aggiornamento... (tasto destro sull'icona rossa.. --> Aggiornamento)
,,,e tutto torna a posto (scaricherai un nuovo file "updcfg.xml" )
Dicci se hai risolto..
Ciao !!
FOXYLADY
23-11-2006, 21:21
...
Il tuo log è pulito, questa la puoi anche fixare
O20 - AppInit_DLLs:
mauretto81
23-11-2006, 22:51
grazie mille FOXYLADY ..... :mano:
schumi84
24-11-2006, 09:52
C'è un problema qui
C:\WINDOWS\system32\winlogin.exe
O4 - HKCU\..\Run: [Winlogin] C:\WINDOWS\system32\winlogin.exe
fixa la seconda voce e fai qualche scansione con antivirus e antispyaware
mentre per toglie qualche schifezza che rallenta l'avvio del s.o.?
FOXYLADY
24-11-2006, 10:44
Beh, quello dipende da te e da quali programmi ti interessa mantenere in avvio automatico.
Io ti consiglio di utilizzare spybot, nelle sue funzioni avanzate permette di vedere quali sono i programmi in avvio automatico e, in alcuni casi, fornisce anche una breve descrizione.
Puoi fare un pò di prove, con spybot non corri rischi, perchè al contrario di altri software permette facilmente di ripristinare ciò che hai tolto dall'avvio automatico, basta mettere o togliere la spunta sulla casellina a fianco alla voce.
http://www.safer-networking.org/it/spybotsd/index.html
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P ] Neverwinter Nights 2
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
Prova a fixare questi 2
li ho fixati ma non è cambiato niente. il firewall di windows è disabilitato e non posso accederci perchè mi dice si è verificato un problema non identificato. Lo stesso vale per il control center di nod32. Allora ho provato a disinstallare e rinstallare nod32 e ora funziona correttamente, ma con il firewall di windows non so come fare per riabilitarlo e riaccedeci di nuovo, credo si sia danneggiato qualche file di windows.
nessunopiu
24-11-2006, 10:58
li ho fixati ma non è cambiato niente. il firewall di windows è disabilitato e non posso accederci perchè mi dice si è verificato un problema non identificato. Lo stesso vale per il control center di nod32. Allora ho provato a disinstallare e rinstallare nod32 e ora funziona correttamente, ma con il firewall di windows non so come fare per riabilitarlo e riaccedeci di nuovo, credo si sia danneggiato qualche file di windows.
Non ho seguito la discussione, quindi probabilmente potrei confondermi,ma per quanto riguarda il firewall hai provato a vedere nei servizi ?
Ciao
FOXYLADY
24-11-2006, 10:59
Guarda nei servizi, come suggerito da nessunopiu, oppure prova ad utilizzare questo
http://www.hwupgrade.it/forum/showpost.php?p=14199378&postcount=9
se non funziona, non saprei.... :(
Ciao ragazzi a quanto pare ho problemi con virus.
AVG Antispyware 7.5 mi trova un malware che si chiama Hijacker.Small.kj che a quanto pare forse ho eliminato mettendo "elimina".
Questo è il rapporto di Hijack
Logfile of HijackThis v1.99.1
Scan saved at 13.58.18, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\service32.exe
C:\Programmi\Softwin\BitDefender10\bdmcon.exe
C:\Programmi\Softwin\BitDefender10\bdagent.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Softwin\BitDefender10\vsserv.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Mike\Desktop\hijack\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Programmi\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programmi\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Che mi sapete dire? tutto apposto?
Ciao e grazie mille
che ne dite di questo è tutto a posto?
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\LeechGet 2006\LeechGet.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\TaskSwitchXP\TaskSwitchXP.exe
C:\Programmi\Logitech\SetPoint\SetPoint.exe
C:\Programmi\File comuni\Logitech\khalshared\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\Filippo\HijackThis.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by114fd.bay114.hotmail.msn.com/cgi-bin/hmhome?fti=yes&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=bc7d80a878b898678f5cf2ae6b2420913e6453daee7018f0d2936653bc05448f&addCGif=74840
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Programmi\File comuni\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LeechGet] "C:\Programmi\LeechGet 2006\LeechGet.exe" -intray
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Programmi\TaskSwitchXP\TaskSwitchXP.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con il Wizard di LeechGet - file://C:\Programmi\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: Scarica con LeechGet - file://C:\Programmi\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Scarica pagina con LeechGet - file://C:\Programmi\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://fmratd.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
Black_Air
24-11-2006, 20:09
Credevo fosse un piccolo problema, invece questo maledetto malware/dialer risulta parecchio ostico da essere estirpato. Problemi generali: rallentamento generale PC e comparsa ogni tanto di un dialer con eseguibili del tipo idd###.tmp.exe. Problema principale: non riesco ad aprire nessuno applicazioni che contenga il nome HiJackThis [persino se carico le pagine con un browser conteneti la scritta HiJackThis mi si chiude immediatamente il browser]. Non riesco così a creare nè quindi a postare alcun log. Ho già provato AVG e NOD32 [questo anche in modalità provissoria] e ho sistemato un winjyg32.dll che sembrava essere virale nella cartella c:\windows\system32.
Non so più cosa fare, mi piacerebbe almeno poter aprire HJT per postare un lok. Qualcuno mi aiuti, vi prego!!!
Grazie
con riferimento a questo thread (http://www.hwupgrade.it/forum/showthread.php?p=14828743#post14828743) posto il mio log...se potete rispondete direttamente nell'altro thread, così c'è meno casino.
Grazie mille
Logfile of HijackThis v1.99.1
Scan saved at 21.15.49, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
E:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Programmi\Eset\nod32kui.exe
E:\Programmi\Razer\razertra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
E:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\Programmi\QuickTime\qttask.exe
E:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
E:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
E:\Programmi\iPod\bin\iPodService.exe
E:\Programmi\Internet Download Manager\IDMan.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
E:\Programmi\Odometer\Odometer.exe
C:\Programmi\MSN Toolbar Suite\DS\02.05.0001.1119\it-it\bin\WindowsSearch.exe
C:\Programmi\MSN Toolbar Suite\DS\02.05.0001.1119\it-it\bin\WindowsSearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\WinRAR\WinRAR.exe
C:\Documents and Settings\utente\Documenti\Downloads\Compressed\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - E:\Programmi\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Programmi\Silver Codec\isaddon.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Programmi\Silver Codec\iesplugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [razertra] e:\Programmi\Razer\razertra.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [!ewido] "E:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "E:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [IDMan] E:\Programmi\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Odometer.lnk = E:\Programmi\Odometer\Odometer.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\MSN Toolbar Suite\DS\02.05.0001.1119\it-it\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\MSN Toolbar Suite\TAB\02.05.0001.1119\it-it\msntabres.dll/230?dce882eeb925421983e4b4ed21e043
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\MSN Toolbar Suite\TAB\02.05.0001.1119\it-it\msntabres.dll/229?dce882eeb925421983e4b4ed21e043
O8 - Extra context menu item: Download All Links with IDM - E:\Programmi\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - E:\Programmi\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferito portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://superteo38teoitaly.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131630647460
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DDE4FCD-878F-4679-9B37-93DC195098E8}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Black_Air
24-11-2006, 20:45
trovato!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
c:\windows\lotustools.exe
Logfile of HijackThis v1.99.1
Scan saved at 21.43.15, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Prevx1\PXAgent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Ray Adams\ATI Tray Tools\atitray.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\lotustool.exe",
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [lotustool] "c:\windows\lotustool.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PrevxOne] "C:\Programmi\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Programmi\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - Startup: Azureus.lnk = C:\Programmi\Azureus\Azureus.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...er.cab31267.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://portale.bpubanca.it/dana-ca...oterisSetup.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kurt-frusciante.spaces.live....ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programmi\Skype\Plugin Manager\Skype4COM.dll
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Programmi\File comuni\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)
Guarda nei servizi, come suggerito da nessunopiu, oppure prova ad utilizzare questo
http://www.hwupgrade.it/forum/showpost.php?p=14199378&postcount=9
se non funziona, non saprei.... :(
ho provato con quel file ma nn cambia niente. Cmq ho provato ad andare nei servizi ma cosa dovrei vedere? ho letto tutte le voci e descrizioni ma di firewall non ne parla tranne che nel servizio gateway di livello applicazione, devo esse io ke so niubbo. Ho tutto in manuale e automatico e 7 disabilitati. Ma per riabilitarlo non si può trovare un'altra strada, non so, ripassarci sopra i file di windows. non si può disinstallare e riinstallare so firewall di windows in qualke maniera?
FOXYLADY
24-11-2006, 23:44
...
Dovresti eliminare questo
C:\WINDOWS\service32.exe
Per farlo disattiva il ripristino di configurazione di win
apri hijackthis e vai in Open the misc tool section>open process manager, seleziona la voce C:\WINDOWS\service32.exe e clicca su kill process.
Poi scarica unlocker
http://ccollomb.free.fr/unlocker/
installalo, vai in C:\Windows cerca il file service32.exe, cliccaci sopra col destro ed eliminalo con unlocker.
Dai una lettura anche qui
http://www.hwupgrade.it/forum/showthread.php?t=1283096
FOXYLADY
24-11-2006, 23:46
....
Pulito ;)
FOXYLADY
25-11-2006, 00:00
ho provato con quel file ma nn cambia niente. Cmq ho provato ad andare nei servizi ma cosa dovrei vedere? ho letto tutte le voci e descrizioni ma di firewall non ne parla tranne che nel servizio gateway di livello applicazione, devo esse io ke so niubbo. Ho tutto in manuale e automatico e 7 disabilitati. Ma per riabilitarlo non si può trovare un'altra strada, non so, ripassarci sopra i file di windows. non si può disinstallare e riinstallare so firewall di windows in qualke maniera?
In Pannello di controllo>strumenti di amministrazione>servizi, dovrebbe essere presente anche il windows firewall, se non c'è vuol dire che è stato cancellato da qualche malaware o da qualche altro casino combinato nel PC :( .
Una soluzione drastica potrebbe essere quella di formattare...altrimenti puoi utilizzare un altro firewall.
Un firewall che ha caratteristiche simili a quello di windows è Ghostwall
http://www.devspy.com/public/viewer/show.aspx?guid=13d
altrimenti puoi utilizzare uno dei vari firewall gratuiti, tipo Zone Alarm, sygate, comodo, kerio, eccetera.
EDIT
Prova anche questa procedura
http://www.hwupgrade.it/forum/showthread.php?t=1341972
Gunny Highway
25-11-2006, 09:02
Scusate sto impazzendo nn Nod32 nn mi toglie questo virus
http://img161.imageshack.us/img161/9572/agentgh4.jpg
quel file autgd1.dll nn esiste :rolleyes:
ho provato a fare scan
Logfile of HijackThis v1.99.1
Scan saved at 17.17.06, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ASUS\ASUS Live Update\ALU.exe
C:\Programmi\ASUS\NB Probe\NBProbe.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Wireless Console 2\wcourier.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\RMClock\RMClock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Programmi\a-squared Free\a2free.exe
\Enzo\emule (e)\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\lantop.exe","c:\windows\ibmhlp.exe","c:\windows\canoncenter.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [NB Probe] C:\Programmi\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Programmi\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [GameFace Messenger] C:\Programmi\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Startup: RightMark CPU Clock Utility.lnk = C:\Programmi\RMClock\RMClock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NetOrs - Unknown owner - \\?\C:\Programmi\File comuni\System\lpt4.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: spmgr - Unknown owner - C:\Programmi\ASUS\NB Probe\SPM\spmgr.exe
:muro: ma nn c'è nulla da togliere :muro:
e ogni volta che apro IE nod32 apre quella finestra :muro: :muro:
Gunny Highway
25-11-2006, 09:16
Scusate sto impazzendo nn Nod32 nn mi toglie questo virus
http://img161.imageshack.us/img161/9572/agentgh4.jpg
quel file autgd1.dll nn esiste :rolleyes:
ho provato a fare scan
Logfile of HijackThis v1.99.1
Scan saved at 17.17.06, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ASUS\ASUS Live Update\ALU.exe
C:\Programmi\ASUS\NB Probe\NBProbe.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Wireless Console 2\wcourier.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\RMClock\RMClock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Programmi\a-squared Free\a2free.exe
\Enzo\emule (e)\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\lantop.exe","c:\windows\ibmhlp.exe","c:\windows\canoncenter.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [NB Probe] C:\Programmi\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Programmi\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [GameFace Messenger] C:\Programmi\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Startup: RightMark CPU Clock Utility.lnk = C:\Programmi\RMClock\RMClock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NetOrs - Unknown owner - \\?\C:\Programmi\File comuni\System\lpt4.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: spmgr - Unknown owner - C:\Programmi\ASUS\NB Probe\SPM\spmgr.exe
:muro: ma nn c'è nulla da togliere :muro:
e ogni volta che apro IE nod32 apre quella finestra :muro: :muro:
FOXYLADY
25-11-2006, 10:31
Prova a fare così
Clicca su start>esegui e digita regedit
Ti si aprirà l'editor del registro
Usando le caselline col segno + portati su questa chiave:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion
ora clicca sulla casellina Winlogon
a destra ti appariranno varie voci, seleziona col tasto destro del mouse la voce Userinit e scegli l'opzione modifica, elimina dalla casella i valori
c:\windows\lantop.exe","c:\windows\ibmhlp.exe","c:\windows\canoncenter.exe
In pratica deve presentarsi così
c:\windows\system32\userinit.exe
poi clicca su OK e riavvia il PC.
Prova anche a dare una passata con questo
http://www.sophos.it/products/free-tools/sophos-anti-rootkit.html
toonamix
25-11-2006, 10:32
Salve ragazzi, siccome il mio portatile (un ACER aspire 5612wlmi) è diventato un pò lento (essendo un centrino duo) e mi compaiono anke popup improvvisi ho paura di essere "infetto"!
Ecco lo scan fatto di HijackThis poi consigliatemi qualkosa...
Logfile of HijackThis v1.99.1
Scan saved at 7.37.09, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Programmi\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Programmi\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Programmi\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\CyberLink\Shared Files\RichVideo.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Trust\CnxDslTb.exe
C:\Programmi\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Antonio\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [\\Matteo\EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P40 "\\Matteo\EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [trustras] trustras.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Programmi\Trust\CnxDslTb.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Programmi\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://toonamix.spaces.live.com//Ph...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9556160C-A1F3-48D8-8B26-C4219D77ED0D}: NameServer = 62.94.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDEE9443-F6E1-4D66-9E37-D03C30F1C5B4}: NameServer = 85.37.17.11 151.99.125.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmi\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmi\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
FOXYLADY
25-11-2006, 10:47
A me il tuo log sembra pulito, per la lentezza può dipendere da questo
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [\\Matteo\EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P40 "\\Matteo\EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [trustras] trustras.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Programmi\Trust\CnxDslTb.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Programmi\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
hai veramente troppi processi in avvio automatico, dovresti sfoltire parecchio, ti consiglio di usare spybot, nelle sue funzioni avanzate permette di vedere quali sono i programmi in avvio automatico e, in molti casi, fornisce anche una breve descrizione e suggerisce se il processo è necessario o meno.
http://www.safer-networking.org/it/spybotsd/index.html
Gunny Highway
25-11-2006, 10:58
Prova a fare così
Clicca su start>esegui e digita regedit
Ti si aprirà l'editor del registro
Usando le caselline col segno + portati su questa chiave:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion
ora clicca sulla casellina Winlogon
a destra ti appariranno varie voci, seleziona col tasto destro del mouse la voce Userinit e scegli l'opzione modifica, elimina dalla casella i valori
c:\windows\lantop.exe","c:\windows\ibmhlp.exe","c:\windows\canoncenter.exe
In pratica deve presentarsi così
c:\windows\system32\userinit.exe
poi clicca su OK e riavvia il PC.
Prova anche a dare una passata con questo
http://www.sophos.it/products/free-tools/sophos-anti-rootkit.html
:D provato quel programma mi ha tolto il file autgd1 GRazieeeeeee
(zar)sheva
25-11-2006, 10:59
mi date un occhio al mio log grazie ;)
Logfile of HijackThis v1.99.1
Scan saved at 11.57.19, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Raxco\PerfectDisk\PDSched.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Ray Adams\ATI Tray Tools\atitray.exe
C:\WINDOWS\system32\WISPTIS.EXE
F:\Utorrent\utorrent.exe
C:\Programmi\RMClock\RMClock.exe
I:\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [RMClock] C:\Programmi\RMClock\RMClock.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FCFDDA1-F40A-4EC0-9D1E-CAE40968F55C}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
FOXYLADY
25-11-2006, 11:06
(zar)sheva il tuo log è pulito.
(zar)sheva
25-11-2006, 11:11
(zar)sheva il tuo log è pulito.
grazie mille,mi sembrava anche a me,ma occhi piu' professional li preferisco!!! ;)
piu' che altro che ho aperto un immagine con imagshack e mi e' uscita una finestra riconducibile al "mitico" error safe,da qui il dubbio perche' sia a-squared che ewido non mi hanno trovato niente!!!
Salve, di nuovo qui a chiedere aiuto, pareri e consigli su un problema difficilmente descrivibile.
Ho da poco formattato il pc e reinstallato SO, driver e tutto il necessario per il funzionamento ottimale di pc e periferiche ma ancora questo fastidioso problema si presenta puntuale.
Praticamente mentre navigo, gioco o faccio altro, quindi indipendentemente da ciò che faccio, mi si apre sulla barra delle applicazioni una finestra senza titolo nè icona specifica (viene solo quella di default che segnala un eseguibile) che sta meno di un secondo e si richiude, tant'è vero che non riesco neanche a capire cos'è tenendo il task manager aperto.. troppo veloce!
Ho avviato SpyBot Search&Destroy, mi trova 30 problemi da correggere, faccio correggere, immunizzo ma rifacendo la scansione ritrova gli stessi 30 errori. Kaspersky non rileva niente di niente...
Di per sè non dà molto fastidio durante la navigazione, compare e scompare velocemente; è noiosa quando sto giocando, mi crasha i giochi o nella migliore delle ipotesi me li riduce a icona. Non riesco a capire se sia un virus, un trojan, uno spyware, un malware oppure (come sospetto) un programma che gira in background.
Vi posto il log di hijackthis, io non ne capisco molto, spero mi possiate aiutare:
Logfile of HijackThis v1.99.1
Scan saved at 4.29.41, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Raxco\PerfectDisk\PDSched.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\SensorsView\sview.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Active SMART\ActiveSMART.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\The Cleaner\cleaner.exe
C:\Programmi\The Cleaner\tca.exe
C:\Programmi\The Cleaner\tcm.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\casa\IMPOST~1\Temp\Rar$EX00.656\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SensorsView] C:\Programmi\SensorsView\sview.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [tcactive] C:\Programmi\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Programmi\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File
comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Window Washer] C:\Programmi\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Programmi\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\RunOnce: [Index Washer] C:\Programmi\Webroot\Washer\WashIdx.exe "casa"
O4 - Startup: Active SMART.lnk = C:\Programmi\Active SMART\ActiveSMART.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5091E096-0C4D-4ADA-8E1F-F63D59637D7D}: NameServer =
192.168.0.1,192.168.0.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{5091E096-0C4D-4ADA-8E1F-F63D59637D7D}: NameServer =
192.168.0.1,192.168.0.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{5091E096-0C4D-4ADA-8E1F-F63D59637D7D}: NameServer =
192.168.0.1,192.168.0.3
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite
2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite
2007\RpcSandraSrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
La mia config: Scheda madre ASRock Cpu EZ upgrade K8 upgrade NF3, AMD Sempron 2500+, Ati Sapphire Radeon x1300XT 256mb, hard disk Maxtor DiamondMax 9 S-ata 120gb (primario), hard disk Maxtor DiamondMax 10 P-ata 250gb (secondario), masterizzatore DVD Pioneer 109, masterizzatore cd Lite-on.
Spero possiate aiutarmi :muro:
In Pannello di controllo>strumenti di amministrazione>servizi, dovrebbe essere presente anche il windows firewall, se non c'è vuol dire che è stato cancellato da qualche malaware o da qualche altro casino combinato nel PC :( .
Una soluzione drastica potrebbe essere quella di formattare...altrimenti puoi utilizzare un altro firewall.
Un firewall che ha caratteristiche simili a quello di windows è Ghostwall
http://www.devspy.com/public/viewer/show.aspx?guid=13d
altrimenti puoi utilizzare uno dei vari firewall gratuiti, tipo Zone Alarm, sygate, comodo, kerio, eccetera.
EDIT
Prova anche questa procedura
http://www.hwupgrade.it/forum/showthread.php?t=1341972
oggi ho acceso il pc e il firewall è ritornato in funzione. tnx di tutto
lannutti
25-11-2006, 15:39
Da qualche giorno ho notato che il mio pc è molto lento nel caricarsi all’accensione ed è molto rallentato nell’utilizzo in particolare con alcuni programmi.
Temendo qualcosa di negativo ho fatto un log di HijackThis che vi posto dal quale mi pare di capire che ci sono alcuni elementi non del tutto sicuri.
Visto che però non sono un esperto vi sarò grato se qualcuno avrà la pazienza di analizzare il mio log e darmi gli opportuni suggerimenti su cosa fare per eliminare eventuali elementi pericolosi o migliorare le prestazioni.
Grazie in anticipo.
Logfile of HijackThis v1.99.1
Scan saved at 11.19.14, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\WINDOWS\System32\ELAN.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\Webshots\WebshotsTray.exe
C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm36.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com/index_narrow.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.pentaservice.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\System32\ELAN.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 AmeCSA.cpl,RUN_DLL
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "D:\Anydvd\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http:\\www.pentaservice.it
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/it/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v10_it.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{337B3F82-8E7B-47A2-92B1-D59E6C76E2A8}: NameServer = 151.99.125.1,151.99.0.100
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
FOXYLADY
25-11-2006, 15:43
Salve, di nuovo qui a chiedere aiuto, pareri e consigli su un problema difficilmente descrivibile.
Ho da poco formattato il pc e reinstallato SO, driver e tutto il necessario per il funzionamento ottimale di pc e periferiche ma ancora questo fastidioso problema si presenta puntuale.
Praticamente mentre navigo, gioco o faccio altro, quindi indipendentemente da ciò che faccio, mi si apre sulla barra delle applicazioni una finestra senza titolo nè icona specifica (viene solo quella di default che segnala un eseguibile) che sta meno di un secondo e si richiude, tant'è vero che non riesco neanche a capire cos'è tenendo il task manager aperto.. troppo veloce!
Ho avviato SpyBot Search&Destroy, mi trova 30 problemi da correggere, faccio correggere, immunizzo ma rifacendo la scansione ritrova gli stessi 30 errori. Kaspersky non rileva niente di niente...
Di per sè non dà molto fastidio durante la navigazione, compare e scompare velocemente; è noiosa quando sto giocando, mi crasha i giochi o nella migliore delle ipotesi me li riduce a icona. Non riesco a capire se sia un virus, un trojan, uno spyware, un malware oppure (come sospetto) un programma che gira in background.
Vi posto il log di hijackthis, io non ne capisco molto, spero mi possiate aiutare:
Il tuo log pare pulito.
Spybot esattamente cosa segnala? Semplici cookie o qualcosa di più serio?
Ciao foxilady, grazie per l'aiuto.
ho appena rifatto la scansione con spybot search&destroy e mi ha segnalato solo la presenza di 4 cookie che ho rimosso, ma scommetto che rifacendola si ripresenterebbero nuovamente loro più qualche altra cosa (infatti fino a stanotte mi segnalava e diceva di rimuovere cookies piu altra roba che a dire il vero non ricordo cosa fosse...) a sto punto che posso fare per evitare la formattazione?
FOXYLADY
25-11-2006, 17:41
Per quanto riguarda i cookie, non sono particolarmente pericolosi, comunque puoi provare ad immunizzare ulteriormente il sistema con spywareblaster e arovaxshields, li trovi qui
http://www.javacoolsoftware.com/spywareblaster.html
http://www.arovaxshield.com/
per l'altro tuo problema, il crash e l'icona che appare nella barra delle applicazioni, onestamente non so che dire, può darsi che ci sia un conflitto tra alcuni dei software che utilizzi, per esempio tra l'antivirus e The Cleaner, ma è solo un ipotesi....
FOXYLADY
25-11-2006, 17:51
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
Questi li puoi fixare, ma non sono un problema.
La lentezza del PC può dipendere da tante cose...
Incomincia col fare una bella deframmentazione, sfoltisci un pò i programmi in avvio automatico e dai una passata con Ccleaner e Advanced windows care, li trovi qui
http://www.ccleaner.com/download/
http://www.iobit.com/AdvancedWindowsCarePersonal/download.htm
magari per sicurezza fai prima una copia di backup del registro usando erunt
http://www.ilsoftware.it/querydl.asp?ID=779
SkunkWorks 68
25-11-2006, 17:57
Log
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm36.exe"
Ho guardato un po' in giro e questo non mi convince...Sai a che cosa si riferisce?
"O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}"
Questo invece lo fixerei subito.
Ciao
Per quanto riguarda i cookie, non sono particolarmente pericolosi, comunque puoi provare ad immunizzare ulteriormente il sistema con spywareblaster e arovaxshields, li trovi qui
http://www.javacoolsoftware.com/spywareblaster.html
http://www.arovaxshield.com/
per l'altro tuo problema, il crash e l'icona che appare nella barra delle applicazioni, onestamente non so che dire, può darsi che ci sia un conflitto tra alcuni dei software che utilizzi, per esempio tra l'antivirus e The Cleaner, ma è solo un ipotesi....
Grazie ancora... Ho installato anche questi ultimi due programmi che mi hai consigliato... ma sembra che vada tutto bene.
Per quanto riguarda conflitti software già ci avevo pensato, ma the cleaner l'ho installato appunto per l'occasione, per vedere se trovava qualcosa... quindi il problema esisteva già prima di installarlo...
Mi toccherà andare per esclusione, vedrò se formattare o disinstallare un programma per volta per trovare quello incriminato.. L'importante è sapere che non sia un virus, spyware e compagnia bella.
Grazie ancora per l'aiuto.
mistermars
25-11-2006, 19:48
appena faccio una ricerca con google, mi compaiono come risultato dei siti strani come www.wordsea.com, www.advfn.it,camouflageclothingonline.net ,http://www.casinocaesar.com,http://mov-x-archive.com,e molti altri
ho provato a fare diverse scansioni con spybot, ad-aware, spyware doctor, ewido, avast ma il problema non riesco a risolverlo.
Questo è il file log ottenuta dalla scansione con hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 16.18.22, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\HP\QuickPlay\QPService.exe
C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\vsnp2std.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\PowerArchiver\POWERARC.EXE
C:\DOCUME~1\CRI\IMPOST~1\Temp\_PA85\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...ilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Programmi\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Programmi\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesit.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.234
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.234
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
ragazzi mi analizzate il mio log? secondo voi tutto ok? cos'é questo?
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D6C7CF-0E8A-44D7-BB46-1B54C8E9737E}: NameServer = 85.37.17.16 151.99.125.
Logfile of HijackThis v1.99.1
Scan saved at 17.28.23, on 26/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Pocket USB ADSL Modem\CnxDslTb.exe
C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Programmi\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Hitware Popup Killer Lite\HitwarePKLite.exe
C:\Programmi\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Spyware Terminator\SpywareTerminator.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pippo\Desktop\1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://notizie.alice.it/home/index.html?pmk=hphead
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Pocket USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Programmi\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [HitwarePKLite] C:\Programmi\Hitware Popup Killer Lite\HitwarePKLite.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epson-europe.com/selftest/it/Prg/ESTPTest.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D6C7CF-0E8A-44D7-BB46-1B54C8E9737E}: NameServer = 85.37.17.16 151.99.125.1
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
FOXYLADY
26-11-2006, 17:00
ragazzi mi analizzate il mio log? secondo voi tutto ok? cos'é questo?
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D6C7CF-0E8A-44D7-BB46-1B54C8E9737E}: NameServer = 85.37.17.16 151.99.125.
Sono i dns del tuo provider internet, piuttosto mi lascia perplesso questo
C:\Documents and Settings\Pippo\Desktop\1.exe
tu sai di cosa si tratta? :mbe:
1.exe é hijack....l'ho rinominato così perchè un worm non mi permetteva di usarlo con il vero nome!!!!!!!
FOXYLADY
26-11-2006, 17:46
Dal tuo log non si notano infezioni, prova a fare un controllo antirootkit con gmer
http://www.gmer.net/
se lo scan trova qualcosa lo segnala in rosso.
gmer non segnala alcun rootkit...speriamo abbia ragione!
Vittorio_Bo
26-11-2006, 23:46
Ragazzi, dopo aver penato ore per eliminare non solo il virus in questione ma un altra marea di schifezze con i tools da sempre consigliati qui, vi sottpongo gentilmente il log HJT per un esame. Grazie
Logfile of HijackThis v1.99.1
Scan saved at 0.17.46, on 27/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
F:\VARI\REGISTRO\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: wampapache - Unknown owner - c:\svr\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\svr\wamp\mysql\bin\mysqld-nt.exe
FOXYLADY
27-11-2006, 17:42
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
Fixa queste 2
zichichi
28-11-2006, 11:43
ragazzi mi sa che mi sono beccato un trojan...mi date una mano a capire il mio log? grazie:
Logfile of HijackThis v1.99.1
Scan saved at 12.40.08, on 28/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\Photodex\ProShowGold\ScsiAccess.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programmi\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\ADSL\StarModem ADSL USB MODEM\dslmon.exe
C:\Programmi\Logitech\SetPoint\SetPoint.exe
C:\Programmi\File comuni\Logitech\KhalShared\KHALMNPR.EXE
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\World of Warcraft\BackgroundDownloader.exe
C:\WINDOWS\system32\svchost.exe
D:\Programmi\eMule\emule.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Programmi\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Programmi\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kis] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Programmi\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programmi\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D4786F6-FA3D-4DBC-9D1C-EF4FB489B502}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C52D8387-D138-4952-82E4-7AEB3A9F07BA}: NameServer = 85.37.17.51 85.38.28.76
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Servizio stato di ASP.NET (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Servizio Bonjour (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Programmi\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
FOXYLADY
28-11-2006, 14:59
A me il tuo log pare pulito, cos'è che non ti convince?
zichichi
28-11-2006, 15:12
kav mi ha trovato 3 trojan, volevo capire se ero infetto... :confused:
FOXYLADY
28-11-2006, 15:22
Evidentemente ci ha già pensato il kav a ripulire ;)
M'han segnalato che ho un worm :muro:
Logfile of HijackThis v1.99.1
Scan saved at 10.07.25, on 30/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Creative\MediaSource\Go\CTCMSGo.exe
C:\Programmi\MSI\Core Center\CoreCenter.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programmi\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programmi\ABC\abc.exe
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Ric\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Web Desk - {BD2E165D-1BC6-23AA-345B-1C234F173CBD} - C:\WINDOWS\system32\webdesk.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [kav] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\Ric\IMPOST~1\Temp\_uninstop.exe /u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Programmi\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CoreCenter.lnk = C:\Programmi\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Programmi\File comuni\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Programmi\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
bReAkDoWn
30-11-2006, 09:38
M'han segnalato che ho un worm :muro:
Non c'è niente di sospetto, l'unica cosa che non riesco a verificare è questa: O2 - BHO: Web Desk - {BD2E165D-1BC6-23AA-345B-1C234F173CBD} - C:\WINDOWS\system32\webdesk.dll
Secondo me dal nome potrebbe essere collegato a 3dsmax. Casomai fai analizzare quel file (C:\WINDOWS\system32\webdesk.dll) su www.virustotal.com
Infine puoi fare un controllo manualmente, start -> esegui -> regedit . Poi spostati con i + fino a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
e guarda nella parte destra della finestra se ci sono dei valori diversi da (default).
Per quale motivo pensi di avere un worm? Antivirus? O cos'altro?
Non c'è niente di sospetto, l'unica cosa che non riesco a verificare è questa: O2 - BHO: Web Desk - {BD2E165D-1BC6-23AA-345B-1C234F173CBD} - C:\WINDOWS\system32\webdesk.dll
Secondo me dal nome potrebbe essere collegato a 3dsmax. Casomai fai analizzare quel file (C:\WINDOWS\system32\webdesk.dll) su www.virustotal.com
Infine puoi fare un controllo manualmente, start -> esegui -> regedit . Poi spostati con i + fino a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
e guarda nella parte destra della finestra se ci sono dei valori diversi da (default).
Per quale motivo pensi di avere un worm? Antivirus? O cos'altro?
Per questo (http://www.hwupgrade.it/forum/showthread.php?p=14908038#post14908038) motivo :rolleyes:
Grazie dell'aiuto ora faccio i controlli che mi hai segnalato :mano:
la dll,non viene rilevata da nessun antivirus :)
bReAkDoWn
30-11-2006, 10:34
la dll,non viene rilevata da nessun antivirus :)
Guardando anche l'altro thread.. tu hai verificato che quella dll, quel bho insomma, è installato dal software consigliato nella email?
Mi sembra chiaro :D :D
Ciao
Ciao, nel log di hijackthis tra le altre cose, mi trovo questa riga:
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1FCC4B-CDA7-4689-8ADE-5DE778253ABD}: NameServer = 85.37.17.11 151.99.125.1
Se la fixo, non risolvo più i dns, e se disconnetto e riconnetto ricompare. Qualcuno ha qualche idea?
outlaw16
30-11-2006, 21:35
active virus shield continua a dirmi che ho un trojian..ho usato anche avenger per risolvere il problema..cmq
Logfile of HijackThis v1.99.1
Scan saved at 22.33.34, on 30/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\ASUS\ASUS DH Remote\AsRc.exe
C:\Programmi\Microsoft IntelliType Pro\type32.exe
C:\Programmi\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\ASUS WiFi-AP Solo\RtWLan.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tony\Desktop\Download\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP06568 Class - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Programmi\AOL Security Toolbar\tbu1\AOL_security_toolbar.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Programmi\AOL Security Toolbar\tbu1\AOL_security_toolbar.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [aol] "C:\Programmi\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Programmi\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [type32] "C:\Programmi\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Programmi\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - Startup: Fastrate USB 100.lnk = ?
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162551032015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB78CD2A-1DD3-4B95-8F5B-E94D4CB471BE}: NameServer = 85.37.17.47 85.38.28.82
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programmi\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
qualcosa di sospettO?grazie in anticipo
bReAkDoWn
30-11-2006, 23:08
active virus shield continua a dirmi che ho un trojian..ho usato anche avenger per risolvere il problema..cmq
Log pulito.
vBulletin® v3.6.4, Copyright ©2000-2025, Jelsoft Enterprises Ltd.