Aiutamici Forum

The PC shuts down and restarts on its own.
Fleccer
Posted: Friday, January 16, 2009 8:28:50 AM
Rank: AiutAmico

Member since: 5/19/2005
Posts: 566
Hi everyone, since yesterday some strange things have been happening on my PC. As I said, the PC suddenly shuts down and restarts without giving any error message; on eMule the files being downloaded have mysteriously disappeared, and the temporary internet files get wiped as well.
Also, the PC has become exasperatingly slow.
My OS is Windows XP.
Unfortunately I'm afraid it's a virus (as has already happened before), even though scans with Malwarebytes and SUPERAntiSpyware came back negative.
Anyway, I'll try posting the HijackThis log, hoping someone can give me a hand.
Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.20.11, on 16/01/2009
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tot.co.th/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino Italia - {3543D964-CE64-47E6-B730-152732DAF0E6} - http://italia.intercasino.com/ (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino Italia - {3543D964-CE64-47E6-B730-152732DAF0E6} - http://italia.intercasino.com/ (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5199 bytes
r16
Posted: Friday, January 16, 2009 6:10:29 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi.
Start HijackThis, tick the entries I'm going to list below and, with all applications closed and the PC disconnected from the Internet, click Fix checked
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O9 - Extra button: InterCasino Italia - {3543D964-CE64-47E6-B730-152732DAF0E6} - http://italia.intercasino.com/ (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino Italia - {3543D964-CE64-47E6-B730-152732DAF0E6} - http://italia.intercasino.com/ (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
Do a clean-up (registry included) with CCleaner http://www.aiutaamici.com/software?ID=11223

Empty the contents of the Prefetch folder:
click My Computer
click Local Disk C:
among the folders shown, find the Windows folder, open it and, inside it, find the Prefetch folder; open it and delete all the items stored inside (do not delete the folder itself)
EMPTY THE RECYCLE BIN
*********************************************************************************************************
Download Norman Malware Cleaner http://download.norman.no/public/Norman_Malware_Cleaner.exe and save it to the desktop
Start in SAFE MODE

Run it
accept the licence
click Start Scan
wait for the scan to finish
A log is generated on the desktop; post it here.
In some cases Norman Malware Cleaner may require the computer to be restarted to remove the infection completely; in that case a second run of the program after rebooting the PC is recommended, to guarantee the complete removal of all infected files.
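Not part of the thread: an added Python example of the kind of triage r16 does by hand on a HijackThis log. It parses the R*/O* lines and attaches review flags (dangling "(file missing)" entries, browser settings and O16 ActiveX downloads whose host is outside an assumed allow-list, AppInit_DLLs, services with unknown owner). The allow-lists are assumptions and the sample lines are constructed, modelled on the log posted above; a flag means "look at this", not "this is malware".

```python
"""Parse HijackThis v2 log lines and attach defender-side review flags."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample input, modelled on the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tot.co.th/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O9 - Extra button: InterCasino Italia - {3543D964-CE64-47E6-B730-152732DAF0E6} - http://italia.intercasino.com/ (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

# Assumed allow-lists (not from the thread): hosts the machine owner expects in
# browser settings, and hosts from which O16 ActiveX downloads are routine.
EXPECTED_BROWSER_HOSTS = ("msn.it", "msn.com", "microsoft.com")
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    section: str                 # R0, R1, O2, O4, ... as printed by HijackThis
    body: str                    # everything after "Rn - " / "On - "
    clsid: str | None = None     # first {GUID} in the line, if any (BHO, toolbar, DPF, ...)
    url: str | None = None       # first http(s) URL in the line, if any
    flags: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Entry]:
    """Return one Entry per R*/O* line; the header and process list are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        url = URL_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             clsid.group(0) if clsid else None,
                             url.group(0) if url else None))
    return entries


def _host_in(url: str, allow: tuple[str, ...]) -> bool:
    """True when the URL's host is one of the allowed domains or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in allow)


def triage(entry: Entry) -> Entry:
    """Attach review flags to one entry (call once per entry; flags accumulate)."""
    if "(file missing)" in entry.body:
        entry.flags.append("file-missing")      # dangling reference left by a removed component
    if entry.section in ("R0", "R1") and entry.url and not _host_in(entry.url, EXPECTED_BROWSER_HOSTS):
        entry.flags.append("browser-setting-unexpected-host")
    if entry.section == "O16" and entry.url and not _host_in(entry.url, TRUSTED_DPF_HOSTS):
        entry.flags.append("activex-download-untrusted-host")
    if entry.section == "O20" and entry.body.startswith("AppInit_DLLs"):
        entry.flags.append("appinit-dll")       # loaded into every process that links user32.dll
    if entry.section == "O23" and "Unknown owner" in entry.body:
        entry.flags.append("service-unknown-owner")
    return entry


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each review flag to the log lines (section + body) that raised it."""
    report: dict[str, list[str]] = {}
    for entry in map(triage, parse_log(text)):
        for flag in entry.flags:
            report.setdefault(flag, []).append(f"{entry.section} - {entry.body}")
    return report


if __name__ == "__main__":
    for flag, items in triage_log(SAMPLE_LOG).items():
        print(f"[{flag}]")
        for item in items:
            print("   ", item)
```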
Fleccer
Posted: Saturday, January 17, 2009 7:43:39 AM
Rank: AiutAmico

Member since: 5/19/2005
Posts: 566
I followed all your instructions and I'm now ready to post the results of the Norman Malware Cleaner scan. I think I can already notice some improvement, especially as far as performance is concerned. So thank you for the help.
Bye.


Norman Malware Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2009/01/16 07:12:29

Norman Scanner Engine Version: 5.93.01
Nvcbin.def Version: 5.93.00, Date: 2009/01/16 07:12:29, Variants: 2538985

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 2, v.2135
Logged on user: MICROSOF-F2F4DE\Administrator

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = "avgrsstx.dll" -> ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableTaskMgr = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoFolderOptions = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispAppearancePage = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispBackgroundPage = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispScrSavPage = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispCPL = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoActiveDesktopChanges = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoFolderOptions = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = ""

Scan started: 17/01/2009 12:54:22


Scanning running processes and process memory...

Number of processes/threads found: 466
Number of processes/threads scanned: 466
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 21s


Scanning file system...

Scanning: C:\*.*

Scanning: D:\*.*

D:\BSINSTALL.exe (Infected with SaveNow.IP)
Deleted file

D:\SetupCasino.exe (Infected with W32/Banker.DWED)
Deleted file

D:\Casino online\SetupCasino.exe (Infected with W32/Banker.DWED)
Deleted file

D:\RECYCLER\S-1-5-21-527237240-1563985344-854245398-500\Dd1\eclbp323.zip/Babylon.Pro.exe (Infected with W32/Smalltroj.INWE)
Deleted file

D:\System Volume Information\_restore{56030D2B-B7BC-4A2C-B2F4-C5C557E645AE}\RP8\A0009619.exe (Infected with SaveNow.IP)
Deleted file

D:\System Volume Information\_restore{56030D2B-B7BC-4A2C-B2F4-C5C557E645AE}\RP8\A0009621.exe (Infected with W32/Banker.DWED)
Deleted file

D:\System Volume Information\_restore{56030D2B-B7BC-4A2C-B2F4-C5C557E645AE}\RP8\A0009687.exe (Infected with W32/Banker.DWED)
Deleted file

D:\System Volume Information\_restore{6D3D728D-C372-4FD1-86BD-E0AF4254E3C5}\RP27\A0002618.exe (Infected with SaveNow.AAK)
Deleted file

D:\System Volume Information\_restore{C8EAD1ED-1BEF-4F60-AE87-AAB2B79B9D03}\RP8\A0000317.exe (Infected with SaveNow.IP)
Deleted file

Scanning: d:\System Volume Information\*.*


Running post-scan cleanup routine:
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableTaskMgr = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoFolderOptions = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispAppearancePage = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispBackgroundPage = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispScrSavPage = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoDispCPL = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoActiveDesktopChanges = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoFolderOptions = ""
Failed to remove registry value (0x00000005): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = ""

Number of files found: 84672
Number of archives unpacked: 331
Number of files scanned: 84600
Number of files not scanned: 72
Number of files skipped due to exclude list: 0
Number of infected files found: 9
Number of infected files repaired/deleted: 9
Number of infections removed: 9
Total scanning time: 37m 55s
r16
Posted: Saturday, January 17, 2009 12:17:21 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi
Disable System Restore, and keep it disabled until the problem is solved http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80121

Run a scan with ComboFix:

Important: disable your antivirus and close ALL open programs, and after downloading COMBOFIX, close the connection.

Download ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to the desktop.
Double-click combofix.exe (a screen will appear).
Type 1, press Enter and follow the instructions.
When it finishes, a log file called C:\ComboFix.txt will be created. Post it here.
During the scan it is important not to use the PC (not even the mouse) and to wait patiently for the operations to finish.

Uninstall ComboFix this way (after I have looked at the log):
Start
Run
in the dialog box, type (or copy and paste) this command: Combofix /u and press Enter, then delete the ComboFix folders on "C" (qoobox)
Fleccer
Posted: Saturday, January 17, 2009 5:17:17 PM
Rank: AiutAmico

Member since: 5/19/2005
Posts: 566
Here's the ComboFix log.
Thanks for the help, bye.

ComboFix 09-01-16.04 - Administrator 2009-01-17 23.11.14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.874.1.1033.18.767.464 [GMT 7:00]
Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-16 23:50 . 2009-01-16 23:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrueCrypt
2009-01-16 23:48 . 2009-01-16 23:48 <DIR> d-------- c:\program files\TrueCrypt
2009-01-16 23:48 . 2009-01-16 23:48 215,872 --a------ c:\windows\system32\drivers\truecrypt.sys
2009-01-16 14:19 . 2009-01-16 14:19 <DIR> d-------- c:\program files\Trend Micro
2009-01-16 13:25 . 2009-01-17 13:38 <DIR> d-------- c:\program files\MetFileRegenerator
2009-01-16 12:38 . 2009-01-17 13:39 <DIR> d-------- c:\program files\eMule
2009-01-11 15:18 . 2009-01-11 15:18 <DIR> d-------- c:\program files\directx
2009-01-11 15:07 . 2009-01-11 15:07 <DIR> d-------- c:\program files\LucasArts
2009-01-11 04:04 . 2009-01-11 04:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2009-01-11 04:04 . 2009-01-11 04:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools
2009-01-11 04:03 . 2009-01-11 04:03 <DIR> d-------- c:\program files\DAEMON Tools Toolbar
2009-01-11 04:03 . 2009-01-11 04:03 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-01-11 04:03 . 2009-01-11 04:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-11 04:00 . 2009-01-11 12:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2009-01-11 04:00 . 2009-01-11 04:00 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2009-01-05 18:12 . 2009-01-14 10:33 <DIR> d-------- c:\program files\My Lockbox
2009-01-05 18:12 . 2007-12-13 20:13 17,264 --a------ c:\windows\system32\drivers\mprifl.sys
2009-01-03 23:13 . 2009-01-03 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2009-01-03 23:12 . 2009-01-03 23:12 <DIR> d-------- c:\program files\Common Files\Macromedia Shared
2009-01-03 23:12 . 2009-01-03 23:12 <DIR> d-------- c:\program files\Common Files\Macromedia
2009-01-03 23:12 . 2002-01-05 07:48 974,848 --------- c:\windows\system32\mfc70.dll
2009-01-03 23:12 . 2002-01-05 06:37 344,064 --------- c:\windows\system32\msvcr70.dll
2009-01-03 23:12 . 2002-01-05 07:10 61,440 --------- c:\windows\system32\mfc70ita.dll
2009-01-01 12:52 . 2009-01-03 23:12 <DIR> d-------- c:\program files\Macromedia
2008-12-21 11:31 . 2008-12-21 11:31 <DIR> d-------- c:\program files\AKVIS
2008-12-18 21:35 . 2009-01-16 11:54 <DIR> d-------- c:\windows\system32\dumps

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 17:30 --------- d-----w c:\program files\CD Recovery Toolbox Free
2009-01-16 04:54 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-01-15 04:19 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-15 03:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 17:32 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-01-14 09:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 09:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-11 08:07 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-03 04:53 1,152 --sha-w C:\2j1jawta.sys
2008-12-11 05:29 --------- d-----w c:\program files\VS Revo Group
2008-12-10 09:12 --------- d-----w c:\program files\Atomic Clock
2008-12-10 05:35 --------- d-----w c:\program files\Smart Projects
2008-12-07 06:11 --------- d-----w c:\program files\YourWare Solutions
2008-12-07 06:08 --------- d-----w c:\program files\IObit
2008-12-07 06:07 --------- d-----w c:\documents and settings\Administrator\Application Data\GlarySoft
2008-12-07 06:05 --------- d-----w c:\program files\Glary Utilities
2008-11-25 05:00 --------- d-----w c:\program files\Astonsoft
2008-11-25 04:24 --------- d-----w c:\documents and settings\Administrator\Application Data\DeepBurner
2008-11-19 16:55 --------- d-----w c:\program files\Jasc Software Inc
2008-11-19 16:55 --------- d-----w c:\program files\Common Files\Jasc Software Inc
2008-11-19 16:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-11-17 05:08 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-03 16:44 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-05-19 14336]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"flockbox"="c:\program files\My Lockbox\flockbox.exe" [2007-12-14 1071472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-05-19 14336]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
PartMetBackup.lnk - c:\program files\Java\jre1.6.0_07\bin\javaw.exe [2008-10-19 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-15 11:19 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DevconDefaultDB]
c:\windows\READREG [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-29 11:33 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2006-03-23 00:13 1591808 c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-05-19 01:29 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2004-04-18 22:45 4882432 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-01-15 11:19 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 14:56 17920 c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 14:56 18944 c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DisplayTrayIcon"=c:\windows\system32\TrayIcon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\LinkCreator.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2009-01-05 17264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-04 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-04 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-04 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-04 76040]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-12-01 09:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.it/
uInternet Connection Wizard,ShellNext = hxxp://www.tot.co.th/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b37eqjo7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1210541&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b37eqjo7.default\extensions\{bc4be15d-6a34-4356-9e97-79e43da32b1d}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 23:12:28
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\dssenh.dll
.
Completion time: 2009-01-17 23.13.49
ComboFix-quarantined-files.txt 2009-01-17 16:13:42
ComboFix2.txt 2009-01-17 16:06:35

Pre-Run: 14.887.608.320 bytes free
Post-Run: 14,876,131,328 bytes free

r16
Posted: Saturday, January 17, 2009 11:07:49 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi.
Carry out these operations:
Start\Run\ copy and paste this command: %temp% and empty the Temp folder of its contents.
Launch HijackThis and clean the ADS this way:
click Open the misc tool section
click Open ADS Spy
untick Quick scan (Windows base folder only)
click Scan
if any ADS are detected, tick all the boxes and click Remove selected
*********************************************************************************************************
Empty the contents of the Prefetch folder:
click My Computer
click Local Disk C:
among the folders shown, find the Windows folder, open it and, inside it, find the Prefetch folder; open it and delete all the items stored inside (do not delete the folder itself)
EMPTY THE RECYCLE BIN
*********************************************************************************************************
Do a clean-up (registry included) with CCleaner http://www.aiutaamici.com/software?ID=11223
Let me know if the PC still has problems.
Fleccer
Posted: Sunday, January 18, 2009 4:59:50 AM
Rank: AiutAmico

Member since: 5/19/2005
Posts: 566
I followed your instructions, including the HijackThis scan according to the procedure you gave, and nothing abnormal was detected.
Thanks a lot for the help,
r16
Posted: Sunday, January 18, 2009 11:46:58 AM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi.
I wanted to know whether it still shuts down suddenly and restarts.
Re-enable System Restore and, if everything is fine, create a new restore point.
Fleccer
Posted: Monday, January 19, 2009 12:08:00 PM
Rank: AiutAmico

Member since: 5/19/2005
Posts: 566
Yes, it did it once this morning while Windows was loading.
r16
Posted: Monday, January 19, 2009 7:11:35 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi.
Now don't take me for a madman.
A friend had more or less the same problem as you.
Do you know how he solved it?
He changed the power strip, the one all the plugs go into. (There was probably a loose contact.)
Now, I'm not saying you'll solve it too, but there's no harm in trying.
It could also be a hardware problem.