Win32:Small-gen2 [trj]

di **mammamia_che casino** » 03/04/07 15:31

MA CHE BARBA!!!!!!!!!!!!!!!
TUTTI IO DEVO BECCARMELI STI VIRUS DI M.........

ALLORA:

all'avvio del mio pc, avast4 rleva un file infetto da Win32:small-gen2 [trj]
adesso io ho avuto già a che fare con questo ma non mi sembra che cera il -gen2...allora ho pensato forse è un nuovo virus.....ora non mi ricordo come ho fatto a risolvere il mio problema....mi ricordo solo che avevo scaricato quel programma là jacketthis...o come si chiama poi.....

mi potreste indicare come muovermi?? ve ne sarei infinitamente grata

grazie ciao

di **mammamia_che casino** » 03/04/07 15:58

ecco cosa ho salvato dalla scansione di hijackthis ora spiegatemi cosa devo fare grazie=)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:54:55, on 03.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\sj650\hpupdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programmi\Alwil Software\Avast4\ashSimpl.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hazir\Documenti\Documenti\Seada & Sanela\sanela\varie\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://blueadit.bluewin.ch/adsl/router/index_i.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Programmi\iMesh applications\iMesh MediaBar\MediaBar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Programmi\iMesh applications\iMesh MediaBar\MediaBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\systpro32.exe
O4 - Startup: MSwin--1173272340.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MS_update_0612_KB74062.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.ticino.com:8000/java/cr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d ... o-eula.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sane89overspace.spaces.live.com/ ... nPUpld.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://caebmm.imgag.com/imgag/cp/instal ... er-cae.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O21 - SSODL: rdihost - {7C86E66A-D01D-48C3-B886-7781C7E32816} - rdihost.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 6416 bytes

di **mammamia_che casino** » 03/04/07 16:53

VI PREGO SE QUALCUNO MI SA RISPONDERE......LO FACCIA

CMQ HO UNA DOMANDA: POSSO ELIMINARE I FILE E LE CARTELLE CHE SONO NELLLA CARTELLA C:Documents and settings/NOME/Impostazioni locali/Temp ???

di **mammamia_che casino** » 04/04/07 17:29

AIUTOOOOOO
vi prego il mio pc sta andando a putt*ne!!!!!!

Almeno spiegatemi cosa ha il mio pc...un virus, un spyware o un malaware(poi mi spiegate anche cosa sono)
perchè secondo voi ho sto problema???
e più di ogni altra cosa come posso eliminare sto coso è Win32: qualcosa che infetta il mio pc :cry:

una volta mi avete aiutato per un problema del genere ma adesso non mi ricordo come cavolo avete fatto

bhè grazie

di **mammamia_che casino** » 04/04/07 17:48

pf rispondete

di **mammamia_che casino** » 06/04/07 09:12

ciao sono di nuovo io....posso chiedervi se il mio pc ha qualcosa dal logfile di hijackthis?? almeno potete capire se c'è qualcosa che non va??

vi ringrazio infinitamente

mammamia_che casino

di **Luke57** » 06/04/07 11:48

Ciao, apri hijackthis ,premi “do a system scan only”, cerca e spunta le voci seguenti:
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\systpro32.exe
O4 - Startup: MSwin--1173272340.exe
Premi fix checked.

Poi scarica AVENGER e decomprimilo sul desktop (estrai i file nel desktop)
http://swandog46.geekstogo.com/avenger.zip

- con un doppio click avvia il file avenger.exe
- Seleziona "Input Script Manually"
- Clicca sulla lente di ingrandimento

- Nella finestra che si aprirà "View/edit script"
- copia / incolla (Ctrl+V) quanto segue (in neretto):

files to delete:
C:\windows\systpro32.exe
C:\windows\winhp32.exe
C:\windows\systempro32.dll

Clicca sul tasto Done
- Poi sull'icona del semaforo
- Rispondi Yes due volte

Il pc dovrebbe riavviarsi ( se così non fosse, fallo tu)
Posta il log che verrà creato in C:\Avenger.

Inoltre scarica Gmer da qui:
http://www.majorgeeks.com/GMER_d5198.html
scompatta il file .zip e avvia gmer.exe, con tutte le altre applicazioni chiuse.
Per entrare in Avanzate premi il tab>>>>. Poi scegli il tab Rootkit, spunta anche la casella ADS , fai uno Scan completo. Al termine clicca Copy e incolla il report in un file di testo.
Ritorna su Gmer, premi il tab Autostart (non spuntare la casella show all) e premi Scan. Al termine click su Copy e incolla il report nel medesimo foglio di testo.
Poi, copia e incolla i due report in un post nel forum.

di **mammamia_che casino** » 06/04/07 15:48

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vohrgjwl

*******************

Script file located at: \??\C:\myvqyymn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\windows\systpro32.exe not found!
Deletion of file C:\windows\systpro32.exe failed!

Could not process line:
C:\windows\systpro32.exe
Status: 0xc0000034

File C:\windows\winhp32.exe not found!
Deletion of file C:\windows\winhp32.exe failed!

Could not process line:
C:\windows\winhp32.exe
Status: 0xc0000034

File C:\windows\systempro32.dll not found!
Deletion of file C:\windows\systempro32.dll failed!

Could not process line:
C:\windows\systempro32.dll
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-06 14:50:25
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.12 ----

? jouuywul.sys Impossibile trovare il file specificato.

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Hazir\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\piccola_93@msn.com\SharingMetadata\emil94@bluewin.ch\DFSR\Staging\CS{2A9AF3C5-3341-618E-3167-EA4C84278765}\01\10-{2A9AF3C5-3341-618E-3167-EA4C84278765}-v1-{201BE37A-4454-4142-870C-A1298536C317}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Hazir\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\piccola_93@msn.com\SharingMetadata\emil94@bluewin.ch\DFSR\Staging\CS{2A9AF3C5-3341-618E-3167-EA4C84278765}\11\15-{201BE37A-4454-4142-870C-A1298536C317}-v11-{201BE37A-4454-4142-870C-A1298536C317}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Hazir\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\piccola_93@msn.com\SharingMetadata\emil94@bluewin.ch\DFSR\Staging\CS{2A9AF3C5-3341-618E-3167-EA4C84278765}\11\15-{201BE37A-4454-4142-870C-A1298536C317}-v11-{201BE37A-4454-4142-870C-A1298536C317}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Hazir\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\seada_aljo@hotmail.com\SharingMetadata\kurmemi_cg@hotmail.com\DFSR\Staging\CS{85230BBD-9057-D3D4-9A65-2A0025DEFFBA}\01\10-{85230BBD-9057-D3D4-9A65-2A0025DEFFBA}-v1-{683D0C73-34D4-4A9A-8B52-C5400F9F78F8}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

---- EOF - GMER 1.0.12 ----

GMER 1.0.12.12086 - http://www.gmer.net
Autostart scan 2007-04-06 14:51:22
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
ProtexisLicensing /*ProtexisLicensing*/@ = C:\WINDOWS\system32\PSIService.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@SiSPowerRundll32.exe SiSPower.dll,ModeAgent = Rundll32.exe SiSPower.dll,ModeAgent
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@ISUSPM StartupC:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup = C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
@ISUSScheduler"C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start = "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
@hp Update 3300CC:\sj650\hpupdate.exe 3300C+ /*file not found*/ = C:\sj650\hpupdate.exe 3300C+ /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@rdihost = rdihost.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Programmi\File comuni\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Programmi\File comuni\Microsoft Shared\Web Folders\MSONSEXT.DLL
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office12\msohevi.dll = C:\Programmi\Microsoft Office\Office12\msohevi.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\msoshext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{02478D38-C3F9-4EFB-9B51-7695ECA05670}C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll = C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
@{9EDB89EF-E4BC-4c70-B102-8F7A4365EE33}C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll /*file not found*/ = C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.ch/ = http://www.google.ch/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-help@CLSID = C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
MS_update_0612_KB74062.exe = MS_update_0612_KB74062.exe
Utility Tray.lnk = Utility Tray.lnk

---- EOF - GMER 1.0.12 ----
[/i]

di **Luke57** » 06/04/07 17:28

Ciao, apri hijackthis, premi "do a system scan only", cerca e spunta questa voce:
O21 - SSODL: rdihost - {7C86E66A-D01D-48C3-B886-7781C7E32816} - rdihost.dll (file missing)
premi fixcheked

Non è detto che siano presenti i seguenti files, ma cercarli non costa niente:
Riavvia Avenger inserendo questo script:

Files to delete:
C:\windows\photo album.zip
C:\Windows\System32\rdfhost.dll
C:\Windows\System32\rdihost.dll
C:\Windows\System32\rdshost.dll

Posta il relativo report.

Inoltre scarica ATFcleaner da qui:
http://www.atribune.org/ccount/click.php?id=1
(per eliminare i file temporanei)

Poi avvia ATFCleaner. Clicca sul menu main e poi seleziona la casella Select All. Adesso clicca sul pulsante Empty selected e aspetta il messaggio Done Cleaning!.

di **mammamia_che casino** » 06/04/07 19:07

caro luke io ci ho provato ho seguito ogni tua indicazione...ma ad ogni riavvio mi esce sempre:
Messaggio della scansione all'avvio di avast!
C:\DOCUME~1\Proprietario\IMPOST~1\Temp\tmp1.tmp è infettato dal virus 'Win32:Small-gen2[trj]'!

poi mi esce la finestra di avast per farlo cancellare
e mi "dice":

Nome del file: C:\DOCUME~1\Proprietario\IMPOST~1\Temp\tmp1.tmp
Nome malware: Win32:Small-gen2[trj]
Tipo di malware: Cavallo di Troia

io come del resto ogni volta cancello ma poi ad ogni riavvio compare sempre...cosa ne pensi?

(ah una curiosità...ma sono talmente imbra col pc che non me ne capacito...cosa significa postare? :oops:

)

grazie mille per il tuo aiuto!![/quote]

di **Luke57** » 06/04/07 21:00

Ciao, segui queste indicazioni:
scarica SystemScan (strumento di diagnosi)
http://www.suspectfile.com/systemscan
salvalo sul desktop, diattiva l'antivirus, apri systemscan ed assicurati che tutte le opzioni siano spuntate, clicca su "Scan Now".
Al termine della scansione (da pochi minuti a 20-30 minuti) verrà rilasciato in C:\suspectfile il file report.txt.
Siccome è molto lungo non entrerà in un post nel forum (ecco che cosa significa postare

)
Vai su
http://www.easy-share.com carica il file
(Fai in questo modo: click su sfoglia, individui il file C:\suspectfile\report.txt, , premi Upload) e nella tua prossima risposta in un post, qui nel forum, scrivi l'URL che ti sarà fornito (ti sarà fornito anche il link per cancellare il file, quello non me lo indicare) per scaricarlo.
Chiaro?

di **mammamia_che casino** » 07/04/07 11:49

ecco..e cosa devo fare ora?

http://w12.easy-share.com/cgi-bin/upload.cgi

di **mammamia_che casino** » 07/04/07 11:53

usa mi sono sbagliata ecco qua quello che mi chiedevi... :oops:

http://w12.easy-share.com/974005.html

di **Luke57** » 07/04/07 14:48

Ciao, esegui Avenger con le consuete modalità, inserendo questo script:

Files to delete:
C:\WINDOWS\12155100116.exe

Posta il report.

di **mammamia_che casino** » 07/04/07 16:44

caro luke ho seguito tutto alla lettera ma appena clicco sul semaforo mi esce

Error: Selected file does not appear to be a valid script

poi vado avanti e mi esce

Press OK to log error and continue or Cancel to about

io clicco OK e mi esce

Error code: 0

Allora io non protrei aliminarlo manualmente? sono andata a cercare il file 12155100116 e l'ho trovato ma non so se eliminarlo?!?!?

cosa faccio allora se non mi va?

di **Luke57** » 07/04/07 18:45

Ciao, quello è il trojan da togliere, nello script di Avenger devi incollare questa scritta:

Files to delete:
C:\WINDOWS\12155100116.exe

Segui le istruzioni nel mio primo post riguardante l'uso di Avenger.
Altrimenti, prova ad eliminarlo manualmente.

di **mammamia_che casino** » 08/04/07 12:14

luke....io l'ho eliminato...ma quando ho riavvioato il pc mi è uscito di nuovo
Messaggio della scansione all'avvio di avast!
C:\DOCUME~1\Proprietario\IMPOST~1\Temp\tmp1.tmp è infettato dal virus 'Win32:Small-gen2[trj]'!

poi mi esce la finestra di avast per farlo cancellare
e mi "dice":

Nome del file: C:\DOCUME~1\Proprietario\IMPOST~1\Temp\tmp1.tmp
Nome malware: Win32:Small-gen2[trj]
Tipo di malware: Cavallo di Troia

cosa faccio?...non capisco!!! :?:

di **mammamia_che casino** » 08/04/07 12:16

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pokjrhof

*******************

Script file located at: \??\C:\WINDOWS\system32\wiywjxtp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\12155100116.exe not found!
Deletion of file C:\WINDOWS\12155100116.exe failed!

Could not process line:
C:\WINDOWS\12155100116.exe
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

di **mammamia_che casino** » 10/04/07 11:59

ciao luke io ho provato a rifare tutto quello che mi hai suggerito...

ecco i report di avenger e di gmer

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vnimjpbh

*******************

Script file located at: \??\C:\mlqrnqht.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\windows\systpro32.exe not found!
Deletion of file C:\windows\systpro32.exe failed!

Could not process line:
C:\windows\systpro32.exe
Status: 0xc0000034

File C:\windows\winhp32.exe not found!
Deletion of file C:\windows\winhp32.exe failed!

Could not process line:
C:\windows\winhp32.exe
Status: 0xc0000034

File C:\windows\systempro32.dll not found!
Deletion of file C:\windows\systempro32.dll failed!

Could not process line:
C:\windows\systempro32.dll
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

Ecco il report di gmer

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-10 12:49:47
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.12 ----

? idmqkbnc.sys Impossibile trovare il file specificato.

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) F7A80000

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Hazir\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\piccola_93@msn.com\SharingMetadata\emil94@bluewin.ch\DFSR\Staging\CS{2A9AF3C5-3341-618E-3167-EA4C84278765}\01\10-{2A9AF3C5-3341-618E-3167-EA4C84278765}-v1-{201BE37A-4454-4142-870C-A1298536C317}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Hazir\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\piccola_93@msn.com\SharingMetadata\emil94@bluewin.ch\DFSR\Staging\CS{2A9AF3C5-3341-618E-3167-EA4C84278765}\11\15-{201BE37A-4454-4142-870C-A1298536C317}-v11-{201BE37A-4454-4142-870C-A1298536C317}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Hazir\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\piccola_93@msn.com\SharingMetadata\emil94@bluewin.ch\DFSR\Staging\CS{2A9AF3C5-3341-618E-3167-EA4C84278765}\11\15-{201BE37A-4454-4142-870C-A1298536C317}-v11-{201BE37A-4454-4142-870C-A1298536C317}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Hazir\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\seada_aljo@hotmail.com\SharingMetadata\kurmemi_cg@hotmail.com\DFSR\Staging\CS{85230BBD-9057-D3D4-9A65-2A0025DEFFBA}\01\10-{85230BBD-9057-D3D4-9A65-2A0025DEFFBA}-v1-{683D0C73-34D4-4A9A-8B52-C5400F9F78F8}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

---- EOF - GMER 1.0.12 ----

GMER 1.0.12.12086 - http://www.gmer.net
Autostart scan 2007-04-10 12:51:03
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
ProtexisLicensing /*ProtexisLicensing*/@ = C:\WINDOWS\system32\PSIService.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@SiSPowerRundll32.exe SiSPower.dll,ModeAgent = Rundll32.exe SiSPower.dll,ModeAgent
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@ISUSPM StartupC:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup = C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
@ISUSScheduler"C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start = "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
@hp Update 3300CC:\sj650\hpupdate.exe 3300C+ /*file not found*/ = C:\sj650\hpupdate.exe 3300C+ /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Programmi\File comuni\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Programmi\File comuni\Microsoft Shared\Web Folders\MSONSEXT.DLL
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office12\msohevi.dll = C:\Programmi\Microsoft Office\Office12\msohevi.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\msoshext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{02478D38-C3F9-4EFB-9B51-7695ECA05670}C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll = C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
@{9EDB89EF-E4BC-4c70-B102-8F7A4365EE33}C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll /*file not found*/ = C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.ch/ = http://www.google.ch/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-help@CLSID = C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
MS_update_0612_KB74062.exe = MS_update_0612_KB74062.exe
MS_update_0704_KB74073.exe = MS_update_0704_KB74073.exe
Utility Tray.lnk = Utility Tray.lnk

---- EOF - GMER 1.0.12 ----

di **mammamia_che casino** » 10/04/07 12:02

ed eccoti anche l'url di http://www.easy-share.com

http://w12.easy-share.com/983255.html

se per favore puoi vedere se è cambiato qualcosa e se così c'è qualche speranza.....

Win32:Small-gen2 [trj]

Win32:Small-gen2 [trj]

Topic correlati a "Win32:Small-gen2 [trj]":

Chi c’è in linea