#5461
Senior Member
Joined: Aug 2005
Location: Genova
Posts: 3397
Sorry about that
Spybot is an antispyware inferior to AVG Antispyware, but a scan with Spybot never hurts. To delete the registry entries, tick them and press Fix checked. To delete the process, boot into safe mode and delete it. AVG Antispy and Spybot should remove them anyway.

@nandox80 delete:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
You're full of objects coming from the site intranet.rfi.it, which I don't know. Do you use it? If you don't know it or don't use it, they could be malware.

@Fiat410: Delete:
O2 - BHO: (no name) - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - C:\WINDOWS\system32\ddcaawv.dll (file missing)
O2 - BHO: (no name) - {0BCD78C0-B028-4A66-9056-B123CE24F786} - (no file)
O2 - BHO: (no name) - {2AB7F8DD-8F73-4EE3-B329-4B2F74072CA8} - C:\WINDOWS\system32\vtutu.dll (file missing)
O2 - BHO: (no name) - {316831A8-E68A-4FA0-A929-808160BCFEA7} - (no file)
O2 - BHO: (no name) - {7AAA4328-B3E0-4C76-A294-42E1B7C5E5CD} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {86BF25DD-33B8-4687-9FDE-02E190B48F87} - (no file)
O2 - BHO: (no name) - {A8F128E5-8280-4A35-A324-73DDC3F75BCB} - (no file)
O2 - BHO: (no name) - {F886F4F5-1BB0-4984-A76F-6C64778BF345} - (no file)
O2 - BHO: (no name) - {F8C5752A-CC9B-4794-B65D-4D93B0A0EC94} - C:\WINDOWS\system32\vtutu.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: ddcaawv - ddcaawv.dll (file missing)

And those were the useless keys; let's move on to the infected ones. Delete:
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O2 - BHO: (no name) - {AECDE9F5-0A25-4D13-94AB-BD509A886823} - C:\WINDOWS\system32\mljgg.dll

Then there are these files I can't find anything about. Have them analyzed on VirusTotal and, if they are infected (likely, since they look like they were generated with random names), post a new log:
pbdgmx.exe
psgwayma.dll
ddcaxut.dll

Run a scan with AVG Antispyware and an online scan on the Kaspersky site.
__________________
Bagle Worm/Rootkit Removal - Vundo Trojan Removal - MSN Messenger Virus Removal - Removing viruses on USB sticks or missing-file errors when opening the hard disk - NT AUTHORITY SYSTEM shuts down the PC at every boot. What to do? (sasser/blaster/rustock worm) - Official software firewall thread
Last edited by Bugs Bunny: 19-04-2007 at 21:17.
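The triage done by hand in this post can be scripted: entries ending in "(no file)" or "(file missing)" are dead registry keys, a "(no name)" BHO whose DLL still exists deserves a closer look, the same random-named DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20) is the Vundo pattern, and a Notify DLL outside system32 or a copy of explorer.exe outside C:\Windows is a masquerade. The Python below is an added example written for this edit, not a tool from this thread or from HijackThis. The sample lines are copied from logs posted in this thread; the Windows directory is assumed to be C:\WINDOWS, and the allowlist of known Notify DLLs is a placeholder holding only the two legitimate ones visible in the thread (WgaLogon and SUPERAntiSpyware's SASWINLO).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumptions for this example: Windows lives in C:\WINDOWS (true of the XP logs in
# the thread) and KNOWN_NOTIFY is a placeholder holding only the two legitimate
# Notify packages visible in the thread.
WINDIR = "c:\\windows"
SYSTEM32 = WINDIR + "\\system32"
ORPHAN_MARKERS = ("(no file)", "(file missing)")
KNOWN_NOTIFY = {"wgalogon.dll", "saswinlo.dll"}
# Names that belong under the Windows directory; a copy elsewhere is the masquerade
# Bugs Bunny calls out for explorer.exe.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}
SECTION_RE = re.compile(r"(O\d+|R[01]|F\d)\s+-\s+(.*)")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))", re.IGNORECASE)

# Constructed sample: lines copied from logs posted in this thread, chosen so that
# every rule below fires at least once.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - C:\WINDOWS\system32\ddcaawv.dll (file missing)
O2 - BHO: (no name) - {AECDE9F5-0A25-4D13-94AB-BD509A886823} - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documenti\Settings\partnership.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72816228849360B8D1BE1C59331416DC57C032CBD1BE3D290641833
O4 - HKCU\..\Run: [Nan] "C:\Documents and Settings\bb\Dati applicazioni\s?stem\explorer.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
"""


@dataclass
class Entry:
    section: str         # O2, O4, O20, ...
    text: str            # full log line
    path: Optional[str]  # first .dll/.exe path on the line, if any

    @property
    def basename(self) -> Optional[str]:
        return self.path.rsplit("\\", 1)[-1].lower() if self.path else None

    @property
    def directory(self) -> Optional[str]:
        return self.path.rsplit("\\", 1)[0].lower() if self.path else None


def parse(log: str) -> List[Entry]:
    """Keep the Oxx/Rx/Fx lines; headers and the process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            pm = PATH_RE.search(m.group(2))
            entries.append(Entry(m.group(1), raw.strip(), pm.group(1) if pm else None))
    return entries


def is_orphan(e: Entry) -> bool:
    return any(marker in e.text for marker in ORPHAN_MARKERS)


def classify(e: Entry, nameless_bho_dlls: Set[str]) -> Optional[str]:
    if e.section == "O10" and "Broken" in e.text:
        return "BROKEN_LSP"             # Winsock chain references a missing DLL
    if is_orphan(e):
        return "ORPHAN"                 # dead key: nothing loads from it, just clean it
    if e.path is None:
        return None
    if e.section == "O20":
        if e.basename in nameless_bho_dlls:
            return "VUNDO_PATTERN"      # same DLL as nameless O2 and as O20: live infection
        if e.basename in KNOWN_NOTIFY:
            return None
        if not e.directory.startswith(SYSTEM32):
            return "NOTIFY_OUTSIDE_SYSTEM32"
        return "UNKNOWN_NOTIFY"
    if e.section == "O2" and "(no name)" in e.text:
        return "NAMELESS_BHO"           # a lead, not a verdict: hash the DLL
    if e.section == "O4":
        if "?" in e.path:
            return "UNPRINTABLE_PATH"   # '?' stands for a character HijackThis could not render
        if e.basename in SYSTEM_BINARIES and not e.directory.startswith(WINDIR):
            return "MASQUERADE"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    entries = parse(log)
    # Vundo registers one random DLL both as a nameless BHO and as a Winlogon
    # Notify package, so index the live nameless BHO DLLs before classifying.
    nameless = {e.basename for e in entries
                if e.section == "O2" and "(no name)" in e.text and e.basename and not is_orphan(e)}
    return [(v, e.text) for e in entries for v in [classify(e, nameless)] if v]


def verdict_for(findings: List[Tuple[str, str]], needle: str) -> Optional[str]:
    """Verdict of the first flagged line containing needle, or None if it was not flagged."""
    return next((v for v, text in findings if needle in text), None)


if __name__ == "__main__":
    for verdict, text in triage(SAMPLE_LOG):
        print(f"{verdict:24} {text}")
```

Run it as a script to print the findings for the sample. Two caveats the thread itself illustrates: Spybot's SDHelper.dll also shows up as a "(no name)" BHO in the Vista log further down, so NAMELESS_BHO is a lead to hash and look up, not a verdict; and C:\WINDOWS\updater.exe, which Bugs Bunny identifies as a worm, passes every path heuristic here, which is exactly why unknown files get sent to VirusTotal.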
#5462
Senior Member
Joined: Jan 2006
Location: L'Aquila
Posts: 4426
Reposting my log, bugs, whenever you want, no rush....

Logfile of HijackThis v1.99.1
Scan saved at 22.30.54, on 19/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\eMule\eMule.exe
C:\WINDOWS\System32\svchost.exe
C:\OrCAD\OrCAD_10.5\tools\bin\cdsNameServer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Nando Taglieri\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgilio.it/home/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgilio.it/home/index.html
O16 - DPF: {07E13CE4-9234-45B8-A97A-253AF73D3223} (CSC_AreeBuff_034.ctrlAreeBuffer) - http://intranet.rfi.it/protocollo/bi...eeBuff_034.CAB
O16 - DPF: {14D8E7C1-5E52-4FE0-928C-7F6AABA7910B} (CSC_Timbro_019.ctrlTimbro) - http://intranet.rfi.it/protocollo/bi...Timbro_019.CAB
O16 - DPF: {19B7F2D6-1610-11D3-BF30-1AF820524153} (CCRP FolderTreeview Control (VB6)) - http://intranet.rfi.it/protocollo/bin/ccrpftv6.CAB
O16 - DPF: {1B08E78F-7451-11D5-979F-00C02680C239} (CSC_ADOArray_032.ClsAdoArray) - http://intranet.rfi.it/protocollo/bi...oArray_032.CAB
O16 - DPF: {20C62CA0-15DA-101B-B9A8-444553540000} (Microsoft MAPI Session Control, version 6.0) - http://intranet.rfi.it/protocollo/bin/msmapi32.CAB
O16 - DPF: {20DD1B9E-87C4-11D1-8BE3-0000F8754DA1} (Microsoft Date and Time Picker Control 6.0 (SP4)) - http://intranet.rfi.it/protocollo/bin/mscomct2.CAB
O16 - DPF: {2536FB5E-F85C-49B4-A753-DE8A79B75005} (PictureX Control) - http://intranet.rfi.it/protocollo/bi...60_Imaging.CAB
O16 - DPF: {30DDFCAB-76AB-11D5-8211-525405F475F5} (CSC_Ammi_022.UserAmministrazione) - http://intranet.rfi.it/protocollo/bin/CSC_Ammi_022.CAB
O16 - DPF: {3661635E-6969-11D5-8202-525405F475F5} (CSC_Relazioni_024.UserRelazioni) - http://intranet.rfi.it/protocollo/bi...azioni_024.CAB
O16 - DPF: {393D73D5-2FE5-4849-8C13-B61D208CD79A} (CSC_Clienti_017.UserClienti) - http://intranet.rfi.it/protocollo/bi...lienti_017.CAB
O16 - DPF: {3F2C4984-6516-47F8-AD5C-47C9438A083E} (CSC_054_MAPI.ClsMAPI) - http://intranet.rfi.it/protocollo/bin/CSC_054_Mapi.CAB
O16 - DPF: {42F63283-7DB9-11D5-8218-525405F475F5} (CSC_Titolario_026.ctrlTitolario) - http://intranet.rfi.it/protocollo/bi...olario_026.CAB
O16 - DPF: {48E59293-9880-11CF-9754-00AA00C00908} (Microsoft Internet Transfer Control 6.0 (SP4)) - http://intranet.rfi.it/protocollo/bin/msinet.CAB
O16 - DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} (Microsoft FlexGrid Control, version 6.0) - http://intranet.rfi.it/protocollo/bin/msflxgrd.cab
O16 - DPF: {7C205B37-6970-11D5-8202-525405F475F5} (CSC_DocInCarico_028.UserDocInCarico) - http://intranet.rfi.it/protocollo/bi...Carico_028.CAB
O16 - DPF: {83730EE4-6C46-11CF-A524-0080C77A7786} (MSMask General Property Page Object) - http://intranet.rfi.it/protocollo/bin/msmask32.CAB
O16 - DPF: {917F359F-E8EA-42C4-9C9F-812D6E7863A7} (CSC_053_FSWrapper.ClsMoveFile) - http://intranet.rfi.it/protocollo/bi..._FsWrapper.CAB
O16 - DPF: {B8D759A6-79DA-11D5-8213-525405F475F5} (CSC_WebServer_033.UserWebServer) - http://intranet.rfi.it/protocollo/bi...Server_033.CAB
O16 - DPF: {BA91675A-747F-4C8B-81B4-50241531D04E} (CSC_operatori_025.UserOperatori) - http://intranet.rfi.it/protocollo/bi...ratori_025.CAB
O16 - DPF: {BDC217C5-ED16-11CD-956C-0000C04E4C0A} (Microsoft Tabbed Dialog Control 6.0 (SP4)) - http://intranet.rfi.it/protocollo/bin/tabctl32.CAB
O16 - DPF: {C9008A63-64A9-11D5-81FE-525405F475F5} (CSC_QueryBuilder_023.UserQueryBuilder) - http://intranet.rfi.it/protocollo/bi...uilder_023.CAB
O16 - DPF: {CA6466B8-618F-11D5-81FC-525405F475F5} (CSC_Protocollo_020.UserProtocollo) - http://intranet.rfi.it/protocollo/bi...ocollo_020.CAB
O16 - DPF: {CAA74873-CEFC-4B92-9ADF-ECA47DD17E8A} (CSC_GestTito_036.ctrlTitolario) - http://intranet.rfi.it/protocollo/bi...stTito_036.CAB
O16 - DPF: {DC9094C4-8C9D-4F3E-B2C6-51535F507563} (CitecTimbro.Timbro) - http://intranet.rfi.it/protocollo/bin/CitecTimbro.CAB
O16 - DPF: {E5FF9F62-0E7C-4372-8AD5-DA7D2418070C} (Message Object) - http://intranet.rfi.it/protocollo/bin/jmail.CAB
O16 - DPF: {E6CD2C2D-A791-11D5-B416-000102F56FBA} (CSC_Autorizza_029.UserAutorizza) - http://intranet.rfi.it/protocollo/bi...orizza_029.CAB
O16 - DPF: {EB6C406D-63EF-11D5-81FD-525405F475F5} (CSC_Tipologie_018.UserTipologie) - http://intranet.rfi.it/protocollo/bi...ologie_018.CAB
O16 - DPF: {EF880E00-671C-11D5-8201-525405F475F5} (CSC_Supporti_027.UserSupp) - http://intranet.rfi.it/protocollo/bi...pporti_027.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{45A9B62C-1FC9-45E4-B371-3F83263B7CB9}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE9B8241-6BCB-4820-810A-B0E92AB4576C}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\OrCAD\OrCAD_10.5\INTELL~1\LicenseManager\lmgrd.exe
O23 - Service: Flexlm (lmgrd) - Macrovision Corporation - C:\OrCAD\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

And as for intranet.rfi, it's fine, my brother uses it!!!
__________________
Everyone loves an expert's advice... but nobody wants to pay for it!!!
#5463
Senior Member
Joined: Aug 2005
Location: Genova
Posts: 3397
Clean.
#5464
Senior Member
Joined: Jan 2006
Location: L'Aquila
Posts: 4426
In the meantime I removed the entry:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Thanks a lot bugs!!!! Really
#5465
Senior Member
Joined: Sep 2006
Posts: 321
Guys, sorry, a few days ago I found a trojan on my PC... it's IMMORTAL! Even if I delete it, it comes back! It doesn't even tell me the name (unknown trojan).
Here's my log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\sm56hlpr.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\updater.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\bb\IMPOST~1\Temp\Rar$EX00.015\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43B3F517-32D1-3C54-F240-6EE34FE3FABD} - C:\WINDOWS\system32\ttgvay.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72816228849360B8D1BE1C59331416DC57C032CBD1BE3D290641833
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Nan] "C:\Documents and Settings\bb\Dati applicazioni\s?stem\explorer.exe"
O4 - HKCU\..\Run: [Raps] "C:\WINDOWS\system32\CURITY~1\attrib.exe" -vt ndrv
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103540071355
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab53083.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92D67EC3-0EE6-4386-9653-3FDB4501079F}: NameServer = 85.37.17.13 85.38.28.81
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe

If you can, please give me a hand. Thanks a lot
#5466
Senior Member
Joined: Jan 2003
Posts: 630
Could you please take a look at my log? The internet is very slow, I caught a virus that takes me to other sites on its own.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14.09.35, on 20/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\Programmi\Trust\250S Series\lwbwheel.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Thrustmaster\Thrustmapper\TMTMTSR.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Programmi\Emule Extreme\emule.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Pando Networks\Pando\pando.exe
C:\Programmi\Lavasoft\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Programmi\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\byxxxvw.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Programmi\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {BEC19947-4D31-4812-99C0-5BA407026C87} - C:\WINDOWS\system32\pmnlk.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ThrustTSR] C:\Programmi\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Pando] "C:\Programmi\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download all by Orbit - res://D:\Programmi\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Programmi\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Programmi\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Programmi\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con FlashGet - D:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - D:\Programmi\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E40E263B-E79F-41D1-B2AC-62719C0076EF}: NameServer = 85.37.17.50 85.38.28.76
O20 - Winlogon Notify: byxxxvw - C:\WINDOWS\SYSTEM32\byxxxvw.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documenti\Settings\partnership.dll
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\system32\pmnlk.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5177 bytes
__________________
ENERMAX Uber Chakra Big Tower/Asus P5Q3 P45/Q9400 Quad-Core2/ 4GIGA OCZ DDR3(1600MHz)Gold series/ Barracuda 500GB/SAPPHIRE HD4850/OCZ 700W/ASUS DRW-2014S 20X/Alice adsl 7mb
Last edited by Gablogan: 20-04-2007 at 13:09.
#5467
Senior Member
Joined: Aug 2005
Location: Genova
Posts: 3397
So....

@radmaster: delete:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72816228849360B8D1BE1C59331416DC57C032CBD1BE3D290641833
O4 - HKCU\..\Run: [Nan] "C:\Documents and Settings\bb\Dati applicazioni\s?stem\explorer.exe"
O2 - BHO: (no name) - {43B3F517-32D1-3C54-F240-6EE34FE3FABD} - C:\WINDOWS\system32\ttgvay.dll

I can't find anything on ttgvay; you'd better have it analyzed on virustotal. updater is a worm, and explorer.exe should be in C:\Windows.
#5468
Senior Member
Joined: Aug 2005
Location: Genova
Posts: 3397
@gablogan:
delete:
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\byxxxvw.dll
O2 - BHO: (no name) - {BEC19947-4D31-4812-99C0-5BA407026C87} - C:\WINDOWS\system32\pmnlk.dll
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\system32\pmnlk.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documenti\Settings\partnership.dll
O20 - Winlogon Notify: byxxxvw - C:\WINDOWS\SYSTEM32\byxxxvw.dll

Then run a scan with AVG Antispyware.
#5469
Senior Member
Joined: Sep 2006
Posts: 321
bugs, thanks for the help!
Could you please tell me how to use virustotal and upload ttvgay to it?
#5470
Senior Member
Joined: Jun 2006
Posts: 1042
Logfile of HijackThis v1.99.1
Scan saved at 16.04.42, on 20/04/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Programmi\eMule\emule.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\system32\DllHost.exe
C:\Users\Tony\Desktop\Nuova cartella\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Micros oft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigDogPath] C:\Windows\VM_STI.EXE V-Gear TalkCam 1.1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [eMuleAutoStart] D:\Programmi\eMule\emule.exe -AutoStart
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc.
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing) O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing) O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing) Qualcosa di sospetto????Ho windows Vista Ultimate
__________________
Core 2 duo (Conroe) e6600 2.4ghz / Asus P5W DH Deluxe / Corsair DIMM 2X1GB DDR2 PC5400 CORSAIR C4 XMS2 / Geforce 9600gt,512MB / tagan 580w/ Seagate Barracuda 7200.10 320 GB MacBook 2,2, 1Gb Ram, White!!Leopard!! |
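The helpers in this thread read logs like the one above by hand, line type by line type. As an added example (not code from the original posts, nor from HijackThis itself), the Python below applies the same triage to the O2 BHO, O20 Winlogon Notify and O4 Run lines: an entry whose file is gone is "dead" (fixing it only removes the registry key, there is nothing to delete), a Winlogon Notify DLL outside the stock set is "infected" because winlogon.exe loads it at logon (which is why it cannot be deleted from a running system), and that verdict is propagated to any other entry that points at the same DLL. The sample lines are constructed from entries quoted in the thread, and the allowlist of default XP Winlogon Notify DLLs and the rule set are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: a few HijackThis lines assembled for this example from
# entries quoted in the thread. Not a real or complete log.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - C:\WINDOWS\system32\ddcaawv.dll (file missing)
O2 - BHO: (no name) - {AECDE9F5-0A25-4D13-94AB-BD509A886823} - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: ddcaawv - ddcaawv.dll (file missing)
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: crypt32chk - crypt32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
"""

# Assumed allowlist: the Winlogon Notify DLLs a stock Windows XP installation
# registers. Any other DLL hooked there is loaded into winlogon.exe at logon.
DEFAULT_WINLOGON_NOTIFY = {
    "crypt32", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# HijackThis appends these when the registry points at a file that is gone.
DEAD_MARKERS = ("(no file)", "(file missing)")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")


def parse_line(line):
    """Return (section, fields) for the O2/O20/O4 lines this example handles, else None."""
    for section, rx in (("O2", O2_RE), ("O20", O20_RE), ("O4", O4_RE)):
        m = rx.match(line)
        if m:
            return section, m.groupdict()
    return None


def dll_base(path):
    """'C:\\WINDOWS\\system32\\mljgg.dll (file missing)' -> 'mljgg'."""
    name = path.split("\\")[-1].split(" ")[0].lower()
    return name[:-4] if name.endswith(".dll") else name


def classify(line):
    parsed = parse_line(line)
    if parsed is None:
        return "unparsed"
    section, f = parsed
    if f["path"].endswith(DEAD_MARKERS):
        return "dead"        # orphaned key: fixing it removes the entry, no file to delete
    if section == "O20" and dll_base(f["path"]) not in DEFAULT_WINLOGON_NOTIFY:
        return "infected"    # live DLL inside winlogon.exe: cannot be deleted while running
    if section == "O2" and f["name"] == "(no name)":
        return "suspicious"  # nameless BHO with a real file behind it
    return "ok"


def triage(log_text):
    """Classify every line, then upgrade any entry that shares a DLL with a live Winlogon hook."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    first_pass = [(classify(l), l) for l in lines]
    hooked = {dll_base(parse_line(l)[1]["path"]) for cat, l in first_pass if cat == "infected"}
    result = []
    for cat, l in first_pass:
        parsed = parse_line(l)
        if cat in ("ok", "suspicious") and parsed and dll_base(parsed[1]["path"]) in hooked:
            cat = "infected"
        result.append((cat, l))
    return result


def summary(log_text):
    return dict(Counter(cat for cat, _ in triage(log_text)))


if __name__ == "__main__":
    for cat, line in triage(SAMPLE_LOG):
        print(f"{cat:10s} {line}")
    print(summary(SAMPLE_LOG))
```

On the sample the nameless BHO for mljgg.dll is first only "suspicious", and becomes "infected" because the same DLL is hooked as a Winlogon Notify package; the dead entries are the ones the helper above called "useless keys".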
#5471
Senior Member
Joined: Jan 2003
Posts: 630
Quote:
I tried, but it doesn't delete them. If I run a new scan with HijackThis they reappear. I also tried from XP Safe Mode and it still doesn't delete them. I also tried deleting them manually from windows/system32, but it won't let me: it says the file is in use, or something like that.
__________________
ENERMAX Uber Chakra Big Tower/Asus P5Q3 P45/Q9400 Quad-Core2/ 4GIGA OCZ DDR3(1600MHz)Gold series/ Barracuda 500GB/SAPPHIRE HD4850/OCZ 700W/ASUS DRW-2014S 20X/Alice adsl 7mb |
#5472
Senior Member
Joined: Aug 2005
City: Genova
Posts: 3397
Disable System Restore.
In The Avenger paste this script:
Files to delete:
C:\WINDOWS\system32\byxxxvw.dll
C:\WINDOWS\system32\pmnlk.dll
then click Done, then the traffic light, and then accept the 2 warnings that appear. See whether it deletes them that way.
__________________
Bagle worm/rootkit removal - Vundo trojan removal - MSN Messenger virus removal - Removal of viruses on USB sticks or "missing file" errors when opening the hard disk - NT AUTHORITY SYSTEM shuts the PC down at every boot. What to do? (sasser/blaster/rustock worm) - Official software firewall thread
#5473
Senior Member
Joined: Feb 2006
City: Perugia
Posts: 1340
It won't let you delete them because the system32 folder is protected by Windows; you need programs that disable this protection for the time needed to remove the files.
#5474
Senior Member
Joined: Feb 2007
City: Spira, Zanarkand
Posts: 394
#5475
Senior Member
Joined: Jan 2003
Posts: 630
Quote:
Sorry, could you explain the procedure step by step? How do I disable System Restore and delete them?
__________________
ENERMAX Uber Chakra Big Tower/Asus P5Q3 P45/Q9400 Quad-Core2/ 4GIGA OCZ DDR3(1600MHz)Gold series/ Barracuda 500GB/SAPPHIRE HD4850/OCZ 700W/ASUS DRW-2014S 20X/Alice adsl 7mb |
#5476
Senior Member
Joined: Nov 2006
Posts: 1886
Quote:
To learn how to disable System Restore, I suggest you read the page linked below:
http://support.microsoft.com/kb/310405/it
"Attivazione e disattivazione di Ripristino configurazione di sistema in Windows XP" (How to turn System Restore on and off in Windows XP)
As further reading, I also suggest this interesting article by crazy.cat, published on the MegaLab portal:
Come disattivare "Ripristino Configurazione di Sistema" (How to disable "System Restore")
http://www.megalab.it/articoli.php?id=510
And finally, as far as the use of The Avenger is concerned, there is this exhaustive article by Billokenobi, also published on the MegaLab portal:
The Avenger: un tool dalle strabilianti capacità (The Avenger: a tool with astonishing capabilities)
http://www.megalab.it/articoli.php?id=946
Bye!!!
Last edited by ania: 21-04-2007 at 05:51.
#5477
Senior Member
Joined: Jan 2003
Posts: 630
Well, System Restore was already disabled. As for The Avenger, I don't know whether I used it correctly; anyway, this is what I do:
1) in "Load script from file" I load the file C:\WINDOWS\system32\pmnlk.dll
2) I click the magnifying glass and click Done
3) I click the traffic light and the message "are you sure you want to execute the commands in the selected script?" appears, and I click yes
4) the message "error: selected file does not appear to be a valid script" error code: 0 appears and it does nothing more. Same with the other file to delete. I don't know whether I'm doing something wrong or these files are really tough to remove.
__________________
ENERMAX Uber Chakra Big Tower/Asus P5Q3 P45/Q9400 Quad-Core2/ 4GIGA OCZ DDR3(1600MHz)Gold series/ Barracuda 500GB/SAPPHIRE HD4850/OCZ 700W/ASUS DRW-2014S 20X/Alice adsl 7mb |
#5478
Junior Member
Joined: Apr 2007
Posts: 7
Hi everyone!
With reference to what is reported in this post: http://www.hwupgrade.it/forum/showthread.php?p=16827164 here is the HijackThis log. It is curious to note (if my eyes aren't deceiving me) that there is no trace of that executable...
Quote:
#5479
Senior Member
Joined: Feb 2007
City: Spira, Zanarkand
Posts: 394
Quote:
O20 - AppInit_DLLs:
#5480
Senior Member
Joined: Aug 2005
City: Genova
Posts: 3397
Quote:
The script is:
Files to delete:
C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\system32\byxxxvw.dll
__________________
Bagle worm/rootkit removal - Vundo trojan removal - MSN Messenger virus removal - Removal of viruses on USB sticks or "missing file" errors when opening the hard disk - NT AUTHORITY SYSTEM shuts the PC down at every boot. What to do? (sasser/blaster/rustock worm) - Official software firewall thread
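The "selected file does not appear to be a valid script" error a few posts up comes from loading the DLL itself where The Avenger expects a script; the script is the small text block quoted just above. As an added example, not code from the original posts or from The Avenger, the Python below shows the two steps a tool of this kind performs: validating a "Files to delete:" script (anything that does not begin with a section header, such as a PE file whose first bytes are MZ, is rejected) and scheduling the listed files for removal at the next boot through the documented MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) call, which is how Windows itself removes a DLL that is locked while the system runs. The section grammar, the sample inputs and the assumption that the same OS mechanism is involved are this example's own; the real tool may rely on its own boot-time driver instead.

```python
import sys

# Assumed grammar for this example: section headers end with ':' and every entry
# sits on its own line. Only the "Files to delete:" section used in the thread is
# modelled; The Avenger's other sections are not.
SECTIONS = {"files to delete"}

MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004  # documented MoveFileEx flag

# Constructed inputs. SAMPLE_SCRIPT is the script from the thread; NOT_A_SCRIPT
# stands in for what was actually loaded (the DLL itself): a PE image starts
# with the 'MZ' header, so it can never parse as a script.
SAMPLE_SCRIPT = """\
Files to delete:
C:\\WINDOWS\\system32\\pmnlk.dll
C:\\WINDOWS\\system32\\byxxxvw.dll
"""
NOT_A_SCRIPT = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def parse_avenger_script(text):
    """Return {section: [entries]} or raise ValueError for anything that is not a script."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            key = line[:-1].strip().lower()
            if key not in SECTIONS:
                raise ValueError(f"unknown section {line!r}")
            current = sections.setdefault(key, [])
        elif current is None:
            raise ValueError("selected file does not appear to be a valid script")
        else:
            current.append(line)
    if not sections:
        raise ValueError("selected file does not appear to be a valid script")
    return sections


def is_valid_script(text):
    try:
        parse_avenger_script(text)
        return True
    except ValueError:
        return False


def pending_rename_entries(paths):
    """Build the REG_MULTI_SZ that MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) stores under
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations:
    (source, destination) pairs in NT path syntax, an empty destination meaning delete.
    Session Manager applies them at the next boot, before the DLL can be loaded again."""
    entries = []
    for path in paths:
        entries.append("\\??\\" + path)
        entries.append("")
    return entries


def schedule_delete_at_reboot(paths):
    """Windows only, needs administrator rights. Asks the OS to delete each file at boot."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    from ctypes import wintypes
    move_file_ex = ctypes.windll.kernel32.MoveFileExW
    move_file_ex.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    move_file_ex.restype = wintypes.BOOL
    for path in paths:
        if not move_file_ex(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError()


if __name__ == "__main__":
    print("DLL accepted as script?", is_valid_script(NOT_A_SCRIPT.decode("latin-1")))
    files = parse_avenger_script(SAMPLE_SCRIPT)["files to delete"]
    print("PendingFileRenameOperations payload:", pending_rename_entries(files))
    # From an elevated prompt on the infected machine: schedule_delete_at_reboot(files)
```

Two practical notes follow from this. Because the deletion only takes effect at boot, the Winlogon Notify and BHO registry entries that load the DLL still have to be removed (otherwise winlogon.exe will look for the file again and, for Vundo-style infections, a companion copy may recreate it). And the same PendingFileRenameOperations value is worth reading during incident response: malware can use it too, and a responder who sees unexpected entries there knows something is queued to change on the next restart.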