Buonasera, questa mail è diretta al Sig. Alfonso su diretta segnalazione di un mio collega (vedi nick “Margheritone” sul forum Sicurezza virus e privacy, del 11-16 novembre 2004). Mi ritrovo con un problema simile (virus Trojan) e seguendo le indicazioni del mio collega e di questo utilissimo sito, penso di aver risolto quasi del tutto, eliminando quel virus tramite i programmi Ad-Aware e Spybot-S&D, (qui scaricati) usati in modalità provvisoria.
In particolare e successivamente, il programma Ad-Aware mi segnala costantemente un’anomalia, non eliminabile, nel HKEY_LOCAL_MACHINE ---- Categoria: “Malfare” ---- Localizzato in: software\microsoft\internet explorer\toolbar “06ABAA2D-34AB-4902-A326-409BD9B9A7A5 ((probabilmente legata al “KERNEL32.DLL” del quale compare l’errore sullo schermo dopo alcuni minuti di connessione e riscontrando notevoli rallentamenti della linea ADSL 2 mega)) Utilizzando il programma “HIJACK THIS”, in modalità normale, riporto il LOG completo per conoscere da Lei se vi è l’opportunità di eliminare completamente (in automatico o manualmente) tale anomalia riscontrata, in modo da avere così il sistema pulito.
Grazie infinite per il possibile aiuto.
Paolo
******** ********* *********
Logfile of HijackThis v1.99.1
Scan saved at 16.54.03, on 03/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\AVPCC.EXE
C:\PROGRAMMI\ESET\NOD32KRN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMI\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\AVPCC.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMI\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMMI\ESET\NOD32KUI.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAMMI\ADSL\STARMODEM ADSL USB MODEM\DSLMON.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://directatrading.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Name - {62E3405B-9715-46B6-8C5C-AD35545B1F8B} - C:\WINDOWS\SYSTEM\MSVYL.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Programmi\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMMI\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AVPCC Service] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Programmi\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [PAV.EXE] C:\PROGRA~1\PERSYS~1\PERAV\PAV.EXE
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Programmi\Eset\nod32krn.exe"
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DSLMON.lnk = C:\Programmi\ADSL\StarModem ADSL USB MODEM\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/msnmessengersetupdownloader.cabO16 - DPF: {F57D27AE-CE57-4BC8-B232-EA57747BE5B7} - ms-its:mhtml:file://C:\PATH.MHT!http://195.225.176.5//d//gontrgj//gvqmpoc//eoxhang//girapw//IT//arct.chm::/painter.dll
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} -
http://deposito.hostance.net/dialer/606791.exeO16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe