crazy.cat ha scritto:marco ballotta ha scritto:Avete qualche idea su come pulire questo schifo?
La procedura può essere simile a questa
http://www.MegaLab.it/5802/come-rimuove ... -antivirusParti in provvisoria, trovi il file exe che si avvia e lo seghi.
Poi dovresti riavere internet e malwarebytes per finire il lavoro.
ciao,
mi sembra abbia funzionato.
Mi sono collegato con il pc infetto alla rete in modalità provvisoria.
Non riuscivo a navigare attraverso Firefox o IE.
Ho modificato le impostazioni Lan di IE, non utilizzando il proxy.
Ho scaricato e aggiornato ATF e Malwarebytes.
Poi ho fatto girate ATF e una scansione completa di Malwarebytes.
Ho riavviato il pc, rimoodificato le impostazioni LAN e mi sembra funzioni regolarmente.
Copio qui i log di Malwarebytes e Hijack (non so come allegarli....)
Cosa ne dici, sono pulito o mi conviene far girare per sicurezza qualcos'altro?
ciao e grazie comunque
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.orgVersione database: 6067
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.6002.18005
15/03/2011 23.05.36
mbam-log-2011-03-15 (23-05-36).txt
Tipo di scansione: Scansione completa (C:\|D:\|)
Elementi esaminati: 528262
Tempo trascorso: 1 ore, 30 minuti, 12 secondi
Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 1
Valori di registro infetti: 2
Voci infette nei dati di registro: 0
Cartelle infette: 0
File infetti: 4
Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)
Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)
Chiavi di registro infette:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> Delete on reboot.
Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{FFF210A8-B654-4EA9-5039-DB2F7C45AEB0} (Trojan.ZbotR.Gen) -> Value: {FFF210A8-B654-4EA9-5039-DB2F7C45AEB0} -> Quarantined and deleted successfully.
Voci infette nei dati di registro:
(Non sono stati rilevati elementi nocivi)
Cartelle infette:
(Non sono stati rilevati elementi nocivi)
File infetti:
c:\Users\Alice\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\UUSee\bass-plugins.exe (PUP.Uusee) -> Quarantined and deleted successfully.
c:\program files\UUSee\uninst.exe (PUP.Uusee) -> Quarantined and deleted successfully.
c:\programdata\jbnfiei07700\jbnfiei07700.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23.27.56, on 15/03/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Users\Alice\AppData\Roaming\cacaoweb\cacaoweb.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Users\Alice\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Alice\AppData\Local\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Users\Alice\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://it.intl.acer.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://it.intl.acer.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-887336755-3516048099-1461371901-1000\..\Run: [AdobeBridge] (User 'Alice')
O8 - Extra context menu item: E&sporta in Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE5D4A9F-1ED8-4C26-9D9D-78EE23CB1FD8}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Application Policy Service - Unknown owner - C:\Windows\system32\config\systemprofile\AppData\Local\Application Policy Service\svchost.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FSPro Filter Service (fsproflt) - FSPro Labs - C:\Windows\system32\fsproflt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oacat.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\Administrator\AppData\Local\TVersity\Media Server\MediaServer.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9547 bytes
Inviato: mar mar 15, 2011 8:52 am![[;)]](http://www.megalab.it/forum/images/smilies/wink.gif "Occhiolino")
![[^]](http://www.megalab.it/forum/images/smilies/Oh-yea.gif "Approvazione")
In più, sen non ti fa aggiornare le definizioni, 