Aiutamici Forum
Benvenuto Ospite Cerca | Topic Attivi | Utenti | | Log In | Registra

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Log File di Hijack This da controllare

Log File di Hijack This da controllare Opzioni
Topic Precedente · Topic Sucessivo
boundless
Inviato: Monday, May 21, 2007 8:22:47 PM
Rank: Member

Iscritto dal : 2/13/2002
Posts: 0
Salve, vi allego un Log File di Hijack This da controllare.
Grazie ancora.
Buon lavoro.




Logfile of HijackThis v1.99.1
Scan saved at 19.21.39, on 21/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmi\Roper\AirBlue Bluetooth Software\bin\btwdins.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Programmi\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Roper\AirBlue Bluetooth Software\BTTray.exe
C:\Programmi\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmi\Netropa\Onscreen Display\OSD.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\CA\CA Internet Security Suite\ccprovsp.exe
C:\Programmi Gianfry\Kit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ansa.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Programmi\File comuni\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98e99962-984c-4dd6-ba8c-65e60920277f} - C:\WINDOWS\system32\c_7905.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Programmi\ReGetDx\iebar.dll
O3 - Toolbar: andRadio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] :systemroot:\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CamMonitor] C:\Programmi\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [cctray] "C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [TrustInstaller] G:\Setup.EXE
O4 - HKLM\..\Run: [BHR4.1] C:\Programmi\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Eandsporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Scarica con Re&Get Deluxe - C:\Programmi\File comuni\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Scarica tutto con &ReGet Deluxe - C:\Programmi\File comuni\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1EDF25DE-DFB2-40CA-AA83-30AE7DA8C203} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/it/filesharingctrl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095435555171
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{691AACF1-D997-49DE-9884-A81B229F89A3}: NameServer = 213.205.32.70 213.205.36.70
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: c_7905 - C:\WINDOWS\SYSTEM32\c_7905.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\Roper\AirBlue Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Programmi\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
Torna in alto
 
Sponsor
Inviato: Monday, May 21, 2007 8:22:47 PM

 
Torna in alto
 
a.roselli
Inviato: Tuesday, May 22, 2007 12:42:53 AM

Rank: Admin

Iscritto dal : 10/4/2000
Posts: 19,052
Ciao,
esegui queste operazioni

ATTENZIONE prima di procedere con le riparazioni, fate la copia di riserva dei vostri dati,
leggete questo articolo http://www.aiutamici.com/hardware/view.asp?codcat=8
a volte eliminando un virus il sistema potrebbe non riavviarsi.
____________________________

Disattiva il ripristino di configurazione, leggi qui come fare
http://www.aiutamici.com/hardware/view.asp?codcat=28

Riavvia in modalità provvisoria, leggi qui come fare
http://www.aiutamici.com/hardware/view.asp?codcat=29

apri HIJAC THIS ed elimina come indicato in questo articolo
http://www.aiutamici.com/software/descrizione.asp?CodSw=1175
le righe che seguono.

==================================
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98e99962-984c-4dd6-ba8c-65e60920277f} - C:\WINDOWS\system32\c_7905.dll
-
O20 - Winlogon Notify: c_7905 - C:\WINDOWS\SYSTEM32\c_7905.dll
==================================


Con la funzione Cerca di Windows, cerca ed elimina i seguenti file
==================================
c_7905.dll
==================================


Elimina i file inutili del sistema utilizzando questo programma
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=1223

Utilizza questi due programmi per eliminare eventuali spyware
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=878
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=831

sempre in modalità provvisoria fai una scansione Antivirus,
se non hai un antivirus, utilizza questo programma
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=1485

quindi riavvia il computer e controlla se il problema e risolto, se e tutto OK riattiva il ripristino configurazione disattivato all'inizio di questa procedura e crea un nuovo punto di ripristino, leggi qui alla voce 8
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=170&SH=N
in caso di problemi lascialo disattivato fino alla soluzione dei problemi

Fai un controllo con questo programma
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=1486

Fai una scansione antivirus on line da questo indirizzo
http://security.symantec.com/sscv6/default.asp?productid=globalsites&langid=it&venid=sym
se la scansione on line rileva dei virus significa che il tuo antivirus è stato infettato o non è in grado di risolvere il problema, ti consiglio di formattare il disco fisso e reinstallare tutto, altrimenti prosegui

Nel sistema non é presente un Firewall, installa questo programma se non ne utilizzi già uno
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=56
e disattiva l'inutile firewall di XP, leggi qui
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=160&SH=N

Utilizza questo programma
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=1041

Se utilizzi XP ti consiglio di installare questo programma
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=1472

Devi aggiornare il sistema dal Windows Update.
alfonso_aiutamici@hotmail.it
Torna in alto
 
boundless
Inviato: Tuesday, May 22, 2007 7:19:13 PM
Rank: Member

Iscritto dal : 2/13/2002
Posts: 0
Ciao, purtroppo, non riesco assolutamente ad eliminare le righe seguenti e conseguente file, essendo un file di Sistema .dll:

O2 - BHO: (no name) - {98e99962-984c-4dd6-ba8c-65e60920277f} - C:\WINDOWS\system32\c_7905.dll
-
O20 - Winlogon Notify: c_7905 - C:\WINDOWS\SYSTEM32\c_7905.dll
==================================


Con la funzione Cerca di Windows, cerca ed elimina i seguenti file
==================================
c_7905.dll


Mi puoi suggerire un altra strada?... Ho provato anche con Unlocker, ma niente da fare...
Grazie.
Torna in alto
 
pidue
Inviato: Tuesday, May 22, 2007 8:09:03 PM

Rank: AiutAmico

Iscritto dal : 6/2/2005
Posts: 7,332
Ciao, potresti essere stato infettato dal LinkOptimizer o da una sua variante. Clicca sul link sottostante e segui le indicazioni.

http://www.aiutamici.com/aiutaforum/topic.asp?TOPIC_ID=40884&FORUM_ID=32&CAT_ID=3&Topic_Title=Possibile+dialer&Forum_Title=Sicurezza+Virus+e+privacy
Torna in alto
 
boundless
Inviato: Thursday, May 24, 2007 8:28:36 AM
Rank: Member

Iscritto dal : 2/13/2002
Posts: 0
Ciao, ho seguito le istruzioni riportate nel link e ti riporto qui di seguito i tre Log Files.

VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
23/05/2007 - 17:33:49

[SCANSIONE DEL REGISTRO]
OK

[A:]
BOOT SECTOR: OK


[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Documents and Settings\Demo\Impostazioni locali\Temp\fymuaa.exe Infetto da Trojan.Win32.Dialer.IH
* * * RIMOSSO * * *
C:\Programmi\IrfanView\Plugins\IPTC.dll Infetto da Backdoor.SdBot.G
* * * RIMOSSO * * *
C:\WINDOWS\fcbaya.dll Infetto da Trojan.Win32.Vundo.BL
* * * RIMOSSO * * *
C:\WINDOWS\mlkkkj.dll Infetto da Trojan.Win32.Vundo.BL
* * * RIMOSSO * * *
C:\WINDOWS\opoopp.dll Infetto da Trojan.Win32.Vundo.BL
* * * RIMOSSO * * *
C:\WINDOWS\vtutqq.dll Infetto da Trojan.Win32.Vundo.BL
* * * RIMOSSO * * *

[D:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


Chiavi Registro infette: 0.
Files Infetti: 6.
Files Sospetti: 0.
Files Analizzati: 41438.
Files Totali: 41438.
Chiavi Registro rimosse: 0.
Virus Rimossi: 6.



____________________________________________

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

____________________________________________

Symantec Trojan.Linkoptimizer Removal Tool 1.0.8

Trojan.Linkoptimizer has not been found on your computer.

____________________________________________

Cosa mi consigli di fare, ora? Alla luce del fatto, che persistono sempre dei files che s'inseriscono nell'esecuzione automatica e che un programma, già precedentemente installato (Browser Hijack Retaliator) mi rileva che c'è sempre un file .dll da eliminare, ma che non riesce a farlo...
grazie ancora... ciao.
Torna in alto
 
pidue
Inviato: Thursday, May 24, 2007 5:34:16 PM

Rank: AiutAmico

Iscritto dal : 6/2/2005
Posts: 7,332
Ciao, scarica <b>Avenger</b> da qui.
http://swandog46.geekstogo.com/avenger.zip

Appena scaricato, decomprimilo, lancialo con un doppio clic. Poi esegui la seguente procedura alla lettera:

- Seleziona <b>Input Script Manually</b>;
- Clicca sulla lente di ingrandimento;
- si apre una finestra bianca con scritto in cima <b>View/edit script</b>;
- copia e incolla la seguente stringa in rosso <b>così come sta </b>;

<font color=red>files to delete:
C:\WINDOWS\system32\c_7905.dll</font id=red>

- clicca sul tasto <b>Done</b>;
- poi clicca sull'icona del semaforo;
- Rispondi Yes;
- ll pc dovrebbe riavviarsi ( se così non fosse, fallo tu).

Se Avenger rimuove il file poi ti sarà facile fixare la riga associata al file.
Torna in alto
 
boundless
Inviato: Friday, May 25, 2007 6:50:00 PM
Rank: Member

Iscritto dal : 2/13/2002
Posts: 0
Ciao, ho fatto come mi hai indicato tu, e sembra che tutto sia andato finalmente a buon fine.
Ti riporto il Log di Avenger e di Hi Jack This, qui di seguito.


Vedremo nei giorni a seguire se tutto si normalizza.

Ciao e grazie ancora per il prezioso aiuto :)


Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wjrcooxc

*******************

Script file located at: \??\C:\Program Files\jnanoaob.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\c_7905.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

______________________________________________________________



Hi Jack This:

Logfile of HijackThis v1.99.1
Scan saved at 18.10.29, on 25/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmi\Roper\AirBlue Bluetooth Software\bin\btwdins.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Programmi\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Roper\AirBlue Bluetooth Software\BTTray.exe
C:\Programmi\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmi\Netropa\Onscreen Display\OSD.exe
C:\Programmi\CA\CA Internet Security Suite\ccprovsp.exe
C:\Programmi\Shareaza\Shareaza.exe
C:\Programmi Gianfry\Kit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ansa.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\System32\tmp42.tmp.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Programmi\ReGetDx\iebar.dll
O3 - Toolbar: andRadio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] :systemroot:\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CamMonitor] C:\Programmi\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [cctray] "C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [TrustInstaller] G:\Setup.EXE
O4 - HKLM\..\Run: [BHR4.1] C:\Programmi\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Eandsporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Scarica con Re&Get Deluxe - C:\Programmi\File comuni\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Scarica tutto con &ReGet Deluxe - C:\Programmi\File comuni\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1EDF25DE-DFB2-40CA-AA83-30AE7DA8C203} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/it/filesharingctrl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095435555171
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{691AACF1-D997-49DE-9884-A81B229F89A3}: NameServer = 213.205.32.70 213.205.36.70
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\Roper\AirBlue Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Programmi\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
Torna in alto
 
pidue
Inviato: Friday, May 25, 2007 8:09:05 PM

Rank: AiutAmico

Iscritto dal : 6/2/2005
Posts: 7,332
Ok, Avenger lo ha stritolato. Però c'è dell'altro.

Fixa questa riga:
<font color=red>
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\System32\tmp42.tmp.dll
</font id=red>

Elimina il file in rosso:
C:\WINDOWS\System32\<font color=red>tmp42.tmp.dll</font id=red>

Se non riesci a eliminarlo manualmente, procedi con Avenger. In questo caso la stringa da incollare è la seguente:

<font color=red>files to delete:
C:\WINDOWS\System32\tmp42.tmp.dll</font id=red>

Posta un log aggiornato.
Torna in alto
 
boundless
Inviato: Monday, May 28, 2007 8:20:58 PM
Rank: Member

Iscritto dal : 2/13/2002
Posts: 0
Ciao,
ecco gli ultimi log:

Avenger:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bodyldgd

*******************

Script file located at: fcatncus

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!


Hi Jack This:

Logfile of HijackThis v1.99.1
Scan saved at 12.16.27, on 28/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmi\Roper\AirBlue Bluetooth Software\bin\btwdins.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Programmi\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Roper\AirBlue Bluetooth Software\BTTray.exe
C:\Programmi\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmi\Netropa\Onscreen Display\OSD.exe
C:\Documents and Settings\Demo\Desktop\Pulitura Trojan\Kit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ansa.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Programmi\ReGetDx\iebar.dll
O3 - Toolbar: andRadio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Hamlet HDSL640S USB ADSL Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] :systemroot:\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CamMonitor] C:\Programmi\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [cctray] "C:\Programmi\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [TrustInstaller] G:\Setup.EXE
O4 - HKLM\..\Run: [BHR4.1] C:\Programmi\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Eandsporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Scarica con Re&Get Deluxe - C:\Programmi\File comuni\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Scarica tutto con &ReGet Deluxe - C:\Programmi\File comuni\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1EDF25DE-DFB2-40CA-AA83-30AE7DA8C203} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/it/filesharingctrl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095435555171
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\Roper\AirBlue Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Programmi\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Programmi\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

Devo fare qualcos'altro?

Ciao ciao.
Torna in alto
 
pidue
Inviato: Monday, May 28, 2007 9:26:52 PM

Rank: AiutAmico

Iscritto dal : 6/2/2005
Posts: 7,332
Il log è pulito (finalmente).
Dovresti installare il Sp2 per aumentare le difese di Windows e aggiornare InternetExplorer. Anzi, installa Firefox. Ciao.
Torna in alto
 
Utenti presenti in questo topic
Guest

Aiutamici Forum » FORUM - Istruzioni e Guide » Sicurezza VIRUS » Log File di Hijack This da controllare


Salta al Forum
Aggiunta nuovi Topic disabilitata in questo forum.
Risposte disabilitate in questo forum.
Eliminazione tuoi Post disabilitata in questo forum.
Modifica dei tuoi post disabilitata in questo forum.
Creazione Sondaggi disabilitata in questo forum.
Voto ai sondaggi disabilitato in questo forum.

Main Forum RSS : RSS

Aiutamici Theme
Powered by Yet Another Forum.net versione 1.9.1.8 (NET v2.0) - 3/29/2008
Copyright © 2003-2008 Yet Another Forum.net. All rights reserved.