Salve,
su un computer che era pieno di virus e spyware, sono riuscito a ripulire quasi tutto.
Mi sono rimasti solo due problemi:
- Sporadicamente durante la navigazione si aprono finestre pubblicitarie (non pornografiche).
- La prima volta (solo la prima volta) quando apro internet explorer non vengono visualizzate le barre degli strumenti (successivamente riaprendolo č tutto ok).
C'č qualcuno che sa aiutarmi?
Saluti e grazie
Dimenticavo, vi posto il log di HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.43.15, on 07/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Dati applicazioni\ktydgxmt\urcjotcr.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\AxiosSpa\bin\fbicfg.exe
C:\Programmi\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AxiosSpa\bin\fbisvc.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.1119 .1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [p2aO7301T3] C:\Documents and Settings\All Users\Dati applicazioni\ktydgxmt\urcjotcr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AXIOSData AluWeb Producer.lnk = C:\Programmi\AxiosSpa\bin\fbicfg.exe
O4 - Global Startup: Google Updater.lnk = C:\Programmi\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Lookup aggiornamenti.lnk = C:\Programmi\AxiosSpa\bin\cluplookup.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: __c00606A2 - C:\WINDOWS\system32\__c00606A2.dat
O21 - SSODL: sxfnewqb - {83FDD397-903E-4D1C-8B1B-8E7DB19B8084} - C:\WINDOWS\sxfnewqb.dll (file missing)
O21 - SSODL: fkdnrwsv - {B6832B8C-7DAF-4D9C-87A2-F9E7ECCE15D8} - C:\WINDOWS\fkdnrwsv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AxiosData AluWeb Producer (AxiosAluWeb) - InfoSchool S.r.l. - C:\Programmi\AxiosSpa\bin\fbisvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
--
End of file - 5423 bytes
Nessuno sa aiutarmi?
Il problema ora č unicamente quello dei popup, visto che ho risolto la mancata visualizzazione delle barre degli strumenti disinstallando explorer 7.
Controlla se c'é qualcosa di strano nei componenti aggiuntivi di IE.
fixa
O4 - HKLM\..\Policies\Explorer\Run: [p2aO7301T3] C:\Documents and Settings\All Users\Dati applicazioni\ktydgxmt\urcjotcr.exe
O20 - Winlogon Notify: __c00606A2 - C:\WINDOWS\system32\__c00606A2.dat
O21 - SSODL: sxfnewqb - {83FDD397-903E-4D1C-8B1B-8E7DB19B8084} - C:\WINDOWS\sxfnewqb.dll (file missing)
O21 - SSODL: fkdnrwsv - {B6832B8C-7DAF-4D9C-87A2-F9E7ECCE15D8} - C:\WINDOWS\fkdnrwsv.dll (file missing)
ed elimina la cartella:
C:\Documents and Settings\All Users\Dati applicazioni\ktydgxmt
ed il file:
C:\WINDOWS\system32\__c00606A2.dat
scarica: SmitfraudFix
entra in modalitą provvisoria ed esegui SmitfraudFix.
Seleziona l'opzione 2 (Clean) e premi invio (elimina i file infetti).
Alla domanda "Registry cleaning - Do you want to clean the registry ?", rispondi "si", digitando "Y" e dai l'invio (rimuove tutto quanto associato con l'infezione - se non erro reimposta lo sfondo del desktop, quindi il tuo potrebbe sparire).
Il computer si riavviera' per completare il processo di pulizia (altrimenti riavvialo tu in modalita' normale). Sul desktop verra' visualizzato un file di testo con risultati: dovresti trovare questo report anche in C:\rapport.txt.
Posta il log di SmitfraudFix
...
:x:_::_:*:_::_: )(:_:*:_:*:__::_:°FM°:_: )(:_:*:_:x:___
Ho seguito scrupolosamente quanto da te indicato (sei stato veramente molto gentile e dettagliato).
Purtroppo non riesco a cancellare il file C:\WINDOWS\system32\__c00606A2.dat (nč da provvisoria che da modalitą normale)
Inoltre ecco il rapporto di SmitFraudFix
-----------------------------------------------
SmitFraudFix v2.309
Scan done at 18.39.26,09, 07/04/2008
Run from C:\Documents and Settings\Amministratore\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{00721EC6-1752-4CFC-B029-FBDA5AC28F88}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{00721EC6-1752-4CFC-B029-FBDA5AC28F88}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Grazie
scarica Avenger, eseguilo e nel box bianco copia/incolla:
Spunta "Automatically disable any rootkits found" e clicca su "execute".files to delete:
C:\WINDOWS\system32\__c00606A2.dat
Il pc dovrebbe riavviarsi da solo, altrimenti riavvialo tu.
Poi, visto che un dubbio l'ho, scarica SystemScan, disconnetti il pc da internet => esegui systemscan => clicca su "unselect all" => spunta solo le opzioni:
- Recent files
- Registry Run Keys
- Include Hijackthis log
clicca su "Scan Now". Finita la scansione, carica il rapporto che trovi sul Desktop su Freefilehosting e posta il link ottenuto.
...
:x:_::_:*:_::_: )(:_:*:_:*:__::_:°FM°:_: )(:_:*:_:x:___
Ecco il file:
http://www.freefilehosting.net/download/3f0fe
Sospetti confermati..
scarica CCleaner
Esegui nuovamente avenger, inserisci questo script:
Spunta "Automatically disable any rootkits found" e clicca su "execute".files to delete:
C:\WINDOWS\system32\ylehsjwt.exe
C:\WINDOWS\system32\kdcvezav.exe
C:\WINDOWS\system32\arwrqdif.exe
C:\WINDOWS\system32\rmnwpyfo.exe
C:\WINDOWS\system32\kjyhgncj.exe
C:\WINDOWS\system32\onkfgjkj.exe
C:\WINDOWS\system32\tkhqfkpa.exe
C:\WINDOWS\system32\kdixgpol.exe
C:\WINDOWS\system32\zsxgxixm.exe
C:\WINDOWS\system32\fwvuladw.exe
C:\WINDOWS\system32\wfsbivkv.exe
C:\WINDOWS\system32\kfmfgbyr.exe
C:\WINDOWS\system32\__c00606A2.dat
registry keys to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00606A2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdvhknxp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mhnrqnaj
Il pc dovrebbe riavviarsi da solo, altrimenti riavvialo tu. Posta il report rilasciato
Esegui CCleaner e ripulisci sia i file temporanei e cookie (eseguilo 2 volte) che il registro.
Posta un nuovo systemscan (stavolta completo, lascia tutte le spunte)
...
:x:_::_:*:_::_: )(:_:*:_:*:__::_:°FM°:_: )(:_:*:_:x:___
Sei gentilissimo..
Cmq per la cronaca i popup ora non si stanno aprendo :-)
Eccoti l'ultimo bollettino medico:
http://www.freefilehosting.net/download/3f0l8
Grazie
Permessi di invio
Rispondi quotando