Aiutamici Forum
Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » LinkOptimizer (xSteven75)

LinkOptimizer (xSteven75) Opzioni
Topic Precedente · Topic Sucessivo
Ronny77
Inviato: Thursday, August 24, 2006 1:03:53 PM
Rank: Member

Iscritto dal : 3/1/2005
Posts: 15
Ciao Steven e ancora grazie per l'aiuto che mi hai fornito per

eliminare il dannato LinkOptimizer.
Poichè anche un'altro Pc è stato infettato da questo Malware ti elenco

i risultati della tua procedura così puoi dirmi cosa andare a

cancellare.

1) Ho disinstallato la JavaMachine
2) Ho eseguito la scansione con RootKit ottenendo questi risultati

HKLM\S-1-5-21-3453533240-2756935945-3101563722-1006\RemoteAccess\InternetProfile 20/01/2005 12.17 15 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 21/06/2006 20.14 46 bytes Windows API length not consistent with raw hive data.

C:\Programmi\IncrediMail\bin\ SSCE5232.dll 31/10/1662 21.34 152.00 KB Visible in Windows API, but not in MFT or directory index.

C:\Programmi\IncrediMail\bin\SSCE5232.dll 19/03/26812 14.07 152.00 KB Hidden from Windows API.

C:\WINDOWS 24/08/2006 11.03 0 bytes Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS:q3291j0.log 24/08/2006 11.03 143.08 KB Hidden from Windows API.

C:\WINDOWS\lfgip1.dll 10/07/2006 19.52 63.16 KB Hidden from Windows API.

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 24/08/2006 11.04 64.00 KB Visible in Windows API, but not in MFT or directory index.




3) Ho cancellato la cartella Random generata
4) Ho cancellato i file *.tmp,anche se in Temp non riesco ad eliminare

unfile TMP pioichè mi dice che è già in uso. Si chiama ZLT0502b.TMP

(ma cambia nome)
5) La cartella LinkOptimizer non esiste
6) Allego il Log di HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 11.43.55, on 24/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Programmi\SigmaTel\Driver audio di SigmaTel AC97\stacmon.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spnpinst.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\Roland\VSC32\vsc32cnf.exe
C:\Programmi\Roland\VSC32\vscvol.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\VEXPLITE\MONLITE.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\Programmi\ATnotes\ATnotes.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: andGoogle - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TouchED] C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programmi\SigmaTel\Driver audio di SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Programmi\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Programmi\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ATnotes.exe] C:\Programmi\ATnotes\ATnotes.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digisoft AntiDialer.lnk = C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O8 - Extra context menu item: andAdd animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: andCerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: andTraduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Eandsporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - :windir:\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - :windir:\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152816353924
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup/downloader_sp1/imloader.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4it.cab
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



7) Ho cancellato il servizio creato dall'infezione
8) In Open ADS Spy non mi ha trovato niente
9) Allego il Log del ProcessList

Process list saved on 11.56.25, on 24/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
788 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
888 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
936 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
948 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
1096 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1220 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1312 C:\WINDOWS\System32\S24EvMon.exe 8.0.0.161 Intel Corporation
1904 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
2008 C:\Programmi\AntiVir PersonalEdition Classic\sched.exe 7.0.0.17 Avira GmbH
2028 C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe 7.0.0.29 AVIRA GmbH
164 C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe 4.50.0.2 TOSHIBA CORPORATION
192 C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe 2.2.0.0 SEIKO EPSON CORPORATION
232 C:\Programmi\ewido anti-spyware 4.0\guard.exe 4.0.0.172 Anti-Malware Development a.s.
328 C:\WINDOWS\System32\nvsvc32.exe 6.14.10.4562 NVIDIA Corporation
472 C:\WINDOWS\System32\RegSrvc.exe 8.0.0.161 Intel Corporation
620 C:\WINDOWS\system32\spupdsvc.exe 6.2.29.0 Microsoft Corporation
744 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
856 C:\VEXPLITE\viritsvc.exe 1.1.0.1 TG Soft Sas www.tgsoft.it
1052 C:\WINDOWS\system32\ZoneLabs\vsmon.exe 4.5.594.0 Zone Labs Inc.
1424 C:\WINDOWS\system32\spnpinst.exe 5.1.2600.2180 Microsoft Corporation
1728 C:\WINDOWS\system32\Sysocmgr.exe 5.1.2600.2180 Microsoft Corporation
2240 C:\WINDOWS\system32\ZCfgSvc.exe 8.0.0.161 Intel Corporation
2396 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
2608 C:\WINDOWS\System32\1XConfig.exe 8.0.0.161 Intel
2700 C:\Programmi\TOSHIBA\TouchED\TouchED.Exe 2.5.0.0 TOSHIBA Corporation
2708 C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe 4.5.594.0 Zone Labs Inc.
2716 C:\WINDOWS\System32\00THotkey.exe 1.0.0.21 TOSHIBA Corp.
2760 C:\WINDOWS\LTSMMSG.exe 3.1.118.2 LT
2800 C:\Programmi\SigmaTel\Driver audio di SigmaTel AC97\stacmon.exe 1.0.0.3 SigmaTel Inc.
2824 C:\Programmi\Synaptics\SynTP\SynTPEnh.exe 7.5.11.0 Synaptics, Inc.
2852 C:\Programmi\Synaptics\SynTP\SynTPLpr.exe 7.5.11.0 Synaptics, Inc.
2932 C:\WINDOWS\system32\TFNF5.exe 2.2.0.0 TOSHIBA Corp.
2960 C:\WINDOWS\system32\TPSMain.exe 1.0.1.1 TOSHIBA Corporation
3016 C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe 7.0.0.10 Avira GmbH
3052 C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe 1.1.0.316 Crawler.com
3080 C:\Programmi\Roland\VSC32\vsc32cnf.exe 3.2.0.0 Roland
3128 C:\Programmi\Roland\VSC32\vscvol.exe 3.2.0.0 Roland
3188 C:\Programmi\iTunes\iTunesHelper.exe 6.0.0.18 Apple Computer, Inc.
3208 C:\WINDOWS\system32\TPSBattM.exe 1.0.1.0 TOSHIBA Corporation
3224 C:\VEXPLITE\MONLITE.EXE 5.1.0.1 TG Soft S.a.s.
3284 C:\Programmi\iPod\bin\iPodService.exe 6.0.0.18 Apple Computer, Inc.
3412 C:\Programmi\ATnotes\ATnotes.exe 9.4.1.0 Thomas Ascher
3464 C:\Programmi\Digisoft AntiDialer\AntiDialer.exe 1.0.4.3 Digisoft
3556 C:\WINDOWS\system32\wuauclt.exe 5.8.0.2469 Microsoft Corporation
3912 C:\Programmi\Internet Explorer\iexplore.exe 6.0.2900.2180 Microsoft Corporation
228 C:\HJT\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.


DLLs loaded by process C:\WINDOWS\System32\smss.exe:

[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation



10) Allego i Log di GMER Rootkit e Autostart

Rootkit

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-24 12:06:19
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwClose
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwConnectPort
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwCreateFile
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwCreateKey
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwCreateSection
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwDeleteKey
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwDeleteValueKey
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwLoadDriver
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwOpenFile
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwOpenProcess
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwSetValueKey
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwTerminateProcess
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwWriteFile

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F1F9AE90] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F9AE90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F1F9AE90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F9AE90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F1F9AE90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F9AE90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F1F9AE90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F9AE90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F1F9AE90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F9AE90] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [F1F94B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSEIRP_MJ_READ [F1F94B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F94B50] vsdatant.sys

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\WINDOWS\lfgip1.dll
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----



Autostart


GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-24 12:06:58
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = :SystemRoot:\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring@DLLName = c:\WINDOWS\System32\LgNotify.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\WINDOWS:q3291j0.log

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AntiVirScheduler /*AntiVir Scheduler*/@ = C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
AntiVirService /*AntiVir PersonalEdition Classic Service*/@ = C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
CFSvcs /*ConfigFree Service*/@ = C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
EPSONStatusAgent2 /*EPSON Printer Status Agent2*/@ = C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Programmi\ewido anti-spyware 4.0\guard.exe
NVSvc /*NVIDIA Driver Helper Service*/@ = :SystemRoot:\System32\nvsvc32.exe
RegSrvc /*RegSrvc*/@ = C:\WINDOWS\System32\RegSrvc.exe
S24EventMonitor /*Spectrum24 Event Monitor*/@ = C:\WINDOWS\System32\S24EvMon.exe
ScsiPort@ = :SystemRoot:\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = :SystemRoot:\system32\spoolsv.exe
spupdsvc /*Windows Service Pack Installer update service*/@ = C:\WINDOWS\system32\spupdsvc.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@TouchEDC:\Programmi\TOSHIBA\TouchED\TouchED.Exe = C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
@Zone Labs ClientC:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
@00THotkeyC:\WINDOWS\System32\00THotkey.exe = C:\WINDOWS\System32\00THotkey.exe
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
@nwiznwiz.exe /installquiet = nwiz.exe /installquiet
@LTSMMSGLTSMMSG.exe = LTSMMSG.exe
@000StTHK000StTHK.exe = 000StTHK.exe
@SigmaTel StacMonC:\Programmi\SigmaTel\Driver audio di SigmaTel AC97\stacmon.exe = C:\Programmi\SigmaTel\Driver audio di SigmaTel AC97\stacmon.exe
@SynTPEnhC:\Programmi\Synaptics\SynTP\SynTPEnh.exe = C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
@SynTPLprC:\Programmi\Synaptics\SynTP\SynTPLpr.exe = C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
@TFNF5TFNF5.exe = TFNF5.exe
@TPSMainTPSMain.exe = TPSMain.exe
@REGSHAVEC:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN = C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
@avgnt"C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
@SpywareTerminator"C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe" = "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
@vsc32cnf.exeC:\Programmi\Roland\VSC32\vsc32cnf.exe = C:\Programmi\Roland\VSC32\vsc32cnf.exe
@vscvol.exeC:\Programmi\Roland\VSC32\vscvol.exe = C:\Programmi\Roland\VSC32\vscvol.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe" = "C:\Programmi\iTunes\iTunesHelper.exe"
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ATnotes.exe = C:\Programmi\ATnotes\ATnotes.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{C4213067-97B3-4929-9B98-B5600FBBBA13} /*TouchED*/C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll = C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Programmi\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll = C:\Programmi\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
@{40950107-FEA6-4d53-A65F-B2DCBA57DD58} /*Nokia Phone Browser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Programmi\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
IMMenuShellExt@{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\PROGRA~1\INCRED~1\bin\ImShExt.dll
moveonboot_delete@{12B23346-6BD8-4812-BF8C-75E7C386ACB8} = C:\Programmi\GiPo@Utilities\GiPo@MoveOnBoot\mboot.dll
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar2.dll = c:\programmi\google\googletoolbar2.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll = C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ieandpver=6andar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ieandpver=6andar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}andclcid={SUB_CLSID}andpver={SUB_PVER}andar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}andclcid={SUB_CLSID}andpver={SUB_PVER}&ar=home

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.libero.it/ = http://www.libero.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = :SystemRoot:\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CE808FAB-C3DF-40A8-8BAE-787A2690CCE0} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress100.100.100.1 = 100.100.100.1
@NameServer =
@DefaultGateway =
@Domain =

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Digisoft AntiDialer.lnk = Digisoft AntiDialer.lnk

---- EOF - GMER 1.0.10 ----



Qui mi son fermato in attesa di tue news ti ringrazio.
Ronny
Torna in alto
 
Sponsor
Inviato: Thursday, August 24, 2006 1:03:53 PM

 
Torna in alto
 
steven75
Inviato: Thursday, August 24, 2006 2:41:16 PM
Rank: Member

Iscritto dal : 5/8/2006
Posts: 0
fai cosi:

Recati nel pannello di controllo e vedi se presente una voce con il nome LinkOptimizer, se si non toccarla , scarica e decomprimi MyUninstaller,(se lo vuoi tradurre in italiano,scarica questo file.zip
decomprimilo ,prendi il file e copialo nella cartella dove c'è Myuninstaller) .
Adesso avvia l'applicazione,attendi che siano visibili tutti i programmi installati, seleziona la voce in oggetto e premi sull'iconcina a forma di cestino per disinstallarla.....

Poi vai su Start->esegui->digita control userpasswords2 e dai l'ok....
Nella finestra che si aprira controlla di non avere un utenza sospetta oltre alle solite , se c'è cliccaci sopra con il tasto destro ed eliminala .....
(se hai XP PRO,semore nella finestra degli account,clicca su avanzate,poi ancora su avanzate, e controlla sia in user , che in groups di non avere alcuna utenza strana)

- Ora scarica e decomprimi the avenger ,
http://swandog46.geekstogo.com/avenger.zip
- Avvia Avenger.exe e seleziona Input Script Manually
- Clicca sulla lente d'ingrandimento e si aprirà la finestra View/edit script,
- All'interno copiaci quanto segue:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\lfgip1.dll

- Clicca sul pulsante Done
- Clicca sull'icona del semaforo verde
- Rispondi due volte Yes
- Il pc dovrebbe riavviarsi da solo,(altrimenti fallo tu)

E quindi posta il log di Avenger che trovi in (C:\avenger.txt)

Se questi passaggi vanno a buon fine molto probabilmente te ne sei sbarazzato di questa porcheria...
Torna in alto
 
Ronny77
Inviato: Thursday, August 24, 2006 3:14:30 PM
Rank: Member

Iscritto dal : 3/1/2005
Posts: 15
Ecco il log di Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bvocuhoh

*******************

Script file located at: \??\C:\xwihochl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\lfgip1.dll deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.
Torna in alto
 
steven75
Inviato: Thursday, August 24, 2006 4:03:31 PM
Rank: Member

Iscritto dal : 5/8/2006
Posts: 0
Ok , avenger il suo lavoro lo ha fatto ... adesso fai quest'ultimo controllo.
Scarica Registry Search Tools.zip dalla guida , estrailo e avvialo con un doppio click , nello spazio bianco inserisci il nome della dll (lfgip1.dll) e dai l'ok ....
Riportami quello che ti viene segnalato , nel caso ci fosse qualcosa , altrimenti direi che sei apposto ...
Torna in alto
 
Ronny77
Inviato: Thursday, August 24, 2006 5:02:53 PM
Rank: Member

Iscritto dal : 3/1/2005
Posts: 15
Ciao, con il registry search tools mi da: Nessun collegamento trovato, quindi dovremmo essere ok.
Però facendo una scansione con VirIt mi individua 3 virus. Uno lo elimina gli altri no. Ti allego il relativo Log dell'utlima scansione.
Come posso eliminarli?

24/08/2006 - 16:32:57

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\WINDOWS:q3291j0.log:$DATA Infetto da Trojan.Win32.RootKit.D
* * * RIMOSSO * * *
C:\WINDOWS\Downloaded Program Files\on-line.exe Possibile variante da Trojan.Win32.Dialer.EI
C:\WINDOWS\system32:awgis.exe:$DATA Possibile infezione da virus di nuova generazione

Chiavi Registro infette: 0.
Files Infetti: 2.
Files Sospetti: 1.
Files Analizzati: 68386.
Files Totali: 68386.
Chiavi Registro rimosse: 0.
Virus Rimossi: 1.
Torna in alto
 
steven75
Inviato: Thursday, August 24, 2006 8:24:46 PM
Rank: Member

Iscritto dal : 5/8/2006
Posts: 0
Ciao ,
la scansione con Viritl'hai fatta dalla modalità normale? se si falla dalla provvisoria e aggiungici anche una scansione con Ewido ...
alla fine posta i due log , piu quello hijackthis....
Disattiva anche il ripristino configurazione di sistema
Torna in alto
 
Ronny77
Inviato: Saturday, August 26, 2006 8:42:42 PM
Rank: Member

Iscritto dal : 3/1/2005
Posts: 15
Ciao, ti allego i tre log eseguti in modalità provvisoria:

VirIt

26/08/2006 - 17:48:23

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\WINDOWS\system32:awgis.exe:$DATA Possibile infezione da virus di nuova generazione

[D:]


[E:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 1.
Files Analizzati: 100256.
Files Totali: 100256.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.


Ewido


ewido anti-spyware - Scan Report

+ Created at: 20.00.35 26/08/2006

+ Scan result:



C:\Documents and Settings\RR\Desktop\Documenti Papà\Software\Aggiornamento IncrediMail\incredimail_install.exe -> Not-A-Virus.Downloader.Win32.ImLoader.c : Ignored.
C:\WINDOWS\Downloaded Program Files\imloader.exe -> Not-A-Virus.Downloader.Win32.ImLoader.c : Ignored.


::Report end



HiJackThis


Logfile of HijackThis v1.99.1
Scan saved at 20.03.29, on 26/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: andGoogle - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TouchED] C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programmi\SigmaTel\Driver audio di SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Programmi\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Programmi\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ATnotes.exe] C:\Programmi\ATnotes\ATnotes.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digisoft AntiDialer.lnk = C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O8 - Extra context menu item: andAdd animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: andCerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: andTraduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - :windir:\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - :windir:\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152816353924
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup/downloader_sp1/imloader.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4it.cab
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Attendo tue istruzioni e ancora grazie.
Ronny
Torna in alto
 
steven75
Inviato: Tuesday, August 29, 2006 4:22:04 PM
Rank: Member

Iscritto dal : 5/8/2006
Posts: 0
Ciao,
scusami ero assente , se ancora non hai risolto fammi un cenno e continueremo con le procedure
Torna in alto
 
Ronny77
Inviato: Wednesday, August 30, 2006 8:07:03 AM
Rank: Member

Iscritto dal : 3/1/2005
Posts: 15
Ciao Steven e ben tornato, ancora non ho risolto del tutto il problema. Nel post precedente al tuo ti avevo allegato i tre log di VirIt, Ewido e HiJackThis fatti in modalità provvisoria come mi avevi richiesto.Rimango in attesa di nuove istruzioni e ancora grazie per l'aiuto.
Torna in alto
 
steven75
Inviato: Wednesday, August 30, 2006 8:10:01 PM
Rank: Member

Iscritto dal : 5/8/2006
Posts: 0
Ciao ,
grazie del bentornato....
Il log hijackthis devi farlo dalla modalità normale ,non dalla provvisoria....
quindi postane uno aggiornato , e dimmi quali sono i problemi che riscontri attualmente
Torna in alto
 
Ronny77
Inviato: Wednesday, August 30, 2006 8:25:50 PM
Rank: Member

Iscritto dal : 3/1/2005
Posts: 15
Ciao,ti posto il log di HiJackThis fatto in modalità normale. I miei dubbi sono i seguenti: dal log di VirIt rileva il seguente virus

C:\WINDOWS\system32:awgis.exe:$DATA Possibile infezione da virus di nuova generazione


dal log di ewido rileva i seguenti problemi

C:\Documents and Settings\RR\Desktop\Documenti Papà\Software\Aggiornamento IncrediMail\incredimail_install.exe -> Not-A-Virus.Downloader.Win32.ImLoader.c : Ignored.
C:\WINDOWS\Downloaded Program Files\imloader.exe -> Not-A-Virus.Downloader.Win32.ImLoader.c : Ignored.

Ciò che riscontro io è una difficoltà a connettersi ad internet, avolte devo annullare e ritentare la connessione perchè si pianta quando compare la voce "Proiezione del computer in corso" ed inoltre ogni volta che avvio la macchina mi produce il suono di "arresto critico" di windows, anche se poi il pc funziona.

questo il log di HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 20.14.37, on 30/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Programmi\SigmaTel\Driver audio di SigmaTel AC97\stacmon.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\Roland\VSC32\vsc32cnf.exe
C:\Programmi\Roland\VSC32\vscvol.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\ATnotes\ATnotes.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: andGoogle - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TouchED] C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programmi\SigmaTel\Driver audio di SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Programmi\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Programmi\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ATnotes.exe] C:\Programmi\ATnotes\ATnotes.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digisoft AntiDialer.lnk = C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O8 - Extra context menu item: andAdd animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: andCerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: andTraduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - :windir:\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - :windir:\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152816353924
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup/downloader_sp1/imloader.cab
O16 - DPF: {FFD1E45F-2B11-4742-BF47-3822FE02EE0F} (Yahoo! Foto - salva e condividi le tue foto su Yahoo! E' facile!l Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4it.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94660B76-AFA0-4D4F-9E7C-79B6BC413F7F}: NameServer = 212.151.136.246 130.244.127.169
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Torna in alto
 
steven75
Inviato: Wednesday, August 30, 2006 8:43:51 PM
Rank: Member

Iscritto dal : 5/8/2006
Posts: 0
Ciao ,
allora il log hijackthis è pulito...
le voci rilevate da ewido ,a mio avviso non sono infette,anche per quello le ha ignorate
(appartengono a incredimail)-> http://www.fileresearchcenter.com/I/IMLOADER.EXE-3792.html

Comunque prova a sottoporle alla scansione su www.virustotal.com
(anche il file segnalato da virit)

- Carica il file mediante il tasto sfoglia
- Clicca su Send e attendi il responso

Per la connessione prova a fare un fix con il WinsockFix XP -> http://steven.altervista.org/files/utility.html
Torna in alto
 
Ronny77
Inviato: Monday, September 04, 2006 8:25:45 AM
Rank: Member

Iscritto dal : 3/1/2005
Posts: 15
Ciao Steven, ho seguito la procedura e credo a questo punto di aver eliminato ogni problema. Anche perchè dopo aver fatto i fix con i due programmi che mi hai indicato sono riuscito a rimuovere il virus individuato da VirIt

C:\WINDOWS\system32:awgis.exe:$DATA Possibile infezione da virus di nuova generazione

Ti ringrazio tanto per l'aiuto che mi hai fornito e speriamo che ora tutto funzioni bene. Ciao e grazie ancora!
Torna in alto
 
steven75
Inviato: Monday, September 04, 2006 10:21:16 AM
Rank: Member

Iscritto dal : 5/8/2006
Posts: 0
ciao ,
di niente figurati.... a disposione <img src=icon_smile_wink.gif border=0 align=middle>
Torna in alto
 
Utenti presenti in questo topic
Guest

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » LinkOptimizer (xSteven75)


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.