#1
Member
Joined: Oct 2004
City: Rossano Veneto
Posts: 110
Residual problems
My problem is the following:
I opened a file containing an unidentified trojan; it is probably Trojan.Admincash.B, but that one probably got in after the firewall went down because of the first trojan. Naturally, as soon as the firewall went down, you can well imagine what got into the PC. After two days of exhausting struggle I managed to remove all the various viruses, trojans and spyware, or at least so it seems. The PC works fine except that at every reboot the firewall is not active and this text appears as the wallpaper (see attachment); it cannot be changed because the Background tab, among others, does not appear in the desktop properties. Can anyone help me??
#2
Senior Member
Joined: May 2005
City: Bari (but I'd like to live in Paris...)
Posts: 821
It shows the text trojan smitfraud c; if that's the one, there is a discussion here
__________________
I only make friends with friendly, nice people; if you aren't, click here, but do visit My Site
#3
Member
Joined: Oct 2004
City: Rossano Veneto
Posts: 110
Sorry for my ignorance, but I haven't understood how to solve the problem; the link you gave me takes me to a program download, and then???
#4
Senior Member
Joined: May 2005
City: Bari (but I'd like to live in Paris...)
Posts: 821
The link leads to a discussion; read bluepix's post, go to the link it gives, and read it (in English), ALL of it
__________________
I only make friends with friendly, nice people; if you aren't, click here, but do visit My Site
#5
Member
Joined: Oct 2004
City: Rossano Veneto
Posts: 110
But I have to register!! What do I do?
__________________
Last edited by vicus: 22-06-2005 at 10:27. Reason: sorry, I didn't see that the page continues
#6
Senior Member
Joined: May 2005
City: Bari (but I'd like to live in Paris...)
Posts: 821
If you had read the whole page you would have seen that there are removal instructions; anyway, here they are:
Tools Needed for this fix:
* HijackThis
* Killbox
* Smitfraud.reg
* Hoster
* Deldomains.inf
* Cleanup!
* ActiveScan

Related Tutorials:
* How to use HijackThis to remove Browser Hijackers & Spyware

Symptoms in a HijackThis Log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =http:://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\System32\LogFiles\A5281300.so
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)

Note: Not all these O4 entries may be present. The O2 entry may have a different name but will start with hp.

Removal Instructions:

In order to remove this infection we will need to use HijackThis to manually remove the infection:

1. Print out these instructions as we will need to shutdown every window that is open later in the fix.

2. Download HijackThis and save it to your C:\ folder. Extract the hijackthis.zip file to c:\hijackthis. We will use this program later.

3. Enter the Windows Control Panel and double-click on Add/Remove Programs.

4. When the installed programs list appears, double-click on the following entries if they exist and allow them to uninstall.

Security IGuard
Virtual Maid
Search Maid

Then exit the Add/Remove Programs screen and the Control Panel.

5. Right-click: HERE and select Save As (in Internet Explorer it's labeled Save Target As) in order to download the Smitfraud.reg file. Save this file to your desktop. Locate the smitfraud.reg file on your desktop and double-click it. When asked if you want to merge with the registry, click the YES button. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

6. Configure your computer so you can see all hidden files. How to see hidden files in Windows

7. Download the Killbox by Option^Explicit and save it to your desktop. Extract killbox.zip to your desktop. Then double-click on the killbox.exe program.

8. When the program is open, select the option labeled Delete on reboot.

9. Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.

10. When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad window and press Control-V to paste the contents into the notepad.

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\windows\desktop.html
C:\windows\screen.html
C:\WINDOWS\zloader3.exe
C:\Windows\System32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\system32\perfcii.ini
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\system32\oleadm.dll
C:\WINDOWS\system32\oleadm32.dll
C:\WINDOWS\system32\wp.bmp
C:\WINDOWS\system32\wp.bmp
C:\Windows\System32\LogFiles\A5281300.so
C:\Windows\System32\winnook.exe

11. Return to Killbox, go to the File menu and select Paste from Clipboard.

12. Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

13. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then press the enter button on your keyboard.

14. Using Windows Explorer, delete the following files, if found (please do NOT try to find them by "search" because they will not show up that way).

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

15. While still in Safe Mode, do the following: Make sure all programs and windows are closed. Double-click on C:\hijackthis\hijackthis.exe that you had downloaded and extracted earlier. When the program starts place a check next to each of the following bolded entries, if found, then click the FIX CHECKED button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =http:://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http:://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\System32\LogFiles\A5281300.so
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)

16. When it is done fixing the entries, exit the HijackThis program and restart your computer so it's back into normal mode.

17. Download The Hoster and run hoster.exe. Press the Restore Original Hosts button and then press the OK button. When it is done, exit the program.

18. Right-Click HERE and select Save As to download DelDomains.inf to your desktop.

19. Now RIGHT-CLICK on the DelDomains.inf file on your desktop and select the Install option. Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

20. Download, install, and run CleanUp!

21. Run this online virus scan ActiveScan to clean up any left over traces of these infections.

22. Follow the steps here: Simple and easy ways to keep your computer safe and secure on the Internet

Your computer should now be free of the Smitfraud / Quicknavigate / VirtualMaid infections. It is likely, though, that this infection was installed with other malware. If you need help removing it, post a hijackthis log in the forums.
__________________
I only make friends with friendly, nice people; if you aren't, click here, but do visit My Site
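The "Symptoms in a HijackThis Log" list quoted in post #6 can be checked against a saved log mechanically. The following is an added example, not part of the thread or of the quoted guide: the names `classify`, `scan` and `SAMPLE_LOG` are hypothetical, the indicators are the ones listed in the guide, and the sample log is constructed (its `ExampleAV` entry is made up).

```python
import re
# Indicators copied from the guide quoted in post #6.
DOMAINS = ("quicknavigate.com", "startsearches.net")
FILES = {"wp.exe", "bsw.exe", "zloader3.exe", "winnook.exe", "hookdump.exe",
         "wldr.dll", "a5281300.so", "security iguard.exe"}
RUN_NAMES = {"windowsfy", "windowsfz", "intel system tool", "security iguard"}

# A HijackThis entry has the form "<section> - <body>", with sections R0, R1, O2, O4, O9...
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|tmp|so)\b", re.I)

def classify(line):
    """Return (section, reason) when a line matches a guide indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m["sec"], m["body"]
    if sec in ("R0", "R1"):  # Internet Explorer start/search page settings
        hit = next((d for d in DOMAINS if d in body.lower()), None)
        return (sec, f"IE setting points at {hit}") if hit else None
    path = PATH_RE.search(body)
    base = path.group(0).rsplit("\\", 1)[-1].lower() if path else ""
    if sec == "O2" and re.fullmatch(r"hp\w*\.tmp", base):
        # Guide note: the O2 name may differ but will start with "hp".
        return sec, f"BHO loaded from {base}"
    if sec == "O4":  # Run-key autostart entries
        name = re.search(r"\[([^\]]+)\]", body)
        if base in FILES or (name and name.group(1).lower() in RUN_NAMES):
            return sec, f"autostart entry {base or name.group(1)}"
    if sec == "O9" and base in FILES:  # IE extra button / Tools menu item
        return sec, f"IE extra button backed by {base}"
    return None

def scan(log_text):
    """Return [(section, reason, line)] for every flagged line of a log."""
    found = ((classify(l), l.strip()) for l in log_text.splitlines())
    return [(*r, l) for r, l in found if r]

# Constructed sample: four entries from the guide plus two benign ones.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:://www.quicknavigate.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\zloader3.exe
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A clean result only means none of the guide's listed entries are present; as the guide itself notes, this infection is often installed alongside other malware.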
#7
Member
Joined: Oct 2004
City: Rossano Veneto
Posts: 110
Desktop problem solved! At the next reboot I'll also check whether the firewall stays up.
#8
Senior Member
Joined: May 2005
City: Bari (but I'd like to live in Paris...)
Posts: 821
Quote:
Post the HijackThis log
__________________
I only make friends with friendly, nice people; if you aren't, click here, but do visit My Site
#9
Member
Joined: Oct 2004
City: Rossano Veneto
Posts: 110
What does "post the log" mean in practice? What does it actually do?
#10
Senior Member
Joined: May 2005
City: Palermo
Posts: 6390
Quote:
All times are GMT +1. The time now is 07:03.



















