hijackthis log

Post by inzi » 07/12/07 13:31

Good morning everyone, I'm new to the forum. I think my PC is infested with viruses; I'm attaching the hijackthis log. Thanks a lot!!!

Logfile of HijackThis v1.99.1
Scan saved at 13.21.36, on 07/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Hewlett-Packard\HP Deskjet 1280\Toolbox\mpm.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Cn911] C:\WINDOWS\system32\ODBCJET.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
inzi
Newbie

Posts: 7
Joined: 07/12/07 13:27

Post by Luke57 » 07/12/07 13:43

Hi, open hijackthis, press "do a system scan only", find and tick the following entries:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O4 - HKLM\..\Run: [Cn911] C:\WINDOWS\system32\ODBCJET.exe
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

press fix checked.

Close and reopen hijackthis, press "open the misc tools section", "delete a file on reboot...", and in the window that opens copy and paste:
C:\WINDOWS\SYSTEM32\fsmgmt.dll
press Open (do not agree to restart the computer)
then paste:
C:\WINDOWS\system32\ODBCJET.exe
press Open (this time agree to restart the computer)
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Post by inzi » 07/12/07 14:09

Hi, thanks a lot for the help. The second part of the procedure isn't very clear to me (sorry for my terrible ignorance!!!): what do you mean by copy and paste? I pressed "open the misc tools section", "delete a file on reboot...", opened C:\WINDOWS\SYSTEM32\fsmgmt.dll without agreeing to the restart, then I tried to repeat it with the second file, but I can't find it, it's no longer there, so I cancelled the operation. Did I do something wrong? Sorry again..

Post by Luke57 » 07/12/07 15:11

Hi, I don't think so; restart and post a new hijackthis log.

Post by Lukino24 » 07/12/07 16:25

Hi everyone :)
Here is my problem:
AVG keeps showing the same message (a trojan was detected in system32... heal).
Even if I click on heal, after 10 minutes the message reappears.
If I try to restart the PC, it freezes and shows a black screen.

What do I do?

Here is the HijackThis v2.0.2 log, I hope it's useful to you:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.18.51, on 07/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\1k0.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\VirusDifesa\stmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Alice ti aiuta\bin\mad.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {1AA74F5D-83C7-4D4A-A85B-624519F2DEB8} - C:\WINDOWS\system32\dssenho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [1k0] C:\WINDOWS\system32\1k0.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Salestart] "C:\Programmi\File comuni\VirusDifesa\stmon.exe" dm=http://virusdifesa.com; ad=http://virusdifesa.com
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [1k0] C:\WINDOWS\system32\1k0.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://valucciastar88.spaces.live.com/P ... nPUpld.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3786 bytes


Thanks :)

P.S.: The PC has just been formatted; is AVG OK as the antivirus, with Spybot, and Outpost as the firewall?
Lukino24
Senior User

Posts: 123
Joined: 24/06/06 19:10
Location: Torino

Post by Luke57 » 07/12/07 17:27

Hi, open hijackthis, press "Main Menu" then "open the misc tools section", "open process manager"; if among the processes you find (if you know it, leave it alone)
C:\WINDOWS\system32\1k0.exe

press kill process, go back to the main page with back
press scan. Find and tick the following entries:
O2 - BHO: (no name) - {1AA74F5D-83C7-4D4A-A85B-624519F2DEB8} - C:\WINDOWS\system32\dssenho.dll
O4 - HKLM\..\Run: [1k0] C:\WINDOWS\system32\1k0.exe
O4 - HKLM\..\Run: [Salestart] "C:\Programmi\File comuni\VirusDifesa\stmon.exe" dm=http://virusdifesa.com; ad=http://virusdifesa.com
O4 - HKCU\..\Run: [1k0] C:\WINDOWS\system32\1k0.exe

press fix checked.

Find and delete the following files and folders:
C:\WINDOWS\system32\1k0.exe
C:\WINDOWS\system32\dssenho.dll
C:\Programmi\File comuni\VirusDifesa ------> the folder

Download RogueRemover from here:
http://www.majorgeeks.com/RogueRemover_d5360.html
install it, update it, run a full scan.

Uninstall VirusDifesa, if present, from Control Panel, Add or Remove Programs.

Post by Lukino24 » 07/12/07 18:16

C:\WINDOWS\system32\dssenho.dll

This one won't let me remove it; it says access denied even though I'm the admin of the PC.
I'll try in safe mode :P

Thanks luke ^^

Post by Lukino24 » 07/12/07 19:38

I can't remove C:\WINDOWS\system32\dssenho.dll even in safe mode...
I also tried del C:\WINDOWS\system32\dssenho.dll from DOS, but it always says access denied.

What do I do?

Post by Luke57 » 08/12/07 11:32

Lukino24 wrote: I can't remove C:\WINDOWS\system32\dssenho.dll even in safe mode...
I also tried del C:\WINDOWS\system32\dssenho.dll from DOS, but it always says access denied.

What do I do?

Hi, try with KillBox
http://www.bleepingcomputer.com/files/s ... illBox.zip
extract the .exe file, open it, tick the "delete on reboot" option, paste into the white box:
C:\WINDOWS\system32\dssenho.dll
press the white X on a red background on the right, agree to restart the computer.

If you still can't manage it this time, download this tool to the desktop
ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disconnect from the internet
disable the antivirus

Run the ComboFix.exe file
Type 1 to start the tool
Follow the instructions and at the end a log will be generated.

Restart the PC, re-enable the antivirus, reconnect and post the log C:\combofix.txt

Post by Lukino24 » 10/12/07 13:28

No luck...
When I search, I find one in killbox and one in system32.

Here is the log.

ComboFix 07-12-09.1 - Giuseppe 2007-12-10 13.12.48.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.146 [GMT 1:00]
Run by: C:\Documents and Settings\Giuseppe\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Giuseppe\Dati applicazioni\install_it[1].exe
C:\Documents and Settings\Giuseppe\Dati applicazioni\install_it[2].exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FMTR


((((((((((((((((((((((((( Files Created From 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))))))
.

2007-12-07 18:41 . 2007-12-10 10:27 <DIR> d-------- C:\Programmi\RogueRemover FREE
2007-12-07 16:47 . 2007-12-10 10:22 49 --a------ C:\WINDOWS\transp.gif
2007-12-07 16:34 . 2007-12-07 16:34 675,840 --a------ C:\WINDOWS\is-8OFPP.exe
2007-12-07 16:34 . 2007-12-07 16:34 11,694 --a------ C:\WINDOWS\is-8OFPP.msg
2007-12-07 16:34 . 2007-12-07 16:34 309 --a------ C:\WINDOWS\is-8OFPP.lst
2007-12-07 16:33 . 2007-12-10 10:22 150 --a------ C:\WINDOWS\ODBC.INI
2007-12-07 16:27 . 2007-12-09 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2007-12-07 16:18 . 2007-12-07 16:18 <DIR> d-------- C:\Programmi\Trend Micro
2007-12-06 14:08 . 2007-12-06 14:08 <DIR> d--hs---- C:\UGA6PT
2007-12-06 14:08 . 2007-12-06 14:09 <DIR> d-------- C:\Documents and Settings\Giuseppe\Dati applicazioni\VirusDifesa
2007-12-06 14:08 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-12-06 14:08 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-12-06 14:08 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-03 21:43 . 2004-08-19 15:39 153,600 --a------ C:\WINDOWS\system32\irftp.exe
2007-12-03 21:43 . 2004-08-19 15:39 153,600 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-03 21:43 . 2004-08-19 15:39 28,672 --a------ C:\WINDOWS\system32\irmon.dll
2007-12-03 21:43 . 2004-08-19 15:39 28,672 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2007-12-03 21:43 . 2004-08-19 15:39 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-12-03 21:43 . 2004-08-19 15:39 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-12-01 12:38 . 2004-08-19 15:39 91,136 --a------ C:\WINDOWS\system32\kswdmcap.ax
2007-11-29 13:12 . 2007-11-29 13:12 <DIR> d---s---- C:\Documents and Settings\vale\UserData
2007-11-27 14:33 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-11-27 09:25 . 2004-08-19 15:39 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-11-27 09:25 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-27 09:25 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-27 09:25 . 2001-08-30 23:07 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-11-25 21:36 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-11-25 21:26 . 2007-11-25 21:28 <DIR> d--hsc--- C:\Programmi\File comuni\WindowsLiveInstaller
2007-11-25 21:25 . 2007-11-27 17:52 <DIR> d-------- C:\Programmi\Windows Live
2007-11-25 21:25 . 2007-11-25 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
2007-11-25 19:06 . 2007-11-25 19:06 244 --ah----- C:\sqmnoopt00.sqm
2007-11-25 19:06 . 2007-11-25 19:06 232 --ah----- C:\sqmdata00.sqm
2007-11-25 14:37 . 2007-07-09 14:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-25 14:15 . 2007-04-18 17:14 2,854,400 --a------ C:\WINDOWS\system32\msi.dll
2007-11-25 14:15 . 2005-05-04 14:45 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
2007-11-25 14:15 . 2005-05-04 14:45 271,360 --a------ C:\WINDOWS\system32\msihnd.dll
2007-11-25 14:15 . 2005-05-04 14:45 78,848 --a------ C:\WINDOWS\system32\msiexec.exe
2007-11-25 14:15 . 2005-05-04 14:45 15,360 --a------ C:\WINDOWS\system32\msisip.dll
2007-11-25 12:31 . 2007-11-25 12:31 <DIR> d-------- C:\Documents and Settings\vale\Contacts
2007-11-25 12:29 . 2007-11-24 11:44 <DIR> d--h----- C:\Documents and Settings\vale\Risorse di stampa
2007-11-25 12:29 . 2007-11-24 11:44 <DIR> d--h----- C:\Documents and Settings\vale\Risorse di rete
2007-11-25 12:29 . 2007-11-25 12:30 <DIR> dr------- C:\Documents and Settings\vale\Preferiti
2007-11-25 12:29 . 2007-11-24 11:55 <DIR> d--h----- C:\Documents and Settings\vale\Modelli
2007-11-25 12:29 . 2007-11-24 11:44 <DIR> dr------- C:\Documents and Settings\vale\Menu Avvio
2007-11-25 12:29 . 2007-11-24 11:44 <DIR> d--h----- C:\Documents and Settings\vale\Impostazioni locali
2007-11-25 12:29 . 2007-12-07 12:40 <DIR> dr------- C:\Documents and Settings\vale\Documenti
2007-11-25 12:29 . 2007-11-30 15:19 <DIR> dr-h----- C:\Documents and Settings\vale\Dati applicazioni
2007-11-25 12:01 . 2006-12-26 14:07 536,576 -----c--- C:\WINDOWS\system32\dllcache\msado15.dll
2007-11-25 12:01 . 2006-12-26 14:07 200,704 -----c--- C:\WINDOWS\system32\dllcache\msadox.dll
2007-11-25 12:01 . 2006-12-26 14:07 180,224 -----c--- C:\WINDOWS\system32\dllcache\msadomd.dll
2007-11-25 12:01 . 2006-12-26 14:07 102,400 -----c--- C:\WINDOWS\system32\dllcache\msjro.dll
2007-11-25 12:00 . 2007-11-26 14:40 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-25 12:00 . 2006-10-13 13:35 143,360 -----c--- C:\WINDOWS\system32\dllcache\nwprovau.dll
2007-11-25 08:10 . 2007-11-25 08:10 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2007-11-25 08:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-25 08:07 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-11-25 08:07 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-24 20:05 . 2007-12-07 16:08 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-11-24 20:04 . 2004-08-03 22:31 83,456 --a------ C:\WINDOWS\system32\dssenho.dll
2007-11-24 20:04 . 19,200 C:\WINDOWS\system32\drivers\iamgdqax.dat
2007-11-24 18:11 . 2007-12-03 21:16 <DIR> d-------- C:\Programmi\Google
2007-11-24 17:52 . 2007-11-24 17:52 <DIR> d-------- C:\Documents and Settings\Giuseppe\Contacts
2007-11-24 16:19 . 2007-11-24 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Windows Live Toolbar
2007-11-24 16:19 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-11-24 16:19 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-24 16:19 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-24 16:18 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-24 16:18 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-24 16:15 . 2007-11-25 22:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-11-24 16:05 . 2007-11-24 16:05 <DIR> d---s---- C:\Documents and Settings\Giuseppe\UserData
2007-11-24 14:48 . 2007-11-24 14:51 <DIR> d-------- C:\Programmi\Ahead
2007-11-24 14:26 . 2007-11-24 14:26 <DIR> d-------- C:\WINDOWS\Motive
2007-11-24 14:26 . 2007-11-24 14:26 <DIR> d-------- C:\Programmi\Pirelli
2007-11-24 14:26 . 2007-11-24 14:26 <DIR> d-------- C:\Programmi\File comuni\Motive
2007-11-24 14:26 . 2007-11-24 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Motive
2007-11-24 14:26 . 2007-11-24 14:45 126 --a------ C:\WINDOWS\PRLTP_USBdrv.ini
2007-11-24 14:25 . 2007-11-24 14:25 <DIR> d-------- C:\Programmi\Motive
2007-11-24 14:25 . 2007-11-24 14:25 <DIR> d-------- C:\Programmi\Common Files
2007-11-24 14:25 . 2007-11-24 14:26 <DIR> d-------- C:\Programmi\Alice ti aiuta
2007-11-24 14:24 . 2007-11-24 14:24 <DIR> d-------- C:\Programmi\Telecom Italia
2007-11-24 14:24 . 2007-11-24 14:26 <DIR> d--h----- C:\Programmi\InstallShield Installation Information
2007-11-24 14:24 . 2007-11-24 14:48 <DIR> d-------- C:\Programmi\File comuni\InstallShield
2007-11-24 14:24 . 2003-02-28 18:26 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-11-24 14:24 . 2003-02-28 18:26 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-11-24 14:24 . 2003-02-28 18:26 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-11-24 14:24 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-11-24 14:06 . 2007-11-24 14:06 <DIR> d-------- C:\Documents and Settings\LocalService\Dati applicazioni\AVG7
2007-11-24 14:06 . 2007-12-07 15:44 <DIR> d-------- C:\Documents and Settings\Giuseppe\Dati applicazioni\AVG7
2007-11-24 14:06 . 2007-11-24 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Grisoft
2007-11-24 14:06 . 2007-12-07 16:52 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\avg7
2007-11-24 14:06 . 2007-11-24 14:06 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-24 14:06 . 2007-11-24 14:06 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-24 13:58 . 2001-08-17 21:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-11-24 13:58 . 2001-08-17 21:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2007-11-24 13:57 . 2007-11-24 13:57 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Avvio
2007-11-24 13:51 . 2007-11-24 13:58 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-11-24 13:45 . 2007-11-24 13:45 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-24 13:39 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-24 13:39 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002037_.tmp
2007-11-24 13:37 . 2007-11-24 13:37 <DIR> d-------- C:\WINDOWS\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 11:00 --------- d-----w C:\Programmi\microsoft frontpage
2007-11-24 10:58 --------- d-----w C:\Programmi\Servizi in linea
2007-11-24 10:57 --------- d-----w C:\Programmi\File comuni\MSSoap
2007-11-24 10:44 --------- d-----w C:\Programmi\File comuni\SpeechEngines
2007-11-24 10:44 --------- d-----w C:\Programmi\File comuni\ODBC
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AA74F5D-83C7-4D4A-A85B-624519F2DEB8}]
2004-08-03 22:31 83456 --a------ C:\WINDOWS\system32\dssenho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-24 14:06]
"Motive SmartBridge"="C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 15:41]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 11:50]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 15:39 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:39]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-24 14:06]

R0 jrpekpqt;jrpekpqt;C:\WINDOWS\system32\drivers\iamgdqax.dat

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\Giuseppe\IMPOST~1\Temp\pmeulrfpHAM1AXH.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 13:19:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Scan finish time: 2007-12-10 13:20:46 - machine was rebooted
.
--- E O F ---


Thanks for what you're doing ^^
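
The "delete a file on reboot" option in HijackThis and the "delete on reboot" option in KillBox that Luke57 recommends above both rest on the same mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends the request to the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe carries the queued renames and deletes out early in the next boot, before a user-mode program can open the file again. The script below is an added example, not code from the thread or from either tool: it encodes and decodes that value and queues a delete, writing the registry only when actually run on Windows with administrator rights, so the encoding itself can be exercised anywhere. The caveat a practitioner wants here: a boot-start driver (Start=0, listed by ComboFix as R0, like the random-named jrpekpqt entry pointing at a .dat file in the log above) is loaded by the OS loader before smss.exe ever runs, so a kernel component can still be defending the file at that point; that is one way a delete-on-reboot comes back with the file still present. The path used is the one from the thread; the function names and the value layout comments are mine.

```python
"""Encode/decode PendingFileRenameOperations and queue a delete-on-reboot.

Added example, not code from the thread, HijackThis or KillBox. The value
layout (NT path pairs, "" = delete, "!" prefix = replace existing) is what
MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) writes; the helpers are my own.
"""
import sys
from typing import List, Optional, Tuple

# Where smss.exe looks for queued renames and deletes at boot.
KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"  # Win32 paths are stored as NT object-manager paths

Op = Tuple[str, Optional[str]]  # (source, target); target None means delete


def to_nt_path(path: str) -> str:
    """C:\\x\\y.dll -> \\??\\C:\\x\\y.dll; already-converted paths pass through."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def decode(multi_sz: List[str]) -> List[Op]:
    """The REG_MULTI_SZ is a flat list read in (source, target) pairs.
    Empty target: delete source.  Target with a leading '!': replace the
    target even if it exists (MOVEFILE_REPLACE_EXISTING)."""
    if len(multi_sz) % 2:
        raise ValueError("odd number of strings: value is corrupt")
    return [(src, dst or None) for src, dst in zip(multi_sz[0::2], multi_sz[1::2])]


def encode(ops: List[Op]) -> List[str]:
    flat: List[str] = []
    for src, dst in ops:
        flat.append(to_nt_path(src))
        if dst is None:
            flat.append("")
        elif dst.startswith("!"):
            flat.append("!" + to_nt_path(dst[1:]))
        else:
            flat.append(to_nt_path(dst))
    return flat


def add_delete(existing: List[str], path: str) -> List[str]:
    """Return the value with a delete of `path` queued, not queueing the same
    delete twice (path comparison is case-insensitive, as NTFS names are)."""
    ops = decode(existing)
    nt = to_nt_path(path)
    if any(src.lower() == nt.lower() and dst is None for src, dst in ops):
        return list(existing)
    return encode(ops + [(nt, None)])


def queue_delete_on_reboot(path: str) -> List[str]:
    """On Windows, read-modify-write the live value (administrator rights
    required); elsewhere return what would be written."""
    if sys.platform != "win32":
        return add_delete([], path)
    import winreg  # Windows-only module, imported lazily on purpose
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, access) as key:
        try:
            current, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            current = []
        updated = add_delete(list(current), path)
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ, updated)
    return updated


if __name__ == "__main__":
    print(queue_delete_on_reboot(r"C:\WINDOWS\system32\dssenho.dll"))
```

Reading the value back after the reboot is the check: if the pair is gone and the file is still there, smss.exe did run the delete and something earlier in the boot (a boot-start driver, or a file-system filter) refused it, which is when an offline scan or a rescue boot becomes the realistic next step rather than another user-mode tool.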

Post by inzi » 10/12/07 15:32

Hi, I started this topic a few days ago to remove viruses from my PC. I thought everything was fine, but actually the PC still seems slow and sluggish, and on top of that, when I plugged in the pen drive, a virus with the file UFO.exe appeared inside it. I'm posting a new log, hoping someone can still give me a hand. Thanks!!!


Logfile of HijackThis v1.99.1
Scan saved at 15.28.00, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Skype\Plugin Manager\SkypePM.exe
C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
inzi
Newbie

Posts: 7
Joined: 07/12/07 13:27

Post by Luke57 » 10/12/07 16:18

@ Lukino24
Hi, download avenger to the desktop
http://swandog46.geekstogo.com/avenger.zip
Unzip the archive
Run the file avenger.exe
Select the option "Input Script Manually"
Click on the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the text in bold:

Files to delete:
C:\WINDOWS\system32\dssenho.dll
C:\WINDOWS\system32\drivers\iamgdqax.dat

folders to delete:
C:\DOCUME~1\Giuseppe\IMPOST~1\Temp
C:\Windows\temp

registry keys to delete;
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AA74F5D-83C7-4D4A-A85B-624519F2DEB8}

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Click the Done button
Click the green traffic light icon
Answer Yes twice
The PC should reboot on its own; if it does not, reboot it manually.
Also post the log generated by avenger; you'll find it in C:\, it's a text file

Then go here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
download cureit to the computer, reboot into Safe Mode and run a thorough scan of the system.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Post by Luke57 » 10/12/07 16:25

@Inzi
Hi, open hijackthis, click "do a system scan only", find and tick:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,

click fix checked.

download avenger to the desktop
http://swandog46.geekstogo.com/avenger.zip
Unzip the archive
Run the file avenger.exe
Select the option "Input Script Manually"
Click on the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the text in bold:

Files to delete:
C:\WINDOWS\system32\secpol.exe
C:\WINDOWS\SYSTEM32\fsmgmt.dll


registry keys to delete;
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\ fsmgmt

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Click the Done button
Click the green traffic light icon
Answer Yes twice
The PC should reboot on its own; if it does not, reboot it manually.
Also post the log generated by avenger; you'll find it in C:\, it's a text file
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10
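The triage Luke57 did by eye can be written down as a check, so the same two lines get caught in any future log. The following is an added example and is not code from this thread, from HijackThis or from Avenger. It reads HijackThis lines and flags: an F2 UserInit value that launches anything besides userinit.exe (the extra program runs at every interactive logon, before the shell); any O20 Winlogon Notify DLL (it loads inside winlogon.exe as SYSTEM, and HijackThis already hides the stock ones), with higher severity when the file name reuses an MMC snap-in name such as secpol or fsmgmt under an .exe/.dll extension, as both of inzi's malicious files do; orphaned BHOs; and O23 "file missing" services, separating a genuinely absent binary from the avast! lines, where the string HijackThis tested still carries a stray quote and `/service`. The sample log is constructed from lines posted in this thread; the snap-in name list is a hand-picked assumption, not an exhaustive one.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
"""

# The one program Winlogon should launch through UserInit on a stock XP install.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# MMC snap-ins ship as .msc files; an .exe or .dll reusing one of these base
# names is a look-alike worth treating as hostile until proven otherwise.
# Assumption: a hand-picked subset, not an exhaustive list.
MSC_SNAPIN_NAMES = {"secpol", "fsmgmt", "compmgmt", "devmgmt", "diskmgmt",
                    "services", "gpedit", "lusrmgr", "eventvwr", "certmgr"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # HijackThis section code: F2, O2, O4, O20, O23
    detail: str


def looks_like_snapin_squat(path: str) -> bool:
    """True when the file name borrows an MMC snap-in name but is not a .msc file."""
    name = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    base, _, ext = name.rpartition(".")
    return base in MSC_SNAPIN_NAMES and ext in {"exe", "dll"}


def analyze_hjt(log_text: str) -> list[Finding]:
    """Return triage findings for the suspicious HijackThis line types seen in this thread."""
    findings: list[Finding] = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        code = line.split(" ", 1)[0]
        target = line.rsplit(" - ", 1)[-1]          # path part of O2/O20/O23 lines
        if code == "F2" and "UserInit=" in line:
            progs = [p.strip() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            extras = [p for p in progs if p.lower() != STOCK_USERINIT]
            if extras:
                # Anything listed here runs at every interactive logon, before the shell.
                findings.append(Finding("high", "F2", "UserInit also launches: " + ", ".join(extras)))
        elif code == "O4":
            cmd = line.split("] ", 1)[-1]
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
            if looks_like_snapin_squat(exe):
                findings.append(Finding("high", "O4", "Run entry uses a snap-in look-alike name: " + cmd))
        elif code == "O20":
            # Notify DLLs load inside winlogon.exe as SYSTEM; HijackThis hides the
            # stock ones, so anything it does list deserves a look.
            sev = "high" if looks_like_snapin_squat(target) else "medium"
            findings.append(Finding(sev, "O20", "Winlogon Notify DLL: " + target))
        elif code == "O2" and line.endswith("(no file)"):
            findings.append(Finding("low", "O2", "orphaned BHO registration: " + line))
        elif code == "O23" and line.endswith("(file missing)"):
            if '"' in target:
                # The tested string still carries a quote and arguments, so the
                # "missing" verdict is most likely a path-parsing artifact.
                findings.append(Finding("low", "O23", "quoted ImagePath with arguments, verify by hand: " + target))
            else:
                findings.append(Finding("medium", "O23", "service binary missing: " + target))
    return findings


def worst_severity(findings: list[Finding]) -> str | None:
    order = {"high": 0, "medium": 1, "low": 2}
    return min((f.severity for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.detail}")
```

On the sample the two high findings are exactly the two entries Luke57 asked inzi to fix (the F2 UserInit tail and the O20 Notify DLL); the avast! mail scanner comes out as low, because the "file missing" verdict was computed on a string that still contains `"` and `/service`.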

Post by inzi » 12/12/07 22:47

Done all the steps. Here is the avenger log.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\djirwcqj

*******************

Script file located at: \??\C:\Documents and Settings\frvwxorl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\secpol.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\fsmgmt.dll deleted successfully.


File registry keys to delete; not found!
Deletion of file registry keys to delete; failed!

Could not process line:
registry keys to delete;
Status: 0xc0000034



Could not open file HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\ fsmgmt for deletion
Deletion of file HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\ fsmgmt failed!

Could not process line:
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\ fsmgmt
Status: 0xc000003a

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.
inzi
Newbie

Posts: 7
Joined: 07/12/07 13:27
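The Avenger log above explains why the fsmgmt Notify entry is still around afterwards: the header was typed as `registry keys to delete;` with a semicolon, so Avenger never opened a new section and tried to delete both the header text and the key path as files under `Files to delete:` ("File registry keys to delete; not found!", then STATUS_OBJECT_NAME_NOT_FOUND 0xc0000034 and STATUS_OBJECT_PATH_NOT_FOUND 0xc000003a). The key path itself also has `WindowsNT` where the real key is `Windows NT` and a space after the last backslash. As an added example that is not code from this thread or from Avenger, the following lints a script for those mistakes, pulls every "Could not process line" block out of the log with its NTSTATUS name, and cross-checks the script entries against the "successfully" lines so you know what is still on the box before reading a fresh HijackThis log. The section header list and the exact-match assumption about how Avenger recognises headers are mine; the sample script and log are copied from the posts above.

```python
from __future__ import annotations
import re

# Constructed input: the script Luke57 posted for inzi and the relevant lines of
# the Avenger log inzi got back, both copied from this thread.
AVENGER_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\secpol.exe
C:\WINDOWS\SYSTEM32\fsmgmt.dll

registry keys to delete;
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\ fsmgmt

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
"""

AVENGER_LOG = r"""
File C:\WINDOWS\system32\secpol.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\fsmgmt.dll deleted successfully.

Could not process line:
registry keys to delete;
Status: 0xc0000034

Could not process line:
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\ fsmgmt
Status: 0xc000003a

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
"""

# Section headers exactly as they are spelled in the scripts on this page.
# Assumption: Avenger matches them case-insensitively and only with the ':'.
KNOWN_HEADERS = {"files to delete:", "folders to delete:",
                 "registry keys to delete:", "registry values to replace with dummy:"}

# NTSTATUS codes that appear in the posted log.
NTSTATUS = {"0xc0000034": "STATUS_OBJECT_NAME_NOT_FOUND",
            "0xc000003a": "STATUS_OBJECT_PATH_NOT_FOUND"}


def _is_header(line: str) -> bool:
    """A line that was meant as a section header, whatever punctuation it ends with."""
    return line.lower().rstrip(":;") + ":" in KNOWN_HEADERS


def lint_avenger_script(script: str) -> list[str]:
    """Flag the formatting mistakes that made Avenger skip lines in the posted log."""
    issues = []
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if _is_header(line):
            if line.lower() not in KNOWN_HEADERS:
                issues.append(f"line {n}: header {line!r} must end with ':' or Avenger treats it as an entry of the previous section")
            continue
        if line.lower().startswith("hk"):
            if re.search(r"\\\s|\s\\", line):
                issues.append(f"line {n}: whitespace next to a backslash in {line!r}")
            if "\\windowsnt\\" in line.lower():
                issues.append(f"line {n}: 'WindowsNT' should be 'Windows NT' (the real key name)")
    return issues


def failed_lines(log: str) -> list[tuple[str, str]]:
    """(offending line, NTSTATUS name) for every 'Could not process line' block."""
    lines = [l.strip() for l in log.splitlines()]
    out = []
    for i, l in enumerate(lines):
        if l == "Could not process line:":
            status = lines[i + 2].split()[-1].lower()
            out.append((lines[i + 1], NTSTATUS.get(status, status)))
    return out


def unresolved_targets(script: str, log: str) -> list[str]:
    """Script entries with no 'successfully' line in the log: still present on the machine."""
    ok = [l for l in log.splitlines() if "successfully" in l]
    pending = []
    for line in (l.strip() for l in script.splitlines()):
        if not line or _is_header(line):
            continue
        key = re.sub(r"\s*\|\s*", "|", line)   # the log prints 'key|value' without spaces
        if not any(key in l for l in ok):
            pending.append(line)
    return pending


if __name__ == "__main__":
    for issue in lint_avenger_script(AVENGER_SCRIPT):
        print("lint:", issue)
    for bad, status in failed_lines(AVENGER_LOG):
        print(f"failed: {bad!r} -> {status}")
    for t in unresolved_targets(AVENGER_SCRIPT, AVENGER_LOG):
        print("still present:", t)
```

Run against the posted material, the linter reports the semicolon header, the space after the backslash and the `WindowsNT` spelling, and the cross-check leaves exactly one target unresolved: the Notify key, which is why the second HijackThis log still shows the O20 line.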

Post by inzi » 12/12/07 22:50

I'm also posting the new hijackthis log. Is everything OK? Strange things are happening: before doing these new steps I plugged in the digital camera to download some photos and avast found a virus..


C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fsmgmt - fsmgmt.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
inzi
Newbie

Posts: 7
Joined: 07/12/07 13:27

Re: hijackthis log

Post by SILVELLO10 » 02/01/08 00:14

Get rid of AVG, it's no good as an antivirus, and install ANTIVIR; it's worth it.
SILVELLO10
Senior User

Posts: 106
Joined: 06/12/05 11:58

Re: hijackthis log

Post by SILVELLO10 » 02/01/08 00:16

Oh, I forgot! AVAST, like AVG, doesn't see certain viruses.
SILVELLO10
Senior User

Posts: 106
Joined: 06/12/05 11:58

Re: hijackthis log

Post by Luke57 » 02/01/08 09:59

Hi, part of your hijackthis log is missing; anyway, open the program, click "do a system scan only", find and tick the following entry:
O20 - Winlogon Notify: fsmgmt - fsmgmt.dll (file missing)

click fix checked.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10
