Scaricamenti a go-go

[gione11]

Appena ho provato a fare il collegamento ad Internet il mio portatile ASUS si è messo immediatamente a scaricare roba sconosciuta e si bloccava tutto. Non sono nemmero riuscita ad aggiornare l'antivirus (PC-Cillin)!. Allora ho fatto passare diversi programmini, ho cambiato antivirus (ho messo BitDefender) e ho visto che c'era un sacco di robaccia. Dopo la pulizia il mio file di registro è quello che segue, ma ci sono ancora delle voci che mi lasciano qualche dubbio: cos'è winsi32.exe? e sp2hosts.exe? e MSAOL32? Quali sono le voci che posso cancellare senza pericolo?. Prima di riprovare la connessione vorrei essere sicura che tutto vada bene.
Grazie a chi vorrà rispondermi!

Simona
Logfile of HijackThis v1.98.2
Scan saved at 10.30.42, on 05/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com.tw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com.tw/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BDMCon] C:\Programmi\Softwin\BitDefender Standard Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Programmi\Softwin\BitDefender Standard Edition\\bdnagent.exe
O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
O4 - HKLM\..\RunServices: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] sp2hosts.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Hotkey.lnk = C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...ridge-c267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113935490671

[dOLByrIDe]

credo proprio che siano dei WORM...

guarda questi link:

winsi32.exe

http://www.bleepingcomputer.com/star....exe-8576.html

MSAOL32.EXE

http://www.superadblocker.com/M/MSAOL32.EXE-4684.html

ciao

[Habanero]

comincia con l'usare una versione di HJT aggiornata (1.99).

[gione11]

Ecco qua.....

Logfile of HijackThis v1.99.1
Scan saved at 16.58.05, on 05/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Softwin\BitDefender Standard Edition\bdmcon.exe
C:\Programmi\Softwin\BitDefender Standard Edition\bdnagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe
C:\Programmi\Softwin\BitDefender Standard Edition\vsserv.exe
C:\WINDOWS\System32\1XConfig.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BDMCon] C:\Programmi\Softwin\BitDefender Standard Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Programmi\Softwin\BitDefender Standard Edition\\bdnagent.exe
O4 - HKLM\..\RunServices: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] sp2hosts.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Firewall Updater] msnupdateit.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Hotkey.lnk = C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...ridge-c267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113935490671
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programmi\Softwin\BitDefender Standard Edition\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Simona

[gione11]

Ho cancellato le voci:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
msnupdateit
p2hosts
Trusted Zone: http://ny.contentmatch.net (HKLM)

Rimango perplessa per le seguenti:
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...bridge-c267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1113935490671

Che succede se le cancello?
Aiutatemi, vi prego!

Simona

[gione11]

up

[amvinfe]

scaricati questo file, ti servirà poi:
http://www.mvps.org/winhelp2002/DelDomains.inf

scaricarti questi due file e mettili entrambi in una nuova cartella sul desktop.
http://www.trendmicro.com/ftp/products/tsc/sysclean.com
e le definizioni
http://www.trendmicro.com/ftp/produ...tern/lpt613.zip
dezippa il file sempre all'interno della stessa cartella.


apri HJT, fai lo scan metti la spunta, chiudi il browser, clicca su Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\RunServices: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] sp2hosts.exe
O4 - HKCU\..\Run: [Firewall Updater] msnupdateit.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...bridge-c267.cab
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programmi\Softwin\BitDefender Standard Edition\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

riavvia in modalità provvisoria ed elimina se presenti:

msnupdateit.exe
sp2hosts.exe


riavvia.
Clicca di dx sul file DelDomains.inf e seleziona dal menu a tendina "Installa".

Riavvia in modalità provvisoria, apri la cartella dove avevi dezippato il file, clicca sul file sysclean.
Riavvia.

Posta un nuovo log.

[gione11]

Allora! Ho fatto girare i vari programmi che mi hai detto e che mi hanno eliminato altri virus e spyware presenti. Ho pulito anche con CCleaner. Inoltre ho installato MS-Antispy e Sygate Firewall. Ho fatto girare anche XP TCP/IP Repair. Nella fretta mi sono dimentica di cancellare le voci di "file missing" ma al prossimo giro le cancello. Adesso il mio file di registro è:

Logfile of HijackThis v1.99.1
Scan saved at 10.29.36, on 06/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com.tw/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BDMCon] C:\Programmi\Softwin\BitDefender Standard Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Programmi\Softwin\BitDefender Standard Edition\\bdnagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Hotkey.lnk = C:\Programmi\Asus\ASUS Hotkey\Hotkey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1113935490671
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programmi\Softwin\BitDefender Standard Edition\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Io messenger non lo adopro. Posso cancellare le voci O9?. E la voce O16 a che serve? La posso cancellare?.

Grazie mille per l'aiuto!

Simona

[gione11]

up

[gione11]

UP