www.MegaLab.it

[carlap]

Logfile of HijackThis v1.99.1
Scan saved at 13.25.20, on 28/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\XXX\Desktop\hijackthis[1]\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.italian-incoming.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.olidata.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: m1a2 - {81566074-267F-41e3-A51B-2599A3AC9EC3} - C:\WINDOWS\System32\msx.dll (file missing)
O2 - BHO: (no name) - {A8BE1DEA-03DC-4DBB-8A14-8637BFADF85C} - (no file)
O2 - BHO: FastRX - {E09962E7-A39E-4F60-8003-66D57BED27B7} - C:\WINDOWS\System32\fastRX.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [mensagem[1]] C:\Documents and Settings\XXX\Impostazioni locali\Temporary Internet Files\Content.IE5\WFEDU9KR\mensagem[1].scr
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Programmi\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Programmi\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Programmi\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [IncrediMail] "C:\PROGRA~1\INCRED~1\bin\IncMail.exe" /c
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Programmi\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [bllhost] C:\WINDOWS\bllhost.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Controller.LNK = C:\Programmi\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesbr.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesbr.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.olidata.it
O16 - DPF: {0F222EC8-205D-463F-90C9-D7249B333F09} - http://advnt01.biz/dialer/int_ver1.CAB
O16 - DPF: {16E166F9-35E8-4CA5-B50D-5CEFABF45B09} - http://www.ciritorno.biz/doc/documenti.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://quantebellagiovinezza.spaces.liv ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3929138046
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/se ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{832E4033-03C4-41E7-819D-56C61D1EBD48}: NameServer = 213.140.2.12,213.140.2.21,223.244.2.49,223.244.2.43
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AE68CA3-FCA5-4579-B2C0-3C24C6062538}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{832E4033-03C4-41E7-819D-56C61D1EBD48}: NameServer = 213.140.2.12,213.140.2.21,223.244.2.49,223.244.2.43
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[carlap]

avg ha riscontrato 3 trojan e ad aware ha trovato 42 elementi infetti....
lentezza del pc, internet sempre con problemi e non risponde all'applicazione!
che fare? il log è nel post di precedente...
grazie

[Amantide]

Abilita la visualizzazione dei file nascosti (apri una cartella qualsiasi, vai su Strumenti--> Opzioni cartella--> Visualizzazione e spunta Visualizza file e cartelle nascosti), trova ed elimina questi file, dalla modalità provvisoria o con aiuto di KillBox o Unlocker.

C:\WINDOWS\bllhost.exe
C:\Documents and Settings\XXX\Impostazioni locali\Temporary Internet Files\Content.IE5\WFEDU9KR\mensagem[1].scr

Poi rifai la scansione con Hijackthis, seleziona le seguenti voci e premi Fix checked:
O2 - BHO: m1a2 - {81566074-267F-41e3-A51B-2599A3AC9EC3} - C:\WINDOWS\System32\msx.dll (file missing)
O2 - BHO: (no name) - {A8BE1DEA-03DC-4DBB-8A14-8637BFADF85C} - (no file)
O2 - BHO: FastRX - {E09962E7-A39E-4F60-8003-66D57BED27B7} - C:\WINDOWS\System32\fastRX.dll (file missing)
O4 - HKLM\..\Run: [mensagem[1]] C:\Documents and Settings\XXX\Impostazioni locali\Temporary Internet Files\Content.IE5\WFEDU9KR\mensagem[1].scr
O4 - HKCU\..\Run: [bllhost] C:\WINDOWS\bllhost.exe
O16 - DPF: {0F222EC8-205D-463F-90C9-D7249B333F09} - http://advnt01.biz/dialer/int_ver1.CAB
O16 - DPF: {16E166F9-35E8-4CA5-B50D-5CEFABF45B09} - http://www.ciritorno.biz/doc/documenti.exe

Poi scarica ed avvia Systemscan, spunta tutte le voci e clicca su Scan Now. A scansione terminata trova in C:\suspectfile il file report.txt, comprimilo in un archivio rar o zip ed allegalo qui.

[carlap]

ecco il report della scansione di systemscan.
grazie 1000000

[carlap]

forse era questo giusto?
grazieeee

[Amantide]

Mi sa che ti sei beccata qualche trojan tipo Banker.

Tutti questi file sono da eliminare:
-This file is compressed with UPX C:\WINDOWS\BRADESCO.EXE
-This file is compressed with UPX C:\WINDOWS\CAIXA.EXE
-This file is compressed with UPX C:\WINDOWS\ITAU.EXE
-This file is compressed with UPX C:\WINDOWS\NET.EXE
-This file is compressed with UPX C:\WINDOWS\NOSSAC~1.EXE
-This file is compressed with UPX C:\WINDOWS\SANTAN~1.EXE
-This file is compressed with UPX C:\WINDOWS\UNIBANCO.EXE
-This file is compressed with UPX C:\WINDOWS\VARIOS.EXE
-This file is compressed with UPX C:\WINDOWS\WINA.EXE
-This file is compressed with UPX C:\WINDOWS\BANRISUL.EXE
-This file is compressed with UPX C:\WINDOWS\BB.EXE
-This file is compressed with UPX C:\WINDOWS\SYSTEM32\CIWIN32.EXE
-This file is compressed with UPX C:\WINDOWS\SYSTEM32\APPARAT.DLL
-This file is compressed with UPX C:\WINDOWS\SYSTEM32\SHAGEN~2.DLL

Anche tutti i file .bxz nella cartella C:\WINDOWS\ sono da eliminare.

Questi 2 file invece sono molto sospetti, caricali sul www.virustotal.com e vedi di cosa si tratta:
C:\WINDOWS\system32\aqwqw.gxz
C:\WINDOWS\system32\vcdg.bat
C:\WINDOWS\vcdg.bat

Ti consiglierei anche di di scaricare il trial di Kaspersky oppure Active Virus Shield e fare la scansione completa dalla modalità provvisoria, metti anche un buon firewall, Comodo Firewall o Zone Alarm.

[carlap]

grazie
provo a eliminare tutti i file da modalità provvisoria.
la cosa strana è che alcuni dei file in C come ITAU, UNIBANCO; SANTANDERBANESPA sono tutti nomi di banche brasiliane!
so che anche alcuni banner nei popolari blog installano i tracker anche vero?
uff....mi sa che devo smettere di sbirciare nei blog altrui!
grazie per l'aiuto!

[Amantide]

so che anche alcuni banner nei popolari blog installano i tracker anche vero?
uff....mi sa che devo smettere di sbirciare nei blog altrui!
grazie per l'aiuto!

Mica i virus si prendono solo sui blog? Li puoi beccare su qualsiasi sito e non solo... Per prevenire installa un antivirus più efficiente, metti un buon firewall ed evita di navigare con IE, usa Opera o Firefox.

[carlap]

grazie per l'aiuto.
ho eliminato i file.
provo a installare il firefox.

[Amantide]

Se non vuoi installare un altro antivirus fai almeno la scansione con A-squared e Superantispyware... ed anche con AVG dalla modalità provvisoria.