www.MegaLab.it

[alexe]

cia a tutti,cvome da oggetto mi sono accorto di avere questo(virus?)sul mio pc,ho provato a fare la scansione ma niente non vuole andarsene vi allego anche ilhijackthisLogfile of HijackThis v1.97.7
Scan saved at 15.27.23, on 29/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Belkin\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\System32\msa.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Belkin\Software Bluetooth\BTTray.exe
C:\Programmi\StopDialers\StopDialer.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\ISTsvc\istsvc.exe
C:\WINDOWS\System32\cmd.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
E:\programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my-cellular.com/modules.php? ... wforum&f=8
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvhaf32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Belkin\Software Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: LingoWare Translator... (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... p43dmo.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02FC8C76-AA27-4D82-95E6-1AC969DC9B98}: NameServer = 194.185.97.134 194.185.97.134
O17 - HKLM\System\CS1\Services\Tcpip\..\{02FC8C76-AA27-4D82-95E6-1AC969DC9B98}: NameServer = 194.185.97.134 194.185.97.134

log di hijackthi

[alexe]

allora....non c'e piu,l'ho rimosso.solo che adesso mi va via la barra di stumenti di google tool bar.quella che blocca i popup,cioe come se l'avessi disinstallato il programma...e non appena lo installo nuovamente,chiudo la pagina di internet e la apro la barra e sparita ,,poi mi va male il pc e da stamani...mi si chiudono misterisamente le pagine da sole.....

P.s ho notato una cosa qui in questo momento,appena voglio inserire uno smile,mi viene il simbolo dello smile ma anche un link.perche?[mandibol]

[crazy.cat]

Qui c'è un tools per la rimozione di quello spyware
http://sarc.com/avcenter/venc/data/adware.istbar.html

Questo è un altro spyware da eliminare (usa spybot e adware)
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll

Questi sono molto sospetti,prova ad eliminarli con Hijackthis, chiudendo i processi attivi nel task manager, oppure fallo dalla modalità provvisoria.
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvhaf32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe

Visto che hai Norton fai un controllo con questo antivirus
http://www.MegaLab.it/2333

Cancella anche i file temporanei di internet.

Pulisci tutto, riavvia il pc e controlla che queste voci non ritornino

[alexe]

ok...grazie...faro come dici.......una cosa pero...non sono molto esperto...come faccio ad eliminare quei file con HijackThis,cioe una volta selezionati che devo fare...e poi per riavviare il computer in modalita provvisoria comedevo fare?grazie per l'interessamento

[alexe]

fatto tutto...ecco quelloche e venuto fuori dopo la scansione

McAfee VirusScan for Win32 v4.32.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Nov 27 2003

Scan engine v4.3.20 for Win32.
Virus data file v4417 created Dec 29 2004
Scanning for 111451 viruses, trojans and variants.



12/30/2004 11:32:40


Options:
/AD /CLEAN /SUB /UNZIP /ALL /RPTCOR /RPTERR /REPORT C:\DOCUME~1\ALEXEE\IMPOST~1\TEMP\SCAN.TXT

Scanning C: []
Scanning C:\*.*
C:\Documents and Settings\Alexee\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat ... file could not be opened.
C:\Documents and Settings\Alexee\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG ... file could not be opened.
C:\Documents and Settings\Alexee\NTUSER.DAT ... file could not be opened.
C:\Documents and Settings\Alexee\ntuser.dat.LOG ... file could not be opened.
C:\pagefile.sys ... file could not be opened.
C:\Programmi\InstallShield Installation Information\{CA9EC1C6-3B51-11D6-B1A9-BCD2747AA951}\setup.ilg ... file could not be opened.
C:\WINDOWS\Installer\50d545.msi ... file could not be opened.
C:\WINDOWS\system32\c.bat ... Found the W32/Sdbot.worm.bat.b virus !!!
The file has been deleted.
C:\WINDOWS\system32\config\default ... file could not be opened.
C:\WINDOWS\system32\config\default.LOG ... file could not be opened.
C:\WINDOWS\system32\config\SAM ... file could not be opened.
C:\WINDOWS\system32\config\SAM.LOG ... file could not be opened.
C:\WINDOWS\system32\config\SECURITY ... file could not be opened.
C:\WINDOWS\system32\config\SECURITY.LOG ... file could not be opened.
C:\WINDOWS\system32\config\software ... file could not be opened.
C:\WINDOWS\system32\config\software.LOG ... file could not be opened.
C:\WINDOWS\system32\config\system ... file could not be opened.
C:\WINDOWS\system32\config\system.LOG ... file could not be opened.
C:\WINDOWS\system32\dust.exe ... Found the W32/Sdbot.worm.gen.t virus !!!
The file has been deleted.
C:\WINDOWS\system32\kalvaye32.exe ... Found the AdClicker-BA trojan !!!
The file has been deleted.
C:\WINDOWS\system32\kalvhaf32.exe ... Found the AdClicker-BA trojan !!!
The file has been deleted.
C:\WINDOWS\system32\kalvtfa32.exe ... Found the AdClicker-BA trojan !!!
The file has been deleted.
C:\WINDOWS\system32\msa.exe ... Found the W32/Sdbot.worm.gen.y virus !!!
The file has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 36522
Clean: ................. 36499
Possibly Infected: ..... 6
Cleaned: ............... 0
Deleted: ............... 6
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:17.00

comunque adesso sembra tutto apposto...speriamo sia cosi...vi allego anche il log di HijackThis
Logfile of HijackThis v1.97.7
Scan saved at 11.56.39, on 30/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Belkin\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Norton <a target="_blank" href="http://searchmiracle.com/text/search.php?qq=antivirus">AntiVirus</a>\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Norton <a target="_blank" href="http://searchmiracle.com/text/search.php?qq=antivirus">AntiVirus</a>\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Programmi\Belkin\Software Bluetooth\BTTray.exe
C:\Programmi\StopDialers\StopDialer.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
E:\programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my-cellular.com/modules.php? ... wforum&f=8
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/c<a target="_blank" href="http://searchmiracle.com/text/search.php?qq=MBA">mba</a>cklinks.html
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Belkin\Software Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: LingoWare Translator... (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... p43dmo.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02FC8C76-AA27-4D82-95E6-1AC969DC9B98}: NameServer = 194.185.97.134 194.185.97.134
O17 - HKLM\System\CS1\Services\Tcpip\..\{02FC8C76-AA27-4D82-95E6-1AC969DC9B98}: NameServer = 194.185.97.134 194.185.97.134

grazie ancora e scusate se sono noioso

[alexe]

persiste un problema ho rimesso su google tool bar,ma niente,dopo averlo installato va bene appena esco e provo a rientrare e sparito !!!!!!!!come mai fa sta cosa?

[crazy.cat]

Prova a disinstallarlo dal pannello di controllo delle applicazioni.
Riavii il pc.
Pulizia dal registro di tutte le voci di google toolbar ( a mano o con qualche pulitore di registro).
Reinstallazione di una nuova versione.
Di più non sò perché non uso quelle toolbar e non mi piacciono neanche troppo.
Se non basta prova ad aprire una nuova discussione

[alexe]

Prova a disinstallarlo dal pannello di controllo delle applicazioni.
Riavii il pc.
Pulizia dal registro di tutte le voci di google toolbar ( a mano o con qualche pulitore di registro).
Reinstallazione di una nuova versione.
Di più non sò perché non uso quelle toolbar e non mi piacciono neanche troppo.
Se non basta prova ad aprire una nuova discussione

ok...comunque grazie per aver risolto il mio problema