Eliminare CiD e Navipromo da Windows Vista [ho uno spyware che rompe...]

**orken** · 05-09-2008, 17:38

salve ... sn sicuro di avere qualke problema ma facendo la scansione cn hijackthis nn riesco a capire il problema mi aiutate?
Allego il filelog di hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.08.47, on 05/09/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Gaetano\AppData\Local\suqqa.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Movie Maker\moviemk.exe
C:\Users\Gaetano\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [suqqa] "c:\users\gaetano\appdata\local\suqqa.exe" suqqa
O4 - HKCU\..\Run: [Name Mpeg] "C:\ProgramData\for mess mess.82fbbtf"
O4 - HKCU\..\Run: [hold data mags move] "C:\ProgramData\free atom web.7c32i"
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia immagine alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Invia pagina alla periferica &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D92F962D-27FB-462C-9132-311A3FF2BE81}: NameServer = 85.37.17.11 85.38.28.69
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8394 bytes

VVoVe:

**Analyzer** · 05-09-2008, 17:51

Ciao!

Scarica SystemScan da qui : http://www.suspectfile.com/systemscan
Disconnetti il pc da internet->disattiva l'antivirus->chiudi gli altri programmi attivi in memoria->Premi su "Scan Now";

Terminata la scansione carica il rapporto su : http://www.savefile.com/ e posta il link ottenuto;

Ciao!

**Deifobe** · 05-09-2008, 20:22

Scusa se intervengo Analyzer ma mi sa che ti ritroverai con qualche syastemscan di troppo da analizzare

@ orken : fai quello che ti scrivo, ci sono due problemi da risolvere

1) disattiva l'UAC di Vista (qui viene spiegato come disattivarlo microsoft.com)

Start => Pannello di controllo => Account Utente e protezione per la famiglia (User Accounts and Family Safety) => Account Utente
Se viene richiesto una password di amministratore, digitare il nome di utente di amministratore e la password e quindi scegliere OK. Se si richiede la conferma, scegliere Continua.
Deselezionare la casella di controllo Use User Account Control (UAC) .... quindi scegliere OK.
Riavvia il computer.

Scarica navilog1.exe_il mafioso sul desktop e installalo.
Eseguilo, scegli la lingua e, al menù di scelta, seleziona l'opzione 1 (non scegliere le altre). Ad un certo punto uscirà una scritta "Analysis ... Terminate", premi un tasto come richiesto e si aprirà un file di testo (il rapporto della scansione che dovrai postare).

2) esegui hijackthis e fixa:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [Name Mpeg] "C:\ProgramData\for mess mess.82fbbtf"
O4 - HKCU\..\Run: [hold data mags move] "C:\ProgramData\free atom web.7c32i"

3) usa la funzine cerca di windows e cerca ed elimina tutti i:
free atom web
for mess mess

che trovi. Se ne vedi uno in AppData , elimina prima quello e poi elimini gli altri file.

4) Poi, clicca su start => digita msconfig e clicca sulla voce trovata.
Dai le autorizzazioni necessarie e, nella finestra "unità di configurazione sistema" (o system configuration), sezione "avvio" (opp. startup) trova e deseleziona Name Mpeg e hold data mags move. Dai l'ok, riavvia il sistema.
(Dovesse servirti, guarda questa guida per eseguire msconfig.)

clicca su => applica => ok

**Analyzer** · 05-09-2008, 20:27

Originariamente inviato da Deifobe
Scusa se intervengo Analyzer ma mi sa che ti ritroverai con qualche syastemscan di troppo da analizzare

Hai ragione!! Grazie!!

**orken** · 06-09-2008, 13:11

Search Navipromo version 3.6.5 began on 06/09/2008 at 12.31.51,67

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Actual User Account : "Gaetano"

Updated on 22.08.2008 at 17h30 by IL-MAFIOSO

Microsoft Windows Vista 6.0.6000
Version Internet Explorer : 7.0.6000.16711
Filesystem type : NTFS

Search done in normal mode

*** Searching for installed Software ***

*** Search folders in "C:\Windows" ***

*** Search folders in "C:\Program Files" ***

*** Search folders in "c:\progra~2\micros~1\windows\startm~1\program s" ***

*** Search folders in "c:\progra~2\micros~1\windows\startm~1" ***

*** Search folders in "C:\ProgramData" ***

*** Search folders in "c:\users\gaetano\appdata\roaming\micros~1\windows \startm~1\programs" ***

*** Search folders in "C:\Users\Gaetano\AppData\Local\virtualstore\Progr am Files" ***

*** Search folders in "C:\Users\Gaetano\AppData\Roaming" ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

Hidden file(s) :

C:\Users\Gaetano\AppData\Local\suqqa.dat
C:\Users\Gaetano\AppData\Local\suqqa.exe
C:\Users\Gaetano\AppData\Local\suqqa_nav.dat
C:\Users\Gaetano\AppData\Local\suqqa_navps.dat

*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in "C:\Windows\system32" *

* Scan in "C:\Users\Gaetano\AppData\Local\Microsoft" *

* Scan in "C:\Users\Gaetano\AppData\Local\virtualstore\windo ws\system32" *

* Scan in "C:\Users\Gaetano\AppData\Local" *

Files found :

suqqa.exe found !

*** Search files ***

C:\Windows\system32\nvs2.inf found !

*** Search specific Registry keys ***

*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :

2)Heuristic Search :

* In "C:\Windows\system32" :

* In "C:\Users\Gaetano\AppData\Local\Microsoft" :

* In "C:\Users\Gaetano\AppData\Local\virtualstore\windo ws\system32" :

* In "C:\Users\Gaetano\AppData\Local" :

3)Certificates Search :

Egroup certificate found !
Electronic-Group certificate found !
Montorgueil certificate not found !
OOO-Favorit certificate found !
Sunny-Day-Design-Ltd certificate not found !

4)Search known files :

*** Search completed on 06/09/2008 at 12.47.55,92 ***

**Deifobe** · 06-09-2008, 13:20

Riavvia il computer in modalità provvisoria: all'avvio del pc, prima che inizi a caricare Windows, premi ripetutamente F8. Uscirà la finestra del menu Opzioni avanzate di Windows => scegli modalità provvisoria (usa il tasto freccia ^).
Esegui Navilog1 e scegli l'opzione 2 (Automatic Cleaning) e dai l'ok (eseguirà la pulizia dei files infetti trovati)
Quando finisce, riavvia il pc in modalità normale

Svuota C:\WINDOWS\Prefetch
Ripulisci con CCleaner i file temporanei e cookie (eseguilo 2 volte).

riesegui navilog in modalità normale (opzione 1) e posta i risultati

**orken** · 06-09-2008, 15:50

*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in "C:\Windows\system32" *

* Scan in "C:\Users\Gaetano\AppData\Local\Microsoft" *

* Scan in "C:\Users\Gaetano\AppData\Local\virtualstore\windo ws\system32" *

* Scan in "C:\Users\Gaetano\AppData\Local" *

*** Search files ***

*** Search specific Registry keys ***

*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :

2)Heuristic Search :

* In "C:\Windows\system32" :

* In "C:\Users\Gaetano\AppData\Local\Microsoft" :

* In "C:\Users\Gaetano\AppData\Local\virtualstore\windo ws\system32" :

* In "C:\Users\Gaetano\AppData\Local" :

3)Certificates Search :

Egroup certificate not found !
Electronic-Group certificate not found !
Montorgueil certificate not found !
OOO-Favorit certificate not found !
Sunny-Day-Design-Ltd certificate not found !

4)Search known files :

*** Search completed on 06/09/2008 at 15.49.09,56 ***

**Deifobe** · 06-09-2008, 16:39

ok, il primo problema è risolto.

posta un nuovo systemscan

Hai eliminato i vari file postati a inizio procedura? Compreso in msconfig?

**orken** · 06-09-2008, 20:08

http://www.savefile.com/files/1772529

**Deifobe** · 06-09-2008, 20:15

lo controllo e più tardi ti faccio sapere..

Discussione: Eliminare CiD e Navipromo da Windows Vista [ho uno spyware che rompe...]

Strumenti discussione

Ricerca discussione

Visualizza

ho uno spyware che rompe...

ecco il rapporto di navilog

ecco qua

ecco qua

Permessi di invio