www.MegaLab.it

da **andrea677** » dom gen 27, 2008 3:08 pm

Quando apro Internet Explorer il browser rimane bloccato per 2-3 minuti prima di partire, poi a un certo punto della navigazione, Sygate firewall mi segnala il tentativo di collegamento a "a.doginhispen.com". Ho già fatto tutte le scansioni con Hijack, Avg antivirus,Spyware Doctor e SuperAntiSpyware senza trovare nulla.
Leggevo in giro che questo sembra essere una specie di virus-dialer.
Sapete se esiste un tool in particolare per tentare di rimuoverlo ?

Grazie, Andrea

da **crazy.cat** » dom gen 27, 2008 3:13 pm

andrea677 ha scritto: Ho già fatto tutte le scansioni con Hijack,

Vediamo il log di questa, tanto per avere qualche idea.

da **Fred** » dom gen 27, 2008 3:14 pm

posso sugerirti di farla con IE aperto?

da **andrea677** » mar gen 29, 2008 7:50 am

Ieri sera mi sono collegato ad internet tramite 56k visto che non sono servito da adsl, e di nuovo Sygate mi ha segnalato il tentetivo di connessione a "b.skitodayplease.com" che a quanto pare va in accoppiata ad "a.doginhispen.com".
Ho già controllato nell'installazione applicazioni senza trovare nulla, ho controllato con Regedit senza risultati, anche nei file temporanei nulla.

Ho fatto girare Hijack e qui posto il log:

Logfile of HijackThis v1.98.2
Scan saved at 21.04.49, on 28/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Ghost\GhostStartService.exe
C:\WINDOWS\System32\r_server.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Sidebar\sidebar.exe
C:\Programmi\Analog Devices\SoundMAX\bak\SMTray.exe
C:\Programmi\Windows Sidebar\sidebar.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Computer\HijackThis processi aperti.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programmi\Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Sidebar] C:\Programmi\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab

Questo è invece il log di FindAwf:

Find AWF report by noahdfear ©2006
Version 1.40

bak folders found
~~~~~~~~~~~

Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\AVG7\BAK

22/12/2007 10.26 579.072 avgcc.exe
1 File 579.072 byte
2 Directory 27.755.532.288 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\GHOST\BAK

14/08/2002 15.21 94.208 GhostStartTrayApp.exe
1 File 94.208 byte
2 Directory 27.755.532.288 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\QUICKT~1\BAK

16/02/2007 09.54 282.624 qttask.exe
1 File 282.624 byte
2 Directory 27.755.528.192 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\WINDOWS\SYSTEM32\BAK

31/08/2001 13.00 13.312 ctfmon.exe
15/10/2002 23.05 114.688 hkcmd.exe
15/10/2002 23.18 155.648 igfxtray.exe
09/07/2001 09.50 155.648 NeroCheck.exe
4 File 439.296 byte
2 Directory 27.755.528.192 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ALCOHO~1\ALCOHO~1\BAK

02/07/2007 11.29 220.544 axcmd.exe
1 File 220.544 byte
2 Directory 27.755.528.192 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

11/10/2002 17.26 98.304 SMTray.exe
1 File 98.304 byte
2 Directory 27.755.528.192 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

12/08/2003 21.10 335.872 ATIPTAXX.EXE
1 File 335.872 byte
2 Directory 27.755.528.192 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ATITEC~1\ATIHYD~1\BAK

01/04/2003 16.41 270.336 HydraDM.exe
1 File 270.336 byte
2 Directory 27.755.528.192 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

13/10/2007 09.25 68.856 GoogleToolbarNotifier.exe
1 File 68.856 byte
2 Directory 27.755.528.192 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\LOGITECH\VIDEO\BAK

29/08/2003 14.17 188.416 ISStart.exe
29/08/2003 14.20 77.824 LogiTray.exe
2 File 266.240 byte
2 Directory 27.755.528.192 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

04/03/2005 02.36 36.975 jusched.exe
1 File 36.975 byte
2 Directory 27.755.524.096 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

01/07/2002 04.05 74.752 E_S10IC2.EXE
1 File 74.752 byte
2 Directory 27.755.524.096 byte disponibili

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

579072 20 Jan 2008 "C:\Programmi\AVG7\avgcc.exe"
579072 22 Dec 2007 "C:\Programmi\AVG7\bak\avgcc.exe"
2474054 14 Aug 2002 "C:\Programmi\Ghost\GhostStart.exe"
94208 14 Aug 2002 "C:\Programmi\Ghost\bak\GhostStartTrayApp.exe"
14348 6 Jan 2008 "C:\Programmi\QuickTime\qttask.exe"
28672 2 Jan 2005 "C:\WINDOWS\system32\qttask.exe"
282624 16 Feb 2007 "C:\Programmi\QuickTime\bak\qttask.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
13312 31 Aug 2001 "C:\WINDOWS\system32\bak\ctfmon.exe"
13312 31 Aug 2001 "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6c224b18c466dffa7011b6ceb0bf0467\backup\ctfmon.exe"
14348 6 Jan 2008 "C:\WINDOWS\system32\hkcmd.exe"
114688 15 Oct 2002 "C:\compaq\sp22924\Win2000\hkcmd.exe"
114688 15 Oct 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 15 Oct 2002 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
14348 6 Jan 2008 "C:\WINDOWS\system32\igfxtray.exe"
155648 15 Oct 2002 "C:\compaq\sp22924\Win2000\igfxtray.exe"
155648 15 Oct 2002 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 15 Oct 2002 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
14348 6 Jan 2008 "C:\WINDOWS\system32\NeroCheck.exe"
155648 9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
14348 6 Jan 2008 "C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe"
220544 2 Jul 2007 "C:\Programmi\Alcohol Soft\Alcohol 120\bak\axcmd.exe"
14348 6 Jan 2008 "C:\Programmi\Analog Devices\SoundMAX\SMTray.exe"
98304 11 Oct 2002 "C:\Programmi\Analog Devices\SoundMAX\bak\SMTray.exe"
98304 11 Oct 2002 "C:\compaq\swsetup\SP23296\SM_Panel\Sys\SMTray.exe"
14348 6 Jan 2008 "C:\Programmi\ATI Technologies\ATI Control Panel\ATIPTAXX.EXE"
335872 12 Aug 2003 "C:\Programmi\ATI Technologies\ATI Control Panel\bak\ATIPTAXX.EXE"
14348 6 Jan 2008 "C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe"
270336 1 Apr 2003 "C:\Programmi\ATI Technologies\ATI HydraVision\bak\HydraDM.exe"
52272 10 Feb 2007 "C:\Programmi\Google\googletoolbar3user.exe"
14348 6 Jan 2008 "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
138168 10 Feb 2007 "C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 13 Oct 2007 "C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
14348 6 Jan 2008 "C:\Programmi\Logitech\Video\ISStart.exe"
188416 29 Aug 2003 "C:\Programmi\Logitech\Video\bak\ISStart.exe"
14348 6 Jan 2008 "C:\Programmi\Logitech\Video\LogiTray.exe"
77824 29 Aug 2003 "C:\Programmi\Logitech\Video\bak\LogiTray.exe"
14348 6 Jan 2008 "C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe"
36975 4 Mar 2005 "C:\Programmi\Java\jre1.5.0_02\bin\bak\jusched.exe"
74752 1 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\E_S10IC2.EXE"
14348 6 Jan 2008 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE"
74752 1 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S10IC2.EXE"

end of report

Ho scaricato anche Avenger ma non so come si utilizza.
Se qualche eperto trova qualcosa di interessante a riguardo ...

Grazie, Andrea

da **crazy.cat** » mar gen 29, 2008 9:50 am

Disattiva il ripristino della configurazione su tutti i dischi poi riavvia il pc
http://www.MegaLab.it/2330

Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Metti il pallino su input script manually
Quindi scegli la lente e cliccaci
Ora incolla queste righe nel box bianco che si è aperto:

Codice: Seleziona tutto: Files to move: C:\Programmi\AVG7\bak\avgcc.exe | C:\Programmi\AVG7\avgcc.exe C:\Programmi\QuickTime\bak\qttask.exe | C:\Programmi\QuickTime\qttask.exe C:\WINDOWS\system32\bak\ctfmon.exe | C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\bak\hkcmd.exe | C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\bak\igfxtray.exe | C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\bak\NeroCheck.exe | C:\WINDOWS\system32\NeroCheck.exe C:\Programmi\Alcohol Soft\Alcohol 120\bak\axcmd.exe | C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe C:\Programmi\Analog Devices\SoundMAX\bak\SMTray.exe | C:\Programmi\Analog Devices\SoundMAX\SMTray.exe C:\Programmi\ATI Technologies\ATI Control Panel\bak\ATIPTAXX.EXE | C:\Programmi\ATI Technologies\ATI Control Panel\ATIPTAXX.EXE C:\Programmi\ATI Technologies\ATI HydraVision\bak\HydraDM.exe | C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe | C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Programmi\Logitech\Video\bak\ISStart.exe | C:\Programmi\Logitech\Video\ISStart.exe C:\Programmi\Logitech\Video\bak\LogiTray.exe | C:\Programmi\Logitech\Video\LogiTray.exe C:\Programmi\Java\jre1.5.0_02\bin\bak\jusched.exe | C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S10IC2.EXE | C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE

Adesso devi cliccare su Done in basso nella box
Seleziona il semaforino in alto a destra
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

Dopo il riavvio fai una nuova scansione con hijackthis.

da **andrea677** » mar gen 29, 2008 3:35 pm

Ho eseguito le operazioni sopra descritte:
non ho ancora provato a collegarmi ad internet, il ripristino di sistema devo riabilitarlo ?

A seguire il log di Avenger e il log di Hijack:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\utojcqxt

*******************

Script file located at: \??\C:\Documents and Settings\cggwjlvb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File move operation C:\Programmi\AVG7\bak\avgcc.exe|C:\Programmi\AVG7\avgcc.exe completed successfully.
File move operation C:\Programmi\QuickTime\bak\qttask.exe|C:\Programmi\QuickTime\qttask.exe completed successfully.
File move operation C:\WINDOWS\system32\bak\ctfmon.exe|C:\WINDOWS\system32\ctfmon.exe completed successfully.
File move operation C:\WINDOWS\system32\bak\hkcmd.exe|C:\WINDOWS\system32\hkcmd.exe completed successfully.
File move operation C:\WINDOWS\system32\bak\igfxtray.exe|C:\WINDOWS\system32\igfxtray.exe completed successfully.
File move operation C:\WINDOWS\system32\bak\NeroCheck.exe|C:\WINDOWS\system32\NeroCheck.exe completed successfully.
File move operation C:\Programmi\Alcohol Soft\Alcohol 120\bak\axcmd.exe|C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe completed successfully.
File move operation C:\Programmi\Analog Devices\SoundMAX\bak\SMTray.exe|C:\Programmi\Analog Devices\SoundMAX\SMTray.exe completed successfully.
File move operation C:\Programmi\ATI Technologies\ATI Control Panel\bak\ATIPTAXX.EXE|C:\Programmi\ATI Technologies\ATI Control Panel\ATIPTAXX.EXE completed successfully.

Could not move file C:\Programmi\ATI Technologies\ATI HydraVision\bak\HydraDM.exe
File move operation C:\Programmi\ATI Technologies\ATI HydraVision\bak\HydraDM.exe|C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe | C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Programmi\Logitech\Video\bak\ISStart.exe | C:\Programmi\Logitech\Video\ISStart.exe failed!

Could not process line:
C:\Programmi\ATI Technologies\ATI HydraVision\bak\HydraDM.exe|C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe | C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Programmi\Logitech\Video\bak\ISStart.exe | C:\Programmi\Logitech\Video\ISStart.exe
Status: 0xc0000033

File move operation C:\Programmi\Logitech\Video\bak\LogiTray.exe|C:\Programmi\Logitech\Video\LogiTray.exe completed successfully.

Could not move file C:\Programmi\Java\jre1.5.0_02\bin\bak\jusched.exe
File move operation C:\Programmi\Java\jre1.5.0_02\bin\bak\jusched.exe|C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S10IC2.EXE | C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE failed!

Could not process line:
C:\Programmi\Java\jre1.5.0_02\bin\bak\jusched.exe|C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S10IC2.EXE | C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE
Status: 0xc0000033

Completed script processing.

*******************

Finished! Terminate.

________________________________________________________

Logfile of HijackThis v1.98.2
Scan saved at 13.53.26, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Ghost\GhostStartService.exe
C:\WINDOWS\System32\r_server.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Sidebar\sidebar.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bak\E_S10IC2.EXE
C:\WINDOWS\System32\LVComS.exe
C:\Programmi\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Computer\HijackThis processi aperti.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programmi\Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Sidebar] C:\Programmi\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab

Ciao, Andrea

da **ste_95** » mar gen 29, 2008 3:39 pm

Lo script non è andato interamente a buon fine.

Esegui una nuova scansione con findawf.

da **andrea677** » mer gen 30, 2008 9:27 am

Ecco il log di FindAwf che ho rifatto ieri sera:

Find AWF report by noahdfear ©2006
Version 1.40

bak folders found
~~~~~~~~~~~

Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\AVG7\BAK

0 File 0 byte
2 Directory 30.123.995.136 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\GHOST\BAK

14/08/2002 15.21 94.208 GhostStartTrayApp.exe
1 File 94.208 byte
2 Directory 30.123.995.136 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\QUICKT~1\BAK

0 File 0 byte
2 Directory 30.123.991.040 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\WINDOWS\SYSTEM32\BAK

0 File 0 byte
2 Directory 30.123.991.040 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ALCOHO~1\ALCOHO~1\BAK

0 File 0 byte
2 Directory 30.123.991.040 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

0 File 0 byte
2 Directory 30.123.991.040 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

0 File 0 byte
2 Directory 30.123.991.040 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ATITEC~1\ATIHYD~1\BAK

01/04/2003 16.41 270.336 HydraDM.exe
1 File 270.336 byte
2 Directory 30.123.991.040 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

13/10/2007 09.25 68.856 GoogleToolbarNotifier.exe
1 File 68.856 byte
2 Directory 30.123.991.040 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\LOGITECH\VIDEO\BAK

29/08/2003 14.17 188.416 ISStart.exe
1 File 188.416 byte
2 Directory 30.123.991.040 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

04/03/2005 02.36 36.975 jusched.exe
1 File 36.975 byte
2 Directory 30.123.991.040 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

01/07/2002 04.05 74.752 E_S10IC2.EXE
1 File 74.752 byte
2 Directory 30.123.991.040 byte disponibili

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

2474054 14 Aug 2002 "C:\Programmi\Ghost\GhostStart.exe"
94208 14 Aug 2002 "C:\Programmi\Ghost\bak\GhostStartTrayApp.exe"
14348 6 Jan 2008 "C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe"
270336 1 Apr 2003 "C:\Programmi\ATI Technologies\ATI HydraVision\bak\HydraDM.exe"
52272 10 Feb 2007 "C:\Programmi\Google\googletoolbar3user.exe"
14348 6 Jan 2008 "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
138168 10 Feb 2007 "C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 13 Oct 2007 "C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
14348 6 Jan 2008 "C:\Programmi\Logitech\Video\ISStart.exe"
188416 29 Aug 2003 "C:\Programmi\Logitech\Video\bak\ISStart.exe"
14348 6 Jan 2008 "C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe"
36975 4 Mar 2005 "C:\Programmi\Java\jre1.5.0_02\bin\bak\jusched.exe"
74752 1 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\E_S10IC2.EXE"
14348 6 Jan 2008 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE"
74752 1 Jul 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S10IC2.EXE"

end of report

da **ste_95** » mer gen 30, 2008 1:45 pm

Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Metti il pallino su input script manually
Quindi scegli la lente e cliccaci
Ora incolla queste righe nella box bianca che si è aperta:

Files to move:
C:\Programmi\ATI Technologies\ATI HydraVision\bak\HydraDM.exe| C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe | C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\Logitech\Video\bak\ISStart.exe | C:\Programmi\Logitech\Video\ISStart.exe
C:\Programmi\Java\jre1.5.0_02\bin\bak\jusched.exe | C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S10IC2.EXE | C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE

Adesso devi cliccare su Done in basso nella box
Seleziona il semaforino in alto a destra
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

da **andrea677** » ven feb 01, 2008 9:11 am

Eccomi di nuovo, ieri sono stato fuori sede tutto il giorno e non ho potuto rispondere. A seguire il log di Avenger, sembra che abbia lavorato correttamente. Qualche domanda:
1 - Ora dovrebbe essere sistemato ?
2 - Il ripristino di sistema lo devo riabilitare ?
3 - Lo script da mettere su Avenger, come si compila ? Cioè come a faccio a sapere quali file deve riscrivere ?

Grazie, Andrea

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\grdqbyom

*******************

Script file located at: \??\C:\ckygduwj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File move operation C:\Programmi\ATI Technologies\ATI HydraVision\bak\HydraDM.exe|C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe completed successfully.
File move operation C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe|C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe completed successfully.
File move operation C:\Programmi\Logitech\Video\bak\ISStart.exe|C:\Programmi\Logitech\Video\ISStart.exe completed successfully.
File move operation C:\Programmi\Java\jre1.5.0_02\bin\bak\jusched.exe|C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe completed successfully.
File move operation C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S10IC2.EXE|C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE completed successfully.

Completed script processing.

*******************

Finished! Terminate.

da **ste_95** » ven feb 01, 2008 9:21 am

Posta un nuovo log di hijackthis e di findAWF.

da **andrea677** » dom feb 03, 2008 10:56 am

Ecco i log di Hijack e Awf con l'ultima scansione:

Logfile of HijackThis v1.98.2
Scan saved at 10.42.51, on 03/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Ghost\GhostStartService.exe
C:\WINDOWS\System32\r_server.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\Programmi\Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\Windows Sidebar\sidebar.exe
C:\Programmi\Ghost\bak\GhostStartTrayApp.exe
C:\WINDOWS\System32\LVComS.exe
C:\Programmi\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Computer\HijackThis processi aperti.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programmi\Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Sidebar] C:\Programmi\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab

___________________________________________________________

Find AWF report by noahdfear ©2006
Version 1.40

bak folders found
~~~~~~~~~~~

Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\AVG7\BAK

0 File 0 byte
2 Directory 29.556.547.584 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\GHOST\BAK

14/08/2002 15.21 94.208 GhostStartTrayApp.exe
1 File 94.208 byte
2 Directory 29.556.547.584 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\QUICKT~1\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\WINDOWS\SYSTEM32\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ALCOHO~1\ALCOHO~1\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ATITEC~1\ATIHYD~1\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\LOGITECH\VIDEO\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

0 File 0 byte
2 Directory 29.556.543.488 byte disponibili

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

2474054 14 Aug 2002 "C:\Programmi\Ghost\GhostStart.exe"
94208 14 Aug 2002 "C:\Programmi\Ghost\bak\GhostStartTrayApp.exe"

end of report

da **ste_95** » dom feb 03, 2008 11:12 am

Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Metti il pallino su input script manually
Quindi scegli la lente e cliccaci
Ora incolla queste righe nella box bianca che si è aperta:

Files to move:
C:\Programmi\bak\Ghost\GhostStart.exe | C:\Programmi\Ghost\GhostStart.exe

Adesso devi cliccare su Done in basso nella box
Seleziona il semaforino in alto a destra
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

da **andrea677** » dom feb 03, 2008 12:02 pm

Ho fatto l'operazione con Avenger 2 volte ma restituisce sempre questo:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vxackixw

*******************

Script file located at: \??\C:\WINDOWS\lsplpuri.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Could not open file C:\Programmi\bak\Ghost\GhostStart.exe for move operation
File move operation C:\Programmi\bak\Ghost\GhostStart.exe|C:\Programmi\Ghost\GhostStart.exe failed!

Could not process line:
C:\Programmi\bak\Ghost\GhostStart.exe|C:\Programmi\Ghost\GhostStart.exe
Status: 0xc000003a

Completed script processing.

*******************

Finished! Terminate.

Eventualmente al momento non utilizzo Ghost, per cui potrei anche disinstallarlo se il problema è quello.

Grazie, Andrea

da **ste_95** » dom feb 03, 2008 12:27 pm

Noto ora che la data di creazione die file coincide, quindi problemi non ce ne dovrebbero essere. per scrupolo fai analizzare il file C:\Programmi\Ghost\GhostStart.exe su www.virustotal.com e vedi se gli antivirus lo riconoscono come infetto.

da **andrea677** » lun feb 04, 2008 2:08 pm

Come detto ho disinstallato Ghost che al momento non utilizzo.
Ho rifatto le scansioni con Hijach e Awf: i log a seguire.
Per il ripristino configurazione posso riabilitarlo ?

Grazie, Andrea

Find AWF report by noahdfear ©2006
Version 1.40

bak folders found
~~~~~~~~~~~

Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\AVG7\BAK

0 File 0 byte
2 Directory 29.660.536.832 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\QUICKT~1\BAK

0 File 0 byte
2 Directory 29.660.536.832 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\WINDOWS\SYSTEM32\BAK

0 File 0 byte
2 Directory 29.660.532.736 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ALCOHO~1\ALCOHO~1\BAK

0 File 0 byte
2 Directory 29.660.532.736 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

0 File 0 byte
2 Directory 29.660.532.736 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

0 File 0 byte
2 Directory 29.660.532.736 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\ATITEC~1\ATIHYD~1\BAK

0 File 0 byte
2 Directory 29.660.532.736 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

0 File 0 byte
2 Directory 29.660.532.736 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\LOGITECH\VIDEO\BAK

0 File 0 byte
2 Directory 29.660.532.736 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

0 File 0 byte
2 Directory 29.660.532.736 byte disponibili
Il volume nell'unit… C Š Disco principale
Numero di serie del volume: F42C-A1DF

Directory di C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

0 File 0 byte
2 Directory 29.660.532.736 byte disponibili

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

Logfile of HijackThis v1.98.2
Scan saved at 13.04.09, on 04/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\r_server.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\Programmi\Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Andrea\Desktop\FindAWF.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Computer\HijackThis processi aperti.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab

da **ste_95** » lun feb 04, 2008 2:16 pm

Il log di hijackthis è tagliato.

da **andrea677** » lun feb 04, 2008 4:44 pm

Stasera sul Pc di casa provo a rifarlo, lo avevo copiato su una chiave Usb, non mi sembrava tagliato. Comunque domattina lo riposto.

Andrea

da **andrea677** » mar feb 05, 2008 7:43 am

Riposto come detto il log di Hijack:

Logfile of HijackThis v1.98.2
Scan saved at 19.36.15, on 04/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\r_server.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Computer\HijackThis processi aperti.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Programmi\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab

da **ste_95** » mar feb 05, 2008 7:46 am

E' di nuovo tagliato, mancano le voci sotto la O16.

www.MegaLab.it

virus "a.doginhispen.com"

virus "a.doginhispen.com"

Re: virus "a.doginhispen.com"

Chi c’è in linea