Suspicious intrusions and detected viruses



Post by macula_2000 » Thu Nov 23, 2006 7:27 pm

Well, first of all, many thanks for any answer/advice you will give me about this, and congratulations on the forum, a real gem if not the last lifeline before formatting the whole PC [cry+]

That said, I'll get straight to describing the problem:

for several days the PC has been behaving strangely: at times MS-DOS sub-windows were being opened by Temp files I had never seen before, Spybot was blocking the execution of some suspicious programs (similar in name) and Panda keeps reporting and blocking intrusion attempts from other IP addresses and keeps removing some viruses

(below a short report of Panda's activity)

Richiesta Echo ICMP 23/11/06 18:02:10 Bloccato Indirizzo IP di origine: 82.49.128.109
Richiesta Echo ICMP 23/11/06 18:00:12 Bloccato Indirizzo IP di origine: 82.49.123.247
Richiesta Echo ICMP 23/11/06 17:46:54 Bloccato Indirizzo IP di origine: 82.49.121.164
Virus rilevato: Trj/Rizalof.KW 23/11/06 17:43:10 Disinfettato Posizione: http://up.medbod.com/up/injs.q.exe?jeid-1_3529_1772
Virus rilevato: Trj/Rizalof.KW 23/11/06 17:43:10 Disinfettato Posizione: c:\docume~1\computer\impost~1\temp\16exinjs.q.exe
Virus di rete: Exploit/LSASS 23/11/06 17:33:35 Bloccato IP Remoto: 82.49.26.32
Richiesta Echo ICMP 23/11/06 17:32:35 Bloccato Indirizzo IP di origine: 82.49.123.214


(below a short report of Spybot's activity)

23/11/2006 17.43.13 Encountered and terminated Spabot in C:\DOCUME~1\computer\IMPOST~1\Temp\4exmodul32f.b.exe!


Not convinced by that, I downloaded and tried, both in safe mode and in normal mode, with and without System Restore disabled, several antivirus and antispyware programs, going through Ewido, CCleaner, Spybot, VirIT and Panda, which, apart from a few downloaders deleted, no longer detect anything.

Every time I keep finding the instant appearance of these files (albeit with a few different little numbers)

33exinjs.q.exe
55exinjs.p.exe
99exinjs.q.exe

96exmodul32f.b.exe

etc. etc.

and from their execution viruses start (blocked, fortunately) such as Rizalof and Exploit/LSASS

here below the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3.11.08, on 23/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
c:\programmi\panda software\panda titanium antivirus 2005\WebProxy.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Virgilio Toolbar - {D3403F28-7D39-435F-A8CB-45016C29E48E} - C:\Programmi\Virgilio Toolbar\VirgilioBand.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Programmi\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmi\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmi\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 9897107296
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/it/it/tools/activex/fpu.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E17BE5B-4355-4216-813B-0E0062BDD19D}: NameServer = 192.168.0.1
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: classes - C:\WINDOWS\
O20 - Winlogon Notify: disk - C:\WINDOWS\
O20 - Winlogon Notify: eventss - C:\WINDOWS\
O20 - Winlogon Notify: gg - C:\WINDOWS\
O20 - Winlogon Notify: lindows - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe


Before touching anything I'm asking you, so as not to do further damage.

thanks again for everything :)

P.S. be lenient, I understand little about PCs and programs :(

Post by Amantide » Thu Nov 23, 2006 10:08 pm

Your computer is in pretty bad shape, but it can be fixed.

R3 - Default URLSearchHook is missing -
this entry could indicate the presence of Gromozon/LinkOptimizer. To be safe, run a scan with VirIt.

Also select these entries and press Fix checked:
O2 - BHO: (no name) - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - (no file)
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: classes - C:\WINDOWS\
O20 - Winlogon Notify: disk - C:\WINDOWS\
O20 - Winlogon Notify: eventss - C:\WINDOWS\
O20 - Winlogon Notify: gg - C:\WINDOWS\
O20 - Winlogon Notify: lindows - C:\WINDOWS\

Now you should delete the file in red; you can do it from safe mode or with the help of Unlocker or KillBox.

After that, open the registry (Start--> Run--> regedit), find the subkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and in the right-hand pane delete this value:
".nvsvc"="C:\WINDOWS\smss.exe /w"

Go to Start--> Run and run these commands one at a time (the service name contains a space, so it has to be quoted):
sc stop "Windows Log"
sc delete "Windows Log"


Finally, download CCleaner and clean all temporary files; before the scan make sure you disable, under Options, "Delete files in Windows Temp only if older than 48 hours".

Instead of Spybot I recommend using AVG Anti-Spyware (formerly Ewido) or A-squared.
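The triage Amantide does by eye above (the missing URLSearchHook, the orphaned BHO, a copy of smss.exe started from C:\WINDOWS\system instead of system32, Winlogon Notify packages that point at a bare C:\WINDOWS\) can be turned into rules. The script below is an added example, not code from the thread or from HijackThis: it applies those rules to HijackThis log lines and, with the same path check, to the Windows Firewall AuthorizedApplications entries macula_2000 posts later in the thread. The allowlist of Windows XP Winlogon Notify packages, the severity labels and the sample data are assumptions constructed for the example; the sample log lines are copied from the first log above.

```python
"""Rule-based triage of a HijackThis v1.99 log and of Windows Firewall
AuthorizedApplications entries, using the indicators discussed in this thread.
The rules, the XP Winlogon Notify allowlist and the sample data are assumptions
constructed for this example; none of it is part of HijackThis."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Core Windows process names that legitimately run only from %SystemRoot%\system32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe",
                 "services.exe", "svchost.exe"}
# Path fragments marking an executable that lives in a user temp directory.
TEMP_MARKERS = ("\\temp\\", "\\docume~1\\", "\\docume-1\\")
# Winlogon Notify packages that ship with Windows XP (assumed allowlist; HijackThis
# normally hides these, so anything it lists under O20 deserves a look).
XP_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe, quoted or not (O4 lines carry arguments after it).
EXE_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
# Firewall list entry: "<path>.exe:*:Enabled:<name>" (or the garbled "_*:Enabled <name>" form).
FW_ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.exe)[_:]", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str      # HijackThis section (R3, O2, O4, O20) or "FW" for firewall entries
    severity: str  # "high" = act on it, "review" = needs a human look
    reason: str
    line: str


def suspicious_path(path: str) -> str | None:
    """Return why an executable path is suspicious, or None if nothing stands out."""
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    if any(marker in p for marker in TEMP_MARKERS):
        return "executable runs from a temp directory"
    if name in CORE_BINARIES and not directory.endswith("\\system32"):
        return f"core Windows binary name {name} used outside system32"
    return None


def triage_line(line: str) -> Finding | None:
    """Apply the thread's rules to one HijackThis log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process list, header or blank line
    code, body = m.group("code"), m.group("body")
    if code == "R3" and "URLSearchHook is missing" in body:
        return Finding(code, "review",
                       "default URLSearchHook missing; Gromozon/LinkOptimizer indicator", line)
    if code == "O2" and body.endswith("(no file)"):
        return Finding(code, "review", "BHO registered but its DLL is gone (orphaned)", line)
    if code == "O4":
        pm = EXE_PATH_RE.search(body)
        reason = suspicious_path(pm.group(1)) if pm else None
        if reason:
            return Finding(code, "high", reason, line)
    if code == "O20" and body.startswith("Winlogon Notify:"):
        name, _, target = body[len("Winlogon Notify:"):].partition(" - ")
        name, target = name.strip().lower(), target.strip()
        if target.endswith("\\"):
            return Finding(code, "high",
                           "Winlogon Notify package points at a directory, not a DLL", line)
        if name not in XP_NOTIFY_PACKAGES:
            return Finding(code, "review", f"non-default Winlogon Notify package '{name}'", line)
    return None


def triage_log(text: str) -> list[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def triage_firewall_list(entries: list[str]) -> list[Finding]:
    """Flag AuthorizedApplications entries that whitelist an executable from a temp directory."""
    out = []
    for entry in entries:
        m = FW_ENTRY_RE.match(entry.strip())
        reason = suspicious_path(m.group("path")) if m else None
        if reason:
            out.append(Finding("FW", "high", reason, entry))
    return out


# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - (no file)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: classes - C:\WINDOWS\
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
"""
# Constructed sample: one entry from the firewall list macula_2000 posts, one benign one.
SAMPLE_FIREWALL_LIST = [
    r"C:\DOCUME-1\Computer\Impost-1\Temp\16exinjs.q.exe_*:Enabled Microsoft Update",
    r"C:\Programmi\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG) + triage_firewall_list(SAMPLE_FIREWALL_LIST):
        print(f"[{f.severity:6}] {f.code:4} {f.reason}\n         {f.line.strip()}")
```

On the sample data it reports five log findings (R3, O2, O4, O20, O20) and one firewall finding, the Temp executable registered under the name "Microsoft Update".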

Post by macula_2000 » Fri Nov 24, 2006 5:08 am

Thank you for replying :)

I followed your instructions to the letter but ran into some strange events, such as:

1) when selecting the reported BHOs and the R3 hook missing, HijackThis replied that the BHOs could not be deleted because I first had to disable the Explorer browsers, which frankly I didn't understand since I was in safe mode [sbigot]

2) when searching in regedit for the file ".nvsvc"="C:\WINDOWS\smss.exe /w", I simply didn't find it, even though the path was right; I also looked in the neighbouring folders but nothing

3) I ran the HijackThis scan again and I have the impression that the files you told me to fix are still there [cry]

4) Internet Explorer doesn't work anymore, do you know how I can restore it?

5) on the first reboot the temp files I mentioned, 99exinjs.q.exe, were still starting, but the Exploit/LSASS virus is no longer being sent, while now everything seems normal; I don't want to speak too soon and I'm monitoring the situation, in the meantime I'm posting the latest HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 3.55.37, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programmi\DAP\DAP.EXE
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\programmi\panda software\panda titanium antivirus 2005\WebProxy.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... r6/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://it.rd.yahoo.com/customize/ie/def ... /it.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... /www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ie/def ... /it.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Programmi\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmi\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmi\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... n/x86/client/wuweb_site.cab?1009897107296
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/it/it/tools/activex/fpu.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... autocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E17BE5B-4355-4216-813B-0E0062BDD19D}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D69F67F9-AF28-48AB-B5D2-A49C82E97272}: NameServer = 85.37.17.50 85.38.28.76
O20 - Winlogon Notify: avldr - C:\WINDOWS\
O20 - Winlogon Notify: classes - C:\WINDOWS\
O20 - Winlogon Notify: disk - C:\WINDOWS\
O20 - Winlogon Notify: eventss - C:\WINDOWS\
O20 - Winlogon Notify: gg - C:\WINDOWS\
O20 - Winlogon Notify: lindows - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe



Thanks again
I'll leave my MSN contact in case it's needed
xxxxxxxxxxxxxxxxxxx

by Amantide
Leaving an e-mail address in plain view is not a good idea; you end up covered in spam within a few hours. If you want, you can put your MSN contact in your personal profile.

P.S. Next time try to save the log as it is; with all these spaces and blank lines you can't make much out.


Post by Amantide » Fri Nov 24, 2006 2:06 pm

macula_2000 wrote: 2) when searching in regedit for the file ".nvsvc"="C:\WINDOWS\smss.exe /w", I simply didn't find it, even though the path was right; I also looked in the neighbouring folders but nothing.

Sorry, when writing that value I copied the file path wrong; it should have been like this:
".nvsvc"="C:\WINDOWS\system\smss.exe /w"
and in the new log I no longer see it.
The IE problem may be due to Gromozon; you didn't tell me whether you ran the scan with VirIt.

Post by macula_2000 » Fri Nov 24, 2006 7:25 pm

Here I am, so:

I ran the scan with VirIT but it didn't find anything, although before writing on this forum it had removed something (I don't remember what); the name was maybe win32 or something like that

I ran the scan with "suspectfile" to create a log to analyse, but, alas, it can't generate a report. At first I thought it was a Panda problem, interpreting the Suspectfile script as a false positive, but even running the program in safe mode it can't generate the report.

I confirm that smss.exe /w is definitively removed; there's no trace of it in regedit

Now on to the strange things I noticed:

in
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

I found these files

C:\DOCUME-1\Computer\Impost-1\Temp\16exinjs.q.exe
==>C:\DOCUME-1\Computer\Impost-1\Temp\16exinjs.q.exe_*:Enabled Microsoft Update

and the same as above repeated for these names:
99exinjs.q.exe
47exinjs.q.exe
33exinjs.q.exe

4exmodul32f.b.exe
61exmodul32f.b.exe
96exmodul32f.b.exe
97exmodul32f.b.exe

files that of course Panda and Spybot were blocking

The Exploit.LSASS virus intrusion attempt unfortunately continues

For Internet Explorer I could enable VirIT's "repair Explorer" function, but at the moment I'd rather solve the problem first :(

now I'm reposting the HijackThis log, let's see if it reads better:

Logfile of HijackThis v1.99.1
Scan saved at 17.38.07, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\programmi\panda software\panda titanium antivirus 2005\WebProxy.exe
C:\WINDOWS\System32\alg.exe
c:\programmi\file comuni\installshield\updateservice\isuspm.exe
C:\Programmi\File comuni\InstallShield\UpdateService\agent.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmi\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmi\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 9897107296
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/it/it/tools/activex/fpu.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E17BE5B-4355-4216-813B-0E0062BDD19D}: NameServer = 192.168.0.1
O20 - Winlogon Notify: avldr - C:\WINDOWS\
O20 - Winlogon Notify: classes - C:\WINDOWS\
O20 - Winlogon Notify: disk - C:\WINDOWS\
O20 - Winlogon Notify: eventss - C:\WINDOWS\
O20 - Winlogon Notify: gg - C:\WINDOWS\
O20 - Winlogon Notify: lindows - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
macula_2000
New Member
Posts: 13
Joined: Thu Nov 23, 2006 6:59 pm

Post by Amantide » Fri Nov 24, 2006 8:20 pm

macula_2000 wrote:
in
HKML\SYSTEM\controlsetoo1\Services\SharedAccess\Parameter\
Firewallpolicy\StandardProfile\AuthorizedApplications\List

I found these files

C:\DOCUME-1\Computer\Impost-1\Temp\16exinjs.q.exe
==>C:\DOCUME-1\Computer\Impost-1\Temp\16exinjs.q.exe_*:Enabled Microsoft Update

and the same again for these names:
99exinjs.q.exe
47exinjs.q.exe
33exinjs.q.exe

4exmodul32f.b.exe
61exmodul32f.b.exe
96exmodul32f.b.exe
97exmodul32f.b.exe

files which, naturally, Panda and Spybot were blocking

Are you sure Panda was blocking them?
Because here
HKML\SYSTEM\controlsetoo1\Services\SharedAccess\Parameter\
Firewallpolicy\StandardProfile\AuthorizedApplications\List

in place of AuthorizedApplications I would rather have seen BlockedApplications.
Meanwhile, completely empty all the temporary file folders. In your place I would double-check the firewall settings carefully.

Then download this tool, CWShredder, and scan the PC; there are entries that indicate the presence of CoolWebSearch.

Also fix these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - (no file)
O2 - BHO: (no name) - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - (no file)
O20 - Winlogon Notify: classes - C:\WINDOWS\
O20 - Winlogon Notify: disk - C:\WINDOWS\
O20 - Winlogon Notify: eventss - C:\WINDOWS\
O20 - Winlogon Notify: gg - C:\WINDOWS\
O20 - Winlogon Notify: lindows - C:\WINDOWS\

I don't much like the file blank.htm in C:\Windows\; I think it's better to delete it, and the last 3 entries in red are 100% the viruses, but looking carefully, classes and disk shouldn't be there either.

Now you should open the registry and delete these subkeys in red:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\classes
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\disk
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eventss
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gg
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lindows
HKCR\CLSID\{7DBA5E61-9C51-4365-ACD2-DE684E133F8C}
and also this one
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2E07B68-2F46-4DBB-8261-285794B7F8DE}

Other values you might find are these:
HKEY_CLASSES_ROOT\CLSID\{1559C6FD-8BDE-476E-98C7-871E59193FCE}
HKEY_CURRENT_USERS\Software\Microsoft\lindow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1559C6FD-8BDE-476E-98C7-871E59193FCE}
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo
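A way to automate the checks made in this reply over a HijackThis log and over the firewall's AuthorizedApplications values (an added example, not code from the thread, from HijackThis or from Windows): the log lines below are copied from the logs posted in this thread, while the firewall values are constructed in the value format Windows XP SP2 uses for that list, with the scope and display-name fields assumed.

```python
"""Triage of HijackThis log entries and of the XP firewall's AuthorizedApplications list.

Added example; not code from the thread, from HijackThis or from Windows. The
heuristics encode the points made in the reply above: registrations that point
at no file, Winlogon Notify packages with no DLL name, a missing URLSearchHook,
a browser page redirected to a local file, and firewall exceptions for
executables living in a temporary directory.
"""
import re
from typing import Dict, List, Tuple

# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - (no file)
O2 - BHO: (no name) - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O20 - Winlogon Notify: avldr - C:\WINDOWS\
O20 - Winlogon Notify: classes - C:\WINDOWS\
O20 - Winlogon Notify: lindows - C:\WINDOWS\
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# Constructed firewall values in the format Windows XP SP2 uses under
# ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List:
#   <path>:<scope>:<Enabled|Disabled>:<display name>
# The two Temp paths are the ones reported in the thread; the scope and
# display-name fields are assumed.
SAMPLE_FIREWALL_LIST = [
    r"C:\DOCUME-1\Computer\Impost-1\Temp\16exinjs.q.exe:*:Enabled:Microsoft Update",
    r"C:\DOCUME-1\Computer\Impost-1\Temp\4exmodul32f.b.exe:*:Enabled:Microsoft Update",
    r"C:\Programmi\Yahoo!\Messenger\ypager.exe:*:Enabled:Yahoo! Messenger",
    r"C:\Programmi\ICQLite\ICQLite.exe:*:Disabled:ICQ Lite",
]

HJT_LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# A page setting pointing at a file directly under the Windows root. IE's own
# blank.htm lives in system32, so that location is deliberately not matched.
WINDOWS_ROOT_FILE_RE = re.compile(r"=\s*[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (section, reason, original line)


def triage_hjt(log: str) -> List[Finding]:
    """Return one finding per HijackThis line that deserves a fix."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE_RE.match(line)
        if not m:
            continue  # "Running processes" block, blank lines, headers
        section, body = m.groups()
        if section in ("O2", "O9") and "(no file)" in body:
            findings.append((section, "registration points at a missing file (orphaned BHO/button)", line))
        elif section == "O20" and body.startswith("Winlogon Notify:") and body.endswith("\\"):
            findings.append((section, "Winlogon Notify package names a directory, not a DLL", line))
        elif section == "R3" and "is missing" in body:
            findings.append((section, "default URLSearchHook has been removed", line))
        elif section in ("R0", "R1") and WINDOWS_ROOT_FILE_RE.search(body):
            findings.append((section, "browser page redirected to a file in the Windows root", line))
        elif section == "O4" and TEMP_DIR_RE.search(body):
            findings.append((section, "autorun entry launching from a temporary directory", line))
    return findings


def parse_firewall_value(value: str) -> Dict[str, str]:
    """Split one AuthorizedApplications value; rsplit keeps the drive-letter colon inside the path."""
    path, scope, state, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def temp_dir_exceptions(values: List[str]) -> List[str]:
    """Enabled firewall exceptions whose executable sits in a Temp directory."""
    flagged = []
    for value in values:
        entry = parse_firewall_value(value)
        if entry["state"].lower() == "enabled" and TEMP_DIR_RE.search(entry["path"]):
            flagged.append(entry["path"])
    return flagged


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}\n    {line}")
    for path in temp_dir_exceptions(SAMPLE_FIREWALL_LIST):
        print(f"[firewall] Temp-directory executable allowed through: {path}")
```

The O4 entry and the Yahoo BHO pass untouched, which is the point of keying on concrete defects (no file, no DLL name, a Temp path) rather than on unfamiliar names. Entries that come back after every reboot, as happens later in this thread, mean that something still running recreates them, so a listing like this is a symptom to track rather than a fix.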

Post by macula_2000 » Sat Nov 25, 2006 12:09 am

I followed your instructions to the letter, Amantide, but every time it's the same story. I fix them with HijackThis and it gives me this message:

hijackthis about to remove a BHO and the corresponding file from your system.close all internet explorer windows and all windows explore windows before to continuing for the best chance

After this message the entries disappear; to be safe I always run a heuristic scan with Panda, CWShredder and AVG, which all come back negative, but as soon as I reboot and run HijackThis I see the same entries again.

Am I doing something wrong?

Also, I searched RegEdit for the entries you indicated and didn't find a single one.

Here is the updated HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22.46.32, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\programmi\panda software\panda titanium antivirus 2005\WebProxy.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\avciman.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmi\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmi\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 9897107296
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/it/it/tools/activex/fpu.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E17BE5B-4355-4216-813B-0E0062BDD19D}: NameServer = 192.168.0.1
O20 - Winlogon Notify: avldr - C:\WINDOWS\
O20 - Winlogon Notify: classes - C:\WINDOWS\
O20 - Winlogon Notify: disk - C:\WINDOWS\
O20 - Winlogon Notify: eventss - C:\WINDOWS\
O20 - Winlogon Notify: gg - C:\WINDOWS\
O20 - Winlogon Notify: lindows - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe


In total chaos I also ran an online scan on Panda, and here is the report:

Incident Status Location

Possible Virus. Not disinfected C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-171c1378.zip[javautil.zip]
Possible Virus. Not disinfected C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-28492610.zip[javautil.zip]


Well, I don't know what else to do.
I checked Panda's firewall settings: the exinjs files are all set as blocked, and the exmodul32f files don't even exist -.-'

I generated a report with CWShredder; if it's useful I'll post it.

P.S. Thanks again for your help, and sorry.
macula_2000
New Member
Posts: 13
Joined: Thu Nov 23, 2006 6:59 pm

Post by Amantide » Sat Nov 25, 2006 11:46 am

Don't worry, there's nothing to apologise for.

Still, the registry must at least contain the values behind these HijackThis entries:
O20 - Winlogon Notify: classes - C:\WINDOWS\
O20 - Winlogon Notify: disk - C:\WINDOWS\
O20 - Winlogon Notify: eventss - C:\WINDOWS\
O20 - Winlogon Notify: gg - C:\WINDOWS\
O20 - Winlogon Notify: lindows - C:\WINDOWS\

Try searching the registry for these entries: eventss, gg, lindows.

At this point I'd say Panda isn't to be trusted much: if it didn't help you running locally, it certainly won't through the online scan.

Try the online scan with Trend Micro or with Kaspersky. The latter, even if it can't clean the virus off the computer, will give you a log of the infected files.
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by macula_2000 » Sat Nov 25, 2006 4:35 pm

So, I rebooted and checked classes, lindow etc. in regedit; the folders do in fact exist (at least until I fix them), and in Safe Mode they don't even show up, but if I look at the values inside these folders I find nothing, it only says "value not set".

While the scan of "My Computer" finishes, here is the Kaspersky scan of the "critical areas":

Saturday, November 25, 2006 3:12:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/11/2006
Kaspersky Anti-Virus database records: 231610
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\computer\IMPOST~1\Temp\
Scan Statistics
Total number of scanned objects 18346
Number of viruses found 2
Number of infected objects 2 / 0
Number of suspicious objects 0
Duration of the scan process 00:15:03

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\smss.exe Infected: Trojan-Proxy.Win32.Horst.or skipped
C:\WINDOWS\system32\bkup.log Infected: Trojan-Downloader.Win32.Delf.lh skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\Software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\System Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8253.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_798.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\computer\IMPOST~1\Temp\Perflib_Perfdata_590.dat Object is locked skipped
C:\DOCUME~1\computer\IMPOST~1\Temp\Perflib_Perfdata_60c.dat Object is locked skipped
C:\DOCUME~1\computer\IMPOST~1\Temp\Perflib_Perfdata_900.dat Object is locked skipped
Scan process completed.
macula_2000
New Member
Posts: 13
Joined: Thu Nov 23, 2006 6:59 pm

Post by macula_2000 » Sat Nov 25, 2006 6:12 pm

Ehm, I did the full scan of the computer with Kaspersky -.-'''

It looks like a virus party in here.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 25, 2006 5:08:31 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/11/2006
Kaspersky Anti-Virus database records: 231610
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 114104
Number of viruses found: 8
Number of infected objects: 16 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:53:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\computer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\computer\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\cert8.db Object is locked skipped
C:\Documents and Settings\computer\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\history.dat Object is locked skipped
C:\Documents and Settings\computer\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\key3.db Object is locked skipped
C:\Documents and Settings\computer\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\parent.lock Object is locked skipped
C:\Documents and Settings\computer\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\search.sqlite Object is locked skipped
C:\Documents and Settings\computer\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-21521054-71f60554.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5d18a8f2-7c9f265b.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-a3d2037-1c5e5d31.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/Mein.class Infected: Trojan.Java.ClassLoader.aj skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/Prober.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/Beyond.class Infected: Trojan.Java.Binny.a skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/binny/binny.class Infected: Trojan-Dropper.Java.Beyond.d skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/binny/binny2.class Infected: Trojan.Java.Binny.a skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip ZIP: infected - 5 skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-171c1378.zip/javautil.zip Infected: Trojan-Downloader.Win32.Small.brf skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-171c1378.zip ZIP: infected - 1 skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-28492610.zip/javautil.zip Infected: Trojan-Downloader.Win32.Small.brf skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-28492610.zip ZIP: infected - 1 skipped

C:\Documents and Settings\computer\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Cronologia\History.IE5\MSHist012006112520061126\index.dat Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Dati applicazioni\ApplicationHistory\cli.exe.af01e8cc.ini.inuse Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\c4j151la.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Temp\Perflib_Perfdata_590.dat Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Temp\Perflib_Perfdata_60c.dat Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Temp\Perflib_Perfdata_900.dat Object is locked skipped
C:\Documents and Settings\computer\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\computer\ntuser.dat Object is locked skipped
C:\Documents and Settings\computer\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PSK_NAMES2_3 Object is locked skipped
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PSK_NAMES_3 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E98B0DF2-A226-4277-BDE3-BB897CB11D47}\RP970\A0409558.exe Infected: Trojan-Proxy.Win32.Horst.or skipped
C:\System Volume Information\_restore{E98B0DF2-A226-4277-BDE3-BB897CB11D47}\RP972\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\smss.exe Infected: Trojan-Proxy.Win32.Horst.or skipped
C:\WINDOWS\system32\bkup.log Infected: Trojan-Downloader.Win32.Delf.lh skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\Software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\System Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8253.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_798.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


What can be done?
Can it still be saved? -.-'
macula_2000 (New Member), 13 posts, joined Thu Nov 23, 2006 6:59 pm

Posted by crazy.cat » Sat Nov 25, 2006 7:02 pm

http://www.MegaLab.it/2467
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-21521054-71f60554.class   Infected: Trojan-Downloader.Java.OpenStream.y   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5d18a8f2-7c9f265b.class   Infected: Trojan-Downloader.Java.OpenStream.y   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-a3d2037-1c5e5d31.class   Infected: Trojan-Downloader.Java.OpenStream.y   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/Mein.class   Infected: Trojan.Java.ClassLoader.aj   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/Prober.class   Infected: Exploit.Java.ByteVerify   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/Beyond.class   Infected: Trojan.Java.Binny.a   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/binny/binny.class   Infected: Trojan-Dropper.Java.Beyond.d   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip/binny/binny2.class   Infected: Trojan.Java.Binny.a   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip   ZIP: infected - 5   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-171c1378.zip/javautil.zip   Infected: Trojan-Downloader.Win32.Small.brf   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-171c1378.zip   ZIP: infected - 1   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-28492610.zip/javautil.zip   Infected: Trojan-Downloader.Win32.Small.brf   skipped
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-28492610.zip   ZIP: infected - 1   skipped



http://www.MegaLab.it/2330
C:\System Volume Information\_restore{E98B0DF2-A226-4277-BDE3-BB897CB11D47}\RP970\A0409558.exe Infected: Trojan-Proxy.Win32.Horst.or skipped

To delete these two files, use Unlocker if you can't delete them manually.
C:\WINDOWS\system\smss.exe Infected: Trojan-Proxy.Win32.Horst.or skipped
C:\WINDOWS\system32\bkup.log Infected: Trojan-Downloader.Win32.Delf.lh skipped



macula_2000 wrote: Can it still be saved? -.-'

We've seen much worse....
crazy.cat (MLI Hero), 30959 posts, joined Mon Jan 12, 2004 1:38 pm, location: Mestre

Posted by macula_2000 » Sun Nov 26, 2006 1:17 pm

Sorry crazy, how do I delete the last two files?

I mean, isn't smss a critical Windows file?
macula_2000 (New Member), 13 posts, joined Thu Nov 23, 2006 6:59 pm

Posted by crazy.cat » Sun Nov 26, 2006 1:24 pm

The smss.exe in the windows\system32 folder is a Windows file, but look carefully at which folder the one I pointed you to is in.

Open Windows Explorer, find the folders of the two files and delete them.
Or install Unlocker and follow the instructions on this page
http://ccollomb.free.fr/unlocker/
crazy.cat (MLI Hero), 30959 posts, joined Mon Jan 12, 2004 1:38 pm, location: Mestre

Posted by Amantide » Sun Nov 26, 2006 1:25 pm

macula_2000 wrote: Sorry crazy, how do I delete the last two files?

I mean, isn't smss a critical Windows file?

Yes, but only if it is in the C:\WINDOWS\system32\ folder; the file I also told you to delete is C:\WINDOWS\system\smss.exe

To delete them you first have to enable showing hidden and system files (Control Panel --> Folder Options --> View, tick "Show hidden files and folders" and untick "Hide protected operating system files"), then delete them with the help of Unlocker.
Amantide (Official Member (Gold)), 8126 posts, joined Mon Feb 06, 2006 4:13 pm, location: Abruzzo

Posted by macula_2000 » Sun Nov 26, 2006 2:15 pm

I deleted the last two files with Unlocker, but when I follow the scangui instructions (copy the executable and sdat4904 into the scangui folder), as soon as I run the command C:\scangui\sdat4904.exe/e I get the message that the file sdat4904 cannot be found in the specified path, even though the dat is copied right there.
macula_2000 (New Member), 13 posts, joined Thu Nov 23, 2006 6:59 pm

Posted by crazy.cat » Sun Nov 26, 2006 2:17 pm

The command must be written with a space
C:\scangui\sdat4904.exe /e
crazy.cat (MLI Hero), 30959 posts, joined Mon Jan 12, 2004 1:38 pm, location: Mestre

Posted by macula_2000 » Sun Nov 26, 2006 4:46 pm

So, I manually deleted smss.exe with Unlocker and the other file too, but it keeps coming back at every boot; should I disable the restore points before deleting it?

Here is the scangui report; it didn't manage to delete them all:


McAfee VirusScan for Win32 v5.10.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - May 26 2006

Scan engine v5.1.00 for Win32.
Virus data file v4904 created Nov 24 2006
Scanning for 218289 viruses, trojans and variants.



11/26/2006 13:30:28


Options:
/AD /CLEAN /SUB /UNZIP /ALL /RPTCOR /RPTERR /REPORT C:\SCANGUI\SCAN.TXT

Scanning C: []
Scanning C:\*.*
C:\Documents and Settings\Administrator.COMPUTER-VZCM1X\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat ... file could not be opened.
C:\Documents and Settings\Administrator.COMPUTER-VZCM1X\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG ... file could not be opened.
C:\Documents and Settings\Administrator.COMPUTER-VZCM1X\NTUSER.DAT ... file could not be opened.
C:\Documents and Settings\Administrator.COMPUTER-VZCM1X\NTUSER.DAT.LOG ... file could not be opened.
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Dr Watson\user.dmp ... file could not be opened.
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-21521054-71f60554.class ... Found the Generic Downloader.v trojan !!!
The file has been deleted.
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5d18a8f2-7c9f265b.class ... Found the Generic Downloader.v trojan !!!
The file has been deleted.
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-a3d2037-1c5e5d31.class ... Found the Generic Downloader.v trojan !!!
The file has been deleted.
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip\MEIN.CLASS ... Found the Exploit-ByteVerify trojan !!!
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip\PROBER.CLASS ... Found the Exploit-ByteVerify trojan !!!
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip\BEYOND.CLASS ... Found the Exploit-ByteVerify trojan !!!
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip\BINNY.CLASS ... Found the Generic Dropper.g trojan !!!
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-3a4ea0b2.zip\BINNY2.CLASS ... Found the JV/Shinwow trojan !!!
File not renamed - could be archive or compound file.
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-1c7a0c22.zip ... Found the Exploit-ByteVerify trojan !!!
The file has been deleted.
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-171c1378.zip\JAVAUTIL.ZIP\JAVAUTIL.ZIP ... Found the Generic Downloader.k trojan !!!
File not renamed - could be archive or compound file.
C:\Documents and Settings\computer\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16352cad-28492610.zip\JAVAUTIL.ZIP\JAVAUTIL.ZIP ... Found the Generic Downloader.k trojan !!!
File not renamed - could be archive or compound file.
C:\Documents and Settings\computer\__rzi_00.203\IMMAGINE 161.JPG ... is corrupted.
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat ... file could not be opened.
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG ... file could not be opened.
C:\Documents and Settings\NetworkService\ntuser.dat ... file could not be opened.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG ... file could not be opened.
C:\pagefile.sys ... file could not be opened.
C:\Programmi\DAP\DAPIE.DLL ... file could not be opened.
C:\Programmi\DAP\History\computer ... file could not be opened.
C:\Programmi\DAP\Log\DAP_REPORT.LOG ... file could not be opened.
C:\Programmi\DAP\Temp\ADS1E.tmp ... file could not be opened.
C:\Programmi\DAP\Temp\ADS29.tmp ... file could not be opened.
C:\Programmi\DAP\Temp\ADS49.tmp ... file could not be opened.
C:\Programmi\DAP\Temp\ADS66.tmp ... file could not be opened.
C:\Programmi\DAP\Updates\Condition.dll ... file could not be opened.
C:\Programmi\DAP\Updates\UpdateList.xml ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\es.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll ... file could not be opened.
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll ... file could not be opened.
C:\WINDOWS\system32\config\Default ... file could not be opened.
C:\WINDOWS\system32\config\DEFAULT.LOG ... file could not be opened.
C:\WINDOWS\system32\config\SAM ... file could not be opened.
C:\WINDOWS\system32\config\SAM.LOG ... file could not be opened.
C:\WINDOWS\system32\config\Security ... file could not be opened.
C:\WINDOWS\system32\config\SECURITY.LOG ... file could not be opened.
C:\WINDOWS\system32\config\Software ... file could not be opened.
C:\WINDOWS\system32\config\SOFTWARE.LOG ... file could not be opened.
C:\WINDOWS\system32\config\System ... file could not be opened.
C:\WINDOWS\system32\config\SYSTEM.LOG ... file could not be opened.
C:\WINDOWS\system32\drivers\sptd.sys ... file could not be opened.
C:\WINDOWS\system32\drivers\sptd8253.sys ... file could not be opened.

Summary report on C:\*.*
File(s)
Total files: ........... 266413
Clean: ................. 266171
Possibly Infected: ..... 11
Cleaned: ............... 0
Deleted: ............... 4
Non-critical Error(s): 3
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
Scanning F: []
Scanning F:\*.*
F:\System Volume Information ... file could not be opened.

Summary report on F:\*.*
File(s)
Total files: ........... 20360
Clean: ................. 20357
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 02:06.24
macula_2000 (New Member), 13 posts, joined Thu Nov 23, 2006 6:59 pm

Posted by crazy.cat » Sun Nov 26, 2006 5:01 pm

I cleaned your log of the useless lines and of those that should not have been posted [sedia] [sedia].
Some things must not be shown.....


Upload the file that keeps recreating itself on your PC to www.virustotal.com so you can find out which virus it is.
crazy.cat (MLI Hero), 30959 posts, joined Mon Jan 12, 2004 1:38 pm, location: Mestre

Posted by macula_2000 » Mon Nov 27, 2006 1:21 pm

[:I] [:I] [:I]

Anyway, it seems smss.exe in windows\system is no longer being reloaded at startup; I emptied the Recycle Bin and cleared the Sun Java cache.

Should I run another scan with the restore point disabled?
macula_2000 (New Member), 13 posts, joined Thu Nov 23, 2006 6:59 pm

Posted by macula_2000 » Mon Nov 27, 2006 8:08 pm

Posting the latest HJT log; Kaspersky reported the system clean, I really hope it's all over [sbigot] [applauso]

Logfile of HijackThis v1.99.1
Scan saved at 19.06.48, on 27/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\programmi\panda software\panda titanium antivirus 2005\WebProxy.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
c:\programmi\file comuni\installshield\updateservice\isuspm.exe
C:\Programmi\File comuni\InstallShield\UpdateService\agent.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimreal.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Programmi\File comuni\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmi\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmi\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmi\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 9897107296
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/it/it/tools/activex/fpu.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E17BE5B-4355-4216-813B-0E0062BDD19D}: NameServer = 192.168.0.1
O20 - Winlogon Notify: avldr - C:\WINDOWS\
O20 - Winlogon Notify: classes - C:\WINDOWS\
O20 - Winlogon Notify: disk - C:\WINDOWS\
O20 - Winlogon Notify: eventss - C:\WINDOWS\
O20 - Winlogon Notify: gg - C:\WINDOWS\
O20 - Winlogon Notify: lindows - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\programmi\panda software\panda titanium antivirus 2005\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
macula_2000 (New Member), 13 posts, joined Thu Nov 23, 2006 6:59 pm


megalab.it: daily online publication registered with the Court of Cosenza no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising