Trojan rilevato da AVG

[Professor X]

Questo è il log d HijackThis del mio pc,cosa c'è ke nn va??? AVG mi rileva un trojan ma nn riesco ad eliminarlo...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.30.19, on 22/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\D-Tools\daemon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\865d1.exe
C:\Documents and Settings\Francesco\Documenti\Altro PC\Sicurezza PC\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://7255.com/?g
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/si...search-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/cu...search-en.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\system32\3861.dll
O2 - BHO: Century Class - {B9893324-6B8F-4C54-98A8-D22194403550} - C:\WINDOWS\system32\SoTools.dll
O2 - BHO: BHO Class - {BCBD80C9-6AD7-48ed-8DF1-6963414B3649} - C:\WINDOWS\system32\flym.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe "
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\RunOnce: [CPushSetup] "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Programmi\File comuni\CPUSH\cpush.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [a09oc] rundll32 "C:\WINDOWS\Downlo~1\a09oc.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [qbjk] rundll32 "C:\WINDOWS\Downlo~1\qbjk.dll",Run
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192279606750
O17 - HKLM\System\CCS\Services\Tcpip\..\{D66C1D12-D600-4B60-9263-95DE550A6AB2}: NameServer = 85.37.17.51 85.38.28.97
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\865d1.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Programmi\Windows Live\installer\WLSetupSvc.exe

--
End of file - 9465 bytes

[Deifobe]

Non lo elimina? Sei diventato cinese, praticamente... Allora:

Scarica: Avenger, SpyBot , Superantispyware, DelDomains (salvalo sul desktop), hosts (salvalo sul desktop)
Installa e aggiorna spybot e SUPERAntiSpyware

stampa/salva queste indicazioni e disconnetti il pc da internet.

Disattiva il ripristino configurazione di sistema: start - pannello di controllo - sistema - ripristino configurazione di sistema - spunta "disattiva ripristino configuraz. di sistema"
Visualizza file nascosti: da una cartella clicca su strumenti - opzioni cartella - visualizza - visualizza file nascosti

Lancia Hijackthis, clicca sul tasto "Do a system scan only", spunta le seguenti voci e clicca su "fix Checked"
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http: //7255.com/?g
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http: //client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http: //client.jogo.cn/cdn/browser/customsearch/customsearch-en.html
O2 - BHO: (no name) - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\system32\3861.dll
O2 - BHO: Century Class - {B9893324-6B8F-4C54-98A8-D22194403550} - C:\WINDOWS\system32\SoTools.dll
O2 - BHO: BHO Class - {BCBD80C9-6AD7-48ed-8DF1-6963414B3649} - C:\WINDOWS\system32\flym.dll
O4 - HKLM\..\RunOnce: [CPushSetup] "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Programmi\File comuni\CPUSH\cpush.dll"
O4 - HKLM\..\Policies\Explorer\Run: [a09oc] rundll32 "C:\WINDOWS\Downlo~1\a09oc.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [qbjk] rundll32 "C:\WINDOWS\Downlo~1\qbjk.dll",Run
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\WINDOWS\system32\shdocvw.dll

Esegui avenger, seleziona l'opzione "Input Script Manually" e clicca sulla lente d'ingrandimento. All'interno della finestra "Wiew/edit script", nel box bianco, copia/incolla:

files to delete:
C:\WINDOWS\system32\3861.dll
C:\WINDOWS\system32\SoTools.dll
C:\WINDOWS\system32\flym.dll
C:\WINDOWS\system32\cdnns.dll
C:\WINDOWS\Downlo~1\a09oc.dll

folders to delete:
C:\Programmi\File comuni\CPUSH
%program_files%\cnnic
C:\WINDOWS\system32\drivers\cdn

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.Pop upBlock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.Pop upBlock.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.Too lbarDetector
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.Too lbarDetector.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewMediaPopup. DdLogic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewMediaPopup. DdLogic.1
HKEY_LOCAL_MACHINE\SOFTWARE\cpush
HKEY_LOCAL_MACHINE\SOFTWARE\Sohu R&D
HKEY_CURRENT_USER\Software\cpush
HKEY_CURRENT_USER\software\cnnic
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\advancedoptions\cdnclient
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\r oot\legacy_cdnprot
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\r oot\legacy_cdnprot nextinstance
HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\cdnprot group
HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\cdnprot\enum

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Clicca sul pulsante "Done", poi sul semaforo verde, rispondi 2 volte Yes. Il pc dovrebbe riavviarsi da solo, altrimenti riavvialo tu. Posta il report rilasciato

Esegui CCleaner e ripulisci sia i file temporanei e cookie (2 volte) che il registro.

Esegui le scansioni con Spybot e SUPERAntiSpyware

Per ripristinare la Trusted Zone fai clic su DelDomains con tasto destro del mouse e scegli "Installa".

Scompatta il file Hosts, => clic con il tasto destro del mouse - "copia" - e "incolla" il file nella cartella C:\Windows\system32\drivers\etc (NB: in questa cartella troverai già un altro file hosts, devi accettare la sostituzione).

Posta anche un nuovo log di hjt.

in sospeso..
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\865d1.exe

[Professor X]

DelDomains ma è un file d testo????

p.s.: sorry... cmq sto provvedendo a sistemare tutto e per quel file in sospeso?

[Deifobe]

Non esiste ma e' meglio se lo controlli su Virustotal. Fammi sapere il risultato.