www.MegaLab.it

[tommyn]

Salve a tutti,
come mai da un po' di tempo a questa parte, mentre navigo su internet,utilizzando internet explorer, si aprono continuamente numerose finestre chiamate "CiD:"? pagine riguardanti ebay, sky, casinò ecc ecc.
Come si risolve il problema? mi innervosiscono queste finestre che si aprono in continuazione!!

[crazy.cat]

In quali file viene trovato il virus?

Hai provato ad usare superantispyware o A2 squared in versione freeware e aggiornati pulendo tutto quello che trovano

Posta un log della scansione di hijackthis.

[tommyn]

Questo è il:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.41.56, on 30/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
C:\Programmi\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\vVX6000.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\hfp.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Microsoft LifeCam\MSCamS32.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\AntiVir PersonalEdition Classic\avscan.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WireLessMouse] C:\Programmi\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programmi\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Programmi\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [stupid creative poll axis] C:\Documents and Settings\All Users\Dati applicazioni\Memo save stupid creative\Enc flag.exe
O4 - HKLM\..\Run: [Proc Deaf Delete Peak] C:\Documents and Settings\All Users\Dati applicazioni\file joy proc deaf\DENT LONG.exe
O4 - HKLM\..\Run: [mlmltv] C:\WINDOWS\system32\mlmltv.exe
O4 - HKLM\..\RunServices: [RunAlert] C:\Programmi\MSI\PC Alert III\AService.exe
O4 - HKLM\..\RunServices: [mlmltv] C:\WINDOWS\system32\mlmltv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mess jugs] C:\DOCUME~1\ADMINI~1\DATIAP~1\SCRREA~1\CitySkipClose.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: PC Alert III.lnk = C:\Programmi\MSI\PC Alert III\alert.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.it/
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/conte ... ite_EN.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://1991kekkan.spaces.live.com//Phot ... nPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://1991kekkan.spaces.live.com/Photo ... nPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HFP Service (hfprog) - Unknown owner - C:\WINDOWS\system32\hfp.exe
O23 - Service: Print Spooler Service (o6vl33audeajez) - Unknown owner - C:\WINDOWS\system32\mlmltv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe

--
End of file - 9076 bytes





Questo, invece, è la scansione fatta con ANTI-VIR CLASSIC, con cui ha trovato 8 virus:

AntiVir PersonalEdition Classic
Report file date: domenica 30 dicembre 2007 15:06

Scanning for 995102 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: XPMODU

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 08/09/2007 18:26:02
AVSCAN.DLL : 7.0.6.0 49192 Bytes 08/09/2007 18:26:02
LUKE.DLL : 7.0.5.3 147496 Bytes 08/09/2007 18:26:04
LUKERES.DLL : 7.0.6.1 10280 Bytes 08/09/2007 18:26:04
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 20:05:21
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 22:15:48
ANTIVIR2.VDF : 7.0.1.170 311296 Bytes 28/12/2007 18:53:57
ANTIVIR3.VDF : 7.0.1.174 10752 Bytes 29/12/2007 14:06:01
AVEWIN32.DLL : 7.6.0.46 3084800 Bytes 21/12/2007 19:44:57
AVWINLL.DLL : 1.0.0.7 14376 Bytes 22/04/2007 22:51:19
AVPREF.DLL : 7.0.2.2 25640 Bytes 08/09/2007 18:26:02
AVREP.DLL : 7.0.0.1 155688 Bytes 22/04/2007 22:51:21
AVPACK32.DLL : 7.6.0.2 360488 Bytes 21/12/2007 19:44:57
AVREG.DLL : 7.0.1.6 30760 Bytes 08/09/2007 18:26:02
AVARKT.DLL : 1.0.0.20 278568 Bytes 08/09/2007 18:26:02
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 08/09/2007 18:26:02
NETNT.DLL : 7.0.0.0 7720 Bytes 22/04/2007 22:51:20
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 08/09/2007 18:25:45
RCTEXT.DLL : 7.0.62.0 86056 Bytes 08/09/2007 18:25:45
SQLITE3.DLL : 3.3.17.1 339968 Bytes 08/09/2007 18:26:04

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\programmi\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: domenica 30 dicembre 2007 15:06

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'winamp.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'ufdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'MSCamS32.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'hfp.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'alert.exe' - '1' Module(s) have been scanned
Scan process 'mpbtn.exe' - '1' Module(s) have been scanned
Scan process 'NkbMonitor.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'mlmltv.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\mlmltv.exe'
Scan process 'vVX6000.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'MotiveSB.exe' - '1' Module(s) have been scanned
Scan process 'PS2USBKbdDrv.exe' - '1' Module(s) have been scanned
Scan process 'MouseDrv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'mlmltv.exe' has been terminated
C:\WINDOWS\system32\mlmltv.exe
[DETECTION] Is the Trojan horse TR/Agent.dnb
[INFO] The file was deleted!

46 processes with 45 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.

The registry was scanned ( '49' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Dati applicazioni\ScrReadmeLicense\jqlsazaz.exe
[DETECTION] Is the Trojan horse TR/Obfusgen.A.5317
[INFO] The file was deleted!
C:\Programmi\Circle Developement\Uninstall.exe
[DETECTION] Is the Trojan horse TR/Obfusgen.A.5368
[INFO] The file was deleted!
C:\System Volume Information\_restore{5A92C5E7-AF68-46B8-8800-8A05E8E6048A}\RP290\A0135960.exe
[DETECTION] Is the Trojan horse TR/Agent.dnb
[INFO] The file was deleted!
C:\System Volume Information\_restore{5A92C5E7-AF68-46B8-8800-8A05E8E6048A}\RP290\A0135961.exe
[DETECTION] Is the Trojan horse TR/Obfusgen.A.5317
[INFO] The file was deleted!
C:\System Volume Information\_restore{5A92C5E7-AF68-46B8-8800-8A05E8E6048A}\RP290\A0135963.exe
[DETECTION] Is the Trojan horse TR/Obfusgen.A.5368
[INFO] The file was deleted!
Begin scan in 'D:\' <Disco locale>
D:\File ricevuti MSN\i4579.zip
[0] Archive type: ZIP
album_316.jpeg_norcaro@hotmail.it.com
[DETECTION] Is the Trojan horse TR/Agent.dnb
[INFO] The file was deleted!


End of the scan: domenica 30 dicembre 2007 15:36
Used time: 29:53 min

The scan has been done completely.

6133 Scanning directories
216832 Files were scanned
8 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
7 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
216824 Files not concerned
1338 Archives were scanned
2 Warnings
0 Notes

Ho anche utlizzato superadaware e mi ha trovato ed eliminato 17 minacce.

[RaFFoLo]

Con le scansioni che hai fatto sopra hai risolto??

Potresti tentare infine di fare una scansione MALWARE per debellare anche questa ipotesi

Controlla con questo piccolo tool Microsoft e facci sapere:
http://www.microsoft.com/downloads/deta ... laylang=it

Ciao.

[tommyn]

purtroppo non ho risolto con le scansioni sopra effettuate; le pagine internet CiD (fastweb,casino,alice,sky,ebay,volagratis ecc ecc) continuano a comparire in continuazione. e poi, ho notato che, quando spengo o riavvio il pc, compare la classica finestra di quando un programma non risponde e lo fa terminare, allo spegnimento vi è il suono dell'errore e si spenge; tale programma è: iexplorer!!!!

[RaFFoLo]

forse qualche trojan ha corrotto internet explorer. prova con la reinstallazione:
http://www.microsoft.com/italy/windows/ ... fault.mspx

anche se in realtà il mio consiglio sarebbe di abbandonare il browsere microsoft è provare al suo posto firefox che blocca in modo nativo le pagine popup, tra cui suppongo anche le cid che forse in questo non ti appariranno:
http://www.mozilla-europe.org/it/products/firefox/

Hai mica software come bonzibuddy, alexia, gonzo ma anche eurobarre e altri da cui possono insorgere pagine di questo tipo??
Fai una scansione come Spybot s&d:
http://fileforum.betanews.com/detail/Sp ... 43809773/1

Fai sapere se hai risolto.
Ciao.

[crazy.cat]

Carica questo file sul sito www.virustotal.com e vedi di cosa si tratta
C:\WINDOWS\system32\hfp.exe

Rifai la scansione con hijackthis e selezioni le caselle di queste 5 righe poi premi fix checked per elilminarle
Vai poi nelle cartelle indicate in rosso ed elimini tutti i file che trovi.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mlmltv] C:\WINDOWS\system32\mlmltv.exe
O4 - HKCU\..\Run: [mess jugs] C:\DOCUME~1\ADMINI~1\DATIAP~1\SCRREA~1\CitySkipClose.exe
O4 - HKLM\..\Run: [stupid creative poll axis] C:\Documents and Settings\All Users\Dati applicazioni\Memo save stupid creative\Enc flag.exe
O4 - HKLM\..\Run: [Proc Deaf Delete Peak] C:\Documents and Settings\All Users\Dati applicazioni\file joy proc deaf\DENT LONG.exe

Riavvii il pc e riprovi a navigare.

[tommyn]

Carica questo file sul sito www.virustotal.com e vedi di cosa si tratta
C:\WINDOWS\system32\hfp.exe


Rifai la scansione con hijackthis e selezioni le caselle di queste 5 righe poi premi fix checked per elilminarle
Vai poi nelle cartelle indicate in rosso ed elimini tutti i file che trovi.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mlmltv] C:\WINDOWS\system32\mlmltv.exe
O4 - HKCU\..\Run: [mess jugs] C:\DOCUME~1\ADMINI~1\DATIAP~1\SCRREA~1\CitySkipClose.exe
O4 - HKLM\..\Run: [stupid creative poll axis] C:\Documents and Settings\All Users\Dati applicazioni\Memo save stupid creative\Enc flag.exe
O4 - HKLM\..\Run: [Proc Deaf Delete Peak] C:\Documents and Settings\All Users\Dati applicazioni\file joy proc deaf\DENT LONG.exe

Riavvii il pc e riprovi a navigare.

mi viene detto che con "esafe" è un suspicious trojan/worm, mentre con "panda" è un suspicious file.

ho fatto i passaggi fix checked e i CiD non stanno apparendo più !
sei un grande crazy.cat, da solo non ci sarei mai arrivato!!

poi, per RaFFoLo: mi consigli fortemente mozilla firefox?!abbandono internet explorer?!

[tommyn]

perdonatemi, ma purtroppo le pagine internet CiD:, continuano ad apparirre, anche se in maniera meno frequente rispetto a prima, e poi il problema in fase di riavvio o di spegnimento, persiste!

[crazy.cat]

Scansione online sul sito della kaspersky
http://www.kaspersky.com/virusscanner
e posta il risultato finale.

firefox dispone di una comoda estensione Adblock che serve per bloccare tutte le pagine pseudo-pubblicitarie.

Controlla nella cartella C:\Documents and Settings\All Users\Dati applicazioni\ se ci sono altri eseguibili dai nomi strani simili a quelli che hai già eliminato.

[tecnico24]

Semplicemente si doveva disabilitare il ripristino prima di fare i passaggi riferiti da crazy.cat

[tommyn]

Semplicemente si doveva disabilitare il ripristino prima di fare i passaggi riferiti da crazy.cat

come si disabilita il ripristino?
nel pomeriggio effettuerò la scansione consigliata da crazy.cat e lo posterò!

[crazy.cat]

Disattiva il ripristino
http://www.MegaLab.it/2330

[RaFFoLo]

ho fatto i passaggi fix checked e i CiD non stanno apparendo più

Bene !!!

mi consigli fortemente mozilla firefox?!abbandono internet explorer?!

Te lo stra-ultra-mego-super-consiglio ^^
Lo installi e poi ci installi l'estensione adblock (per la pubblicità) che trovi qui:
http://www.extenzilla.org/show_ext.php?id=472

[tommyn]

[quote="crazy.cat"]Scansione online sul sito della kaspersky
http://www.kaspersky.com/virusscanner
e posta il risultato finale.

KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 01, 2008 11:55:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/01/2008
Kaspersky Anti-Virus database records: 501220


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 56736
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 00:42:40

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Dati applicazioni\Ahead\NeroVision\NeroVisionLog.txt Object is locked skipped

C:\Documents and Settings\Administrator\Dati applicazioni\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Impostazioni locali\Cronologia\History.IE5\MSHist012008010120080102\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Impostazioni locali\Temp\~DF722A.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Impostazioni locali\Temp\~DF7272.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Programmi\Alice ti aiuta\log\mpbtn.log Object is locked skipped

C:\Programmi\Alice ti aiuta\SmartBridge\AlertFilter.log Object is locked skipped

C:\Programmi\Alice ti aiuta\SmartBridge\log\httpclient.log Object is locked skipped

C:\Programmi\Alice ti aiuta\SmartBridge\SmartBridge.log Object is locked skipped

C:\Programmi\Panda Software\Panda Antivirus + Firewall 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES Object is locked skipped

C:\Programmi\Panda Software\Panda Antivirus + Firewall 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES2 Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{5A92C5E7-AF68-46B8-8800-8A05E8E6048A}\RP294\A0139515.exe Infected: Trojan.Win32.Inject.pv skipped

C:\System Volume Information\_restore{5A92C5E7-AF68-46B8-8800-8A05E8E6048A}\RP296\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{82E37DEE-9724-4190-AD19-E4523641FC3D}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.



Ho disattivato il ripristino e ho ripetuto i passaggi, e per ora i CiD: non stanno comparendo!! speriamo bene!

[tommyn]

finalmente i CiD: non mi appaiono più!!finalmente! ma c'è un però, è possibile che tutto questo abbia rallentato la velocità di connessione ad internet? lo chiedo perché le pagine internet, dopo tutto questo, si aprono con una lentezza assurda! non mi sono mai trovato in questo stato.

[tommyn]

nooooo!! ho di nuovo lo stesso problema ma con un altro pc. ho rifatto tutti i passaggi sopracitati, ma purtroppo non ho dimestichezza a capire dov'è il problema. qualcuno potrebbe visionare e farmi sapere cos'è la causa di questa pagine CiD questa volta?di seguito c'è la scansione effettuata con hijackthis:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14.15.30, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe
C:\Programmi\Logitech\QuickCam10\QuickCam10.exe
C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Logitech\QuickCam10\COCIManager.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Eset\nod32.exe
C:\Documents and Settings\ens4\Impostazioni locali\Temporary Internet Files\Content.IE5\1SCB9T85\HiJackThis_v2[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programmi\File comuni\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CAMP SHIM EXIT HECK] C:\Documents and Settings\All Users\Dati applicazioni\That Face Camp Shim\Time build.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Freeblue] C:\DOCUME~1\ens4\DATIAP~1\MEETSA~1\info date more.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CF0BA7D-1C92-4453-8B98-1FDBD7E43649}: NameServer = 151.99.125.2
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe

--
End of file - 5603 bytes


Attendo notizie.

[ste_95]

Seleziona a sinistra queste voci e premi fix checked:

O4 - HKLM\..\Run: [CAMP SHIM EXIT HECK] C:\Documents and Settings\All Users\Dati applicazioni\That Face Camp Shim\Time build.exe
O4 - HKCU\..\Run: [Freeblue] C:\DOCUME~1\ens4\DATIAP~1\MEETSA~1\info date more.exe

Poi scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Metti il pallino su input script manually
Quindi scegli la lente e cliccaci
Ora incolla queste righe nella box bianca che si è aperta:

Folders to delete:
C:\Documents and Settings\All Users\Dati applicazioni\That Face Camp Shim
C:\DOCUME~1\ens4\DATIAP~1\MEETSA~1

Adesso devi cliccare su Done in basso nella box
Seleziona il semaforino in alto a destra
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

[tommyn]

con avenger, mi viene dato un errore subito dopo aver cliccato sul semaforo e sul si: selected file does not appear to be a valid script....poi "press ok to log error and continue or cancel to abort...poi "error code 0".
ho riavviato manualmente ma non appare niente non appena viene apreto xp!!

[ste_95]

Prova questo script:

Files to delete:
C:\Documents and Settings\All Users\Dati applicazioni\That Face Camp Shim\Time build.exe
C:\DOCUME~1\ens4\DATIAP~1\MEETSA~1\info date more.exe