Aiutamici Forum
Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Mi controllate il LOG di Hijack -grazie mille Opzioni
gmariot
Inviato: Wednesday, September 06, 2006 10:04:23 PM
Rank: Member

Iscritto dal : 9/6/2006
Posts: 0
Quando sono connesso in internet, parte una connessione (si sente dal cicalino del modem)
Logfile of HijackThis v1.99.1
Scan saved at 21.30.34, on 06/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Temp\innp5.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {257F3EBD-D54D-2A50-2953-3D5627B3AC7D} - C:\WINDOWS\tldwm1.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TrustInstaller] "D:\Setup.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [innp5.exe] C:\WINDOWS\Temp\innp5.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.hastalavista.it
O15 - Trusted Zone: www.linkautomatici.com
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.superspots.biz
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Sponsor
Inviato: Wednesday, September 06, 2006 10:04:23 PM

 
steven75
Inviato: Wednesday, September 06, 2006 11:45:18 PM
Rank: Member

Iscritto dal : 5/8/2006
Posts: 0
Ciao ,
nel tuo log c'è la presenza evidente del rootkit linkoptimizer , piu delle entrate maligne nella trusted zone ... fai cosi :

- Scarica ed installa questo <b><u>script</u></b> (---) <i>tasto destro sul link e salvalo sul desktop</i> -> Ora tasto destro sul file <b>.inf</b> e seleziona installa

Scarica ed esegui uno scan con l'ultimo tools della lista -> http://steven.altervista.org/files/antirootkit.html

(con tutti i programmi chiusi e disconnesso completamente da internet )

Alla fine posta sia il log del tool e sia quello aggiornato di hijackthis

PS__se hai una connessione ADSL ,disabilita completamente il modem analogico





Edited by - steven75 on 09/06/2006 23:48:11
gmariot
Inviato: Monday, September 11, 2006 10:51:21 PM
Rank: Member

Iscritto dal : 9/6/2006
Posts: 0
<BLOCKQUOTE id=quote><font size=1 face="Sans Serif, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Ciao ,
nel tuo log c'è la presenza evidente del rootkit linkoptimizer , piu delle entrate maligne nella trusted zone ... fai cosi :

- Scarica ed installa questo <b><u>script</u></b> (---) <i>tasto destro sul link e salvalo sul desktop</i> -> Ora tasto destro sul file <b>.inf</b> e seleziona installa

Scarica ed esegui uno scan con l'ultimo tools della lista -> http://steven.altervista.org/files/antirootkit.html

(con tutti i programmi chiusi e disconnesso completamente da internet )

Alla fine posta sia il log del tool e sia quello aggiornato di hijackthis

PS__se hai una connessione ADSL ,disabilita completamente il modem analogico





Edited by - steven75 on 09/06/2006 23:48:11
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Sans Serif, Arial, Helvetica" size=2 id=quote>

Ciao
Ti descrivo le attività effettuate:

1)ho eseguito una prima volta il Tool removal (ti allego il Log)
2)ho aggiornato Avast (ver 4.7)perchè l'aggiornamento era settato manuale
3)ho eseguito la scansione e avast ha intercettato 10 file infetti che ho messo nel cestino dell' antivirus
4)ho eseguito una seconda volta il Tool removal (ti allego il Log)
5)ho eseguito Hijacktis (ti allego il Log)

Per terminare vorrei farti queste domande:
a)sono pulito ? se no, cosa devo fare?
b)i file presenti nel cestino di Avast li devo eliminare?
c)nella cartella TEMP trovo dei file (pxr3.tmp - pxr4.tmp - pxr5.tmp....)che non riesco a cancellare, i caratteri dei nomi sono verdi, cosa mi puoi dire?
p.s. non ho connessioni ADSL
grazie mille per la collaborazione
ciao

prima scansione
Removal tool loaded into memory

Executing rootkit removal engine....

Disabling rootkit file: C:\WINDOWS:wmsysprk.prx
Resetting file permissions...
Scanning: C:\WINDOWS
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\10.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\11.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\13.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\16.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\17.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\19.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\2B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3A.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\4.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\5.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\6.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\7.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\8.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\tldwm1.dll
Removed!
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\aOT.exe
Removing protected file: C:\Programmi\File comuni\System\aXo.exe
Removing protected file: C:\Programmi\File comuni\System\mnLq.exe
Removing protected file: C:\Programmi\File comuni\System\nhH.exe
Removing protected file: C:\Programmi\File comuni\System\ppT.exe
Removing protected file: C:\Programmi\File comuni\System\wYb.exe


Trojan.Gromozon Removed!

seconda scansione
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

ultima scansione di Hijackitis
Logfile of HijackThis v1.99.1
Scan saved at 21.42.18, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Documents and Settings\admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {257F3EBD-D54D-2A50-2953-3D5627B3AC7D} - C:\WINDOWS\tldwm1.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TrustInstaller] "D:\Setup.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe





<u></u><b></b>
gmariot
Inviato: Monday, September 11, 2006 10:52:25 PM
Rank: Member

Iscritto dal : 9/6/2006
Posts: 0
<BLOCKQUOTE id=quote><font size=1 face="Sans Serif, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Ciao ,
nel tuo log c'è la presenza evidente del rootkit linkoptimizer , piu delle entrate maligne nella trusted zone ... fai cosi :

- Scarica ed installa questo <b><u>script</u></b> (---) <i>tasto destro sul link e salvalo sul desktop</i> -> Ora tasto destro sul file <b>.inf</b> e seleziona installa

Scarica ed esegui uno scan con l'ultimo tools della lista -> http://steven.altervista.org/files/antirootkit.html

(con tutti i programmi chiusi e disconnesso completamente da internet )

Alla fine posta sia il log del tool e sia quello aggiornato di hijackthis

PS__se hai una connessione ADSL ,disabilita completamente il modem analogico





Edited by - steven75 on 09/06/2006 23:48:11
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Sans Serif, Arial, Helvetica" size=2 id=quote>

Ciao
Ti descrivo le attività effettuate:

1)ho eseguito una prima volta il Tool removal (ti allego il Log)
2)ho aggiornato Avast (ver 4.7)perchè l'aggiornamento era settato manuale
3)ho eseguito la scansione e avast ha intercettato 10 file infetti che ho messo nel cestino dell' antivirus
4)ho eseguito una seconda volta il Tool removal (ti allego il Log)
5)ho eseguito Hijacktis (ti allego il Log)

Per terminare vorrei farti queste domande:
a)sono pulito ? se no, cosa devo fare?
b)i file presenti nel cestino di Avast li devo eliminare?
c)nella cartella TEMP trovo dei file (pxr3.tmp - pxr4.tmp - pxr5.tmp....)che non riesco a cancellare, i caratteri dei nomi sono verdi, cosa mi puoi dire?
p.s. non ho connessioni ADSL
grazie mille per la collaborazione
ciao

prima scansione
Removal tool loaded into memory

Executing rootkit removal engine....

Disabling rootkit file: C:\WINDOWS:wmsysprk.prx
Resetting file permissions...
Scanning: C:\WINDOWS
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\10.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\11.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\13.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\16.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\17.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\19.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\2B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3A.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\4.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\5.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\6.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\7.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\8.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\tldwm1.dll
Removed!
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\aOT.exe
Removing protected file: C:\Programmi\File comuni\System\aXo.exe
Removing protected file: C:\Programmi\File comuni\System\mnLq.exe
Removing protected file: C:\Programmi\File comuni\System\nhH.exe
Removing protected file: C:\Programmi\File comuni\System\ppT.exe
Removing protected file: C:\Programmi\File comuni\System\wYb.exe


Trojan.Gromozon Removed!

seconda scansione
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

ultima scansione di Hijackitis
Logfile of HijackThis v1.99.1
Scan saved at 21.42.18, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Documents and Settings\admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {257F3EBD-D54D-2A50-2953-3D5627B3AC7D} - C:\WINDOWS\tldwm1.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TrustInstaller] "D:\Setup.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


gmariot
Inviato: Monday, September 11, 2006 10:54:58 PM
Rank: Member

Iscritto dal : 9/6/2006
Posts: 0
<BLOCKQUOTE id=quote><font size=1 face="Sans Serif, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Ciao ,
nel tuo log c'è la presenza evidente del rootkit linkoptimizer , piu delle entrate maligne nella trusted zone ... fai cosi :

- Scarica ed installa questo <b><u>script</u></b> (---) <i>tasto destro sul link e salvalo sul desktop</i> -> Ora tasto destro sul file <b>.inf</b> e seleziona installa

Scarica ed esegui uno scan con l'ultimo tools della lista -> http://steven.altervista.org/files/antirootkit.html

(con tutti i programmi chiusi e disconnesso completamente da internet )

Alla fine posta sia il log del tool e sia quello aggiornato di hijackthis

PS__se hai una connessione ADSL ,disabilita completamente il modem analogico





Edited by - steven75 on 09/06/2006 23:48:11
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Sans Serif, Arial, Helvetica" size=2 id=quote>

Ciao
Ti descrivo le attività effettuate:

1)ho eseguito una prima volta il Tool removal (ti allego il Log)
2)ho aggiornato Avast (ver 4.7)perchè l'aggiornamento era settato manuale
3)ho eseguito la scansione e avast ha intercettato 10 file infetti che ho messo nel cestino dell' antivirus
4)ho eseguito una seconda volta il Tool removal (ti allego il Log)
5)ho eseguito Hijacktis (ti allego il Log)

Per terminare vorrei farti queste domande:
a)sono pulito ? se no, cosa devo fare?
b)i file presenti nel cestino di Avast li devo eliminare?
c)nella cartella TEMP trovo dei file (pxr3.tmp - pxr4.tmp - pxr5.tmp....)che non riesco a cancellare, i caratteri dei nomi sono verdi, cosa mi puoi dire?
p.s. non ho connessioni ADSL
grazie mille per la collaborazione
ciao

prima scansione
Removal tool loaded into memory

Executing rootkit removal engine....

Disabling rootkit file: C:\WINDOWS:wmsysprk.prx
Resetting file permissions...
Scanning: C:\WINDOWS
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\10.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\11.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\13.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\16.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\17.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\19.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\2B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3A.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\4.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\5.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\6.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\7.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\8.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\tldwm1.dll
Removed!
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\aOT.exe
Removing protected file: C:\Programmi\File comuni\System\aXo.exe
Removing protected file: C:\Programmi\File comuni\System\mnLq.exe
Removing protected file: C:\Programmi\File comuni\System\nhH.exe
Removing protected file: C:\Programmi\File comuni\System\ppT.exe
Removing protected file: C:\Programmi\File comuni\System\wYb.exe


Trojan.Gromozon Removed!

seconda scansione
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

ultima scansione di Hijackitis
Logfile of HijackThis v1.99.1
Scan saved at 21.42.18, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Documents and Settings\admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {257F3EBD-D54D-2A50-2953-3D5627B3AC7D} - C:\WINDOWS\tldwm1.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TrustInstaller] "D:\Setup.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


gmariot
Inviato: Monday, September 11, 2006 10:57:45 PM
Rank: Member

Iscritto dal : 9/6/2006
Posts: 0
<BLOCKQUOTE id=quote><font size=1 face="Sans Serif, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Ciao ,
nel tuo log c'è la presenza evidente del rootkit linkoptimizer , piu delle entrate maligne nella trusted zone ... fai cosi :

- Scarica ed installa questo <b><u>script</u></b> (---) <i>tasto destro sul link e salvalo sul desktop</i> -> Ora tasto destro sul file <b>.inf</b> e seleziona installa

Scarica ed esegui uno scan con l'ultimo tools della lista -> http://steven.altervista.org/files/antirootkit.html

(con tutti i programmi chiusi e disconnesso completamente da internet )

Alla fine posta sia il log del tool e sia quello aggiornato di hijackthis

PS__se hai una connessione ADSL ,disabilita completamente il modem analogico





Edited by - steven75 on 09/06/2006 23:48:11
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Sans Serif, Arial, Helvetica" size=2 id=quote>

Ciao
Ti descrivo le attività effettuate:

1)ho eseguito una prima volta il Tool removal (ti allego il Log)
2)ho aggiornato Avast (ver 4.7)perchè l'aggiornamento era settato manuale
3)ho eseguito la scansione e avast ha intercettato 10 file infetti che ho messo nel cestino dell' antivirus
4)ho eseguito una seconda volta il Tool removal (ti allego il Log)
5)ho eseguito Hijacktis (ti allego il Log)

Per terminare vorrei farti queste domande:
a)sono pulito ? se no, cosa devo fare?
b)i file presenti nel cestino di Avast li devo eliminare?
c)nella cartella TEMP trovo dei file (pxr3.tmp - pxr4.tmp - pxr5.tmp....)che non riesco a cancellare, i caratteri dei nomi sono verdi, cosa mi puoi dire?
p.s. non ho connessioni ADSL
grazie mille per la collaborazione
ciao

prima scansione
Removal tool loaded into memory

Executing rootkit removal engine....

Disabling rootkit file: C:\WINDOWS:wmsysprk.prx
Resetting file permissions...
Scanning: C:\WINDOWS
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\10.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\11.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\13.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\16.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\17.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\19.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\2B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3A.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\4.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\5.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\6.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\7.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\8.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\tldwm1.dll
Removed!
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\aOT.exe
Removing protected file: C:\Programmi\File comuni\System\aXo.exe
Removing protected file: C:\Programmi\File comuni\System\mnLq.exe
Removing protected file: C:\Programmi\File comuni\System\nhH.exe
Removing protected file: C:\Programmi\File comuni\System\ppT.exe
Removing protected file: C:\Programmi\File comuni\System\wYb.exe


Trojan.Gromozon Removed!

seconda scansione
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

ultima scansione di Hijackitis
Logfile of HijackThis v1.99.1
Scan saved at 21.42.18, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Documents and Settings\admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {257F3EBD-D54D-2A50-2953-3D5627B3AC7D} - C:\WINDOWS\tldwm1.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TrustInstaller] "D:\Setup.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


gmariot
Inviato: Monday, September 11, 2006 11:00:25 PM
Rank: Member

Iscritto dal : 9/6/2006
Posts: 0
<BLOCKQUOTE id=quote><font size=1 face="Sans Serif, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Ciao ,
nel tuo log c'è la presenza evidente del rootkit linkoptimizer , piu delle entrate maligne nella trusted zone ... fai cosi :

- Scarica ed installa questo <b><u>script</u></b> (---) <i>tasto destro sul link e salvalo sul desktop</i> -> Ora tasto destro sul file <b>.inf</b> e seleziona installa

Scarica ed esegui uno scan con l'ultimo tools della lista -> http://steven.altervista.org/files/antirootkit.html

(con tutti i programmi chiusi e disconnesso completamente da internet )

Alla fine posta sia il log del tool e sia quello aggiornato di hijackthis

PS__se hai una connessione ADSL ,disabilita completamente il modem analogico





Edited by - steven75 on 09/06/2006 23:48:11
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Sans Serif, Arial, Helvetica" size=2 id=quote>

Ciao
Ti descrivo le attività effettuate:

1)ho eseguito una prima volta il Tool removal
2)ho aggiornato Avast (ver 4.7)perchè l'aggiornamento era settato manuale
3)ho eseguito la scansione e avast ha intercettato 10 file infetti che ho messo nel cestino dell' antivirus
4)ho eseguito una seconda volta il Tool removal (ti allego il Log)
5)ho eseguito Hijacktis (ti allego il Log)

Per terminare vorrei farti queste domande:
a)sono pulito ? se no, cosa devo fare?
b)i file presenti nel cestino di Avast li devo eliminare?
c)nella cartella TEMP trovo dei file (pxr3.tmp - pxr4.tmp - pxr5.tmp....)che non riesco a cancellare, i caratteri dei nomi sono verdi, cosa mi puoi dire?
p.s. non ho connessioni ADSL
grazie mille per la collaborazione
ciao


seconda scansione
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

ultima scansione di Hijackitis
Logfile of HijackThis v1.99.1
Scan saved at 21.42.18, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Documents and Settings\admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {257F3EBD-D54D-2A50-2953-3D5627B3AC7D} - C:\WINDOWS\tldwm1.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TrustInstaller] "D:\Setup.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


gmariot
Inviato: Monday, September 11, 2006 11:08:23 PM
Rank: Member

Iscritto dal : 9/6/2006
Posts: 0
<BLOCKQUOTE id=quote><font size=1 face="Sans Serif, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Ciao ,
nel tuo log c'è la presenza evidente del rootkit linkoptimizer , piu delle entrate maligne nella trusted zone ... fai cosi :

- Scarica ed installa questo <b><u>script</u></b> (---) <i>tasto destro sul link e salvalo sul desktop</i> -> Ora tasto destro sul file <b>.inf</b> e seleziona installa

Scarica ed esegui uno scan con l'ultimo tools della lista -> http://steven.altervista.org/files/antirootkit.html

(con tutti i programmi chiusi e disconnesso completamente da internet )

Alla fine posta sia il log del tool e sia quello aggiornato di hijackthis

PS__se hai una connessione ADSL ,disabilita completamente il modem analogico





Edited by - steven75 on 09/06/2006 23:48:11
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Sans Serif, Arial, Helvetica" size=2 id=quote>

<BLOCKQUOTE id=quote><font size=1 face="Sans Serif, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Ciao
Ti descrivo le attività effettuate:

1)ho eseguito una prima volta il Tool removal
2)ho aggiornato Avast (ver 4.7)perchè l'aggiornamento era settato manuale
3)ho eseguito la scansione e avast ha intercettato 10 file infetti che ho messo nel cestino dell' antivirus
4)ho eseguito una seconda volta il Tool removal (ti allego il Log)
5)ho eseguito Hijacktis (ti allego il Log)

Per terminare vorrei farti queste domande:
a)sono pulito ? se no, cosa devo fare?
b)i file presenti nel cestino di Avast li devo eliminare?
c)nella cartella TEMP trovo dei file (pxr3.tmp - pxr4.tmp - pxr5.tmp....)che non riesco a cancellare, i caratteri dei nomi sono verdi, cosa mi puoi dire?
p.s. non ho connessioni ADSL
grazie mille per la collaborazione
ciao


seconda scansione
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

ultima scansione di Hijackitis
Logfile of HijackThis v1.99.1
Scan saved at 21.42.18, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Documents and Settings\admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {257F3EBD-D54D-2A50-2953-3D5627B3AC7D} - C:\WINDOWS\tldwm1.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TrustInstaller] "D:\Setup.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Sans Serif, Arial, Helvetica" size=2 id=quote>

gmariot
Inviato: Monday, September 11, 2006 11:13:37 PM
Rank: Member

Iscritto dal : 9/6/2006
Posts: 0
<BLOCKQUOTE id=quote><font size=1 face="Sans Serif, Arial, Helvetica" id=quote>quote:<hr height=1 noshade id=quote>
Ciao ,
nel tuo log c'è la presenza evidente del rootkit linkoptimizer , piu delle entrate maligne nella trusted zone ... fai cosi :

- Scarica ed installa questo <b><u>script</u></b> (---) <i>tasto destro sul link e salvalo sul desktop</i> -> Ora tasto destro sul file <b>.inf</b> e seleziona installa

Scarica ed esegui uno scan con l'ultimo tools della lista -> http://steven.altervista.org/files/antirootkit.html

(con tutti i programmi chiusi e disconnesso completamente da internet )

Alla fine posta sia il log del tool e sia quello aggiornato di hijackthis

PS__se hai una connessione ADSL ,disabilita completamente il modem analogico





Edited by - steven75 on 09/06/2006 23:48:11
<hr height=1 noshade id=quote></BLOCKQUOTE id=quote></font id=quote><font face="Sans Serif, Arial, Helvetica" size=2 id=quote>

Ciao
Ti descrivo le attività effettuate:

1)ho eseguito una prima volta il Tool removal (ti allego il Log)
2)ho aggiornato Avast (ver 4.7)perchè l'aggiornamento era settato manuale
3)ho eseguito la scansione e avast ha intercettato 10 file infetti che ho messo nel cestino dell' antivirus
4)ho eseguito una seconda volta il Tool removal (ti allego il Log)
5)ho eseguito Hijacktis (ti allego il Log)

Per terminare vorrei farti queste domande:
a)sono pulito ? se no, cosa devo fare?
b)i file presenti nel cestino di Avast li devo eliminare?
c)nella cartella TEMP trovo dei file (pxr3.tmp - pxr4.tmp - pxr5.tmp....)che non riesco a cancellare, i caratteri dei nomi sono verdi, cosa mi puoi dire?
p.s. non ho connessioni ADSL
grazie mille per la collaborazione
ciao

prima scansione
Removal tool loaded into memory

Executing rootkit removal engine....

Disabling rootkit file: C:\WINDOWS:wmsysprk.prx
Resetting file permissions...
Scanning: C:\WINDOWS
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\10.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\11.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\13.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\16.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\17.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\19.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\1E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\2B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\3A.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\4.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\5.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\6.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\7.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\8.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\tldwm1.dll
Removed!
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\aOT.exe
Removing protected file: C:\Programmi\File comuni\System\aXo.exe
Removing protected file: C:\Programmi\File comuni\System\mnLq.exe
Removing protected file: C:\Programmi\File comuni\System\nhH.exe
Removing protected file: C:\Programmi\File comuni\System\ppT.exe
Removing protected file: C:\Programmi\File comuni\System\wYb.exe


Trojan.Gromozon Removed!

seconda scansione
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

ultima scansione di Hijackitis
Logfile of HijackThis v1.99.1
Scan saved at 21.42.18, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Logitech\SetPoint\KEM.exe
C:\Programmi\Logitech\SetPoint\KHALMNPR.EXE
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Documents and Settings\admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {257F3EBD-D54D-2A50-2953-3D5627B3AC7D} - C:\WINDOWS\tldwm1.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB002" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TrustInstaller] "D:\Setup.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



alfonso
Inviato: Tuesday, September 12, 2006 12:26:42 PM

Rank: AiutAmico

Iscritto dal : 10/5/2000
Posts: 19,132
Ciao ,
esegui queste operazioni

Disattiva il ripristino di configurazione, leggi qui come fare
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=257&SH=N

Riavvia in modalità provvisoria, leggi qui come fare
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=344&SH=N

apri HIJAC THIS ed elimina come indicato in questo articolo
http://www.aiutamici.com/software/descrizione.asp?CodSw=1175
le righe che seguono.

==================================
R3 - Default URLSearchHook is missing
-
O2 - BHO: Class - {257F3EBD-D54D-2A50-2953-3D5627B3AC7D} - C:\WINDOWS\tldwm1.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
-
O4 - HKLM\..\Run: [TrustInstaller] "D:\Setup.exe"
==================================

Elimina i file in rosso nei percorsi indicati
==================================
C:\WINDOWS\<font color=red><b>tldwm1.dll</font id=red></b>
D:\<font color=red><b>Setup.exe</font id=red></b>
==================================


Vai a PANNELLO DI CONTROLLO e clicca su OPZIONI INTERNET
nella finestra che si apre clicca i tre pulsanti
ELIMINA COOKIES - ELIMINA FILE - CANCELLA CRONOOLOGIA
poi clicca il pulsante PAGINA PREDEFINITA e su OK

al termine utilizza i programmi AD-AWARE e SPYBOT indicati in questo articolo
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=388&SH=N

sempre in modalità provvisoria fai una scansione Antivirus

quindi riavvia il computer e controlla se il problema e risolto, se e tutto OK riattiva il ripristino configurazione disattivato all'inizio di questa procedura e crea un nuovo punto di ripristino, leggi qui alla voce 8
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=170&SH=N

Fai una scansione antivirus on line da questo indirizzo
http://security.symantec.com/sscv6/default.asp?productid=globalsites&langid=it&venid=sym

Utilizza questo programma
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=1041

Collaboratore Aiutamici
Utenti presenti in questo topic
Guest


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.