Analysis of my LOG

How do you remove viruses and spyware? Are credit cards really secure online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

Post by simfin » 04/08/07 12:53

Since I started using an ADSL connection (with a D-Link USB DSL-200 modem), I get frequent system freezes while connected, or errors related to "explorer.exe". All of this causes considerable inconvenience.
Every now and then this appears:
"explorer.exe" Cannot find the disk in drive A
I'm infected: :eeh:

I'm attaching the logfile:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13.23.37, on 04/08/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system\msnrav.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice.it/oggi/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AE5C8371-FE91-4EBD-85BD-3266B800D63D} - C:\WINDOWS\System32\mlljj.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\System32\qomlijj.dll
O2 - BHO: (no name) - {FE3E8BB7-0D6D-470D-9609-D15684A2119B} - C:\WINDOWS\madopew.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] C:\Programmi\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] C:\Programmi\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.1\bin\npjpi141.dll
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://hb.bam.it/CertRenewal/CertContr ... enroll.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\System32\mlljj.dll
O20 - Winlogon Notify: qomlijj - C:\WINDOWS\SYSTEM32\qomlijj.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
O23 - Service: MSN RAV - Unknown owner - C:\WINDOWS\system\msnrav.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)

--
End of file - 5744 bytes
simfin
Junior User

Posts: 13
Joined: 02/08/07 10:13


Post by Luke57 » 04/08/07 14:51

Hi, download The Avenger
http://swandog46.geekstogo.com/avenger.zip

Then run the Avenger.exe file.
Select the "Input Script Manually" option, click the magnifying glass, and copy and paste this script into the white box:


Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE5C8371-FE91-4EBD-85BD-3266B800D63D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4002052-AB29-4B33-8C8D-0E99084564EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE3E8BB7-0D6D-470D-9609-D15684A2119B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mlljj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomlijj
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ISEXEng
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mshexdefx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSN RAV


Files to delete:
C:\WINDOWS\system\msnrav.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\WINDOWS\System32\mlljj.dll
C:\WINDOWS\System32\qomlijj.dll
C:\WINDOWS\madopew.dll
C:\WINDOWS\SYSTEM32\crypts.dll
C:\WINDOWS\System32\angelex.exe


Click the Done button.
Now click the traffic light with the green light.
Answer Yes twice.
The PC should restart; if it doesn't, restart it manually.

After the restart, connect and post the contents of the file C:\Avenger.txt

Also download VundoFix:
from here, to the desktop
http://www.atribune.org/content/view/24/2/
Run it, select "Scan for Vundo" and then "Remove Vundo". At the end of the scan a report will be produced; post its contents.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10
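The script above is built by reading each suspicious HijackThis line and mapping it onto the registry key that registers it and the file it points to: an O2 line onto a Browser Helper Objects CLSID key, an O20 line onto a Winlogon\Notify subkey, an O23 line onto a Services subkey (using the short name in parentheses where there is one). As an added example, not code from this thread, from HijackThis or from Avenger, the Python below applies that mapping automatically to O2/O20/O23 lines and renders the result in Avenger's two-section format. The sample lines are copied from the log posted above; the triage heuristics (BHOs with no name or a missing file, every Winlogon Notify DLL, unowned services whose binary sits directly in a Windows system directory), the WINDOWS_DIRS set and all function names are assumptions of this example.

```python
"""Triage of HijackThis O2/O20/O23 lines, rendered as an Avenger-style delete
list.  Added example: the heuristics and names below are this example's own."""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the log posted in this thread, plus the
# benign Adobe BHO and NOD32 service so that the output shows what is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AE5C8371-FE91-4EBD-85BD-3266B800D63D} - C:\WINDOWS\System32\mlljj.dll
O2 - BHO: (no name) - {FE3E8BB7-0D6D-470D-9609-D15684A2119B} - C:\WINDOWS\madopew.dll (file missing)
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\System32\mlljj.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
"""

# Registry locations behind each HijackThis section (the same keys the script above uses).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# Assumption of this example: a service with no known owner whose binary sits
# directly in one of these Windows directories is treated as suspicious.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32",
                r"c:\windows\system32\dllcache"}

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RE_SHORT = re.compile(r"\((?P<short>[^()]+)\)$")   # "(mshexdefx)" -> service key name


@dataclass
class Finding:
    section: str        # "O2", "O20" or "O23"
    reason: str
    reg_key: str        # entry for "Registry keys to delete"
    path: str           # binary path without the "(file missing)" marker
    file_missing: bool


def _split_path(raw: str):
    """Separate the path from HijackThis' trailing '(file missing)' marker."""
    missing = raw.endswith("(file missing)")
    return raw.replace("(file missing)", "").strip(), missing


def triage_line(line: str):
    """Return a Finding for a suspicious O2/O20/O23 line, None otherwise."""
    if m := RE_O2.match(line):
        path, missing = _split_path(m["path"])
        reasons = (["BHO with no name"] if m["name"] == "(no name)" else []) + \
                  (["dangling BHO registration"] if missing else [])
        return Finding("O2", "; ".join(reasons), f"{BHO_KEY}\\{m['clsid']}", path, missing) if reasons else None
    if m := RE_O20.match(line):
        path, missing = _split_path(m["path"])   # every Winlogon Notify DLL gets reviewed
        return Finding("O20", "Winlogon Notify DLL", f"{NOTIFY_KEY}\\{m['name']}", path, missing)
    if m := RE_O23.match(line):
        path, missing = _split_path(m["path"])
        directory = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
        if m["owner"] == "Unknown owner" and directory in WINDOWS_DIRS:
            short = RE_SHORT.search(m["name"])
            key_name = short["short"] if short else m["name"]
            return Finding("O23", "unowned service in a Windows system directory",
                           f"{SERVICES_KEY}\\{key_name}", path, missing)
    return None


def triage_log(text: str):
    return [f for f in (triage_line(ln.strip()) for ln in text.splitlines()) if f]


def build_avenger_script(findings):
    """Render findings as Avenger 'Registry keys to delete' / 'Files to delete'
    sections.  Files HijackThis already marks '(file missing)' are left out: only
    the dangling registry entry can be removed, the file deletion would just fail."""
    keys, files = [], []
    for f in findings:
        if f.reg_key not in keys:
            keys.append(f.reg_key)
        if f.path and not f.file_missing and f.path.lower() not in [x.lower() for x in files]:
            files.append(f.path)
    return "Registry keys to delete:\n" + "\n".join(keys) + "\n\nFiles to delete:\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}: {f.path or f.reg_key}")
    print()
    print(build_avenger_script(found))
```

Run on the sample, the triage flags the two unnamed BHOs, both Winlogon Notify DLLs and the two services living in System32 and dllcache, leaves the Adobe helper and NOD32 alone, lists mlljj.dll only once even though it appears under both O2 and O20, and keeps madopew.dll off the file list because HijackThis already reports it missing.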

Post by simfin » 04/08/07 18:13

thanks, I'm proceeding with what you indicated.
Then I'll post the various reports...
Thanks...
Simo
simfin
Junior User

Posts: 13
Joined: 02/08/07 10:13

Post by simfin » 05/08/07 16:22

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\khnhcnst

*******************

Script file located at: \??\C:\Documents and Settings\ranghbai.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ISEXEng deleted successfully.
Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mshexdefx deleted successfully.
Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSN RAV deleted successfully.
File C:\WINDOWS\system\msnrav.exe deleted successfully.
File C:\WINDOWS\system32\dllcache\ivchost.exe deleted successfully.
File C:\WINDOWS\System32\mlljj.dll deleted successfully.
File C:\WINDOWS\System32\qomlijj.dll deleted successfully.


File C:\WINDOWS\madopew.dll not found!
Deletion of file C:\WINDOWS\madopew.dll failed!

Could not process line:
C:\WINDOWS\madopew.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\crypts.dll deleted successfully.
File C:\WINDOWS\System32\angelex.exe deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE5C8371-FE91-4EBD-85BD-3266B800D63D} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE5C8371-FE91-4EBD-85BD-3266B800D63D} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4002052-AB29-4B33-8C8D-0E99084564EC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE3E8BB7-0D6D-470D-9609-D15684A2119B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mlljj deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomlijj deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


VundoFix didn't give me a LOG or report.
It gave me a list of files to delete and I proceeded with the REMOVE action, then rebooted the machine.

As for the rest, it seems that after the procedures you indicated the problems are gone.
Is there any other procedure you recommend?

thank you

Thanks
SIM
simfin
Junior User

Posts: 13
Joined: 02/08/07 10:13
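Before asking for the next step it is worth checking the result log above against the script that was submitted, entry by entry: a "not found" (Status 0xc0000034) for a file HijackThis had already marked "(file missing)" is expected, since only the dangling registry entry could be removed, while a "not found" for something the earlier log showed as present, or an item the result log never mentions at all, deserves a second look in a fresh scan. As an added example, not code from this thread or from Avenger, the Python below parses a result log in the format above and sorts every requested item into one of those buckets. The log excerpt, the requested lists, the KNOWN_MISSING list and the small NTSTATUS name table are constructed for the example; the function names are assumptions too.

```python
"""Reconcile an Avenger result log with the delete list that was submitted.
Added example: function names, the sample excerpt and the status table are
this example's own, not part of the thread or of Avenger."""
import re
from dataclasses import dataclass
from typing import Optional

# NTSTATUS codes this kind of log typically reports (assumption: only these two are mapped).
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
                  0xC0000022: "STATUS_ACCESS_DENIED"}

RE_OK = re.compile(r"^(?P<kind>Registry key|File) (?P<target>.+) deleted successfully\.$")
RE_FAIL = re.compile(r"^Deletion of (?P<kind>registry key|file) (?P<target>.+) failed!$")
RE_STATUS = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]+)$")

# Constructed sample: an excerpt in the same format as the Avenger log above.
SAMPLE_AVENGER_LOG = r"""
Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ISEXEng deleted successfully.
File C:\WINDOWS\system\msnrav.exe deleted successfully.

File C:\WINDOWS\madopew.dll not found!
Deletion of file C:\WINDOWS\madopew.dll failed!

Could not process line:
C:\WINDOWS\madopew.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\crypts.dll deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE5C8371-FE91-4EBD-85BD-3266B800D63D} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE5C8371-FE91-4EBD-85BD-3266B800D63D} failed!
Status: 0xc0000034

Completed script processing.
"""

# What the script asked for (constructed subset of the thread's script; angelex.exe
# is deliberately absent from the sample log to show the "unreported" case).
REQUESTED_FILES = [r"C:\WINDOWS\system\msnrav.exe", r"C:\WINDOWS\madopew.dll",
                   r"C:\WINDOWS\SYSTEM32\crypts.dll", r"C:\WINDOWS\System32\angelex.exe"]
REQUESTED_KEYS = [r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ISEXEng",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE5C8371-FE91-4EBD-85BD-3266B800D63D}"]
# Items HijackThis had already marked "(file missing)": a not-found here is expected.
KNOWN_MISSING = [r"C:\WINDOWS\madopew.dll"]


@dataclass
class Outcome:
    kind: str                   # "file" or "registry key"
    target: str
    deleted: bool
    status: Optional[int] = None

    @property
    def status_name(self) -> Optional[str]:
        if self.status is None:
            return None
        return NTSTATUS_NAMES.get(self.status, f"unknown NTSTATUS {self.status:#010x}")


def parse_avenger_log(text: str):
    """One Outcome per 'deleted successfully' / 'failed!' line; a following
    'Status:' line is attached to the most recent failure."""
    outcomes = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := RE_OK.match(line):
            outcomes.append(Outcome(m["kind"].lower(), m["target"], True))
        elif m := RE_FAIL.match(line):
            outcomes.append(Outcome(m["kind"].lower(), m["target"], False))
        elif (m := RE_STATUS.match(line)) and outcomes and not outcomes[-1].deleted \
                and outcomes[-1].status is None:
            outcomes[-1].status = int(m["code"], 16)
    return outcomes


def reconcile(outcomes, requested, known_missing=()):
    """Bucket every requested item: deleted, expected_missing (not found, and
    HijackThis already said the file was missing), unexpected_failures (with
    the NTSTATUS name) or unreported (the log never mentions it)."""
    by_target = {o.target.lower(): o for o in outcomes}
    missing = {t.lower() for t in known_missing}
    report = {"deleted": [], "expected_missing": [], "unexpected_failures": [], "unreported": []}
    for item in requested:
        o = by_target.get(item.lower())
        if o is None:
            report["unreported"].append(item)
        elif o.deleted:
            report["deleted"].append(item)
        elif o.status == 0xC0000034 and item.lower() in missing:
            report["expected_missing"].append(item)
        else:
            report["unexpected_failures"].append((item, o.status_name))
    return report


if __name__ == "__main__":
    result = reconcile(parse_avenger_log(SAMPLE_AVENGER_LOG),
                       REQUESTED_FILES + REQUESTED_KEYS, KNOWN_MISSING)
    for bucket, items in result.items():
        print(f"{bucket}:")
        for it in items:
            print(f"  {it}")
```

On the sample, madopew.dll lands in expected_missing, the BHO key whose DLL the earlier log did show on disk lands in unexpected_failures with STATUS_OBJECT_NAME_NOT_FOUND, and angelex.exe is reported as unreported; those last two buckets are the ones to re-check in a fresh HijackThis log rather than assume clean.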

Post by simfin » 05/08/07 16:26

sorry, here's the VundoFix log/report:


VundoFix V6.5.6

Checking Java version...

Sun Java not detected
Scan started at 17.12.46 05/08/2007

Listing files found while scanning....

C:\windows\system32\cbxvvst.dll
C:\windows\system32\efcccab.dll
C:\windows\system32\efcyyyy.dll
C:\windows\system32\mljggdb.dll
C:\WINDOWS\System32\qomlijj.dll
C:\windows\system32\qommmkl.dll
C:\windows\system32\tuvuurr.dll
C:\windows\system32\vtutssr.dll
C:\windows\system32\yayawur.dll
C:\windows\system32\yayvuro.dll

Beginning removal...

Attempting to delete C:\windows\system32\cbxvvst.dll
C:\windows\system32\cbxvvst.dll Has been deleted!

Attempting to delete C:\windows\system32\efcccab.dll
C:\windows\system32\efcccab.dll Has been deleted!

Attempting to delete C:\windows\system32\efcyyyy.dll
C:\windows\system32\efcyyyy.dll Has been deleted!

Attempting to delete C:\windows\system32\mljggdb.dll
C:\windows\system32\mljggdb.dll Has been deleted!

Attempting to delete C:\windows\system32\qommmkl.dll
C:\windows\system32\qommmkl.dll Has been deleted!

Attempting to delete C:\windows\system32\tuvuurr.dll
C:\windows\system32\tuvuurr.dll Has been deleted!

Attempting to delete C:\windows\system32\vtutssr.dll
C:\windows\system32\vtutssr.dll Has been deleted!

Attempting to delete C:\windows\system32\yayawur.dll
C:\windows\system32\yayawur.dll Has been deleted!

Attempting to delete C:\windows\system32\yayvuro.dll
C:\windows\system32\yayvuro.dll Has been deleted!

Performing Repairs to the registry.
Done!
simfin
Junior User

Posts: 13
Joined: 02/08/07 10:13

Post by SkunkWorks 68 » 05/08/07 16:46

If you don't install SP2 and apply all the further updates, all of Luke's work risks being wasted... in practice you'll get reinfected after a while (browsing the net without the service packs is suicide). And with the USB modem, which lets everything "through", even more so. Besides, I had already given you that advice in the other thread you opened.
Bye
"When you wake up in the morning, think what a precious privilege it is to be alive: to breathe, to think, to enjoy, to love" (Marcus Aurelius).
SkunkWorks 68
Senior User

Posts: 2336
Joined: 03/03/07 08:55

Post by simfin » 06/08/07 13:13

hi and thanks...
where do I find SP2?
simfin
Junior User

Posts: 13
Joined: 02/08/07 10:13

Post by SkunkWorks 68 » 06/08/07 16:03

simfin wrote: hi and thanks...
where do I find SP2?

http://www.xdownload.it/download.asp?idl=572
Run the whole thing and let the PC work.
Ideally you'd install it on a "clean" system, and better still create an integrated installation CD, format and reinstall.
Then, via Windows Update, apply all the subsequent updates...
Bye
"When you wake up in the morning, think what a precious privilege it is to be alive: to breathe, to think, to enjoy, to love" (Marcus Aurelius).
SkunkWorks 68
Senior User

Posts: 2336
Joined: 03/03/07 08:55
