Aiutamici Forum

Please check log.
loppa
Posted: Saturday, March 29, 2008 9:34:43 AM
Rank: AiutAmico

Joined: 8/11/2005
Posts: 108
Hello friends, I wrote two days ago but nobody answered me; I have probably infected the PC. A program called "180 solutions" got installed, which keeps opening and tells me there is spyware on the PC. I would be grateful if you could check my log. Thanks, Aldo


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.13.06, on 27/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\Programmi\Folder Shield\FSService.exe
F:\Programmi\Folder Shield\fsp.exe
F:\WINDOWS\system32\lvhidsvc.exe
F:\Programmi\CyberLink\Shared Files\RichVideo.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\sbwltbxa.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
F:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\system32\ctfmona.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Programmi\LHSP\L&H Power Translator Pro\ptpro.exe
F:\Programmi\Internet Explorer\iexplore.exe
F:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Documents and Settings\Aldo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=F:\WINDOWS\SYSTEM32\Userinit.exe,F:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "F:\Programmi\StarModem\StarModem USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB002" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ctfmona] F:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] F:\Programmi\WinIFixer\WinIFixer.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA858] command /c del "F:\WINDOWS\mspphe.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1859] cmd /c del "F:\WINDOWS\mspphe.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2351] command /c del "F:\WINDOWS\bjam.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1256] cmd /c del "F:\WINDOWS\bjam.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4290] command /c del "F:\WINDOWS\2020search2.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1837] cmd /c del "F:\WINDOWS\2020search2.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8459] command /c del "F:\WINDOWS\2020search.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6311] cmd /c del "F:\WINDOWS\2020search.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1384] command /c del "F:\WINDOWS\cdsm32.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8159] cmd /c del "F:\WINDOWS\cdsm32.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1876] command /c del "F:\WINDOWS\system32\WER8274.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4165] cmd /c del "F:\WINDOWS\system32\WER8274.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6832] command /c del "F:\WINDOWS\system32\MSIXU.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3914] cmd /c del "F:\WINDOWS\system32\MSIXU.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4364] command /c del "F:\WINDOWS\mspphe.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9261] cmd /c del "F:\WINDOWS\mspphe.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB966] command /c del "F:\WINDOWS\bjam.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4270] cmd /c del "F:\WINDOWS\bjam.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7783] command /c del "F:\WINDOWS\2020search2.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1487] cmd /c del "F:\WINDOWS\2020search2.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3675] command /c del "F:\WINDOWS\2020search.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7851] cmd /c del "F:\WINDOWS\2020search.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7878] command /c del "F:\WINDOWS\cdsm32.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3497] cmd /c del "F:\WINDOWS\cdsm32.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1485] command /c del "F:\WINDOWS\system32\WER8274.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2037] cmd /c del "F:\WINDOWS\system32\WER8274.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3266] command /c del "F:\WINDOWS\system32\MSIXU.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4207] cmd /c del "F:\WINDOWS\system32\MSIXU.DLL_tobedeleted"
O4 - HKLM\..\Policies\Explorer\Run: [DvVideo32] F:\WINDOWS\dvvid32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - F:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - F:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103402189425
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://ercappe1614.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - file://H:\SOFTWARE\MagicMovie\setup.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Autodesk Licensing Service - Autodesk - F:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: FSService - Unknown owner - F:\Programmi\Folder Shield\FSService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote HID Service (LvHidSvc) - Animation Technologies Inc. - F:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Programmi\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - F:\Programmi\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
r16
Posted: Saturday, March 29, 2008 2:00:26 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
Hi.
Make sure you have access to hidden files and folders
(Control Panel -> Folder Options -> View)
1) Tick: Show hidden files and folders
2) Untick: Hide protected operating system files

Disable System Restore http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80121

If you don't know how to "fix" the entries, follow this detailed guide: http://www.aiutaamici.com/software?ID=11175

Boot into Safe Mode http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80122

Start HijackThis, tick the entries I am going to list, and with all applications closed and disconnected from the Internet, click Fix checked
O4 - HKLM\..\Run: [ctfmona] F:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] F:\Programmi\WinIFixer\WinIFixer.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA858] command /c del "F:\WINDOWS\mspphe.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1859] cmd /c del "F:\WINDOWS\mspphe.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2351] command /c del "F:\WINDOWS\bjam.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1256] cmd /c del "F:\WINDOWS\bjam.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4290] command /c del "F:\WINDOWS\2020search2.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1837] cmd /c del "F:\WINDOWS\2020search2.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8459] command /c del "F:\WINDOWS\2020search.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3497] cmd /c del "F:\WINDOWS\cdsm32.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1485] command /c del "F:\WINDOWS\system32\WER8274.DLL
O4 - HKCU\..\RunOnce: [SpybotDeletingD2037] cmd /c del "F:\WINDOWS\system32\WER8274.DLL_tobedeleted"
Find and delete the files in red:
F:\WINDOWS\system32\sbwltbxa.exe
F:\WINDOWS\system32\ctfmona.exe
F:\WINDOWS\dvvid32.exe
Download VIRIT:
http://www.tgsoft.it/italy/download.htm, update it (by clicking the satellite dish at the top) and run it in Safe Mode (this is very important).


Do a clean-up (registry included) with this http://www.aiutaamici.com/software?ID=11223

Restart the computer.

Run an online scan with this: http://www.pandasoftware.com/activescan/it/activescan_principal.htm

Remember to re-hide the system folders;
Re-enable System Restore and, if everything is fine, create a new restore point.
Post a new log.
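The triage r16 does by eye on the log above (an extra executable appended to the UserInit value, BHOs registered with "(no file)", an autorun under Policies\Explorer\Run, and ctfmona.exe sitting next to the real ctfmon.exe) can be scripted. The following Python is an added example, not code from the thread or from HijackThis; the sample log excerpt is constructed from entries quoted in the thread, and the list of well-known binary names is an assumption.

```python
"""Triage of HijackThis v2.0.2 entries for the signs discussed in this thread."""
import re
from typing import Iterator, List, Tuple

# Constructed excerpt built from entries quoted in the thread (sample input only).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=F:\WINDOWS\SYSTEM32\Userinit.exe,F:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ctfmona] F:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Policies\Explorer\Run: [DvVideo32] F:\WINDOWS\dvvid32.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# Assumed list of Windows binaries that malware imitates with a one-letter change
# (the thread's ctfmona.exe next to the real ctfmon.exe is the case in point).
KNOWN_NAMES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
USERINIT_PREFIX = "REG:system.ini: UserInit="
# Only the real userinit.exe in system32 is expected in the UserInit value.
LEGIT_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.I)
# O4 body: '<key>: [<name>] <exe or "quoted exe"> <args>'
RUN_RE = re.compile(r'^(HK\S*?\\Run(?:Once)?):\s*\[([^\]]*)\]\s*(?:"([^"]+)"|(\S+))')


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each HijackThis entry line such as 'O4 - ...'."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[str]:
    """Return human-readable findings for the entry types this thread treats as suspicious."""
    findings: List[str] = []
    for section, body in parse_entries(log_text):
        if section == "F2" and body.startswith(USERINIT_PREFIX):
            # Everything listed after the real userinit.exe runs at every logon (persistence).
            for part in body[len(USERINIT_PREFIX):].split(","):
                part = part.strip()
                if part and not LEGIT_USERINIT.match(part):
                    findings.append(f"F2 UserInit hijack: extra executable {part}")
        elif section == "O2" and body.endswith("(no file)"):
            # Orphaned BHO registration: the DLL is gone but the CLSID entry remains.
            clsid = re.search(r"\{[0-9a-fA-F-]{36}\}", body)
            findings.append(f"O2 orphaned BHO: {clsid.group(0) if clsid else body}")
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            key, name, quoted, bare = m.groups()
            exe = quoted or bare
            if "Policies\\Explorer\\Run" in key:
                # The policy Run key is rarely used by legitimate software.
                findings.append(f"O4 policy autorun: [{name}] {exe}")
            base = basename(exe)
            if base not in KNOWN_NAMES and any(edit_distance(base, k) == 1 for k in KNOWN_NAMES):
                findings.append(f"O4 look-alike name: [{name}] {exe}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Flagged entries are leads for a human reviewer, not verdicts: a legitimate product can register a Policies\Explorer\Run value, and a stale BHO entry is harmless by itself.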
loppa
Posted: Saturday, March 29, 2008 8:09:07 PM
Rank: AiutAmico

Joined: 8/11/2005
Posts: 108
Hi, I did as you said, booting into Safe Mode and starting HijackThis, but the entries you told me to delete are no longer there. I'm posting the new log; I should say the problem has not been resolved. Thanks, Aldo. P.S. I deleted the files, only sbwltbxa.exe I can't, because it tells me: cannot delete, the file may be in use, etc. etc.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.00.37, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\Programmi\Folder Shield\FSService.exe
F:\Programmi\Folder Shield\fsp.exe
F:\WINDOWS\system32\lvhidsvc.exe
F:\Programmi\CyberLink\Shared Files\RichVideo.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\sbwltbxa.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\rundll32.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
F:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Programmi\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\Documents and Settings\Aldo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=F:\WINDOWS\SYSTEM32\Userinit.exe,F:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "F:\Programmi\StarModem\StarModem USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB002" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Policies\Explorer\Run: [DvVideo32] F:\WINDOWS\dvvid32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - F:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - F:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103402189425
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://ercappe1614.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - file://H:\SOFTWARE\MagicMovie\setup.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Autodesk Licensing Service - Autodesk - F:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: FSService - Unknown owner - F:\Programmi\Folder Shield\FSService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote HID Service (LvHidSvc) - Animation Technologies Inc. - F:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Programmi\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - F:\Programmi\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7240 bytes
r16
Posted: Saturday, March 29, 2008 10:58:54 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
Hi.
Disable System Restore http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80121
Download Avenger to the desktop: http://swandog46.geekstogo.com/avenger.zip
Unzip it, start it, paste the following script (the text in bold) and click Execute, then click OK.
Untick the Scan for Rootkits option

Files to delete:
F:\WINDOWS\system32\sbwltbxa.exe
F:\WINDOWS\dvvid32.exe



Post the Avenger result here.
Fix these HijackThis entries:
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [DvVideo32] F:\WINDOWS\dvvid32.exe


Download Spy-Bot from here http://www.aiutaamici.com/software?ID=10831 and run a scan, again in Safe Mode.

Do a clean-up (registry included) with this http://www.aiutaamici.com/software?ID=11223
Let me know how it goes.
Post a new log.

loppa
Posted: Monday, March 31, 2008 12:20:51 AM
Rank: AiutAmico

Joined: 8/11/2005
Posts: 108
Hi r16, I did as you said; I'm posting the Avenger and HijackThis logs, but we're not there yet, the problem persists. Thanks anyway, Aldo

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

File "F:\WINDOWS\system32\sbwltbxa.exe" deleted successfully.

Error: file "F:\WINDOWS\dvvid32.exe" not found!
Deletion of file "F:\WINDOWS\dvvid32.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.20.14, on 31/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\Programmi\Folder Shield\FSService.exe
F:\Programmi\Folder Shield\fsp.exe
F:\WINDOWS\system32\lvhidsvc.exe
F:\Programmi\CyberLink\Shared Files\RichVideo.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
F:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
F:\Programmi\Internet Explorer\iexplore.exe
F:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\Aldo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=F:\WINDOWS\SYSTEM32\Userinit.exe,F:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "F:\Programmi\StarModem\StarModem USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB002" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - F:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - F:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103402189425
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://ercappe1614.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - file://H:\SOFTWARE\MagicMovie\setup.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Autodesk Licensing Service - Autodesk - F:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: FSService - Unknown owner - F:\Programmi\Folder Shield\FSService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote HID Service (LvHidSvc) - Animation Technologies Inc. - F:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Programmi\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - F:\Programmi\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5882 bytes

r16
Posted: Monday, March 31, 2008 5:00:06 PM
Rank: AiutAmico

Joined: 8/7/2007
Posts: 11,016
Hi.
The log is clean.
This 180 solutions is a tough nut to crack.
Try going to Add/Remove Programs and look for the program 180solutions (or similar); if you find it, remove it.
Search (with the Search function) for this file: msbb.exe; if you find it, delete it.
Take a look in Task Manager and see under "Processes" whether you find anything related to 180Solutions.
Then go Start > Run > type REGEDIT and press OK. Follow the path to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Click on the "Run" folder and, in the right-hand pane, look for and delete all values related to the name: MSBB
Also check this key:
Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run Once
Click on the "Run Once" folder and, in the right-hand pane, look for and delete all values related to the name: MSBB

I know it's not very simple, but the alternative is formatting.



loppa
Posted: Monday, March 31, 2008 9:58:56 PM
Rank: AiutAmico

Joined: 8/11/2005
Posts: 108
Hi, although I didn't find any of the files you mentioned, it seems the problem is solved, at least I hope so; I've got my desktop back, and those windows that kept telling me I'm infected and that I have to connect to the site xxx etc. etc. no longer appear. Thanks to r16, regards, Aldo