Trojan-Downloader.Zlob [era: problemi spyware]

**laser_uk** · 13-06-2008, 21:07

Salve, potete aiutarmi...ho alcuni problemi che non riesco a risolvere con antivirus come avast e adware..questo il log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.40.55, on 13/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Twain_32\NX VEGA 300\SnapTrap.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Skype\Phone\Skype.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\netdde.exe
C:\Programmi\Apache Group\Apache2\bin\Apache.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Apache Group\Apache2\bin\Apache.exe
C:\Programmi\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Programmi\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\CA\CA Internet Security Suite\ccprovsp.exe
C:\Programmi\FreePOPs\freepopsd.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Macromedia\Flash 8\Flash.exe
C:\Programmi\FileZilla\FileZilla.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\qoeapp.exe
C:\Programmi\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 212.150.54.250 dv-networks.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WarningBHO Class - {56FA7933-DC3E-403b-8D47-BB5E3F345A21} - C:\Programmi\AntiSpyCheck\IEWarning.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 514852 helper - {9420D9C5-E151-4D83-B9A6-27DE1A7A0E5F} - C:\WINDOWS\system32\514852\514852.dll
O2 - BHO: (no name) - {99BA268B-4021-4739-9945-3C774217FE75} - C:\Programmi\NetProject\sbmdl.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301. 7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [STICAP] C:\WINDOWS\Twain_32\NX VEGA 300\SnapTrap.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [cctray] "C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Programmi\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AntiSpyCheck 2.1.0] "C:\Programmi\AntiSpyCheck\AntiSpyCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Dati applicazioni\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun
O4 - HKCU\..\Run: [AntiSpyCheck] C:\Programmi\AntiSpyCheck\AntiSpyCheck.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD2829] cmd /c del "C:\WINDOWS\system32\kfcpnd.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Programmi\LingoCom\Translator.lnk (file missing)
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Programmi\LingoCom\Translator.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=Q105&bd=pavili on&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.gisonweb.it/provincia.mil...m/mgaxctrl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...Install_it.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: campaniform - {5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f} - C:\WINDOWS\system32\kfcpnd.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Programmi\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Programmi\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Programmi\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. -

**Habanero** · 13-06-2008, 21:55

e quali sarebbero questi problemi??

scusami se sono un po' brusco, ma non potete pretendere che vi si aiuti senza nemmeno sapere cosa si deve affrontare.
A tal proposito mi sembra che il regolamento parli abbastanza chiaro.

Grazie.

**Deifobe** · 14-06-2008, 00:45

Scarica Norman Malware Cleaner e SmitfraudFix

avvia il PC in modalità provvisoria (*) ed esegui Norman Malware Cleaner.
Finita la scansione, viene generato un log sul desktop (che dovrai postare).

Sempre in modalità provvisoria, esegui SmitfraudFix. Seleziona l'opzione 2 (Clean) e premi invio (elimina i file infetti). Alla domanda "Registry cleaning - Do you want to clean the registry ?" digita "Y" e dai l'invio (rimuove tutto quanto associato con l'infezione - potrebbe reimpostare lo sfondo del desktop).
Il computer si riavviera' per completare il processo di pulizia (altrimenti riavvialo tu in modalita' normale). Sul desktop verra' visualizzato un file di testo che dovrai postare (lo trovi anche in C:\rapport.txt).

Posta il log di SmitfraudFix, quello di Norman Malware Cleaner e un nuovo log di hjt

Ciao

(*) Per entrare in modalità provvisoria: all'avvio del pc, prima che inizi a caricare Windows, premi ripetutamente F8. Uscirà la finestra del menu Opzioni avanzate di Windows
=> scegli modalità provvisoria (usa il tasto freccia ^).

**laser_uk** · 14-06-2008, 11:51

allora: posto il log di Norman:
Number of processes/threads found: 600
Number of processes/threads scanned: 600
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 29s
Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus\Quarantine\0FAE736D.com (Infected with Agent.FHFC)
Deleted file

C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus\Quarantine\2CBD51FF.com (Infected with Agent.FHFC)
Deleted file

C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus\Quarantine\48DA4C75.com (Infected with Agent.FHFC)
Deleted file

C:\Documents and Settings\All Users\Dati applicazioni\Symantec\Norton AntiVirus\Quarantine\4901444A.com (Infected with Agent.FHFC)
Deleted file

C:\Documents and Settings\sergio\ccppglsy.exe (Infected with Dialer.HN)
Deleted file

C:\Documents and Settings\sergio\ptgxqpbn.exe (Infected with Dialer.HN)
Deleted file

C:\Documents and Settings\sergio\rxirgucd.exe (Infected with Dialer.HN)
Deleted file

C:\Documents and Settings\sergio\Impostazioni locali\Temp\_addon.exe (Infected with Horst.gen29.dropper)
Deleted file

C:\Programmi\MediaCoder\xulapp\Dati applicazioni\Mozilla\Firefox\Profiles\r8kotsdm.def ault\Cache\90487342d01/unknown0 (Error whilst scanning file: I/O Error)

C:\Sistema1\casinoeuropa_profilo.exe (Infected with W32/DLoader.DZNY)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010714.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010715.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010716.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010717.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010718.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010719.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010720.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010721.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010722.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010723.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010724.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010725.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010726.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010727.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010728.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010729.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010730.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010731.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010732.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010733.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP26\A0010734.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP32\A0012047.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP52\A0016042.com (Infected with Agent.FHFC)
Deleted file

C:\System Volume Information\_RESTO~1\RP52\A0016043.com (Infected with Agent.FHFC)
Deleted file

C:\System Volume Information\_RESTO~1\RP52\A0016044.com (Infected with Agent.FHFC)
Deleted file

C:\System Volume Information\_RESTO~1\RP52\A0016045.com (Infected with Agent.FHFC)
Deleted file

C:\System Volume Information\_RESTO~1\RP52\A0016046.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP52\A0016047.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP52\A0016048.exe (Infected with Dialer.HN)
Deleted file

C:\System Volume Information\_RESTO~1\RP52\A0016049.exe (Infected with W32/DLoader.DZNY)
Deleted file

Scanning: c:\System Volume Information\*.*

Running post-scan cleanup routine:

Number of files found: 194996
Number of archives unpacked: 6206
Number of files scanned: 194974
Number of files not scanned: 22
Number of files skipped due to exclude list: 0
Number of infected files found: 39
Number of infected files repaired/deleted: 39
Number of infections removed: 39
Total scanning time: 1h 58m 14s

il log di :
SmitFraudFix v2.324

Scan done at 11.36.38,70, 14/06/2008
Run from C:\Documents and Settings\sergio\Desktop\software\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f}"="campaniform"

[HKEY_CLASSES_ROOT\CLSID\{5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f}\InProcServer32]
@="C:\WINDOWS\system32\kfcpnd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5c7b71b b-6d49-4bdc-b60d-f9fe0481eb5f}\InProcServer32]
@="C:\WINDOWS\system32\kfcpnd.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
212.150.54.250 dv-networks.com

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\system32\514852\514852.dll deleted.
C:\WINDOWS\system32\514852\ deleted.

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Belkin 54g Wireless USB Network Adapter #2 - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B34F540C-E298-46DD-B62E-710CED026A58}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{900CF119-FDE5-479B-BB53-F1E10CA7FD4A}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B34F540C-E298-46DD-B62E-710CED026A58}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B34F540C-E298-46DD-B62E-710CED026A58}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f}"="campaniform"

[HKEY_CLASSES_ROOT\CLSID\{5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f}\InProcServer32]
@="C:\WINDOWS\system32\kfcpnd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5c7b71b b-6d49-4bdc-b60d-f9fe0481eb5f}\InProcServer32]
@="C:\WINDOWS\system32\kfcpnd.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End

**laser_uk** · 14-06-2008, 11:53

e il nuovo log di hjt:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:10, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Programmi\Apache Group\Apache2\bin\Apache.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Programmi\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Programmi\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Twain_32\NX VEGA 300\SnapTrap.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 212.150.54.250 dv-networks.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301. 7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [STICAP] C:\WINDOWS\Twain_32\NX VEGA 300\SnapTrap.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [cctray] "C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Programmi\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Dati applicazioni\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Programmi\LingoCom\Translator.lnk (file missing)
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Programmi\LingoCom\Translator.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=Q105&bd=pavili on&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.gisonweb.it/provincia.mil...m/mgaxctrl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...Install_it.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: campaniform - {5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f} - C:\WINDOWS\system32\kfcpnd.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Programmi\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Programmi\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Programmi\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql2/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Unknown owner - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.e xe (file missing)

--
End of file - 12194 bytes

**Deifobe** · 14-06-2008, 12:18

ok, ci sono ancora cose da eliminare.
scarica SystemScan, disconnetti il pc da internet => disattiva l'antivirus => esegui systemscan => clicca su "Scan Now". Finita la scansione, riattiva l'antivirus

carica il rapporto che trovi sul desktop su Savefile e posta il link ottenuto.

**laser_uk** · 14-06-2008, 16:06

eccolo:
http://www.savefile.com/files/1609212

**Deifobe** · 14-06-2008, 19:37

Scarica Avenger e CCleaner

Disinstalla i seguenti programmi da installazione applicazioni (e presenti):
WinSpywareProtect
AntiSpyCheck

Apri il blocco note e nella pagina copia/incolla:

Windows Registry Editor Version 5.00

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinSpywareProtect"=-

[-HKCR\CLSID\{5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f}]

salvalo in c:\ con il nome nome: fix.reg
tipo di file: tutti i file

Esegui avenger e nella finestra copia/incolla tutta la citazione:

files to delete:
C:\WINDOWS\system32\kfcpnd.dll
C:\Programmi\AntiSpyCheck\AntiSpyCheck.exe
C:\Documents and Settings\sergio\Dati applicazioni\Mozilla\Firefox\Profiles\23ncf8e8.def ault\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
C:\WINDOWS\system32\fixflash.exe
C:\Documents and Settings\All Users\Dati applicazioni\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe

folders to delete:
C:\Programmi\AntiSpyCheck
C:\Documents and Settings\All Users\Dati applicazioni\Adsl Software Limited\WinSpywareProtect

registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler | {5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f}
HKLM\SYSTEM\CurrentControlSet\Services\SharedAcces s\Parameters\FirewallPolicy\StandardProfile\Author izedApplications | C:\Programmi\AntiSpyCheck\AntiSpyCheck.exe

programs to launch on reboot:
c:\fix.reg

Spunta "Automatically disable any rootkits found" e clicca su "execute".
Il pc dovrebbe riavviarsi da solo, altrimenti riavvialo tu. Posta il report rilasciato

Esegui CCleaner e ripulisci i file temporanei e i cookie (eseguilo 2 volte).

Svuota C:\WINDOWS\Prefetch

Usa la funzione "cerca" di windows ed elimina tutto quello che trovi con il nome di:
WinSpywareProtect
AntiSpyCheck

Da hjt fixa (magari non li troverai tutti):

(se conosci O1 - Hosts: 212.150.54.250 dv-networks.com non fixarla...)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 212.150.54.250 dv-networks.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Dati applicazioni\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Programmi\LingoCom\Translator.lnk (file missing)
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Programmi\LingoCom\Translator.lnk (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/s...eInstall_it.cab
O22 - SharedTaskScheduler: campaniform - {5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f} - C:\WINDOWS\system32\kfcpnd.dll (file missing)

Posta un nuovo rapporto di systemscan (hjt compreso) e il rapporto di avenger

**laser_uk** · 14-06-2008, 20:56

inizio a postare il rapporto di avenger e appena fatto quello di systemscan

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\kfcpnd.dll" not found!
Deletion of file "C:\WINDOWS\system32\kfcpnd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not open file "C:\Programmi\AntiSpyCheck\AntiSpyCheck.exe"
Deletion of file "C:\Programmi\AntiSpyCheck\AntiSpyCheck.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "C:\Documents and Settings\sergio\Dati applicazioni\Mozilla\Firefox\Profiles\23ncf8e8.def ault\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll" deleted successfully.
File "C:\WINDOWS\system32\fixflash.exe" deleted successfully.

Error: could not open file "C:\Documents and Settings\All Users\Dati applicazioni\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe"
Deletion of file "C:\Documents and Settings\All Users\Dati applicazioni\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Error: folder "C:\Programmi\AntiSpyCheck" not found!
Deletion of folder "C:\Programmi\AntiSpyCheck" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not open folder "C:\Documents and Settings\All Users\Dati applicazioni\Adsl Software Limited\WinSpywareProtect"
Deletion of folder "C:\Documents and Settings\All Users\Dati applicazioni\Adsl Software Limited\WinSpywareProtect" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Error: could not delete registry value "HKLM\SYSTEM\CurrentControlSet\Services\SharedAcce ss\Parameters\FirewallPolicy\StandardProfile\Autho rizedApplications|C:\Programmi\AntiSpyCheck\AntiSp yCheck.exe"
Deletion of registry value "HKLM\SYSTEM\CurrentControlSet\Services\SharedAcce ss\Parameters\FirewallPolicy\StandardProfile\Autho rizedApplications|C:\Programmi\AntiSpyCheck\AntiSp yCheck.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\SharedTaskScheduler|{5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f}" deleted successfully.
Program "c:\fix.reg" successfully queued to run on reboot.

Completed script processing.

*******************

Finished! Terminate.

**laser_uk** · 14-06-2008, 22:11

log di systemscan

http://www.savefile.com/files/1609807

Discussione: Trojan-Downloader.Zlob [era: problemi spyware]

Strumenti discussione

Ricerca discussione

Visualizza

problemi spyware

Permessi di invio