msnchecker - hijackthis

[coniglia]

Ciao,
mi ritrovo in C:\ diversi file msnchecker.exe. Ho già fatto milioni di tentativi per debellarlo:
ripuito tutto con Ccleaner, scansioni in modalità provvisoria con Kaspersky, Avg, Ewido, PrevX... tutti appena scaricati e aggiornati. Ora, l'unico antivirus a riconoscere il file è stato Kaspersky - lo so, anche altri dovrebbero, ma così è. Una volta eliminato, comunque, spesso tentava di rientrare e Kaspersky me lo segnalava.
...Finché non mi sono ritrovata di nuovo un sacco di msnchecker in C:\, mentre Kaspersky stava lì zitto zitto con tutte le protezioni attive ma... senza avvertirmi di nulla. Allora provo a fargli scannare C:\, e vedo che tra i file esaminati passano gli msnchecker senza colpo ferire... "nessuna minaccia trovata" è la risposta finale.
Riesco a cancellarli manualmente, anche svuotando il cestino, ma poco dopo sono lì da capo.
Tra parentesi, mi è anche cambiata l'icona del disco C... per il resto, come problemi al pc ho solo rallentamenti e ogni tanto qualche crash, specialmente di explorer.exe - ma forse dipende dal caldo o.O

Se volete un hijackthis, così, tanto per gradire...

Logfile of HijackThis v1.99.1
Scan saved at 2.15.52, on 17/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\programmi\Ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\programmi\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\Wintime\Wtxpload.exe
D:\programmi\Masterizz DVD\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Wintime\xpoint32.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\programmi\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Internet Explorer\iexplore.exe
D:\programmi\hijackthis\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {16DF6EBC-708E-59D6-0CF0-5B845D3CC112} - C:\WINDOWS\dgypp1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [kav] "D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\programmi\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Wintime.Wtxpload] C:\WINDOWS\Wintime\Wtxpload.exe Wintime
O4 - HKLM\..\Run: [VirtualCloneDrive] "D:\programmi\Masterizz DVD\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.it/kos/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...95/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A95B6510-42F3-480D-8A2C-3CE43B7DD09E}: NameServer = 85.37.17.52 85.38.28.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF74E5FC-8AC2-4156-B426-36268A72324C}: NameServer = 212.216.112.112,212.216.112.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\programmi\Ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe

[holifay]

Vai in Pannello di controllo e localizza l´icona JAVA. Cliccaci sopra 2 volte, poi dal tab Generale clicca sul pulsante Elimina file.... Dal tab Aggiornamento clicca invece Aggiorna adesso. Se non trovi come aggiornarlo o come cancellare i file java temporanei, disinstalla tutte le versioni di JAVA e JAVA RUNTIME che trovi in Pannello di Controllo >> Installazione applicazioni

Fatto questo scarica ATFCleaner da Atribune e salvalo sul desktop

Avvia HijackThis, poi chiudi tutte le finestre lasciando aperto solo HijackThis. Clicca Do a System Scan only, metti un segno di spunta sulla casella accanto a queste voci e al temine premi Fix checked

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {16DF6EBC-708E-59D6-0CF0-5B845D3CC112} - C:\\\\WINDOWS\\\\dgypp1.dll (file missing)

Riavvia in modalità provvisoria: premi F8 al Boot subito dopo il caricamento del BIOS e dal menu che comparirà seleziona modalità Provvisoria (safe mode)

Visualizza i file nascosti e di sistema:

- apri gestione risorse
- dal menu selezona strumenti >> opzioni cartella
- seleziona il tab visualizzazione
- metti la spunta alla casella visualizza file e cartelle nascoste
- togli la spunta alla casella nascondi file di sistema (consigliato) (trovi l´ozione più in basso)
- clicca Si, poi Applica, poi OK.

Cerca il file C:/WINDOWS/dgypp1.dll e mettilo in un file zip. Aggiungi all´archivio anche un file C:/msnchecker.exe.Poi cancella la dgypp1.dll e tutti i file msnchecker.exe che dovessi trovare.

Avvia ATF cleaner clicca sul menu main e poi seleziona la casella Select All. Se usi Firefox o Opera fai la stessa cosa premendo rispettivamente anche su Firefox e Opera (se vuoi mantenere le password deseleziona la rispettiva casella). Adesso clicca sul pulsante Empty selected e aspetta il messaggio Done Cleaning!.

Riavvia in modalità normale e ripeti la procedura con ATF Cleaner.

Manda per favore l´archivio zippato che hai creato prima a www.suspectfile.com

fai una scansione online con Panda. Al termine clicca sul pulsante See Report e salvalo sul pc.

Posta un nuovo log di HijackThis e il log di Panda.

Ciao

[coniglia]

Grazie...
ho seguito le tue istruzioni, ma:
- la dgypp1.dll non si trova, l'avevo già cercata anche prima
- panda non ha rilevato niente. Può darsi che in quel momento non avessi msnchecker su disco, dato che li avevo appena eliminati; ma... possibile che non ci sia nient'altro, e nonostante ciò continuino a riformarsi?

Ho inviato msnchecker zippato al sito che mi hai indicato.

Nel frattempo, mi è comparso un eraseme _XXXX.exe, dove le X stanno per numeri casuali. Non è la prima volta, ne ho avuti anche parecchi. Kaspersky continua a far finta di nulla, li trovo prima io guardando esplora risorse...
Altre volte invece me li aveva rilevati come trojan.

[holifay]

Strano perchè anche EWIDO lo riconosce....
http://www.suspectfile.com/forum/viewtopic.php?t=161


Senti, hai eliminato le voci dal log come ti avevo chiesto? Ti spiace postare un log di HijackThis fresco?

[coniglia]

Sì, le ho eliminate... ma sono di nuovo lì, e non ho idea di come ci sian tornate. Ho un folletto nel computer.



Logfile of HijackThis v1.99.1
Scan saved at 0.32.58, on 18/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\programmi\Ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\programmi\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\Wintime\Wtxpload.exe
D:\programmi\Masterizz DVD\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\Wintime\xpoint32.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\programmi\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
D:\programmi\Shareaza\Shareaza.exe
C:\Programmi\Internet Explorer\iexplore.exe
D:\programmi\hijackthis\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {16DF6EBC-708E-59D6-0CF0-5B845D3CC112} - C:\WINDOWS\dgypp1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [kav] "D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\programmi\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Wintime.Wtxpload] C:\WINDOWS\Wintime\Wtxpload.exe Wintime
O4 - HKLM\..\Run: [VirtualCloneDrive] "D:\programmi\Masterizz DVD\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.it/kos/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...95/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A95B6510-42F3-480D-8A2C-3CE43B7DD09E}: NameServer = 85.37.17.52 85.38.28.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF74E5FC-8AC2-4156-B426-36268A72324C}: NameServer = 212.216.112.112,212.216.112.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\programmi\Ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe

[coniglia]

Se può servire: scannando con Kaspersky, gli msnchecker sono bypassati così:

18/07/2006 0.37.24 File: C:\msnchecke6.exe skipped by rights
18/07/2006 0.37.24 File: C:\msnchecker.exe skipped by rights

Che significa?

[holifay]

che kaspersky non ha i diritti per cancellarlo...


Scarica Sul desktop

Avvia HijackThisElimina e chiudi tutte le altre finestre. Metti un segno di spunta accanto a queste voci e premi Fix checked

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {16DF6EBC-708E-59D6-0CF0-5B845D3CC112} - C:\WINDOWS\dgypp1.dll (file missing)
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /wO4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

Avvia Killbox, premi File > Run as a System Task

Fai riferimento a questa immagine



Seleziona l'opzione Delete on Reboot, poi clicca All files. Ora copia negli appunti (premi CTRL+C) questo:

C:\WINDOWS\dgypp1.dll
C:\WINDOWS\system\smss.exe
C:\msnchecke6.exe
C:\msnchecker.exe

(aggiungi a questo elenco altri eventuali file da cancellare

Vai su Killbox e dal Menu File seleziona >> Paste from Clipboard

Se non si riavvia, riavvialo tu

Poi posta un nuovo log di HijackThis

Ciao

[coniglia]

Fatto. Ecco l'hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 18.19.32, on 19/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\programmi\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\Wintime\Wtxpload.exe
D:\programmi\Masterizz DVD\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\programmi\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\Wintime\xpoint32.exe
C:\WINDOWS\System32\ctfmon.exe
D:\programmi\Ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
D:\programmi\hijackthis\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {16DF6EBC-708E-59D6-0CF0-5B845D3CC112} - C:\WINDOWS\dgypp1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [kav] "D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\programmi\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Wintime.Wtxpload] C:\WINDOWS\Wintime\Wtxpload.exe Wintime
O4 - HKLM\..\Run: [VirtualCloneDrive] "D:\programmi\Masterizz DVD\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.it/kos/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...95/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF74E5FC-8AC2-4156-B426-36268A72324C}: NameServer = 212.216.112.112,212.216.112.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - D:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\programmi\Ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe

Nel frattempo, ho attivato in Kaspersky la protezione per le modifiche al registro. Ogni volta che apro explorer, mi avverte che:

Process is trying to delete value in system registry key that belongs to group Internet Explorer Settings. These keys control Internet Explorer settings.

You are advised to grant access to these settings only if you are sure you want to allow these settings to be modified. Otherwise it is better to deny access.

Key: HKEY_USERS\S-1-5-21-117609710-1972579041-839522115-1004\Software\Microsoft\Internet Explorer\URLSearchHooks

Value:

Data(No value type):

C'entra con quel "R3 - Default URLSearchHook is missing" ? Io ho negato il permesso per la modifica, e in effetti ora quella voce non c'è più. Ma cos'è?

[holifay]

Strano messaggio... sembrerebbe ancora attivo qualcosa.

Riesci con HijackThis a eliminare questo?

O2 - BHO: Class - {16DF6EBC-708E-59D6-0CF0-5B845D3CC112} - C:\WINDOWS\dgypp1.dll (file missing)

Scarica RKR e fai un log. NON usare il PC finhè ha finito. Poi postalo qui

[coniglia]

No non si riesce a fixare...
ecco il log che mi hai chiesto!

HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version 17/07/06 22.11 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 29/06/06 20.31 48 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version 17/07/06 22.11 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\PdmHist\830.5A5F009001C6ACC8.history 21/07/06 15.19 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\PdmHist\890.5BB3F0D601C6ACC8.history 21/07/06 15.19 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\PdmHist\aa8.48D967EE01C6ACB3.history\0000 0003.bak 21/07/06 15.21 3.07 MB Hidden from Windows API.
C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\PdmHist\b74.5C0500CA01C6ACC8.history 21/07/06 15.19 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Dati applicazioni\SecTaskMan\dgypp1.dll.q_2CF0_q.ini 15/07/06 13.43 314 bytes Hidden from Windows API.
C:\WINDOWS\dgypp1.del 20/07/06 16.56 63.16 KB Hidden from Windows API.
C:\WINDOWS\dgypp1.dll 20/07/06 16.56 63.16 KB Hidden from Windows API.
C:\WINDOWS\dgypp1.upd 20/07/06 16.56 61.04 KB Hidden from Windows API.
C:\WINDOWS\lpt7.rpd 21/07/06 15.19 139.16 KB Hidden from Windows API.
C:\WINDOWS\Temp\cch~d246c17fa.htp 21/07/06 15.31 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~d246c1ce5.htp 21/07/06 15.31 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~d27532a3b.htp 21/07/06 15.31 8.00 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\Temp\cch~d2753d38d.htp 21/07/06 15.31 8.00 KB Visible in Windows API, MFT, but not in directory index.