www.MegaLab.it

da **dem91** » dom set 30, 2007 2:30 pm

ragazzi ho bisogno del vostro aiuto allora.... mia sorella ha preso un virus da msn quei soliti file questo si chiama ''img 122'' (o una roba simile)...solite cose manda a tutti i contatti il file e in piu mi ha reso inutilizzabile messanger dato che nn mi fa aprire piu le finestre per chattare..la guida ad inizio topic lo gia provata ma con questo virus non ha funzionato...ditemi cosa fare e che log postare plese [cry]

da **crazy.cat** » dom set 30, 2007 2:46 pm

Vediamo lo stesso un log di msnfix e poi fai la scansione sul sito della kaspersky
http://www.MegaLab.it/2657/5
e posta il risultato.

da **dem91** » dom set 30, 2007 6:14 pm

allora msnfix mi dà infezione non presente(credo perché lo gia fatta prima la scansione con msnfix e però ho cancellato il log)...adesso provo con kaspersky

da **crazy.cat** » dom set 30, 2007 6:19 pm

Nella cartella di msnfix dovresti trovare un txt con data e ora della prima scansione, devi aprire quello e incollare il testo qui nella discussione.

da **dem91** » dom set 30, 2007 6:50 pm

quel file txt lo cancellato pensando di aver risolto gia il problema [V]

adesso sto facendo la scansione con kaspersky appena ha fatto posto il log....grazie per l attenzione....

da **dem91** » lun ott 01, 2007 1:08 pm

ragazzi ho fatto la scansione con kaspersky e mi ha fatto il report adesso cosa devo fare non so piu andare avanti....please

da **dem91** » lun ott 01, 2007 2:31 pm

questo è il log dello script che ho fatto con avenger in piu mi ha creato una cartella con scritto backup che credo contenga i file infetti(la devo eliminare???)...lo script va bene???
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ivnujmlx

*******************

Script file located at: \??\C:\WINDOWS\system32\xcakuqgq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!

Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034

File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!

Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034

File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!

Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034

File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!

Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034

File C:\Documents and Settings\Demetrio\Dati applicazioni\Microsoft\Windows\aiinm.exe deleted successfully.
File C:\Documents and Settings\Demetrio\Dati applicazioni\WinTouch\WinTouch.exe deleted successfully.
File C:\Documents and Settings\Demetrio\Dati applicazioni\WinTouch\WTUninstaller.exe deleted successfully.

Could not open file C:\Documents and Settings\Demetrio\Documenti\File ricevuti\Scherzettoni\vedi gli invisibili.rar/vedi gli invisibili.exe for deletion
Deletion of file C:\Documents and Settings\Demetrio\Documenti\File ricevuti\Scherzettoni\vedi gli invisibili.rar/vedi gli invisibili.exe failed!

Could not process line:
C:\Documents and Settings\Demetrio\Documenti\File ricevuti\Scherzettoni\vedi gli invisibili.rar/vedi gli invisibili.exe
Status: 0xc0000033

File C:\Documents and Settings\Demetrio\Documenti\File ricevuti\Scherzettoni\vedi gli invisibili.rar deleted successfully.
File C:\Documents and Settings\Demetrio\raahyc.exe deleted successfully.
File C:\Documents and Settings\Demetrio\wdjevs.exe deleted successfully.
File C:\Programmi\Words\UnInstall.exe deleted successfully.
File C:\Programmi\Words\Words.exe deleted successfully.

File C:\WINDOWS\b122.exe not found!
Deletion of file C:\WINDOWS\b122.exe failed!

Could not process line:
C:\WINDOWS\b122.exe
Status: 0xc0000034

Could not open file C:\WINDOWS\b128.exe.bin/b128.exe/stream/data0002/data0002 for deletion
Deletion of file C:\WINDOWS\b128.exe.bin/b128.exe/stream/data0002/data0002 failed!

Could not process line:
C:\WINDOWS\b128.exe.bin/b128.exe/stream/data0002/data0002
Status: 0xc0000033

Could not open file C:\WINDOWS\b128.exe.bin/b128.exe/stream/data0002 for deletion
Deletion of file C:\WINDOWS\b128.exe.bin/b128.exe/stream/data0002 failed!

Could not process line:
C:\WINDOWS\b128.exe.bin/b128.exe/stream/data0002
Status: 0xc0000033

Could not open file C:\WINDOWS\b128.exe.bin/b128.exe/stream for deletion
Deletion of file C:\WINDOWS\b128.exe.bin/b128.exe/stream failed!

Could not process line:
C:\WINDOWS\b128.exe.bin/b128.exe/stream
Status: 0xc0000033

Could not open file C:\WINDOWS\b128.exe.bin/b128.exe for deletion
Deletion of file C:\WINDOWS\b128.exe.bin/b128.exe failed!

Could not process line:
C:\WINDOWS\b128.exe.bin/b128.exe
Status: 0xc0000033

File C:\WINDOWS\b128.exe.bin deleted successfully.
File C:\WINDOWS\b138.exe deleted successfully.
File C:\WINDOWS\b143.exe deleted successfully.

File C:\WINDOWS\retadpu420.exe not found!
Deletion of file C:\WINDOWS\retadpu420.exe failed!

Could not process line:
C:\WINDOWS\retadpu420.exe
Status: 0xc0000034

Error: C:\WINDOWS\system32\drivers\ is a folder, not a file!
Deletion of file C:\WINDOWS\system32\drivers\ failed!

Could not process line:
C:\WINDOWS\system32\drivers\
Status: 0xc00000ba

Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!

Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034

Folder C:\WINDOWS\exefld not found!
Deletion of folder C:\WINDOWS\exefld failed!

Could not process line:
C:\WINDOWS\exefld
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

da **crazy.cat** » lun ott 01, 2007 4:36 pm

dem91 ha scritto:ragazzi ho fatto la scansione con kaspersky e mi ha fatto il report adesso cosa devo fare non so piu andare avanti....please

Lo script è semi sbagliato, qualcosa ha rimosso ma non tutto.
Comprimi il report di kaspersky e allegalo alla discussione, oppure fai un copia e incolla del testo qui nella discussione.

da **dem91** » lun ott 01, 2007 6:34 pm

ecco il report di karpesky...
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Demetrio\Dati applicazioni\Microsoft\Windows\aiinm.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\Demetrio\Dati applicazioni\Mozilla\Firefox\Profiles\x19z094i.default\cert8.db Object is locked skipped
C:\Documents and Settings\Demetrio\Dati applicazioni\WinTouch\WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\Demetrio\Dati applicazioni\WinTouch\WTUninstaller.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\Demetrio\Documenti\File ricevuti\Scherzettoni\vedi gli invisibili.rar/vedi gli invisibili.exe Infected: IM-Worm.Win32.VB.ax skipped
C:\Documents and Settings\Demetrio\Documenti\File ricevuti\Scherzettoni\vedi gli invisibili.rar RAR: infected - 1 skipped
C:\Documents and Settings\Demetrio\raahyc.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\Demetrio\wdjevs.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Programmi\Words\UnInstall.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\Programmi\Words\Words.exe Infected: not-a-virus:AdWare.Win32.Agent.dn skipped
C:\system volume information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\b122.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\WINDOWS\b128.exe.bin/b128.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\WINDOWS\b128.exe.bin/b128.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\WINDOWS\b128.exe.bin/b128.exe/stream Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\WINDOWS\b128.exe.bin/b128.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\WINDOWS\b128.exe.bin ZIP: infected - 4 skipped
C:\WINDOWS\b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\WINDOWS\b143.exe Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\WINDOWS\retadpu420.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
Scan process completed.

da **crazy.cat** » mar ott 02, 2007 7:08 am

Questo è lo script completo.

Files to delete:
C:\Documents and Settings\Demetrio\Dati applicazioni\Microsoft\Windows\aiinm.exe
C:\Documents and Settings\Demetrio\Dati applicazioni\WinTouch\WinTouch.exe
C:\Documents and Settings\Demetrio\Dati applicazioni\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Demetrio\Documenti\File ricevuti\Scherzettoni\vedi gli invisibili.rar
C:\Documents and Settings\Demetrio\raahyc.exe
C:\Documents and Settings\Demetrio\wdjevs.exe
C:\Programmi\Words\UnInstall.exe
C:\Programmi\Words\Words.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe.bin
C:\WINDOWS\b138.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\retadpu420.exe

da **n.alex** » mer ott 03, 2007 8:15 am

Ragazzi sono nuovo di qui! Spero che qualcuno possa aiutare anche me.
Posto il log di GMER. Spero vada bene.
Grazie
Alessandro

da **crazy.cat** » mer ott 03, 2007 8:20 am

n.alex ha scritto:Ragazzi sono nuovo di qui! Spero che qualcuno possa aiutare anche me.

gmer non serve a niente.
se hai già provato le istruzioni all'inizio del post, serve il log della scansione online di kaspersky
http://www.kaspersky.com/virusscanner

da **Elisewin_22** » sab ott 06, 2007 8:09 am

Ciao, ho beccato il solito virus tramite MSN, ho cercato di seguire le istruzioni, spero di non aver fatto danni permanenti ..:-)

Ecco qui i due log di MSNfix e HijackThis, pronti per il controllo.

Ho anche un altro problema, nn so da che dipende....alcune icone in basso a destra (ad esempio l'icona della connessione LAN) mi sono sparite dopo aver sconnesso e disconnesso Internet, anche se ho ripristinato da Risorse del Computer la configurazione di sistema.... Secondo voi è successo qualcosa alle mie impostazioni? In pratica la connessione LAN non vede più nulla, ma magicamente Internet funziona, devo preoccuparmi?? (cioé in Connessioni di rete la LAN risulta staccata e non posso riattivarla, le opzioni sono quasi tutte in grigio...) Magari è una cavolata, ma preferisco chiedere a chi sicuramente ne sa più di me!

Grazie mille!

Sere

Ok...non riesco a caricare, non so perché, ecco qui i due log...

MSNFix 1.537

C:\Documents and Settings\user\Desktop\MSN fix\MSNFix
Fix effettuato il 05/10/2007 - 11.37.22,14 By user
modalità normale

************************ Cercare i files presenti

... C:\WINDOWS\system\lsass.exe

************************ MSNCHK ***** /!\ beta test /!\

************************ Ricerca le cartelle presenti

Nessuna cartella trovata

************************ Eliminazione dei files

/!\ ... C:\WINDOWS\system\lsass.exe

************************ Pulizia del Registro

I files ancora presenti saranno eliminati al prossimo riavvio

************************ Eliminazione dei files

.. OK ... C:\WINDOWS\system\lsass.exe

************************ Files sospetti

/!\ questi files necessitano di un parere esperto prima di qualsiasi intervento

[C:\wordpad.exe] F0543ACEEB5CD8821469958C9F3DD9A4

==> Vi saremo grati se vorrete inviare il file C:\DOCUME~1\user\Desktop\Upload_Me.zip su http://upload.changelog.fr

I files e le chiavi di registro eliminati sono stati salvati nel file 05102007_11.42.1523.zip

------------------------------------------------------------------------
Auteur : !aur3n7 Contact: http://changelog.fr
------------------------------------------------------------------------

--------------------------------------------- END ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7.38.45, on 06/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lwtnuhbbe.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\ClamWin\bin\ClamTray.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\Creative\Shared Files\CamTray.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\PCSuite\Services\NclBTHandler.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\user\Desktop\MSN fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.1.1.:3128;gopher=192.168.1.1.:3128;http=192.168.1.1.:3128;https=192.168.1.1.:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [lwtnuhbbe] C:\WINDOWS\system32\lwtnuhbbe.exe
O4 - HKLM\..\RunServices: [lwtnuhbbe] C:\WINDOWS\system32\lwtnuhbbe.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ClamWin] "C:\Programmi\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programmi\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programmi\Altova\XMLSpy2006\spy.htm
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmi\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmi\Altova\XMLSpy2006\spy.htm
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0664337046
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://kissingthewitch.spaces.live.com/ ... nPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: Print Spooler Service (auvvdaeicltp) - Unknown owner - C:\WINDOWS\system32\lwtnuhbbe.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8113 bytes

Grazie mille!

Sere

da **crazy.cat** » sab ott 06, 2007 8:30 am

Che antivirus usi?

Se questi due file sono presenti nel pc cancellali pure, e anche lwtnuhbbe.exe.
C:\wordpad.exe
C:\DOCUME~1\user\Desktop\Upload_Me.zip

Rifai la scansione con hijackthis, selezioni le caselle di queste righe e premi fix checked per eliminarle.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [lwtnuhbbe] C:\WINDOWS\system32\lwtnuhbbe.exe
O4 - HKLM\..\RunServices: [lwtnuhbbe] C:\WINDOWS\system32\lwtnuhbbe.exe
O23 - Service: Print Spooler Service (auvvdaeicltp) - Unknown owner - C:\WINDOWS\system32\lwtnuhbbe.exe

Per rimuovere la riga 023, segui le istruzioni http://www.MegaLab.it/2286/2
Delete an Nt service permette di cancellare un servizio di Windows.
Dovete inserire il nome del servizio che trovate, tra parentesi, nel log di Hijackthis
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas - D:\Virit\viritsvc.exe

da **dolly90** » dom ott 21, 2007 8:19 pm

ciao..ho fatto tutto però con MSNFix dopo aver digitato N mi si kiudeva infatti nn si è creato il log...quindi ho solo quello di hijackthis..se me lo controllate perfavore...aiutooo! [cry]

da **crazy.cat** » lun ott 22, 2007 7:16 am

dolly90 ha scritto:ciao..ho fatto tutto però con MSNFix dopo aver digitato N mi si kiudeva infatti nn si è creato il log...quindi ho solo quello di hijackthis..se me lo controllate perfavore...aiutooo!

Guarda nella cartella dove hai estratto msnfix, ci dovrebbe essere un file .txt è quello il log.
Hai già riprovato ad usare msn?

Posta comunque il log di hijackthis.

da **dolly90** » mar ott 23, 2007 5:44 pm

si ho provato ad aprire msn e nn c sono miglioramenti...forse xò nn m manda + il virus xò mi si aprono lo stesso le finestre d conversazione con tutti i contattti in linea e poi m si disconette..comunque ho guardato nella cartella devo ho scompattato msnfix ma nn c è un solo file txt ma ben tre!!e mcmq nn mi sembra che nessuno dei tre sia il log........ [cry+]

da **crazy.cat** » mar ott 23, 2007 5:52 pm

crazy.cat ha scritto:Posta comunque il log di hijackthis.

E potresti fare anche una scansione online sul sito della kaspersky per vedere se pezzi di virus sono rimasti nel pc, così ripuliamo tutto.
http://www.kaspersky.com/virusscanner

da **dolly90** » mar ott 23, 2007 5:54 pm

nn iresco a caricare il file..................

da **dolly90** » mar ott 23, 2007 5:57 pm

siccome nn riesco a caricarlo lo pubblico..sxo di nn divulgare informazioni importanti...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.06.46, on 21/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\Apoint2K\Apoint.exe
C:\Programmi\Power Manager\PM.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Apoint2K\Apntex.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Documents and Settings\cielo&mare\Desktop\HThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\Portable_SD_4[1].040\PSD_4.040\Spyware Doctor\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PORTAB~1.040\PSD_4.040\SPYWAR~1\tools\iesdpb.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\FILECO~1\{344CF~1\Bar888.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\FILECO~1\{344CF~1\Bar888.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerManager] C:\Programmi\Power Manager\PM.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Lsass Services] C:\WINDOWS\system\lsass.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h ... T_ZNfox000
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PORTAB~1.040\PSD_4.040\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\programmi\bonjour\mdnsnsp.dll' missing
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://paparedda90.spaces.msn.com//Phot ... nPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://paparedda90.spaces.live.com/Phot ... nPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b47946.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servizio Bonjour (Bonjour Service) - Unknown owner - C:\Programmi\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: DirectX Service (DirectJowt) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: File Security Kernel Anti-Spyware Driver (ikhfile) - Unknown owner - F:\Portable_SD_4[1].040\PSD_4.040\Spyware Doctor\ikhfile.sys (file missing)
O23 - Service: Kernel Anti-Spyware Driver (ikhlayer) - Unknown owner - F:\Portable_SD_4[1].040\PSD_4.040\Spyware Doctor\ikhlayer.sys (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Unknown owner - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - F:\Portable_SD_4[1].040\PSD_4.040\Spyware Doctor\SDhelper.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 10908 bytes

grazie... [:)]

www.MegaLab.it

Virus diffuso via msn o NTkrnl Secure Suite

Eliminazione Virus MSN - Log richiesti

controllo log virus msn

Re: controllo log virus msn

Re: controllo log virus msn

Chi c’è in linea