richiesta connessione a numero sconosciuto

[muffo]

Ciao ragazzi, ho un problema con qualche virus, appena accendo il pc, mi appaiono dei messaggi chiedendomi di connettermi a un numero sconosciuto e una volta connesso (con mio nome utente e password) cominciano ad aprirsi delle finestre della symantec dove cerca di trasmettere delle mail (ho installato norton 2005 ma non è attivo), sicuro di un vostro aiuto...
saluto e ringrazio tutti quanti!!

[DinX2100+]

Primo consiglio:

Disinstalla Norton antivirus è un pacco e non è affidabile

Installa AVG free o avast! sono gratis e funziano.

Secondo consiglio:

Controlla le impostazioni di connessione, che sia il numero del tuo operatore telefonico, se non lo è cancella la connessione e creane un'altra.

..se ti da ancora problemi scarica hijackthis (scritto giusto? - lo trovi su sto sito) e pubblica qui in pc facile il log oppure usa il programma automatico in internet (meno affidabile).

[muffo]

Grazie Dinx!!
ho disinstallato norton ma penso mi abbia lasciato ancora qualche file, come elimino tutto completamente?
AVG free o avast da dove li scarico?
thanx...

[muffo]

intanto vi mando il log file:

Logfile of HijackThis v1.99.1
Scan saved at 22.02.13, on 21/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\svchost.exe
C:\Programmi\Trust\WB-3500T USB2 Webcam\SnapTrap.exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINNT\System32\mioengine.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\services.exe
C:\WINNT\System32\services.exe
C:\WINNT\System32\services.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\nicola\IMPOST~1\Temp\Rar$EX00.117\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5CC30395-E4A0-AF73-8212-0238EDBB6586} - C:\WINNT\wphhl1.dll (file missing)
O2 - BHO: Class - {A30D56AA-C844-5FFB-0887-16271BFB4F16} - C:\WINNT\wphhl1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [STICAP] C:\Programmi\Trust\WB-3500T USB2 Webcam\SnapTrap.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [IMprocess] C:\Programmi\Instant Messenger Names\IM-svr.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [DW4] "C:\Programmi\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINNT\cpu2560.exe
O4 - Startup: My 190.it.lnk = C:\Documents and Settings\nicola\Dati applicazioni\mioObjects\[objects]\69GWEU9386MTAR08.mio
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9925362144
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat.capital.it:4080/chat/data/h ... sichat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.digitalpix.it/controls/ImageUploader2.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EC7012D-95A3-4B41-96C8-BF06A0D51C30}: NameServer = 213.205.36.70 213.205.32.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F7069E-E56B-4500-8481-6D1C5E3881E5}: NameServer = 193.70.192.25,193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{5EC7012D-95A3-4B41-96C8-BF06A0D51C30}: NameServer = 213.205.36.70 213.205.32.70
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe

[andorra24]

Ciao, metti la spunta nella casellina accanto alle seguenti voci e dopo esserti disconnesso da internet ed aver chiuso tutti i programmi aperti premi fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\WINNT\cpu2560.exe

Vai su start/risorse del computer/strumenti/opzioni cartella/visualizzazione e metti la spunta su visualizza cartelle file nascosti e togli la spunta da ''nascondi i file protetti di sistema''.

Scarica killbox da qui: http://www.killbox.net/downloads/KillBox.exe
con killbox elimina i seguenti files (se presenti) :
c:\secure32.html
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINNT\cpu2560.exe

Purtroppo hai anche il linkoptimizer. Scarica questo tool di rimozione:
http://www.prevx.com/gromozon.asp
disattiva momentaneamente l'antivirus, con i programmi e applicazioni chiusi, esegui il tool.
Al riavvio del computer, il programma terminerà la scansione nelle restanti cartelle di windows. Al termine della scansione sarà rilasciato un report in C:\Gromzon_Removal.log.
Posta il report sul forum.

[Luke57]

Ciao, per secure32.html esiste un tool apposito:
scarica SmitFraudfix e decomprimilo in una cartella a tua scelta estraendo tutti i file:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Riavvia in modalità provvisoria
(Avviare il computer.Subito dopo il calcolo della RAM e prima che inizi a caricarsi Windows, iniziare a premere ripetutamente il tasto F8 sulla tastiera. Continuare a farlo fino a visualizzare il menu Opzioni avanzate di Windows. Usando i tasti freccia sulla tastiera, scorrere le opzioni e selezionare il menu Modalità Provvisoria, quindi premere Invio)

Apri la cartella che contiene SmitfraudFix avvia smitfraudfix.cmd
Seleziona opzione #2 - Clean cliccando sul 2 e premi Invio.
Riceverai questo messaggio: Registry cleaning - Do you want to clean the registry ?
Rispondi Sì cliccando Y e premi invio.
Rispondi Sì (Y) ad eventuali altre domande

Riavvia il computer normalmente e posta il report della scansione.

L'uso del programma suddetto non esonera da compiere le altre operazioni suggerite.

[muffo]

Ecco il Gromozon log

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINNT
Gromozon-Related Malicious Code Detected!
FileName: C:\WINNT\2.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINNT\4D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINNT\90.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINNT\wphhl1.del
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINNT\wphhl1.dll
Removed!
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\MhLL.exe
Removing protected file: C:\Programmi\File comuni\System\NRgP.exe
Removing protected file: C:\Programmi\File comuni\System\NRZ.exe
Removing protected file: C:\Programmi\File comuni\System\Nsf.exe
Removing protected file: C:\Programmi\File comuni\System\scU.exe
Removing protected file: C:\Programmi\File comuni\System\tJH.exe


Trojan.Gromozon Removed!

[andorra24]

Scarica Gmer :
http://www.suspectfile.com/upload/files/tools/gmer.zip

Dopo averlo scompattato, lo avvii, selezioni "Rootkit" nella tabella dei Menu
Clicca su "Scan"
Attendi la fine della scansione e clicca su "Copy"
Apri il block notes di windows, clicca su modifica e seleziona incolla

Poi fai una scansione con GMer dalla posizione Autostart, con le stesse procedure del precedente. Incolli il log generato nel suddetto block notes e poi incolli i due log in un post nel forum.

[muffo]

ecco il log di smitfraudfix e gmer (a seguire)

SmitFraudFix v2.97

Scan done at 9.34.22,19, 22/09/2006
Run from C:\Documents and Settings\nicola\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"="USB Mouse Driver"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\uniq Deleted
C:\Programmi\SpywareQuake.com\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-22 10:08:21
Windows 5.1.2600


---- Devices - GMER 1.0.10 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE

F3948F08

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log


File C:\System Volume

Information\_restore{1FEEB6FD-CFF3-4DAF-8F5E-A1B54B3B351C}

---- EOF - GMER 1.0.10 ----


GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-22 10:09:11
Windows 5.1.2600


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows =

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows

SharedSection=1024,3072,512 Windows=On SubSystemType=Windows

ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3

ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off

MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit =

C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\WRNotifier@DLLName = WRLogonNTF.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
C-DillaCdaC11BA /*C-DillaCdaC11BA*/@ = C:\WINNT\System32\drivers\CDAC11BA.EXE
EPSONStatusAgent2 /*EPSON Printer Status Agent2*/@ = C:\Programmi\File

comuni\EPSON\EBAPI\SAgent2.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINNT\System32\wdfmgr.exe
UpdDle /*UpdDle*/@ = "C:\Programmi\File comuni\System\Nsf.exe" /*file not

found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@STICAPC:\Programmi\Trust\WB-3500T USB2 Webcam\SnapTrap.exe =

C:\Programmi\Trust\WB-3500T USB2 Webcam\SnapTrap.exe
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k =

%systemroot%\system32\dumprep 0 -k
@zBrowser LauncherC:\Programmi\Logitech\iTouch\iTouch.exe =

C:\Programmi\Logitech\iTouch\iTouch.exe
@EM_EXECC:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE =

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
@NeroCheckC:\WINNT\system32\NeroCheck.exe = C:\WINNT\system32\NeroCheck.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime =

"C:\Programmi\QuickTime\qttask.exe" -atboottime
@CnxDslTaskBarC:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe =

C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
@IMprocessC:\Programmi\Instant Messenger Names\IM-svr.EXE /*file not found*/

= C:\Programmi\Instant Messenger Names\IM-svr.EXE /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MsnMsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background =

"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
@LDMC:\Programmi\Logitech\Desktop

Messenger\8876480\Program\LogitechDesktopMessenger.exe =

C:\Programmi\Logitech\Desktop

Messenger\8876480\Program\LogitechDesktopMessenger.exe
@DW4"C:\Programmi\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

= "C:\Programmi\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
@Skype"C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized =

"C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
@swgC:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotif

ier.exe =

C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.

exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del

Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file

not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}

/*Anteprima*/C:\WINNT\System32\thumbvw.dll /*file not found*/ =

C:\WINNT\System32\thumbvw.dll /*file not found*/
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Programma di estrazione filtri

grafici di Office in anteprima*/C:\WINNT\System32\thumbvw.dll /*file not

found*/ = C:\WINNT\System32\thumbvw.dll /*file not found*/
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface

delegator*/(null) =
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle

Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL =

C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon

Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL =

C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon

Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll =

C:\Programmi\Microsoft Office\Office10\msohev.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell

extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{B4B3001E-0F56-4E51-8250-BDE11547EC55} /*Super Ad Blocker Toolbar*/(null) =
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing

Preview*/C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcThumbnail16.dll

= C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*Gestore icona firma digitale di

AutoCAD*/C:\WINNT\System32\AcSignIcon.dll = C:\WINNT\System32\AcSignIcon.dll
@CorelDRAW Shell Extension Component /*CorelDRAW Shell Extension

Component*/(null) =
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing

Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll =

C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2

} = C:\Programmi\Norton AntiVirus\NavShExt.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} =

C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-

8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2

} = C:\Programmi\Norton AntiVirus\NavShExt.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} =

C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper

Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
@{5CC30395-E4A0-AF73-8212-0238EDBB6586}C:\WINNT\wphhl1.dll /*file not found*/

= C:\WINNT\wphhl1.dll /*file not found*/
@{A30D56AA-C844-5FFB-0887-16271BFB4F16}C:\WINNT\wphhl1.dll /*file not found*/

= C:\WINNT\wphhl1.dll /*file not found*/
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar2.dll

= c:\programmi\google\googletoolbar2.dll
@{BDF3E430-B101-42AD-A544-FADC6B084872}C:\Programmi\Norton

AntiVirus\NavShExt.dll /*file not found*/ = C:\Programmi\Norton

AntiVirus\NavShExt.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.pdf@Location =

C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=ms

nhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start

Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&

pver={SUB_PVER}&ar=home =

http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver

={SUB_PVER}&ar=home
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redi ... ar=msnhome

= http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINNT\System32\msvidctl.dll
its@CLSID = C:\WINNT\System32\itss.dll
lid@CLSID = C:\WINNT\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information

Retrieval\msitss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINNT\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx
wia@CLSID = C:\WINNT\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F4F7069E-

E56B-4500-8481-6D1C5E3881E5} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress10.0.0.8 = 10.0.0.8
@NameServer193.70.192.25,193.70.152.25 = 193.70.192.25,193.70.152.25
@DefaultGateway10.0.0.2 = 10.0.0.2
@Domain =

C:\Documents and Settings\nicola\Menu Avvio\Programmi\Esecuzione automatica =

My 190.it.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione

automatica >>>
EPSON Status Monitor 3 Environment Check 2.lnk = EPSON Status Monitor 3

Environment Check 2.lnk
Logitech Desktop Messenger.lnk = Logitech Desktop Messenger.lnk

---- EOF - GMER 1.0.10 ----

[Luke57]

Ciao di nuovo, esegui in ordine queste procedure:

Verifica se in pannello di controllo\installazioni\applicazioni hai LinkOptimizer /o Connection Services , se sì NON PROVARE A DISISTALLARLE, ma scarica MyUninstaller da qui:

http://www.nirsoft.net/utils/myuninst.html

con questo programmino potrai disistallare eventualmente LinkOptimizer.
Apri il programma (click su myuninst.exe, attendi che vengono elencate le applicazioni presenti, evidenzi Linkoptimizer e/o Connection Services , click con il dx e scegli Delected)


Start>esegui>control userpasswords2 (lo scrivi nello spazio bianco)>OK

Nella finestra Account utente, dovresti avere un'utenza sospetta con nome casuale (oltre le consuete Administrators e Utente, Aspnet), tipo XYZFG. La evidenzi e scegli Rimuovi
2) Rendi visibili file e cartelle nascosti:

da gestione del computer>strumenti>Opzioni Cartella
Seleziona Visualizza
Spunta "mostra file e cartelle nascoste"
Togli la spunta da "nascondi file protetti di sistema (consigliato)
Premi OK
Vai in C:\Documents and Settings, se trovi una cartella con lo stesso nome dell'utenza, elimina anch'essa

scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\UpdDle
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A30D56AA-C844-5FFB-0887-16271BFB4F16}


Folders to delete:
C:\Windows\Temp

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente


Il programma rilascia un log con le operazioni eseguite.

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script.

Posta un nuovo log di hiajckthis.

[muffo]

ok, questo il log di avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bslccyrm

*******************

Script file located at: \??\C:\ftohgrwd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\UpdDle deleted successfully.
Folder C:\Windows\Temp deleted successfully.


Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A30D56AA-C844-5FFB-0887-16271BFB4F16} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


...e di hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 13.30.56, on 22/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Programmi\Trust\WB-3500T USB2 Webcam\SnapTrap.exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINNT\System32\mioengine.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\notepad.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINNT\System32\wuauclt.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\nicola\IMPOST~1\Temp\Rar$EX00.917\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5CC30395-E4A0-AF73-8212-0238EDBB6586} - C:\WINNT\wphhl1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [STICAP] C:\Programmi\Trust\WB-3500T USB2 Webcam\SnapTrap.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [IMprocess] C:\Programmi\Instant Messenger Names\IM-svr.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [DW4] "C:\Programmi\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: My 190.it.lnk = C:\Documents and Settings\nicola\Dati applicazioni\mioObjects\[objects]\69GWEU9386MTAR08.mio
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9925362144
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat.capital.it:4080/chat/data/h ... sichat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.digitalpix.it/controls/ImageUploader2.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F7069E-E56B-4500-8481-6D1C5E3881E5}: NameServer = 193.70.192.25,193.70.152.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe

[Luke57]

Ciao, copia l'eseguibile di hijackthis in una cartella appositamente creata, tipo C:\HJT, in modo che il programma possa fare un backup delle voci rimosse,
Fatto questo, lo apri, premi "do a system scan only", cerchi e spunti:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5CC30395-E4A0-AF73-8212-0238EDBB6586} - C:\WINNT\wphhl1.dll (file missing)
premi fix checked.

Hai trovato qualcosa nelle altre cose da fare?

[muffo]

ok, ho fatto quanto mi avete indicato...
due ultime cose, all'avvio mi chiede sempre la connessione, ad es. a skype (che ho installato ma è la prima volta che mi arrivano richieste di connessione) o google;
poi un'ultima richiesta, dadove scarico avast o un'altro antivirus efficace??

grazie mille ancora...

[andorra24]

dadove scarico avast o un'altro antivirus efficace??

Il sito di avast lo trovi qui: http://www.avast.com
la versione italiana dell'antivirus qui: http://files.avast.com/iavs4pro/setupita.exe

Ciao.

[muffo]

grazie mille, siete sempre super efficaci, se dovessi avere altri problemi non mancherò a contattarvi (speriamo di no...)