  1. #1
    HTML.it user, registered Jan 2001, 1,742 posts

    Help removing spyware.

    Hi,
    unfortunately, after running all the procedures explained in the sticky topic for removing spyware etc., my PC is still infected.
    When I open Internet Explorer, while browsing I get pop-ups trying to make me download Windows Antispyware 2007.

    Here is the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 18.02.20, on 25/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Programmi\File comuni\Maxtor\Schedule2\schedul2.exe
    C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Programmi\ewido anti-spyware 4.0\guard.exe
    C:\Programmi\iPod Access for Windows\iPAHelper.exe
    C:\Programmi\Microsoft LifeCam\MSCamS32.exe
    C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\system32\CNAB4RPK.EXE
    C:\Programmi\NetLimiter\NetLimiter.exe
    C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
    C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\vVX1000.exe
    C:\Programmi\Maxtor\MaxBlast\MaxBlastMonitor.exe
    C:\Programmi\Maxtor\MaxBlast\TimounterMonitor.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Programmi\File comuni\Maxtor\Schedule2\schedhlp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\Programmi\MSN Messenger\MsnMsgr.Exe
    C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\Programmi\MSN Messenger\livecall.exe
    C:\Programmi\MSN Messenger\usnsvc.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Programmi\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\WINDOWS\explorer.exe
    C:\Programmi\ewido anti-spyware 4.0\ewido.exe
    C:\PROGRA~1\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    c:\progra~1\azureus\Azureus.exe
    C:\Documents and Settings\Drugo\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NetLimiter] C:\Programmi\NetLimiter\NetLimiter.exe /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
    O4 - HKLM\..\Run: [LifeCam] "C:\Programmi\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Programmi\Maxtor\MaxBlast\MaxBlastMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programmi\Maxtor\MaxBlast\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programmi\File comuni\Maxtor\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vufuxnvi.dll",sitypnow
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1B85ED64-AFCB-4F83-95A4-160122935B81}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1B85ED64-AFCB-4F83-95A4-160122935B81}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1B85ED64-AFCB-4F83-95A4-160122935B81}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programmi\File comuni\Maxtor\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programmi\Ares\chatServer.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPAHelper.exe - Unknown owner - C:\Programmi\iPod Access for Windows\iPAHelper.exe
    O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    What should I delete??
    Thanks

  2. #2
    hi kiapparo, there is no junk in the log, only this one makes me suspicious:

    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vufuxnvi.dll",sitypnow

    in the meantime run a scan with SuperAntiSpyware and NanoScan;
    the latter produces a log, post it here.
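The entry singled out in the reply above has the classic shape of a rundll32 autostart hijack: a Run value with a respectable-sounding name (SearchIndexer) that actually loads a DLL with a random-looking eight-letter name from system32 and calls an equally random-looking export. The script below is an added example, not part of the thread and not part of HijackThis: it parses O4 lines and flags entries matching that pattern. The sample lines are the rundll32 entries copied from the log above (plus one ordinary EXE entry); the "random-looking name" regex and the short list of mimicked Windows component names are my heuristics and an assumption, not a vendor signature.

```python
"""Heuristic triage of HijackThis O4 (autostart) entries that load a DLL through rundll32."""
import ntpath
import re

# Constructed sample: the rundll32-style O4 lines from the log in this thread, plus
# one ordinary EXE entry to show that non-rundll32 entries are left alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vufuxnvi.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32[.exe] <dll>,<export> [args]; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:"(?P<qpath>[^"]+)"|(?P<path>[^,\s]+))\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# Heuristic (my assumption, not a vendor rule): a bare run of 6-10 lowercase letters
# with no digits, capitals or separators is the shape of machine-generated names.
RANDOM_RE = re.compile(r"[a-z]{6,10}")
# Windows component names that malware likes to borrow for its Run value (assumed list).
MIMICKED = {"searchindexer", "svchost", "lsass", "winlogon", "ctfmon"}


def parse_o4(line):
    """Split an O4 line into hive, value name and command; None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_rundll32(cmd):
    """Return (dll_path, export) if cmd is a rundll32 invocation, else None."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    return (m.group("qpath") or m.group("path"), m.group("export"))


def image_name(cmd):
    """Lower-cased base name (no extension) of the first executable token of cmd."""
    cmd = cmd.strip()
    token = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return ntpath.splitext(ntpath.basename(token))[0].lower()


def looks_random(token):
    return RANDOM_RE.fullmatch(token) is not None


def assess(entry):
    """Reasons an O4 entry deserves a closer look (empty list if none)."""
    reasons = []
    parsed = parse_rundll32(entry["cmd"])
    if parsed:
        dll_path, export = parsed
        stem = ntpath.splitext(ntpath.basename(dll_path))[0]
        if looks_random(stem) and looks_random(export):
            reasons.append(f"rundll32 loads {dll_path} and calls {export}: both names look machine-generated")
    value = ntpath.splitext(entry["name"])[0].lower()
    if value in MIMICKED and image_name(entry["cmd"]) != value:
        reasons.append(f"value name {entry['name']!r} borrows a Windows component name but runs {image_name(entry['cmd'])}")
    return reasons


def flag_suspicious(log_text):
    """Return [(value_name, [reasons])] for every O4 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = assess(entry)
            if reasons:
                findings.append((entry["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE_LOG):
        print(f"[{name}]")
        for reason in reasons:
            print("  -", reason)
```

Run it against a full saved log with `flag_suspicious(open("hijackthis.log").read())`. The vendor entries (NvCpl.dll,NvStartup and ptipbmf.dll,SetWriteCacheMode) pass because their export names are CamelCase, so only the SearchIndexer line is reported, for two independent reasons.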

  3. #3
    HTML.it user, registered Jan 2001, 1,742 posts
    Thanks a lot..
    I did what you just advised.
    As for NanoScan, it says:
    Scan result
    Summary:
    Your PC doesn't have viruses

    Details:
    Dangerous Threat name (0) Type Status

    Time:
    126 seconds
    Antivirus:
    GRISOFT AVG 7.5.488 (active and up-to-date)

    SuperAntiSpyware is still scanning. I'll let you know as soon as it's finished.
    Thanks a lot

  4. #4
    you're welcome, let me know about SuperAntiSpyware

  5. #5
    HTML.it user, registered Jan 2001, 1,742 posts
    I also ran a scan with TotalScan.
    This is the log from the end of the analysis.
    But do I really have to sign up to remove them?
    Anyway, SuperAntiSpyware is still scanning. I'll let you know as soon as it's finished.
    bye and thanks a lot.


    ;*********************************************************************
    ANALYSIS: 2007-09-25 19:07:37
    PROTECTIONS: 1
    MALWARE: 8
    SUSPECTS: 0
    ;*********************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;=====================================================================
    AVG 7.5.488 7.5.488 Yes Yes
    ;=====================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;=====================================================================
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Drugo\Cookies\drugo@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Drugo\Cookies\drugo@atdmt[2].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Drugo\Cookies\drugo@fastclick[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Drugo\Cookies\drugo@ad.yieldmanager[1].txt
    00172483 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Drugo\Cookies\drugo@int.sitestat[1].txt
    00172484 Cookie/Cassava TrackingCookie No 0 Yes No C:\Documents and Settings\Drugo\Cookies\drugo@int.sitestat[2].txt
    00186469 Cookie/Reliablestats TrackingCookie No 0 Yes No C:\Documents and Settings\Drugo\Cookies\drugo@stats1.reliablestats[2].txt
    00517598 Exploit/LoadImage HackTools No 0 Yes No C:\Documents and Settings\Drugo\Impostazioni locali\Temporary Internet Files\Content.IE5\UM0BYCAR\obysbxej[1].ani
    ;=====================================================================
    SUSPECTS
    Location
    ;=====================================================================
    ;=====================================================================

  6. #6
    hi, it looks like you have an exploit, so, after running the SuperAntiSpyware scan, download Avenger http://swandog46.geekstogo.com/avenger.zip
    click on "Input script manually" and then on the magnifying glass.
    in the white box, copy and paste the string below:


    files to delete:
    C:\Documents and Settings\Drugo\Impostazioni locali\Temporary Internet Files\Content.IE5\UM0BYCAR\obysbxej[1].ani




    then click Done, on the traffic light with the green light.
    then yes twice, reboot the PC and post here the Avenger log (c:/avenger.txt) + the SuperAntiSpyware result.
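The only non-cookie hit in the TotalScan output above is a .ani file in the IE cache tagged Exploit/LoadImage, and the advice in this post is to delete it with an Avenger script. Before deleting such a file, an analyst will usually want to confirm what is structurally wrong with it. The script below is an added example written for this page, not code from the thread or from any of the tools mentioned: it walks the RIFF/ACON container of an animated cursor and flags the anomaly the well-known Windows ANI exploits rely on, an anih header chunk whose declared size is not the 36 bytes of ANIHEADER, along with truncation and duplicate headers. Both sample files are constructed in memory; nothing here is taken from the infected PC.

```python
"""Structural sanity check for Windows animated cursor (.ani) files."""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs, the first being cbSizeOf


def _chunk(cid, payload):
    """RIFF chunk: 4-byte id, 4-byte little-endian length, payload, padded to an even size."""
    out = cid + struct.pack("<I", len(payload)) + payload
    return out + (b"\0" if len(payload) % 2 else b"")


def build_ani(anih_payload, extra=b""):
    """Constructed ANI container: RIFF/ACON wrapping one anih chunk plus optional extra chunks."""
    body = b"ACON" + _chunk(b"anih", anih_payload) + extra
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (not the file from the scan above).
# Well-formed header: cbSizeOf=36, 1 frame, 1 step, 32x32, 32 bpp, 1 plane, rate 10, flags=1.
GOOD_ANIH = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD_ANI = build_ani(GOOD_ANIH)
# Malformed: an anih chunk that declares 40 bytes instead of 36.
BAD_ANI = build_ani(struct.pack("<10I", 40, 1, 1, 32, 32, 32, 1, 10, 1, 0xDEADBEEF))


def _walk(data, pos, end, problems, found):
    """Iterate the chunks in data[pos:end], descending into LIST chunks."""
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        start = pos + 8
        if start + size > end:
            problems.append(f"chunk {cid!r} at offset {pos} declares {size} bytes, only {end - start} remain")
            return
        if cid == b"LIST":
            _walk(data, start + 4, start + size, problems, found)  # skip the 4-byte list type
        elif cid == b"anih":
            found.append(pos)
            if size != ANIH_SIZE:
                problems.append(f"anih at offset {pos} declares {size} bytes, expected {ANIH_SIZE}")
            elif struct.unpack_from("<I", data, start)[0] != ANIH_SIZE:
                problems.append(f"anih at offset {pos}: cbSizeOf field is not {ANIH_SIZE}")
        pos = start + size + (size & 1)


def check_ani(data):
    """Return a list of structural problems; an empty list means the container looks sane."""
    problems = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 != len(data):
        problems.append(f"RIFF length {riff_len} does not match file size {len(data)}")
    found = []
    _walk(data, 12, min(len(data), riff_len + 8), problems, found)
    if not found:
        problems.append("no anih chunk")
    elif len(found) > 1:
        problems.append(f"{len(found)} anih chunks (expected exactly one)")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_ANI), ("bad", BAD_ANI)):
        print(label, check_ani(sample) or "OK")
```

To inspect a cached file, call `check_ani(open(path, "rb").read())` on a copy taken from the Temporary Internet Files directory; a clean result does not prove the file is harmless, but an anih chunk that is not 36 bytes is enough to justify the deletion the post recommends.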

  7. #7
    Banned user, registered Jun 2007, 3,899 posts
    just run a cleanup with CCleaner to remove all the IE temp files...

  8. #8
    If you download ATF-Cleaner, it's quicker.
    Start ATF-Cleaner
    Tick Select All
    (if you want to keep the files in the recycle bin, untick Recycle bin)
    Click Empty selected
    "Asking is permitted, answering is courtesy"

    HJT GMER Avenger
