Aiutamici Forum

Huge problem
misterx1984
Posted: Saturday, April 09, 2005 9:50:55 PM
Rank: Member

Joined: 5/30/2004
Posts: 1
Hi alfonso, I ran a scan with Ad-Aware, Spybot and CWShredder but they found nothing. Then I ran one with Norton and got this result: NDNuninstall4 85.exe
NDNuninstall5 48.exe NDNuninstall5 64.exe NDNuninstall6 10.exe affected by an ADWARE.NDotNet. I went to the Norton site and this explanation came up:
Adware.NDotNet
Last Updated on: March 09, 2005 01:33:27 PM

Type: Adware
Name: n/a
Version: 3.8
Publisher: NewDotNet
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Risk Impact: High

Intelligent Updater Definitions*: February 05, 2004
LiveUpdate™ Definitions**: February 11, 2004

* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate definitions are usually released every Wednesday.

This risk can be detected only by Symantec products that support security risks. For more information on security risks, please go here.




Behavior
Adware.NDotNet is an adware program that displays advertisements based on keywords. This adware component works as a Browser Helper Object.

Symptoms
Your Symantec antivirus program detects Adware.NDotNet.

Transmission
This adware component must be manually installed or installed as a component of another program that you install.




File names:
Newdotnet3_88.dkk
Nnezt388.exe
NDNuninstall6_38.exe
tldctl2.inf
tldctl2.ocx
newdotnet6_38.dll
uninstall6_38.exe

When Adware.NDotNet is installed, it performs the following actions:


Creates the folder, %ProgramFiles%\NewDotNet, and copies files into it.

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.


Adds the value:

"New.net Startup" = "rundll32 C:\Progra~1\Newdot~1\Newdot~1.dll, NewDotNetStartup"

to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net
HKEY_LOCAL_MACHINE\SOFTWARE\New.net
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
HKEY_CLASSES_ROOT\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.Tldctl2c
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.Tldctl2c.1
HKEY_CLASSES_ROOT\Tldctl2.URLLink
HKEY_CLASSES_ROOT\Tldctl2.URLLink.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD521A1D-1F98-11D4-9676-00E018981B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.URLLink
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.URLLink.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tldctl2.ocx


Attempts to automatically update itself.




Notes:
Adware.NDotNet runs as a Browser Helper Object, which means that the adware component receives information regarding all the actions inside Internet Explorer. This Browser Helper Object requires Internet Explorer 4.0 or later to function.
This adware component appears to track Internet usage habits, but without using any identification parameters. It does not appear to track personally identifiable information.






This adware program must be manually installed. However, there are several known programs that have Adware.NDotNet within them and that install it as the program itself is installed.





Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

Update the definitions.
Uninstall New.net using the Add/Remove Programs utility in Control Panel or NDNuninstall6_38.exe found in the %Windows% folder.
Run a full system scan, and delete all files that are detected as Adware.NDotNet.
Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To uninstall the Adware
Do one of the following:
On the Windows 98 taskbar:
Click Start > Settings > Control Panel.
In the Control Panel window, double-click Add/Remove Programs.


On the Windows Me taskbar:
Click Start > Settings > Control Panel.
In the Control Panel window, double-click Add/Remove Programs.
If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."


On the Windows 2000 taskbar:
By default, Windows 2000 is set up the same as Windows 98, so follow the instructions for Windows 98. If otherwise, click Start, point to Settings > Control Panel, and then click Add/Remove Programs.


On the Windows XP taskbar:
Click Start > Control Panel.
In the Control Panel window, double-click Add or Remove Programs.


Click New.net Domains 3.88.


Note: You may need to use the scroll bar to view the entire list.


Click Add/Remove, Change/Remove, or Remove (depending on the operating system). Follow the prompts.

3. Scanning for and deleting the files
Start your Symantec antivirus program, and run a full system scan.
If any files are detected as Adware.NDotNet, click Delete



Notes:
If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.
If you ran the Add/Remove programs applet as described in the previous section, it is possible that all files were removed; therefore, none will be detected.




4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document, "How to make a backup of the Windows registry," for instructions.


Click Start > Run.
Type regedit

Then click OK.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"New.net Startup"="rundll32 C:\Progra~1\Newdot~1\Newdot~1.dll, NewDotNetStartup"


Navigate to and delete the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net
HKEY_LOCAL_MACHINE\SOFTWARE\New.net
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
HKEY_CLASSES_ROOT\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.Tldctl2c
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.Tldctl2c.1
HKEY_CLASSES_ROOT\Tldctl2.URLLink
HKEY_CLASSES_ROOT\Tldctl2.URLLink.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD521A1D-1F98-11D4-9676-00E018981B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.URLLink
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Tldctl2.URLLink.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tldctl2.ocx


Exit the Registry Editor

Now, from the little I understood, this is all Greek to me... alfonso, give me a hand!!

alfonso
Posted: Saturday, April 09, 2005 10:56:00 PM

Rank: AiutAmico

Joined: 10/5/2000
Posts: 19,132
Go to this address and follow the instructions: run the antivirus scan in safe mode and, still in safe mode, run Ad-aware and Spybot,

then restart in normal mode, make the log with Hijack and post it here in the forum.

http://www.aiutamici.com/software/descrizione.asp?CodSw=1175

Aiutamici Collaborator
misterx1984
Posted: Sunday, April 10, 2005 10:45:00 AM
Rank: Member

Joined: 5/30/2004
Posts: 1
Ad-Aware and Spybot found nothing. This is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10.45.03, on 10/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\LVComS.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\Programmi\ARESCOM\Modem Telindus Arescom ND220\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Winamp\Winamp.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVComS.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093014179640
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03AC6F3A-77E1-4582-B3E7-5807589375B4}: NameServer = 85.37.17.15 151.99.125.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{03AC6F3A-77E1-4582-B3E7-5807589375B4}: NameServer = 85.37.17.15 151.99.125.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

alfonso
Posted: Monday, April 11, 2005 11:43:29 AM

Rank: AiutAmico

Joined: 10/5/2000
Posts: 19,132
The log is clean of spyware. If you run the antivirus check in safe mode and the antivirus finds the infected files but does not remove them, all that remains is to format the disk and reinstall everything.

Even if you follow the instructions given, I think you won't solve anything, since Norton should remove that problem on its own, and if it can't, doing it manually is pointless.

Before running the scan in safe mode, you must disable System Restore; read this article:
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=257&SH=N

Aiutamici Collaborator
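
A HijackThis log like the one posted above can be checked mechanically against the indicators in the Symantec write-up quoted in the first post: the Browser Helper Object CLSID, the "New.net Startup" Run value, and the listed file names. The Python below is an added example, not part of the original thread or of any tool mentioned in it; the function name `find_ndotnet` and both sample logs are assumptions constructed for illustration.

```python
import re

# Indicators taken from the Symantec write-up quoted in the first post.
NDN_BHO_CLSID = "{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}"
NDN_RUN_VALUE = "new.net startup"
# File-name fragments; "newdot~1" is the 8.3 short form used in the Run value.
NDN_NAME_PARTS = ("newdotnet", "newdot~1", "tldctl2", "ndnuninstall")

# HijackThis line shapes: O2 = Browser Helper Object, O4 = autostart entry.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")

def find_ndotnet(log_text):
    """Return (line_number, reason) pairs for log lines matching the indicators."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        m2, m4 = O2_RE.match(line), O4_RE.match(line)
        if m2 and m2["clsid"].upper() == NDN_BHO_CLSID:
            hits.append((no, "BHO CLSID"))
        elif m4 and m4["value"].lower() == NDN_RUN_VALUE:
            hits.append((no, "Run value"))
        elif re.match(r"^O\d+ - ", line) and any(p in line.lower() for p in NDN_NAME_PARTS):
            hits.append((no, "file name"))
    return hits

# Two lines copied from the log posted in this thread (no indicators present).
CLEAN_SAMPLE = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
"""

# Constructed sample: lines 1, 2 and 4 are built from the write-up's values
# to show what an installed copy would look like; they are not from a real log.
INFECTED_SAMPLE = r"""O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Progra~1\Newdot~1\Newdot~1.dll, NewDotNetStartup
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O10 - Unknown file in Winsock LSP: c:\programmi\newdotnet\newdotnet6_38.dll
"""

if __name__ == "__main__":
    for no, reason in find_ndotnet(INFECTED_SAMPLE):
        print(f"line {no}: {reason}")
```

HijackThis lists autostart and browser hook points, not every file on disk, so an empty result here says nothing about leftover executables such as the uninstaller files Norton flagged.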