HijackThis log

[Giulia72]

Ciao,
ho perso un dialer.
Ho provato scansione con Avast!, Trojan Remover, qualche azione con RegSeeker ma niente.
In rete ho letto di Hijack--This. Non riuscivo però a scaricarlo. Appena aprivo una pagina con il suo nome... immediatamente si chiudeva. Stessa cosa per un file (di notepad) che ho provato a chiamare con il suo nome. Ho risolto con Task Manager di windows (ho XP), disattivando un processo chiamato "lexmarkutility.exe".

Adesso ho fatto scansione con Hijack--This.
Vorrei cancellare (fix) F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\wind ows\system32\lexmarkutility.exe",
che ipotizzo sia la cosa che fa avviare il dialer.
Poi... chiedevo a voi, se qualcuno sa consigliarmi sulle altre voci.

Il file lexmarkutility.exe (in windows\system32) l'ho già eliminato con agvpfix.

Vi faccio seguire il mio log.

Grazie.


Logfile of HijackThis v1.99.1
Scan saved at 21.00.20, on 13/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Apache Group\Apache2\bin\Apache.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\sysnet32.exe
C:\Programmi\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\PwdLockLauncher.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Programmi\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\wind ows\system32\lexmarkutility.exe",
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {5653C83A-8716-0AAC-9310-A7BF770289E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Programmi\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PwdLockLauncher] C:\WINDOWS\system32\PwdLockLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office2\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programmi\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Porta Symantec Fax Starter Edition.lnk = C:\Programmi\Microsoft Office2\Office\1040\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{78EA6B78-01E7-4144-A783-DB2FEC07D43D}: NameServer = 62.211.69.150 212.48.4.15
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Programmi\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[OYS]

1) Nel valore devi elminare lexmarkutility

PRIMA:
UserInit=c:\windows\system32\userinit.exe,"c:\wind ows\system32\lexmarkutility.exe"

DOPO:
UserInit=c:\windows\system32\userinit.exe,


2) Con hijackthis fixa queste voci:

O2 - BHO: (no name) - {5653C83A-8716-0AAC-9310-A7BF770289E8} - (no file)
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [PwdLockLauncher] C:\WINDOWS\system32\PwdLockLauncher.exe
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} -




3) Vedi se riesci a scaricare The Avenger
clicca su input script manually e poi sulla lente di ingrandimento.
nello spazio bianco inserisci con copia incolla queste righe:


files to delete:
C:\WINDOWS\sysnet32.exe
C:\WINDOWS\system32\PwdLockLauncher.exe

clicca su done.
poi sul semaforo con luce verde
due volte si, il pc si riavviera' e al ritorno posta il log di avenger(C:/avenger.txt

[Giulia72]

Ciao e grazie,
allora... ho fatto tutto come mi hai detto.
Il pc si è riavviato ed è apparso il log di The Avenger, che ti posto sotto.
E' tutto ok?

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\obhyhgyb

*******************

Script file located at: \??\C:\WINDOWS\xwljftfi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\sysnet32.exe deleted successfully.
File C:\WINDOWS\system32\PwdLockLauncher.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[OYS]

Il computer ti da ancora problemi?

[Giulia72]

Ho riavviato un paio di volte.
Adesso aspetto venti minuti e guardo se parte qualche chiamata.
Sembrerebbe tutto ok ma... le vie del dialer sono infinite.

Grazie ancora.

[Giulia72]

Tutto ok. Grazie

[OYS]

Alla prossima (speriamo di no )