
Connection OK but no pages displayed


Post by Adriadri » Mon Oct 04, 2004 1:55 pm

Good morning guys, and nice to meet you!
After discovering and using your excellent site for months, I decided to sign up to put my problem to you.
I have an Acer 1604 2.8 GHz notebook with Windows XP updated to SP2.
For a few days now (exactly since installing and then uninstalling the Datacom USB modem supplied by Telecom for Alice ADSL), I can't display any web page with the analog modem (Agere VC'97); or rather, I can see the first 2/3 and then, although I stay connected, I don't see anything any more.
I should say that I had no problems of any kind before, and that I have run:
scan with Avast! (no viruses)
scan with Ad-Ware (no assorted junk)
scan with CWShredder (all OK)
uninstall and reinstall of the modem and of the internet connection.
Can you give me some advice?
Thanks in advance, and congratulations again on the service you offer.
Ubi maior minor cessat
Adriadri
Aficionado
Posts: 25
Joined: Sun Oct 03, 2004 3:53 pm
Location: Roma

Post by crazy.cat » Mon Oct 04, 2004 3:18 pm

Have you reinstalled Internet Explorer?
Have you tried using Mozilla or Firefox to browse?

Welcome to the forum.
When the many govern, they think only of pleasing themselves, and then you get the most foolish and most odious tyranny: tyranny masked as freedom.
crazy.cat
MLI Hero
Posts: 30959
Joined: Mon Jan 12, 2004 1:38 pm
Location: Mestre

Post by Adriadri » Mon Oct 04, 2004 3:25 pm

I haven't tried Mozilla yet (I'll let you know).
How do I reinstall IE?
What surprises me is that before I complicated my life with Datacom everything worked fine, go figure!
Below I'm also posting the hijack log, in case it's useful...
Logfile of HijackThis v1.98.2
Scan saved at 17.34.07, on 02/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Launch Manager\LaunchAp.exe
C:\Programmi\Launch Manager\PowerKey.exe
C:\Programmi\Launch Manager\HotkeyApp.exe
C:\Programmi\Launch Manager\CtrlVol.exe
C:\Programmi\Launch Manager\Wbutton.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\WINBOOT32.EXE
C:\WINDOWS\system32\wuamk.exe
C:\WINDOWS\system32\vpc32.exe
C:\WINDOWS\system32\crsrs.exe
C:\WINDOWS\system32\sres32.exe
C:\WINDOWS\system32\pomedsrv.exe
C:\WINDOWS\system32\crvss.exe
C:\WINDOWS\system32\winmplayer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\adriano\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Programmi\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Programmi\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Programmi\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programmi\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programmi\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Programmi\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Programmi\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Programmi\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Reg Services] WINBOOT32.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] memstat.exe
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Auto updat] crsrs.exe
O4 - HKLM\..\Run: [OEM32 Tools] sres32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\Run: [Windows media service] crvss.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\RunServices: [Reg Services] WINBOOT32.EXE
O4 - HKLM\..\RunServices: [Microsoft Update Machine] memstat.exe
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\RunServices: [msconfig] wins.exe
O4 - HKLM\..\RunServices: [Windows media service] crvss.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunOnce: [Auto updat] crsrs.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] memstat.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKCU\..\RunOnce: [Auto updat] crsrs.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] pomedsrv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Promemoria del Calendario di Microsoft Works.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

Thanks again!


Post by crazy.cat » Mon Oct 04, 2004 4:15 pm

You're in bad shape: there are a great many suspicious exes or known viruses.
If you can connect to zanezane, look in the articles, software category, for my one on cleanboot and make yourself the boot CD with the antivirus, then scan and clean with that.
Otherwise at least try this one, so we can do a bit of cleaning up
http://www.MegaLab.it/forum/viewtopic.php?t=5694

I'm leaving work now and I'm in a hurry.

Post by Adriadri » Mon Oct 04, 2004 5:00 pm

Thanks, as soon as I have a bit of time I'll try it and let you know.

Bye.

Post by Adriadri » Wed Oct 06, 2004 7:57 am

Hi crazy.cat, sorry for the late update but I'm completely swamped...
For the moment I've had the chance to use scangui.
Although my problems still remain, it did a bit of cleaning up.
I'm posting, in order, the scangui output and the hijack logs after scangui and after an internet connection, following which I noticed that a bit of garbage pops back up.

McAfee VirusScan for Win32 v4.32.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Nov 27 2003

Scan engine v4.3.20 for Win32.
Virus data file v4396 created Sep 29 2004
Scanning for 102558 viruses, trojans and variants.

This program is more than 3 months old. New viruses come out all the
time - we would suggest that you upgrade your copy.


01/04/2005 23:23:15


Options:
/AD /CLEAN /SUB /ALL /RPTCOR /RPTERR /REPORT C:\DOCUME~1\ADRIANO\IMPOST~1\TEMP\SCAN.TXT

Scanning C: [ACER]
Scanning C:\*.*
C:\Documents and Settings\adriano\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat ... file could not be opened.
C:\Documents and Settings\adriano\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG ... file could not be opened.
C:\Documents and Settings\adriano\NTUSER.DAT ... file could not be opened.
C:\Documents and Settings\adriano\ntuser.dat.LOG ... file could not be opened.
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat ... file could not be opened.
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG ... file could not be opened.
C:\Documents and Settings\NetworkService\NTUSER.DAT ... file could not be opened.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG ... file could not be opened.
C:\ies.exe\ies.exe ... Found the Downloader-PS trojan !!!
The file has been deleted.
C:\pagefile.sys ... file could not be opened.
C:\sys.exe\sys.exe ... Found the Downloader-PE trojan !!!
The file has been deleted.
C:\System Volume Information\_restore{14FA416F-387E-439E-B21B-ABAEE7E86D97}\RP77\A0041123.exe\A0041123.exe ... Found the Downloader-PS trojan !!!
The file has been deleted.
C:\System Volume Information\_restore{14FA416F-387E-439E-B21B-ABAEE7E86D97}\RP77\A0041124.exe\A0041124.exe ... Found the Downloader-PE trojan !!!
The file has been deleted.
C:\WINDOWS\system32\config\DEFAULT ... file could not be opened.
C:\WINDOWS\system32\config\default.LOG ... file could not be opened.
C:\WINDOWS\system32\config\SAM ... file could not be opened.
C:\WINDOWS\system32\config\SAM.LOG ... file could not be opened.
C:\WINDOWS\system32\config\SECURITY ... file could not be opened.
C:\WINDOWS\system32\config\SECURITY.LOG ... file could not be opened.
C:\WINDOWS\system32\config\SOFTWARE ... file could not be opened.
C:\WINDOWS\system32\config\software.LOG ... file could not be opened.
C:\WINDOWS\system32\config\SYSTEM ... file could not be opened.
C:\WINDOWS\system32\config\system.LOG ... file could not be opened.
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\6LIZ1O1H\ie[1].exe\ie[1].exe ... Found the Downloader-PS trojan !!!
The file has been deleted.
C:\WINDOWS\system32\crsrs.exe ... Found the W32/Sdbot.worm.gen.h virus !!!
The file has been deleted.
C:\WINDOWS\system32\crvss.exe ... Found the W32/Sdbot.worm.gen.p virus !!!
The file has been deleted.
C:\WINDOWS\system32\memstat.exe ... Found the W32/Sdbot.worm.gen.z virus !!!
The file has been deleted.
C:\WINDOWS\system32\ntfs16.exe\ntfs16.exe ... Found the Exploit-MS04-011.gen trojan !!!
The file has been deleted.
C:\WINDOWS\system32\o ... Found the W32/Sdbot.worm!ftp virus !!!
The file has been deleted.
C:\WINDOWS\system32\sres32.exe\sres32.exe ... Found the Exploit-MS04-011.gen trojan !!!
The file has been deleted.
C:\WINDOWS\system32\WINBOOT32.EXE ... Found the W32/Sdbot.worm.gen.x virus !!!
The file has been deleted.
C:\WINDOWS\system32\wins.exe ... Found the W32/Sdbot.worm.gen.t virus !!!
The file has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 70673
Clean: ................. 70641
Possibly Infected: ..... 13
Cleaned: ............... 0
Deleted: ............... 13
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
Scanning D: [ACERDATA]
Scanning D:\*.*

Summary report on D:\*.*
File(s)
Total files: ........... 60
Clean: ................. 60
Possibly Infected: ..... 0
Cleaned: ............... 0
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:40.17

Hijack after scangui

Logfile of HijackThis v1.98.2
Scan saved at 0.12.06, on 05/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Launch Manager\LaunchAp.exe
C:\Programmi\Launch Manager\PowerKey.exe
C:\Programmi\Launch Manager\HotkeyApp.exe
C:\Programmi\Launch Manager\CtrlVol.exe
C:\Programmi\Launch Manager\Wbutton.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuamk.exe
C:\WINDOWS\system32\vpc32.exe
C:\WINDOWS\system32\pomedsrv.exe
C:\WINDOWS\system32\winmplayer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\adriano\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Programmi\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Programmi\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Programmi\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programmi\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programmi\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Programmi\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Programmi\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Programmi\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] pomedsrv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Promemoria del Calendario di Microsoft Works.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe


Hijack after connecting

Logfile of HijackThis v1.98.2
Scan saved at 0.20.03, on 05/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Launch Manager\LaunchAp.exe
C:\Programmi\Launch Manager\PowerKey.exe
C:\Programmi\Launch Manager\HotkeyApp.exe
C:\Programmi\Launch Manager\CtrlVol.exe
C:\Programmi\Launch Manager\Wbutton.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuamk.exe
C:\WINDOWS\system32\vpc32.exe
C:\WINDOWS\system32\pomedsrv.exe
C:\WINDOWS\system32\winmplayer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\TT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\adriano\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Programmi\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Programmi\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Programmi\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programmi\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programmi\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Programmi\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Programmi\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Programmi\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] pomedsrv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Promemoria del Calendario di Microsoft Works.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

Thanks, and talk to you later.

Post by crazy.cat » Wed Oct 06, 2004 9:44 am

Quite a few suspicious exes have already disappeared since the first log; between the second and the third no dangerous things have reappeared.
I'd advise you to do this to finish the cleanup
http://www.zanezane.net/articoli.asp?id=187

Very dubious entries
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe

Unknown
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe

Virus
http://es.trendmicro-europe.com/enterpr ... ZA&VSect=O
O4 - HKCU\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] pomedsrv.exe
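The triage in the post above can be partly mechanised. The following is an added example, not part of the original thread: it parses the O4 registry autorun lines of two HijackThis logs and flags executables that are registered by bare filename under two or more autorun keys, which is the pattern shared by the entries listed above. The sample lines are excerpted from the logs posted in this thread; the function names and the two-key threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Registry autorun line as HijackThis prints it:
#   O4 - HKLM\..\Run: [Value name] command line
O4_RE = re.compile(
    r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Executable part of a command line, quoted or not, up to the first ".exe".
EXE_RE = re.compile(r'"?(.+?\.exe)\b', re.IGNORECASE)

# Excerpt of the first log in the thread (before any cleanup).
BEFORE_SCAN = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Programmi\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Reg Services] WINBOOT32.EXE
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunServices: [Reg Services] WINBOOT32.EXE
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\RunServices: [msconfig] wins.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
"""

# Excerpt of the log taken after the scangui run.
AFTER_SCAN = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Programmi\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] pomedsrv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] pomedsrv.exe
"""


def parse_o4(log_text):
    """Map each autorun executable (lower-case file name) to the registry
    keys that start it and to whether it is only ever given without a path."""
    entries = defaultdict(lambda: {"keys": set(), "bare": True})
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # startup-folder shortcuts and non-O4 lines are ignored
        cmd = m.group("cmd").strip()
        exe_match = EXE_RE.match(cmd)
        exe = exe_match.group(1) if exe_match else cmd.strip('"')
        name = exe.rsplit("\\", 1)[-1].lower()
        entries[name]["keys"].add(m.group("key"))
        if "\\" in exe:
            entries[name]["bare"] = False  # registered with a full path
    return dict(entries)


def suspicious(entries, min_keys=2):
    """Heuristic (an assumption of this example): a bare file name started
    from min_keys or more autorun keys deserves a manual look. Legitimate
    drivers such as Ati2mdxx.exe are bare too, but sit in one key only."""
    return sorted(
        name for name, e in entries.items()
        if e["bare"] and len(e["keys"]) >= min_keys
    )


def compare(before, after):
    """Return (executables gone after cleanup, flagged ones still present)."""
    removed = sorted(set(before) - set(after))
    still_flagged = [n for n in suspicious(after) if n in before]
    return removed, still_flagged


if __name__ == "__main__":
    before, after = parse_o4(BEFORE_SCAN), parse_o4(AFTER_SCAN)
    removed, still_flagged = compare(before, after)
    print("flagged before cleanup:", suspicious(before))
    print("removed by the scan:   ", removed)
    print("still registered:      ", still_flagged)
```

The heuristic only ranks entries for review: an entry registered once (wins.exe) or with a full path (gkmoy.exe) is not flagged and still needs the manual check described in the post.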

Post by Adriadri » Fri Oct 08, 2004 12:21 pm

Hi!
First of all, some good news: web pages display again after I removed "[Win32 USB2 Driver] pomedsrv.exe".
However, I wasn't able to do a further cleanup with cleanboot, or rather:
if I burn the ISO image with Nero, opening the executable from the CD gives me a message along the lines of "insufficient memory to run the program", whereas if I choose to create floppies it generates 3 .img files of 1.47 MB each, which it won't let me put on the floppies themselves (maybe it's something silly, but I don't have all that much experience in the field...).
I also have a couple of curiosities: how could I have caught those viruses, given that I browsed very little and on sites I considered "safe" (work, university, etc.)? And then: how do I prevent it, that is, can't an antivirus like Avast! recognize those viruses and block their installation?
Finally, I'm attaching the latest hijack log; only the entries you called dubious should be left.

Logfile of HijackThis v1.98.2
Scan saved at 20.02.08, on 07/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Launch Manager\LaunchAp.exe
C:\Programmi\Launch Manager\PowerKey.exe
C:\Programmi\Launch Manager\HotkeyApp.exe
C:\Programmi\Launch Manager\CtrlVol.exe
C:\Programmi\Launch Manager\Wbutton.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuamk.exe
C:\WINDOWS\system32\vpc32.exe
C:\WINDOWS\system32\winmplayer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\adriano\Impostazioni locali\Temp\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Programmi\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Programmi\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Programmi\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programmi\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programmi\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Programmi\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Programmi\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Programmi\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Promemoria del Calendario di Microsoft Works.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

Thank you so much for your help!!!

Post by crazy.cat » Fri Oct 08, 2004 12:33 pm

The CD it creates is a boot CD; you have to start the PC from it rather than launching it from Windows.
It starts from there, the Windows operating system is not loaded, and so all the viruses are "switched off" and easier to remove.
Come on, one last try so you finish cleaning out the suspects.

Do you have a firewall installed?
Don't tell me the XP one, because it's of little or no use; Sygate Personal Firewall is free and very good, and it blocks a lot of things from getting in.
Windows XP patches installed and up to date.
Use another browser such as Mozilla to browse; you have no idea how much stuff it already blocks compared with IE.

In the next few days an article will be published on how to keep the installation of dangerous viruses and spyware under control, at least so as to be warned the instant something arrives.

Post by EntropheaR » Fri Oct 08, 2004 7:40 pm

Try this one
EntropheaR
Official Member (Gold)
Posts: 12742
Joined: Thu Feb 20, 2003 11:31 pm
Location: Zena

Post by Adriadri » Mon Oct 11, 2004 4:45 pm

Thanks!

Post by Adriadri » Wed Oct 13, 2004 12:16 pm

Everything seems to be working; the scan with Cleanboot (I finally managed it) removed the last bits of junk!
I'm forwarding you the hijack log.
Thanks again and see you soon! [applause]

Logfile of HijackThis v1.98.2
Scan saved at 13.38.15, on 09/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Launch Manager\LaunchAp.exe
C:\Programmi\Launch Manager\PowerKey.exe
C:\Programmi\Launch Manager\HotkeyApp.exe
C:\Programmi\Launch Manager\CtrlVol.exe
C:\Programmi\Launch Manager\Wbutton.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuamk.exe
C:\WINDOWS\system32\vpc32.exe
C:\WINDOWS\system32\winmplayer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\adriano\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Programmi\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Programmi\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Programmi\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programmi\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programmi\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Programmi\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Programmi\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Programmi\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Promemoria del Calendario di Microsoft Works.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

Post by Adriadri » Fri Oct 15, 2004 8:47 am

I celebrated too soon; it only took a couple of connections for the problem to come back (even with Sygate).
I'm sending you the HJ log.

Logfile of HijackThis v1.98.2
Scan saved at 22.15.41, on 14/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Launch Manager\LaunchAp.exe
C:\Programmi\Launch Manager\PowerKey.exe
C:\Programmi\Launch Manager\HotkeyApp.exe
C:\Programmi\Launch Manager\CtrlVol.exe
C:\Programmi\Launch Manager\Wbutton.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuamk.exe
C:\WINDOWS\system32\winmplayer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\vpc32.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\adriano\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Programmi\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Programmi\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Programmi\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programmi\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programmi\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Programmi\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Programmi\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Programmi\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Promemoria del Calendario di Microsoft Works.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

Bye!

Post by crazy.cat » Sat Oct 16, 2004 10:13 am

Delete these entries with HijackThis and check that the various exe files have disappeared from your PC. Do everything from Safe Mode.

O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [Security Patches] wuamk.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe

Are all the Windows Update patches installed?

Post by Adriadri » Mon Oct 18, 2004 12:12 pm

I did what you advised, and everything seems fine!
I'm sending you the HJ log.
Thanks again.
P.S. The entries you told me to delete, what are they?

Logfile of HijackThis v1.98.2
Scan saved at 17.42.32, on 17/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Launch Manager\LaunchAp.exe
C:\Programmi\Launch Manager\PowerKey.exe
C:\Programmi\Launch Manager\HotkeyApp.exe
C:\Programmi\Launch Manager\CtrlVol.exe
C:\Programmi\Launch Manager\Wbutton.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\adriano\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Programmi\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Programmi\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] C:\Programmi\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programmi\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programmi\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Programmi\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Programmi\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Programmi\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Promemoria del Calendario di Microsoft Works.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
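One way to check the "after" log against the entries that were flagged for deletion, as an added example that is not part of the original posts: the function names are hypothetical and the three strings are shortened excerpts built from the logs posted in this thread. Besides confirming that the flagged autoruns and their processes are gone, the comparison reports anything else that changed between the two scans.

```python
import re

O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

# Constructed excerpts: a few lines copied from the 14/10/2004 and 17/10/2004
# logs in this thread, and four of the entries flagged for deletion.
BEFORE = r"""Running processes:
C:\WINDOWS\system32\wuamk.exe
C:\WINDOWS\system32\vpc32.exe

O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe"""
AFTER = r"""Running processes:
C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"""
FLAGGED = r"""O4 - HKLM\..\Run: [Security Patches] wuamk.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\gkmoy.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe"""

def parse_log(text):
    """Return (running image names, O4 registry autorun tuples) from a HijackThis log."""
    procs, autoruns, in_procs = set(), set(), False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:" or not line:
            in_procs = bool(line)  # section starts at its header, ends at a blank line
        elif in_procs:
            procs.add(line.rsplit("\\", 1)[-1].lower())
        elif (m := O4.match(line)):
            autoruns.add(m.groups())  # (hive, key, value name, command)
    return procs, autoruns

def verify_cleanup(before, after, flagged):
    """Check the 'after' log against the entries that were to be deleted."""
    want_gone, old = parse_log(flagged)[1], parse_log(before)[1]
    procs, new = parse_log(after)
    # Image name = last path component of the command, without arguments or quotes.
    images = {e[3].rsplit("\\", 1)[-1].split()[0].strip('"').lower() for e in want_gone}
    return {
        "still_registered": sorted(want_gone & new),
        "still_running": sorted(images & procs),
        "removed_unrequested": sorted(old - new - want_gone),
        "newly_added": sorted(new - old),
    }
```

On these excerpts the report shows the flagged entries gone and lists the Pinnacle LaunchList autorun as removed although it was not on the flagged list, which matches the difference between the second and third logs posted above.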

Post by crazy.cat » Mon Oct 18, 2004 12:19 pm

Almost certainly viruses that were not being recognized and removed by the Cleanboot CD.
Or you caught them again as soon as you reconnected.
Be sure to visit Windows Update to download all the Microsoft patches.

Post by Adriadri » Mon Oct 18, 2004 1:38 pm

[^] Thanks!



megalab.it: daily online publication registered at the Court of Cosenza, no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising