Utility
Home Messaggi odierni FAQ Ricerca avanzata Lo staff del forum Regolamento Utenti Archivio
Pagina 1 di 3 1 2 3 ultimoultimo
Visualizzazione dei risultati da 1 a 10 su 23
  1. 08-12-2007, 12:07 #1
    Roby_72
    Roby_72 non è in linea
    Moderatore di ASP e MS Server L'avatar di Roby_72
    Registrato dal
    Aug 2001
    Messaggi
    19,559

    Pc probabilmente violato

    Sintomi: lento, impossibilità di inviare email da outlook con allegati (le stesse email senza allegati partono), cancalleazione automatica (non voluta) dei cookies di IE ad ogni riavvio del pc.... Questi i più significativi.
    Come da regolamento, dopo aver adottato i provvedimenti di cui ai punti 1-3 mostro qui il log di HijackThis nel caso qualcuna possa suggerirmi cosa bloccare.

    Grazie.

    codice:
    Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.59.36, on 08/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Apoint2K\Apoint.exe
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
C:\Programmi\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmi\Windows Desktop Search\WindowsSearch.exe
C:\Programmi\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.repubblica.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Programmi\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CeEKEY] C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Programmi\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [TPNF] C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Monitor Apache Servers.lnk = C:\Programmi\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Programmi\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.coolstreaming.us/consolle.../KooPlayer.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1179864841578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sederoma.novacomitalia.com
O17 - HKLM\Software\..\Telephony: DomainName = sederoma.novacomitalia.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F868D25-4997-49E6-94F6-75FFC4C7725A}: NameServer = 85.255.116.119,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{26FAC87A-6AA1-4692-9C5D-84D08A03BF8C}: NameServer = 85.255.116.119,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9731F51-FD86-49E7-A68E-310BDFC6F0AD}: NameServer = 85.255.116.119,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{E87076CD-BFAA-45FF-A368-428D7DE26A29}: NameServer = 85.255.116.119,85.255.112.62
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sederoma.novacomitalia.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.62
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sederoma.novacomitalia.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.62
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Servizio di configurazione Atheros (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Programmi\Apache Group\Apache2\bin\Apache.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: MySQL - Unknown owner - C:\Programmi\MySQL\MySQL.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 10871 bytes
    Roby

    www.creamweb.it [v. 3.0]
    :: Script ASP!
    :: Web directory gratuita!
    :: Campioni del mondo!
    Rispondi quotando Rispondi quotando
  2. 08-12-2007, 12:17 #2
    OYS
    OYS non è in linea
    Utente di HTML.it L'avatar di OYS
    Registrato dal
    Apr 2006
    Messaggi
    3,142
    1) Avvia Hijackthis, clicca do a system scan only, seleziona le voci che ti indicherò e premi fix checked in basso a sinistra:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDO WS\system32\ntos.exe,

    TUTTE le voci O17 (apparte quelle con sederoma.novacomitalia.com se e il tuo dominio)



    2) Scarica SmitFraudFix (avvialo, srivi 2, quando ti fa una domanda premi Y, al termine posta il log).



    3) Scarica http://swandog46.geekstogo.com/avenger.zip

    clicca su input script manually e poi sulla lente di ingrandimento.
    nello spazio bianco inserisci con copia incolla questo:


    files to delete:
    C:\WINDOWS\system32\ntos.exe

    clicca su done.
    poi sul semaforo con luce verde
    due volte si, il pc si riavviera' e al ritorno posta il log di avenger (C:/avenger.txt).
    Internet Assigned Numbers Authority
    Rispondi quotando Rispondi quotando
  3. 08-12-2007, 12:53 #3
    Roby_72
    Roby_72 non è in linea
    Moderatore di ASP e MS Server L'avatar di Roby_72
    Registrato dal
    Aug 2001
    Messaggi
    19,559
    Innanzitutto grazie.

    1) Fatto
    2) Fatto, ecco il log:
    codice:
    SmitFraudFix v2.258

Scan done at 11.26.42,70, 08/12/2007
Run from C:\Documents and Settings\Roberto\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VM Network Connection - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{26FAC87A-6AA1-4692-9C5D-84D08A03BF8C}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B9731F51-FD86-49E7-A68E-310BDFC6F0AD}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E87076CD-BFAA-45FF-A368-428D7DE26A29}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{26FAC87A-6AA1-4692-9C5D-84D08A03BF8C}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B9731F51-FD86-49E7-A68E-310BDFC6F0AD}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E87076CD-BFAA-45FF-A368-428D7DE26A29}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F868D25-4997-49E6-94F6-75FFC4C7725A}: NameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{26FAC87A-6AA1-4692-9C5D-84D08A03BF8C}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{26FAC87A-6AA1-4692-9C5D-84D08A03BF8C}: NameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B9731F51-FD86-49E7-A68E-310BDFC6F0AD}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B9731F51-FD86-49E7-A68E-310BDFC6F0AD}: NameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E87076CD-BFAA-45FF-A368-428D7DE26A29}: NameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdmaw.exe"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\kdmaw.exe Deleted
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
 

»»»»»»»»»»»»»»»»»»»»»»»» End
    3) Fatto, ecco il log:
    codice:
    Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\avwyosrm

*******************

Script file located at: \??\C:\jhschtpu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\ntos.exe not found!
Deletion of file C:\WINDOWS\system32\ntos.exe failed!

Could not process line:
C:\WINDOWS\system32\ntos.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

    Roby

    www.creamweb.it [v. 3.0]
    :: Script ASP!
    :: Web directory gratuita!
    :: Campioni del mondo!
    Rispondi quotando Rispondi quotando
  4. 08-12-2007, 13:01 #4
    Roby_72
    Roby_72 non è in linea
    Moderatore di ASP e MS Server L'avatar di Roby_72
    Registrato dal
    Aug 2001
    Messaggi
    19,559
    Situazione.
    Non mi sembra abbia fatto tutto ma al momento il pc è decisamente più veloce, Outlook invia le email con allegati e nelle ricerche su google non vengo reindirizzato a casaccio su siti improponibili.
    Per ora ti ringrazio, attendo da te ulteriori miglioramenti (eventuali).

    Roby

    www.creamweb.it [v. 3.0]
    :: Script ASP!
    :: Web directory gratuita!
    :: Campioni del mondo!
    Rispondi quotando Rispondi quotando
  5. 08-12-2007, 13:07 #5
    OYS
    OYS non è in linea
    Utente di HTML.it L'avatar di OYS
    Registrato dal
    Apr 2006
    Messaggi
    3,142
    Esegui queste procedure per sicurezza..

    1)Con avenger esegui il seguente script:


    files to delete:
    C:\windows\system32\\wsnpoem\audio.dll
    C:\windows\system32\wsnpoem\video.dll

    folders to delete:
    C:\windows\system32\wsnpoem




    2) start-->esegui-->regedit

    Anche se probabilmente è già stato eliminato, per un controllo portati fino a questa chiave di registro ed elimina ntos:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = C:\windows\system32\userinit.exe, C:\windows\system32\ntos.exe"


    Il risultato finale deve essere:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = C:\windows\system32\userinit.exe,     (ricordati di NON cancellare la virgola dopo usrinit.exe).



    Poi elimina queste chiavi di registro:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"WinCode" = "[CHIAVE DI CODIFICA]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"Win32" = "[VALORE PER LA MAIL]"


    Dove:
    [CHIAVE DI CODIFICA] è una chiave unica di 4 byte generata a caso per il computer specifico.
    [VALORE PER LA MAIL] è un numero scelto a caso tra 1 e 4 usato per selezionare l’indirizzo email dell’utente malintenzionato.




    Riposta un log di >HijackThis per vedere se ha eliminato tutto.




    Cmq è tutto spiegato qui:

    http://www.nod32.it/threat-center/en...a1.php?id=1771
    Internet Assigned Numbers Authority
    Rispondi quotando Rispondi quotando
  6. 08-12-2007, 13:47 #6
    Roby_72
    Roby_72 non è in linea
    Moderatore di ASP e MS Server L'avatar di Roby_72
    Registrato dal
    Aug 2001
    Messaggi
    19,559
    1) Intanto ecco il log chiesto:
    codice:
    Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wyppobrg

*******************

Script file located at: \??\C:\WINDOWS\system32\gvuhcerk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\windows\system32\wsnpoem\audio.dll deleted successfully.
File C:\windows\system32\wsnpoem\video.dll deleted successfully.
Folder C:\windows\system32\wsnpoem deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
    Tra i problemi che ancora riscontro:
    1) Quando riavvio i cookies di IE non ci sono
    2) Outlook non invia le email con allegati in modalità (rispondi/inoltra)

    www.creamweb.it [v. 3.0]
    :: Script ASP!
    :: Web directory gratuita!
    :: Campioni del mondo!
    Rispondi quotando Rispondi quotando
  7. 08-12-2007, 13:54 #7
    Roby_72
    Roby_72 non è in linea
    Moderatore di ASP e MS Server L'avatar di Roby_72
    Registrato dal
    Aug 2001
    Messaggi
    19,559
    2) Fatto.
    Le altre due chiavi di registro:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"WinCode" = "[CHIAVE DI CODIFICA]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"Win32" = "[VALORE PER LA MAIL]"

    non ci sono... forse stanno in un altro percorso...

    3) Ecco il log di HijackThis:
    codice:
    Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.52.41, on 08/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Apoint2K\Apoint.exe
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
C:\Programmi\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmi\Windows Desktop Search\WindowsSearch.exe
C:\Programmi\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.repubblica.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Programmi\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Programmi\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CeEKEY] C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Programmi\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [TPNF] C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Monitor Apache Servers.lnk = C:\Programmi\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Programmi\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.coolstreaming.us/consolle.../KooPlayer.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1179864841578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sederoma.novacomitalia.com
O17 - HKLM\Software\..\Telephony: DomainName = sederoma.novacomitalia.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sederoma.novacomitalia.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sederoma.novacomitalia.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Servizio di configurazione Atheros (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Programmi\Apache Group\Apache2\bin\Apache.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: MySQL - Unknown owner - C:\Programmi\MySQL\MySQL.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 10140 bytes
    Rispondi quotando Rispondi quotando
  8. 08-12-2007, 14:34 #8
    OYS
    OYS non è in linea
    Utente di HTML.it L'avatar di OYS
    Registrato dal
    Apr 2006
    Messaggi
    3,142
    Log di HijackThis pulito.


    Il fatto che i cookies di IE non ci sono non può essere legato a qualche programma che usi? Tipo ccleaner o cose del genere?



    Per gli allegati, prova a guardare questo:
    http://www.megalab.it/articoli.php?id=154



    P.s. Apri il file HOSTS (C:\windows\system32\drivers\etc) con il blocco note ed in fondo aggiungici questa riga:


    127.0.0.1 http://martin-golf.net/
    Internet Assigned Numbers Authority
    Rispondi quotando Rispondi quotando
  9. 08-12-2007, 14:39 #9
    Roby_72
    Roby_72 non è in linea
    Moderatore di ASP e MS Server L'avatar di Roby_72
    Registrato dal
    Aug 2001
    Messaggi
    19,559
    Quando l'email contiene allegati Outlook dice che non riesce a connettersi alla rete... e il messaggio rimane in posta in uscita...
    Mentre se lo invio senza l'allegato parte.

    Roby

    www.creamweb.it [v. 3.0]
    :: Script ASP!
    :: Web directory gratuita!
    :: Campioni del mondo!
    Rispondi quotando Rispondi quotando
  10. 08-12-2007, 16:03 #10
    OYS
    OYS non è in linea
    Utente di HTML.it L'avatar di OYS
    Registrato dal
    Apr 2006
    Messaggi
    3,142
    E questo succede da quando hai preso il virus?
    Internet Assigned Numbers Authority
    Rispondi quotando Rispondi quotando
« Discussione precedente | Prossima discussione »

Permessi di invio

  • Non puoi inserire discussioni
  • Non puoi inserire repliche
  • Non puoi inserire allegati
  • Non puoi modificare i tuoi messaggi
  •  

Regole del Forum

Powered by vBulletin® Version 4.2.1
Copyright © 2025 vBulletin Solutions, Inc. All rights reserved.