Command Service e spyware....aiutoooo!!!!

[baycoreano]

Aiuto ragazzi... ho formattato il pc,e nel periodo in cui sono rimasto senza antivirus secondo me ho preso una brutta bestia, command service. Faccio la scanzione con spybot, lo rilevo e lo elimino, ma al momento di riaccedere al sistema lo ritrovo sempre li' a dare fastidio, per non parlare delle 1000 finestre che si aprono mentre navigo in Intrnet. Mi aiutate per favore, non vorrei formattare di nuovo!!!
Vi posto il log di Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 18.57.48, on 20/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\sdkhj.exe
C:\WINDOWS\System32\Sygate.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\System32\lsass_322.exe
C:\windows\mousepad4.exe
C:\Programmi\webHancer\Programs\whagent.exe
C:\Programmi\webHancer\Programs\whsurvey.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\newfrn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\devldr32.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nello\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Programmi\webHancer\programs\whiehlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [mdc] C:\sdkhj.exe
O4 - HKLM\..\Run: [Microsoft Update] Sygate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [zpfq32] lsass_322.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Programmi\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Programmi\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Sygate.exe
O4 - HKLM\..\RunServices: [zpfq32] lsass_322.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Run Service Vxdrun] vxddirectx32.exe
O4 - HKCU\..\Run: [Microsoft Update] Sygate.exe
O4 - HKCU\..\Run: [MS Windows System Alert] MSWSA32.exe
O4 - HKCU\..\Run: [MS Windows Local Directory] MSWLD32.exe
O4 - HKCU\..\RunServices: [Run Service Vxdrun] vxddirectx32.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C7C7DC7-C2BC-4C87-893B-CDFF6E596BF2}: NameServer = 85.37.17.9 85.38.28.75
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\uitheme.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\m0ju0a19ed.dll (file missing)
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

[andorra24]

Ciao, posta il log nell'apposito thread in rilievo cosi te lo analizzo con calma.
Questo thread lo chiuderanno sicuramente.

[baycoreano]

Qual'è il thread in rilievo. Quello ufficiale di Hijackthis??

[Psycho9]

Vai quì:

http://hijackthis.de/

[andorra24]

Quote:

Originariamente inviato da baycoreano

Qual'è il thread in rilievo. Quello ufficiale di Hijackthis??

E' il thread ufficiale di hijackthis. Posta il log cosi ti dico cosa devi eliminare.

http://www.hwupgrade.it/forum/showth...&goto=lastpost

[baycoreano]

Sono andato all'indirizzo che mi hai dato, ho analizzato il log di hijackthis e mi ha riscontrato tanti errori( file sospetti).Ti riposto il log, così mi dici anche come devo operare per eliminare i file:

Logfile of HijackThis v1.99.1
Scan saved at 18.57.48, on 20/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\sdkhj.exe
C:\WINDOWS\System32\Sygate.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\System32\lsass_322.exe
C:\windows\mousepad4.exe
C:\Programmi\webHancer\Programs\whagent.exe
C:\Programmi\webHancer\Programs\whsurvey.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\newfrn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\devldr32.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nello\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Programmi\webHancer\programs\whiehlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [mdc] C:\sdkhj.exe
O4 - HKLM\..\Run: [Microsoft Update] Sygate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [zpfq32] lsass_322.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Programmi\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Programmi\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Sygate.exe
O4 - HKLM\..\RunServices: [zpfq32] lsass_322.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Run Service Vxdrun] vxddirectx32.exe
O4 - HKCU\..\Run: [Microsoft Update] Sygate.exe
O4 - HKCU\..\Run: [MS Windows System Alert] MSWSA32.exe
O4 - HKCU\..\Run: [MS Windows Local Directory] MSWLD32.exe
O4 - HKCU\..\RunServices: [Run Service Vxdrun] vxddirectx32.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C7C7DC7-C2BC-4C87-893B-CDFF6E596BF2}: NameServer = 85.37.17.9 85.38.28.75
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\uitheme.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\m0ju0a19ed.dll (file missing)
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

[andorra24]

baycoreano ti avevo detto di postare il log di hijackthis nel thread ufficiale in rilievo.

http://www.hwupgrade.it/forum/showth...&goto=lastpost

[andorra24]

Visto che hai molta difficolta' a postare il log di hijackthis nell'apposito thread in rilievo per questa volta te lo analizzo in questo thread SPERANDO CHE I MODERATORI non lo chiudano (dopo la fatica che ho fatto).

Fixa:

C:\sdkhj.exe
C:\WINDOWS\System32\Sygate.exe
C:\WINDOWS\System32\lsass_322.exe
C:\windows\mousepad4.exe
C:\Programmi\webHancer\Programs\whagent.exe
C:\Programmi\webHancer\Programs\whsurvey.exe
C:\WINDOWS\newfrn.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Programmi\webHancer\programs\whiehlpr.dll
O4 - HKLM\..\Run: [mdc] C:\sdkhj.exe
O4 - HKLM\..\Run: [Microsoft Update] Sygate.exe
O4 - HKLM\..\Run: [zpfq32] lsass_322.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Programmi\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Programmi\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Sygate.exe
O4 - HKLM\..\RunServices: [zpfq32] lsass_322.exe
O4 - HKCU\..\Run: [Run Service Vxdrun] vxddirectx32.exe
O4 - HKCU\..\Run: [Microsoft Update] Sygate.exe
O4 - HKCU\..\Run: [MS Windows System Alert] MSWSA32.exe
O4 - HKCU\..\Run: [MS Windows Local Directory] MSWLD32.exe
O4 - HKCU\..\RunServices: [Run Service Vxdrun] vxddirectx32.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\uitheme.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\m0ju0a19ed.dll (file missing)
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)

[baycoreano]

Ho fixato gli elementi che hai detto, mi ha datto problema solo per 010 WinSock LSP, che mi dice che posso eliminare con SpyBot. Avvio la scansiobe com spybot e mi trova ancora delle voci:

-Smitfraud-C

Eseguibile
c:\MTE3NDI60DoxNg.exe

Dati
c:\windows\teller2.chk

Dati
c:windows\drsmartload2.dat

Eseguibile
c:\drsmartload1.exe

Impostazioni
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\.........

Impostazioni
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\.......

Impostazioni
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\drsmartload2

-webHancer

<$WINSOCK>
webHancer

Assistente del Browser(BHO)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Explorer\Browser Helper Object\..........

Classe radice (Root)
HKEY_LOCAL_MACHINE\Software\Classes\WhleHelperObj.WhleHelperObj.1

Classe radice (Root)
HKEY_LOCAL_MACHINE\Software\Classes\WhleHelperObj.WhleHelperObj

ID di classe
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\.........

Impostazioni di disinstallazione
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent

Impostazioni globali
HKEY_LOCAL_MACHINE\Software\webHancer

Interfaccia
HKEY_CLASSES_ROOT\Interface\...............

Libreria dei tipi
HKEY_CLASSES_ROOT\TypeLib\................

-Network Monitor

File di testo
C:\WINDOWS\uninstall_nmon.vbs

Cartella di programma
C:\Programmi\Network Monitor\

Cartella di programma
C:\Documents and Settings\LocalService\Dati applicazioni\NetMon\

Impostazioni di disinstallazione
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\..........

-MediaPlex

Cookie tracciante (Internet Explorer:Nello)
Internet Explorer (Nello): Cookie:[email protected]/()

-Deskwizz

Eseguibile
C:\WINDOWS\newfrn.exe

File di cofigurazione
C:\WINDOWS\dh.ini

Libreria
C:\WINDOWS\DH.dll

ID di classe
HKEY_CLASSES_ROOT\CLSID\.............

-CoolWWWSearch

Pagina di ricerca di IE
HKEY_USERSS-1-5-21-1957994488-484763869-10602842298-1003\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL=about:blank

-Command Service

Eseguibile
C:\Documents and Settings\Nello\Impostazioni locali\Temp\cmdinst.exe

Impostazioni di disinstallazione
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\..................



Alcune di queste voci non mi erano mai uscite. Ora le ho eliminate e ho corretto gli errori trovati. Ti posto il nuovo log di Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 23.34.23, on 20/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Nello\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\q0680ajuedo80.dll
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

[Stev-O]

hai fatto anche una scansione con ewido??

[andorra24]

Fixa queste voci:

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\q0680ajuedo80.dll
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)

Fai una scansione con questo tool seguendo attentamente le istruzioni:
http://www.bleepingcomputer.com/files/smitRem.php

[Stev-O]

mai visto un log da fixare a "passate"

[baycoreano]

Ciao ho fixato gli elementi che mi hai indicato, e ho fatto una scansione con smitrem. Ora ti posto il nuovo log di hijackthis, mi sembra che apre ancora le spyware:

Scan saved at 19.50.37, on 21/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Nello\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C7C7DC7-C2BC-4C87-893B-CDFF6E596BF2}: NameServer = 85.37.17.9 85.38.28.75
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\en2ql1f51.dll
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

[andorra24]

Fixa queste:

O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\en2ql1f51.dll
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)

[baycoreano]

Fixato queste voci, ho fatto anche una scansione con Ewido e mi ha trovato 80 file infetti. Ora posto sia il niovo log di hijackthis e sia il log di Ewido:

Logfile of HijackThis v1.99.1
Scan saved at 20.19.41, on 21/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Programmi\ewido anti-malware\ewidoguard.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nello\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C7C7DC7-C2BC-4C87-893B-CDFF6E596BF2}: NameServer = 85.37.17.9 85.38.28.75
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\en2ql1f51.dll
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmi\ewido anti-malware\ewidoguard.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

EWIDO

---------------------------------------------------------
ewido anti-malware - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 20.14.49, 21/03/2006
+ Report-Checksum: 614A8A4A

+ Risultati scansione:

[1016] C:\WINDOWS\system32\vfrifier.dll -> Adware.Look2Me : Errore durante la pulizia
[1992] C:\WINDOWS\system32\vfrifier.dll -> Adware.Look2Me : Errore durante la pulizia
C:\argc.exe -> Downloader.Adload.t : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\nello@2o7[2].txt -> TrackingCookie.2o7 : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\nello@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][1].txt -> TrackingCookie.Itrack : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\nello@overture[1].txt -> TrackingCookie.Overture : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][2].txt -> TrackingCookie.Realtracker : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\nello@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][1].txt -> TrackingCookie.Adtrak : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\[email protected][2].txt -> TrackingCookie.Popuptraffic : Pulito con Backup
C:\Documents and Settings\Nello\Cookies\nello@xxxcounter[2].txt -> TrackingCookie.Xxxcounter : Pulito con Backup
:mozilla.12:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Cpvfeed : Pulito con Backup
:mozilla.24:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Revenue : Pulito con Backup
:mozilla.28:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Zedo : Pulito con Backup
:mozilla.29:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Zedo : Pulito con Backup
:mozilla.30:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Zedo : Pulito con Backup
:mozilla.31:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Zedo : Pulito con Backup
:mozilla.32:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Zedo : Pulito con Backup
:mozilla.33:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Yieldmanager : Pulito con Backup
:mozilla.34:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Yieldmanager : Pulito con Backup
:mozilla.35:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Yieldmanager : Pulito con Backup
:mozilla.44:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.45:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.46:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.47:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.48:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.49:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.50:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.51:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.52:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.53:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
:mozilla.54:C:\Documents and Settings\Nello\Dati applicazioni\Mozilla\Firefox\Profiles\0u1emfgv.default\cookies.txt -> TrackingCookie.Reliablestats : Pulito con Backup
C:\Documents and Settings\Nello\Desktop\hijackthis\backups\backup-20060320-225143-487.dll -> Dialer.VB.j : Pulito con Backup
C:\Documents and Settings\Nello\zikra.exe -> Downloader.Adload.t : Pulito con Backup
C:\Programmi\webHancer\Programs\webhdll.dll -> Adware.WebHancer : Pulito con Backup
C:\Programmi\webHancer\Programs\whagent.exe -> Adware.WebHancer : Pulito con Backup
C:\Programmi\webHancer\Programs\whiehlpr.dll -> Adware.WebHancer : Pulito con Backup
C:\Programmi\webHancer\Programs\whsurvey.exe -> Adware.WebHancer : Pulito con Backup
C:\Programmi\whInstall -> Adware.Webhancer : Pulito con Backup
C:\Programmi\whInstall\license.txt -> Adware.Webhancer : Pulito con Backup
C:\Programmi\whInstall\readme.txt -> Adware.Webhancer : Pulito con Backup
C:\Programmi\whInstall\whAgent.ini -> Adware.Webhancer : Pulito con Backup
C:\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Pulito con Backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERST_0001_N68M0602NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Pulito con Backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERST_0001_N68M0602NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Pulito con Backup
C:\WINDOWS\Downloaded Program Files\UERST_0001_N68M0602NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Pulito con Backup
C:\WINDOWS\system32\a.exe -> Backdoor.SdBot.aad : Pulito con Backup
C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Pulito con Backup
C:\WINDOWS\system32\asvpack.dll -> Adware.Look2Me : Pulito con Backup
C:\WINDOWS\system32\cndial32.dll -> Adware.Look2Me : Pulito con Backup
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\0T6ROX67\rp5[1].exe -> Backdoor.SdBot.aad : Pulito con Backup
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\0T6ROX67\rp5[2].exe -> Backdoor.SdBot.aad : Pulito con Backup
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\K9Y3WPUF\drsmartload556a[1].exe -> Downloader.Adload.t : Pulito con Backup
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\K9Y3WPUF\drsmartload[1].exe -> Downloader.Adload.u : Pulito con Backup
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\SL6V0XIF\rp5[2].exe -> Backdoor.SdBot.aad : Pulito con Backup
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\SL6V0XIF\winsysban12[1].exe -> Hijacker.VB.li : Pulito con Backup
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\SLA78PMB\rp5[1].exe -> Backdoor.SdBot.aad : Pulito con Backup
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\SLA78PMB\rp5[2].exe -> Backdoor.SdBot.aad : Pulito con Backup
C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Pulito con Backup
C:\WINDOWS\system32\mZg_hook.dll -> Adware.Look2Me : Pulito con Backup
C:\WINDOWS\system32\mzxoci.dll -> Adware.Look2Me : Pulito con Backup
C:\WINDOWS\system32\tHpi32.dll -> Adware.Look2Me : Pulito con Backup
C:\WINDOWS\system32\winabra.exe -> Heuristic.Win32.Morphine-Crypted : Pulito con Backup
C:\WINDOWS\system32\wzppmht.exe -> Dropper.Paradrop.a : Pulito con Backup
C:\WINDOWS\system32\zikra.exe -> Downloader.Adload.t : Pulito con Backup
C:\WINDOWS\system32\__delete_on_reboot__vfrifier.dll -> Adware.Look2Me : Pulito con Backup
C:\WINDOWS\THVjaWFubw\asappsrv.dll -> Adware.CommAd : Pulito con Backup
C:\WINDOWS\THVjaWFubw\command.exe -> Adware.CommAd : Pulito con Backup
C:\WINDOWS\wallpap.exe -> Hijacker.Agent.gp : Pulito con Backup
C:\winsysban12.exe -> Hijacker.VB.li : Pulito con Backup


::Fine Rapportoਊ


Ma non è che queste operazioni devo farle in modalità provvisoria???

[andorra24]

Ewido ti ha trovato tantissime infezioni, avevi il pc davvero molto inquinato. Ci sono alcune voci del log di hijackthis che devi fixare in modalita' provvisoria dopo aver disattivato il ripristino di sistema e sono queste:

O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\en2ql1f51.dll
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: Performance True Type Font (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)

Per disattivare il ripristino di sistema segui le istruzioni:
http://service1.symantec.com/SUPPORT...20823151930924

Per andare in modalita' provvisoria:
http://service1.symantec.com/SUPPORT...20722090503924

ps: gia' che vai in modalita' provvisoria ripeti anche la scansione con ewido.

[baycoreano]

Sono andato in modalità provvisoria, ma hijackthis non lo trovo, come mai?? La scansione la faccio solo con Ewido??

[andorra24]

Quote:

Originariamente inviato da baycoreano

Sono andato in modalità provvisoria, ma hijackthis non lo trovo, come mai?? La scansione la faccio solo con Ewido??

In che senso non lo trovi?
In qualche cartella deve esserci per forza, cercalo meglio. Ci sono quelle voci del log che vanno fixate. Se non riesci in modalita' normale devi insistere in mod.provvisoria. Inoltre ripeti la scansione con ewido sempre in mod.provvisoria.

[Stev-O]

ma è sempre lo stesso log di ieri???

[andorra24]

Quote:

Originariamente inviato da Stev-O

ma è sempre lo stesso log di ieri???

Si, era pieno zeppo di malwares.