www.MegaLab.it

da **danyela** » ven dic 15, 2006 1:01 pm

Allora sono riuscita a riaprire Avenger con la modalità provvisoria, ho rifatto tutto il procedimento come ieri, ho riavviato il pc in modalità provvisoria ed ho aperto il log di avenger che ti allego:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dcvvxwmw

*******************

Script file located at: \??\E:\lkxieagf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

File E:\WINDOWS\SYSTEM32\lzx32.sys not found!
Deletion of file E:\WINDOWS\SYSTEM32\lzx32.sys failed!

Could not process line:
E:\WINDOWS\SYSTEM32\lzx32.sys
Status: 0xc0000034

File E:\WINDOWS\ctfmon32.dll not found!
Deletion of file E:\WINDOWS\ctfmon32.dll failed!

Could not process line:
E:\WINDOWS\ctfmon32.dll
Status: 0xc0000034

File E:\WINDOWS\ctfmon32.exe not found!
Deletion of file E:\WINDOWS\ctfmon32.exe failed!

Could not process line:
E:\WINDOWS\ctfmon32.exe
Status: 0xc0000034

File E:\WINDOWS\service32.exe not found!
Deletion of file E:\WINDOWS\service32.exe failed!

Could not process line:
E:\WINDOWS\service32.exe
Status: 0xc0000034

File E:\WINDOWS\24116418351.exe not found!
Deletion of file E:\WINDOWS\24116418351.exe failed!

Could not process line:
E:\WINDOWS\24116418351.exe
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|1
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|1 failed!
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

Ho inoltre impostato per visualizzare i file nascosti, ma non sono riuscita a trovare i file che mi hai indicato, ora ci riprovo in modalità provvisoria....GRAZIE

da **Amantide** » ven dic 15, 2006 1:08 pm

Questa è la seconda volta che esegui Avenger, è vero? In questo log dice che i file non sono stati trovati, evidentemente sono stati eliminati durante la precedente scansione. Hai provato a vedere se ora si aprono Hijackthis e tool della Prevx e Symantec (quest'ultimo dev'essere avviato dalla modalità provvisoria)?

da **danyela** » ven dic 15, 2006 1:16 pm

Ho fatto la scansione con Hijackthis(che ora sono riuscita ad aprire) sempre in modalità provvisoria, questo è i log:

Logfile of HijackThis v1.99.1
Scan saved at 11.12.51, on 15/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\Explorer.EXE
E:\Programmi\Internet Explorer\iexplore.exe
E:\Documents and Settings\fs\Desktop\Tools_antivirus\_a_i_g_i_a_c_k_t_h_i_s.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=e:\windows\system32\userinit.exe,"e:\windows\compaqnetwork.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {F118B90E-6475-D392-96A1-C53F0BB257D4} - E:\WINDOWS\dtipq1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Programmi\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVRemote] E:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [MMTray] "E:\Programmi\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolControl] E:\WINDOWS\volumec.exe -i
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ImMsn] E:\WINDOWS\msncomm.exe /i
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [mmtask] "E:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [ddwunssd] E:\bvimktak.bat
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xmk134YYIT
O8 - Extra context menu item: Invia a &Bluetooth - E:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\PROGRA~1\YAHOO!\COMMON\yhexbmesit.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\PROGRA~1\YAHOO!\COMMON\yhexbmesit.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O16 - DPF: Win32 Classes -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

Aspetto per il prossimo passo

da **Amantide** » ven dic 15, 2006 1:31 pm

Elimina questo file e:\windows\compaqnetwork.exe dopodiche dovrebbero partire tutti i tools di rimozione. Oltre a gromozon ci sono anche altri virus, ma a quelli penseremo dopo.

da **Amantide** » ven dic 15, 2006 1:35 pm

Dopo dovrai usare questo tool per rimuovere Alexa Toolbar.

da **danyela** » ven dic 15, 2006 1:42 pm

Amantide ha scritto:Elimina questo file e:\windows\compaqnetwork.exe dopodiche dovrebbero partire tutti i tools di rimozione. Oltre a gromozon ci sono anche altri virus, ma a quelli penseremo dopo.

Scusa ma lo devo eliminare dalla finestra di HijackThis che si è aperta?[/quote]

da **Amantide** » ven dic 15, 2006 1:45 pm

danyela ha scritto:
Amantide ha scritto:Elimina questo file e:\windows\compaqnetwork.exe dopodiche dovrebbero partire tutti i tools di rimozione. Oltre a gromozon ci sono anche altri virus, ma a quelli penseremo dopo.

Scusa ma lo devo eliminare dalla finestra di HijackThis che si è aperta?

No, lo devi eliminare manualmente dalla modalità provvisoria. In alternativa puoi usare il tool AGVPFIX di Paolo Monti che trovi nella guida.

da **danyela** » ven dic 15, 2006 4:42 pm

Allora, ti aggiorno su quello che ho fatto:
-ho eliminato il file e:\windows\compaqnetwork.exe;

-ho avviato la scansione con Symantec è questo è il report finale:
Symantec Trojan.Linkoptimizer Removal Tool 1.0.8
Trojan.Linkoptimizer has not been found on your computer.

-ho avviato il programma per eliminare Alexa Toolbar e alla fine della scansione dice: Congratulation Alexa Toolbar not installed

-Per quanto riguarda la scansione con Prevx è una delle prime operazioni che ho fatto e questo era il log:
E:\WINDOWS\A.tmp is infected with Adware LinkOptimizer
E:\WINDOWS\5D.tmp is infected with Adware LinkOptimizer
E:\WINDOWS\dtipq1.dll is infected with Adware LinkOptimizer
Scanning Temporary files...
Trojan.Gromozon Removed!
Scan finished normally
For a detailed log, please refer to \gromozon_removal.log

- Infine mi avevi detto di avviare GMER ma non so come si fa [cry]

perché quando clicco sul tool mi esce una finestra bianca...e poi che devo premere [cry+]

Grazie di tutto!!!

da **Amantide** » ven dic 15, 2006 9:34 pm

danyela ha scritto:- Infine mi avevi detto di avviare GMER ma non so come si fa perché quando clicco sul tool mi esce una finestra bianca...e poi che devo premere Grazie di tutto!!!

Devi fare la scansione delle sezioni Autostart e Rootkit premendo il tasto Scan. A scansione avvenuta premi a destra il tasto Copy ed incolla il risultato qui. Devi ripetere il procedimento per tutte due sezioni.
Il log di Gmer ci permetterà di vedere tuti i file infetti e li potremmo eliminare con aiuto di Avenger.

da **danyela** » ven dic 15, 2006 10:32 pm

Ok, fatto. Ti allego i log

Rootkit 2006-12-15 20:28:04
Windows 5.1.2600

---- Registry - GMER 1.0.11 ----

Reg \Registry\USER\S-1-5-21-57989841-1580818891-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:R:\Qbphzragf naq Frggvatf\sf\Erprag\uggc--jcbc15.yvoreb.vg-ptv-ova-jroznvy.ptv-Ub_gebingb_ha_ohba_ynibeb.qbpVQ=VWWrIU0XbhSUJeJzqAJ_iPragRqlUYJJ9RJuouUYIXvk9r8Tq&Npg_Ivrj=1&E_Sbyqre=nJ5vo3t=&zftVQ=3737&Obql=2&svyranzr=Ub_gebingb_ha_ohba_ynibeb.qbp.yax 0x1C 0x01 0x00 0x00 ...

---- EOF - GMER 1.0.11 ----

Autostart 2006-12-15 20:29:53
Windows 5.1.2600

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = e:\windows\system32\userinit.exe,"e:\windows\compaqnetwork.exe",

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
btwdins /*Bluetooth Service*/@ = E:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = E:\WINDOWS\System32\wdfmgr.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SystemTraySysTray.Exe = SysTray.Exe
@PCTVRemoteE:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe /*file not found*/ = E:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe /*file not found*/
@MMTray"E:\Programmi\Musicmatch\Musicmatch Jukebox\mm_tray.exe" = "E:\Programmi\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
@NeroFilterCheckE:\WINDOWS\system32\NeroCheck.exe = E:\WINDOWS\system32\NeroCheck.exe
@QuickTime Task"E:\Programmi\QuickTime\qttask.exe" -atboottime = "E:\Programmi\QuickTime\qttask.exe" -atboottime
@VolControlE:\WINDOWS\volumec.exe -i /*file not found*/ = E:\WINDOWS\volumec.exe -i /*file not found*/
@Adobe Photo Downloader"E:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" = "E:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
@ImMsnE:\WINDOWS\msncomm.exe /i /*file not found*/ = E:\WINDOWS\msncomm.exe /i /*file not found*/
@UnlockerAssistant"E:\Programmi\Unlocker\UnlockerAssistant.exe" = "E:\Programmi\Unlocker\UnlockerAssistant.exe"
@mmtask"E:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe" = "E:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Yahoo! Pager"E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet = "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
@ctfmon.exeE:\WINDOWS\System32\ctfmon.exe = E:\WINDOWS\System32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/E:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = E:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/(null) =
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/E:\WINDOWS\System32\BTNEIG~1.DLL = E:\WINDOWS\System32\BTNEIG~1.DLL
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/E:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll = E:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/E:\Programmi\Unlocker\UnlockerCOM.dll = E:\Programmi\Unlocker\UnlockerCOM.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = E:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = E:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = E:\Programmi\Unlocker\UnlockerCOM.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{F118B90E-6475-D392-96A1-C53F0BB257D4}E:\WINDOWS\dtipq1.dll /*file not found*/ = E:\WINDOWS\dtipq1.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = none /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://it.yahoo.com = http://it.yahoo.com
@Start Pagehttp://it.yahoo.com = http://it.yahoo.com
@Local PageE:\WINDOWS\SYSTEM\blank.htm = E:\WINDOWS\SYSTEM\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.libero.it/ = http://www.libero.it/
@Local PageE:\WINDOWS\System32\blank.htm = E:\WINDOWS\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = E:\WINDOWS\System32\msvidctl.dll
its@CLSID = E:\WINDOWS\System32\itss.dll
lid@CLSID = E:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = E:\WINDOWS\System32\itss.dll
msnim@CLSID = "E:\PROGRA~1\MSNMES~1\msgrapp.dll"
ndwiat@CLSID = E:\WINDOWS\System32\wiascr.dll
tv@CLSID = E:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = E:\WINDOWS\System32\msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = E:\WINDOWS\System32\wiascr.dll

E:\WINDOWS\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Microsoft Office.lnk = Microsoft Office.lnk
BTTray.lnk = BTTray.lnk

---- EOF - GMER 1.0.11 ----

da **danyela** » sab dic 16, 2006 4:24 pm

Per piacere qualcuno può aiutarmi con i log di GMER? Ho inoltre fatto la scansione con ad aware e mi esce un report lunghissimo, non ho eliminato nulla per non fare guai, posso postarlo così me lo guardate e mi aiutate?

da **Amantide** » dom dic 17, 2006 4:19 pm

Mi spiace, ma in questi giorni non ho potuto nemmeno avvicinarmi al computer.
Allora, apri Avenger, incolla ed esegui questo script:

Files to delete:
e:\windows\compaqnetwork.exe
E:\WINDOWS\msncomm.exe
E:\WINDOWS\volumec.exe
E:\WINDOWS\cat_log.log
E:\WINDOWS\wints.ini
E:\WINDOWS\dtipq1.dll

registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | ImMsnE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | VolControl

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F118B90E-6475-D392-96A1-C53F0BB257D4}

Era da tanto che non vedevo un pc cosi mal ridotto. Ma ce l'hai un antivirus e firewall?

da **danyela** » dom dic 17, 2006 4:39 pm

Grazie mille, sei gentilissima!!!

Ti alllego il log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mtyeghhr

*******************

Script file located at: \??\E:\favbbvvp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

File e:\windows\compaqnetwork.exe not found!
Deletion of file e:\windows\compaqnetwork.exe failed!

Could not process line:
e:\windows\compaqnetwork.exe
Status: 0xc0000034

File E:\WINDOWS\msncomm.exe not found!
Deletion of file E:\WINDOWS\msncomm.exe failed!

Could not process line:
E:\WINDOWS\msncomm.exe
Status: 0xc0000034

File E:\WINDOWS\volumec.exe not found!
Deletion of file E:\WINDOWS\volumec.exe failed!

Could not process line:
E:\WINDOWS\volumec.exe
Status: 0xc0000034

File E:\WINDOWS\cat_log.log deleted successfully.
File E:\WINDOWS\wints.ini deleted successfully.

File E:\WINDOWS\dtipq1.dll not found!
Deletion of file E:\WINDOWS\dtipq1.dll failed!

Could not process line:
E:\WINDOWS\dtipq1.dll
Status: 0xc0000034

Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit replaced with dummy successfully.

Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ImMsnE
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ImMsnE failed!
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|VolControl deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F118B90E-6475-D392-96A1-C53F0BB257D4} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mtyeghhr

*******************

Script file located at: \??\E:\favbbvvp.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!

P.S. Come antivirus ho l'Antivir, il problema del mio pc è che la mia sorellina sta solo su internet a scaricarsi suonerie ed altro...

da **Amantide** » dom dic 17, 2006 4:52 pm

Metti anche un buon firewall, Zone Alarm o Comodo Firewall e magari anche Spyware Terminator per la protezione in tempo reale.

Dal log di Avenger sembra che la metà delle cose visibili nel log di Gmer non si trovano, può anche essere dovuto al fatto che sono passati 2 giorni è qualcosa è stato eliminato al riavvio o in altro modo.
Per sicurezza ripostami i nuovi log di Hijackthis e di Gmer (sezioni Autostart e Rootkit).
Il computer ora come va? Si è migliorata un po' la situazione?

da **danyela** » dom dic 17, 2006 5:04 pm

Il pc va meglio, non è più lento come prima. Inoltre prima al riavvio mi usciva sempre una finestra con la scritta DLL E:\Progra-1|MYWEBS1|bar|2.bin|MWSBAR.DLL che ora non mi esce più...era molto rovinato vero? comunque grazie per tutti i consigli, provvederò all'installazione del firewell. Momentaneamete ho disinstallato Antivir perché non mi faceva fare niente in quanto mi apriva in continuazione la finestra ctfmon32.dll non facendomelo eliminare. ora però lo reinstallo.
Eccoti il log di HijackThis, tra 5 min ti allego pure il nuovo GMER

Logfile of HijackThis v1.99.1
Scan saved at 14.56.04, on 17/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Programmi\Musicmatch\Musicmatch Jukebox\mm_tray.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
E:\Programmi\Internet Explorer\iexplore.exe
E:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\VEXPLITE\viritsvc.exe
E:\Documents and Settings\fs\Desktop\Tools_antivirus\_a_i_g_i_a_c_k_t_h_i_s.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=e:\windows\system32\userinit.exe,"e:\windows\compaqnetwork.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {F118B90E-6475-D392-96A1-C53F0BB257D4} - E:\WINDOWS\dtipq1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Programmi\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVRemote] E:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [MMTray] "E:\Programmi\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolControl] E:\WINDOWS\volumec.exe -i
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ImMsn] E:\WINDOWS\msncomm.exe /i
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [mmtask] "E:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xmk134YYIT
O8 - Extra context menu item: Invia a &Bluetooth - E:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\PROGRA~1\YAHOO!\COMMON\yhexbmesit.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\PROGRA~1\YAHOO!\COMMON\yhexbmesit.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O16 - DPF: Win32 Classes -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

da **danyela** » dom dic 17, 2006 5:14 pm

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-12-17 15:14:36
Windows 5.1.2600

---- Registry - GMER 1.0.11 ----

Reg \Registry\USER\S-1-5-21-57989841-1580818891-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:R:\Qbphzragf naq Frggvatf\sf\Erprag\uggc--jcbc15.yvoreb.vg-ptv-ova-jroznvy.ptv-Ub_gebingb_ha_ohba_ynibeb.qbpVQ=VWWrIU0XbhSUJeJzqAJ_iPragRqlUYJJ9RJuouUYIXvk9r8Tq&Npg_Ivrj=1&E_Sbyqre=nJ5vo3t=&zftVQ=3737&Obql=2&svyranzr=Ub_gebingb_ha_ohba_ynibeb.qbp.yax 0x1C 0x01 0x00 0x00 ...

---- EOF - GMER 1.0.11 ----

GMER 1.0.11.11390 - http://www.gmer.net
Autostart 2006-12-17 15:15:03
Windows 5.1.2600

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = e:\windows\system32\userinit.exe,"e:\windows\compaqnetwork.exe",

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
btwdins /*Bluetooth Service*/@ = E:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = E:\WINDOWS\System32\wdfmgr.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SystemTraySysTray.Exe = SysTray.Exe
@PCTVRemoteE:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe /*file not found*/ = E:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe /*file not found*/
@MMTray"E:\Programmi\Musicmatch\Musicmatch Jukebox\mm_tray.exe" = "E:\Programmi\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
@NeroFilterCheckE:\WINDOWS\system32\NeroCheck.exe = E:\WINDOWS\system32\NeroCheck.exe
@QuickTime Task"E:\Programmi\QuickTime\qttask.exe" -atboottime = "E:\Programmi\QuickTime\qttask.exe" -atboottime
@VolControlE:\WINDOWS\volumec.exe -i /*file not found*/ = E:\WINDOWS\volumec.exe -i /*file not found*/
@Adobe Photo Downloader"E:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" = "E:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
@ImMsnE:\WINDOWS\msncomm.exe /i /*file not found*/ = E:\WINDOWS\msncomm.exe /i /*file not found*/
@UnlockerAssistant"E:\Programmi\Unlocker\UnlockerAssistant.exe" = "E:\Programmi\Unlocker\UnlockerAssistant.exe"
@mmtask"E:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe" = "E:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Yahoo! Pager"E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet = "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
@ctfmon.exeE:\WINDOWS\System32\ctfmon.exe = E:\WINDOWS\System32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/E:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = E:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/(null) =
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/E:\WINDOWS\System32\BTNEIG~1.DLL = E:\WINDOWS\System32\BTNEIG~1.DLL
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/E:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll = E:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/E:\Programmi\Unlocker\UnlockerCOM.dll = E:\Programmi\Unlocker\UnlockerCOM.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = E:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = E:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = E:\Programmi\Unlocker\UnlockerCOM.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{F118B90E-6475-D392-96A1-C53F0BB257D4}E:\WINDOWS\dtipq1.dll /*file not found*/ = E:\WINDOWS\dtipq1.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = none /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://it.yahoo.com = http://it.yahoo.com
@Start Pagehttp://it.yahoo.com = http://it.yahoo.com
@Local PageE:\WINDOWS\SYSTEM\blank.htm = E:\WINDOWS\SYSTEM\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.libero.it/ = http://www.libero.it/
@Local PageE:\WINDOWS\System32\blank.htm = E:\WINDOWS\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = E:\WINDOWS\System32\msvidctl.dll
its@CLSID = E:\WINDOWS\System32\itss.dll
lid@CLSID = E:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = E:\WINDOWS\System32\itss.dll
msnim@CLSID = "E:\PROGRA~1\MSNMES~1\msgrapp.dll"
ndwiat@CLSID = E:\WINDOWS\System32\wiascr.dll
tv@CLSID = E:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = E:\WINDOWS\System32\msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = E:\WINDOWS\System32\wiascr.dll

E:\WINDOWS\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Microsoft Office.lnk = Microsoft Office.lnk
BTTray.lnk = BTTray.lnk

---- EOF - GMER 1.0.11 ----

da **Amantide** » dom dic 17, 2006 5:18 pm

Mi sa che il log di Hijackthis avevi fatto prima di eseguire lo script di Avenger, riporta questo orario

Scan saved at 14.56.04, on 17/12/2006

mente lo script per Avenger ti avevo postato alle 15.19.

da **danyela** » dom dic 17, 2006 5:26 pm

è che il mio pc porta 1 ora dietro....forse è dovuto a questo...non mi chiedere il perché ma si è cambiato da solo l'orario!!!
comunque nel dubbio l'ho rifatto

Logfile of HijackThis v1.99.1
Scan saved at 15.24.27, on 17/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Programmi\Musicmatch\Musicmatch Jukebox\mm_tray.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
E:\Programmi\Internet Explorer\iexplore.exe
E:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\VEXPLITE\viritsvc.exe
E:\WINDOWS\System32\msiexec.exe
E:\Documents and Settings\fs\Desktop\Tools_antivirus\_a_i_g_i_a_c_k_t_h_i_s.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=e:\windows\system32\userinit.exe,"e:\windows\compaqnetwork.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {F118B90E-6475-D392-96A1-C53F0BB257D4} - E:\WINDOWS\dtipq1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Programmi\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVRemote] E:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [MMTray] "E:\Programmi\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolControl] E:\WINDOWS\volumec.exe -i
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ImMsn] E:\WINDOWS\msncomm.exe /i
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [mmtask] "E:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xmk134YYIT
O8 - Extra context menu item: Invia a &Bluetooth - E:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\PROGRA~1\YAHOO!\COMMON\yhexbmesit.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\PROGRA~1\YAHOO!\COMMON\yhexbmesit.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O16 - DPF: Win32 Classes -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

da **Amantide** » dom dic 17, 2006 5:57 pm

Mi sa che non si riesce ad eliminare certe voci e file con aiuto di Avenger, ora prova afd eliminarli a mano.
Avvia il computer in modalità provvisoria, abilita la visualizzazione dei file nascosti, trova ed elimina questi file (sempre se ci sono):
e:\windows\compaqnetwork.exe
E:\WINDOWS\dtipq1.dll
E:\WINDOWS\volumec.exe
E:\WINDOWS\msncomm.exe
E:\WINDOWS\web\related.htm
E:\WINDOWS\SYSTEM\blank.htm

Eliminati questi file dovresti ripulire manualmente il registro, con estrema cauzione. Vai su Start--> Esegui , scrivi regedit e premi Ok.
Espandendo le chiavi arriva fino a questo valore:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Nel panello a destra trova il valore Userinit, fai il doppio click sopra e cancella questa parte dalla riga: "e:\windows\compaqnetwork.exe",
facendo attenzione di preservare questa parte, compresa di virgola finale:
e:\windows\system32\userinit.exe,

Ora trova ed elimina anche questi valori in rosso (puoi aiutarti con opzione Modifica--> Trova per cercare il valore che ci interessa):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VolControl
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ImMsnE
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F118B90E-6475-D392-96A1-C53F0BB257D4}

Dopo rifai la scansionecon Hijackthis, metti la spunta accanto a queste voci e premi Fix Checked:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=e:\windows\system32\userinit.exe,"e:\windows\compaqnetwork.exe",
O2 - BHO: Class - {F118B90E-6475-D392-96A1-C53F0BB257D4} - E:\WINDOWS\dtipq1.dll (file missing)
O4 - HKLM\..\Run: [VolControl] E:\WINDOWS\volumec.exe -i
O4 - HKLM\..\Run: [ImMsn] E:\WINDOWS\msncomm.exe /i
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xmk134YYIT

Dopo aver fatte queste pulizie faresti bene a fare la scansione con i tools di rimozione della Prexz e Symantec (quelli x Gromozon) ed anche con AVG Anti-Spyware.

da **danyela** » lun dic 18, 2006 12:32 am

Dei file che mi hai indicato sono riuscita a trovare solo
E:\WINDOWS\web\related.htm
e l'ho eliminato. Ora devo comunque ripulire il registro come mi hai detto pur non avendo eliminato i file?

Scusami se ti faccio tutte queste domande ma senza il tuo aiuto non saprei proprio dove mettere mano!

www.MegaLab.it

ctfmon32.dll

Chi c’è in linea