Hi guys, I noticed that on this forum you help idiot souls like me who unintentionally infest their own PC with trojans and the like... please, if you can, give me a hand.
Here is my situation:
/installed antivirus software:
Panda Antivirus 2008 + firewall.
/problems the antivirus reports every 5 minutes:
presence of .exe files in the folder c:\documents and settings\..\impostazioni locali\temp.. that try to modify my registry (the files are of the form 1018328252.exe). If I manage to delete them they reappear at reboot; otherwise it tells me they are in use by another program #maybe the antivirus!?#
/as for browsing, I have a twofold problem:
a. pop-ups that open; the titles of these windows are always preceded by the symbol ~
b. every so often my browsing is diverted via redirect to sites such as poiskin.ru and similar. (I managed to solve it temporarily by using a certain Gooredfix, but every so often the problem comes back)
I am including the HijackThis log /since attachments are not allowed/
and I thank in advance those who are willing to help me
michele b.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.39.03, on 20/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\programmi\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\documents and settings\proprietario\impostazioni locali\dati applicazioni\aaesc.exe
C:\Programmi\DAEMON Tools Lite\daemon.exe
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Free Download Manager\fdm.exe
C:\DOCUME~1\PROPRI~1\IMPOST~1\Temp\1079487410.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\Windows Live\Contacts\wlcomm.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\Apvxdwin.exe
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\AvltMain.exe
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\avciman.exe
C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\psimreal.exe
C:\Programmi\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: C:\WINDOWS\system32\jh9fgo4ksdgf.dll - {d7bf4552-94f1-42bd-f434-3604812c856d} - C:\WINDOWS\system32\jh9fgo4ksdgf.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programmi\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NodLogin] C:\Programmi\ESET\ESET NOD32 Antivirus\nodlogin.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Programmi\Stardock\WinCustomize\BootSkin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Programmi\LClock\LClock.exe
O4 - HKCU\..\Run: [Vista Sidebar] C:\Programmi\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] C:\Programmi\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Programmi\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [VisualTooltip] C:\Programmi\VisualTooltip\VisualToolTip.exe
O4 - HKCU\..\Run: [WinFlip] C:\Programmi\WinFlip\WinFlip.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [aaesc] "c:\documents and settings\proprietario\impostazioni locali\dati applicazioni\aaesc.exe" aaesc
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programmi\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Free Download Manager] "C:\Programmi\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\PROPRI~1\IMPOST~1\Temp\1079487410.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\vmauy.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\vmauy.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\361667420.exe (User 'Default user')
O4 - Startup: Aero Gmail.lnk = C:\Programmi\Stardock\Object Desktop\DesktopX\Widgets\Aero Gmail.exe
O4 - Startup: DesktopX Welcome.lnk = C:\Programmi\Stardock\Object Desktop\DesktopX\Widgets\Welcome.exe
O4 - Startup: Silica Picture Frame.lnk = C:\Programmi\Stardock\Object Desktop\DesktopX\Widgets\Silica Picture Frame.exe
O4 - Startup: Silica Weather.lnk = C:\Programmi\Stardock\Object Desktop\DesktopX\Widgets\Silica Weather.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Programmi\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSC...ws-i586-jc.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: sfdawtawgreage4tregrgae34 - {D7BF4552-94F1-42BD-F434-3604812C856D} - C:\WINDOWS\system32\jh9fgo4ksdgf.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Servizio trasferimento intelligente in background (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: Panda Software Controller (panda software controller) - Panda Software International - C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Software Controller (panda software controller) - Panda Software International - C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (pavfnsvr) - Panda Software International - C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (pavprsrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (pavsrv) - Panda Software International - C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Panda Host Service (pshost) - Panda Software International - c:\programmi\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (psimsvc) - Panda Software International - C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Panda TPSrv (tpsrv) - Panda Software International - C:\Programmi\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: Aggiornamenti automatici (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 11614 bytes

Life is made of stairs: some go down and some fall.
If I would have studied, I had learned. [Quote: Leone di Lernia]