
  • Active User

    Please give me a hand......I wouldn't want to make some mistake. My PC is already messed up enough. Thanks.


  • User

    Hi dialcrises,
    what is it you can't manage to do?
    Save the log, or upload the log file to the server?

    Download Hijackthis
    ww.trendsecure.com/portal/en-US/_download/HiJackThis.zip
    1. Close all open applications
    2. Start HiJackThis by double-clicking the executable
    3. Click DO A SYSTEM SCAN AND SAVE LOGFILE
    4. Wait for the scan to finish and for a Notepad window with the log to open automatically
    5. Save the log

    Try copying and pasting it into your reply, removing the links

    Or try saving the log on ww.wikifortio.com/
    Click "browse" (select the log file) and then "upload"
    Copy the download link into your reply, removing the htt and ww... part

    As an alternative to Hijackthis, try a scan with Combofix
    Close your security programs: Download Combofix
    http:/ /download.bleepingcomputer.com/sUBs/ComboFix.exe
    Disconnect from the internet

    1. Double-click combofix.exe
    2. Type 1, press Enter and follow the instructions.
    3. When it finishes, a log file called C:\ComboFix.txt will be created

    Don't use the PC during the scan.

    :ciauz:


  • Active User

    Hi. A window opens that says:
    "For some reason your system denied write access to the Host file.............".

    I'll try again. Then I'll let you know. Anyway, tomorrow I'm going to buy an antivirus! I'll write in the appropriate thread. Thanks.


  • Active User

    After double-clicking the program icon I get:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17.50.39, on 07/12/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Users\utente\AppData\Local\oggffyfa.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Users\utente\AppData\Local\Temp\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
    O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
    O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU..\Run: [oggffyfa] "c:\users\utente\appdata\local\oggffyfa.exe" oggffyfa
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O17 - HKLM\System\CCS\Services\Tcpip..{064492E3-0D26-4C52-BB07-15C3C939D2B0}: NameServer = 88.149.128.22 88.149.128.12
    O17 - HKLM\System\CS1\Services\Tcpip..{064492E3-0D26-4C52-BB07-15C3C939D2B0}: NameServer = 88.149.128.22 88.149.128.12
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\Windows\system32\o2flash.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

    End of file - 6346 bytes


  • User

    Hi 🙂

    The annoying advertising pages while you browse are caused by this file: c:\users\utente\appdata\local\oggffyfa.exe
    You have also run into a fake security program: Spyware-Secure.
    Follow these instructions.

    Right-click the Hijackthis icon -> run as administrator
    Click "do a system scan only"
    Tick these entries and click "fix checked"

    O4 - HKLM..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe

    O4 - HKCU..\Run: [oggffyfa] "c:\users\utente\appdata\local\oggffyfa.exe" oggffyfa

    Download the Avenger
    http:/ /swandog46.geekstogo.com/avenger.zip
    Save it in a folder, unzip the .zip file
    Find avenger.exe and start it
    Paste this script into the white box

    Files to delete:
    c:\users\utente\appdata\local\oggffyfa_navps.dat
    c:\users\utente\appdata\local\oggffyfa.dat
    c:\users\utente\appdata\local\oggffyfa_nav.dat
    c:\users\utente\appdata\local\oggffyfa.exe
    C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe

    folders to delete:
    C:\WINDOWS\temp
    C:\WINDOWS\Tasks
    C:\Program Files\Spyware-Secure

    Click Execute
    The PC should reboot (if it doesn't, reboot it yourself)
    Post the log that will be created in C:\Avenger

    Run Combofix as I advised and attach the report.
    Right-click the Combofix icon -> run as administrator

    You're already using Nod32 as your antivirus, why buy another one?
    If you really want to switch, go for Antivir; besides being excellent, it's free too.

    :ciauz:
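    The diagnosis above rests on two checks a helper makes by eye on the HijackThis log: an O4 autorun entry whose image lives in a user-writable profile folder (c:\users\...\appdata\local), and an autorun name belonging to a fake security product. The script below is an added example, not code from the thread or from the Hijackthis/Combofix authors: it parses the O4, O2, O3 and R3 line formats and applies those same checks over a constructed sample built from the lines quoted in this thread. It accepts both the real `HKLM\..\Run:` form and the flattened `HKLM..\Run:` form the forum produced. The rogue-name list holds only the product this thread calls fake; it is not a real signature database.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.x line format, assembled from entries
# quoted in this thread (user name and paths are the thread's own).
SAMPLE_LOG = r"""
O2 - BHO: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU..\Run: [oggffyfa] "c:\users\utente\appdata\local\oggffyfa.exe" oggffyfa
"""

# Only the fake security product identified in this thread; an assumption
# standing in for a real rogue-software list.
ROGUE_NAMES = {"spyware-secure"}

# Autorun images in profile-local, user-writable folders are where droppers
# usually land; installed software lives under Program Files or Windows.
USER_WRITABLE = re.compile(r"\\(appdata|local settings|temp|tmp)\\", re.IGNORECASE)

# \S* between the hive and "Run:" tolerates both "\..\" and the flattened "..\".
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\S*Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(
    r"^(?P<kind>O2 - BHO|O3 - Toolbar|R3 - URLSearchHook): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
# First executable image in a Run value, whether or not it is quoted.
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]+?\.(?:exe|dll|scr|com|bat|cmd))\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    name: str
    path: str
    severity: str   # "high", "medium" or "info"
    reason: str


def image_path(cmd: str) -> str:
    """Return the executable image from a Run value, dropping arguments."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("img") if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's two autorun checks plus a browser add-on review pass."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name, img = m.group("name"), image_path(m.group("cmd"))
            if name.lower() in ROGUE_NAMES:
                findings.append(Finding("O4", name, img, "high",
                                        "autorun name matches a fake security product"))
            elif USER_WRITABLE.search(img):
                findings.append(Finding("O4", name, img, "high",
                                        "autorun image in a user-writable profile folder"))
            continue
        m = BHO_RE.match(line)
        if m:
            kind, name, path = m.group("kind"), m.group("name"), m.group("path").strip()
            if path == "(no file)":
                findings.append(Finding(kind, name, path, "info",
                                        "orphaned entry: registry points at a missing file"))
            else:
                findings.append(Finding(kind, name, path, "medium",
                                        "third-party browser add-on; confirm it was installed on purpose"))
    return findings


def names_at(log_text: str, severity: str) -> set[str]:
    """Names of all findings at the given severity, for quick review."""
    return {f.name for f in triage(log_text) if f.severity == severity}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:17} {f.name!r:22} {f.path}  <- {f.reason}")
```

    Run against the sample, the two high findings are exactly the two O4 lines the helper asked to fix, while the Windows Defender and Skype autoruns (installed under Program Files) pass untouched; the myBabylon toolbar is listed for a manual decision rather than flagged, matching how the thread treats it.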


  • Active User

    @JeanGrey said:

    Right-click the Hijackthis icon -> run as administrator
    Click "do a system scan only"

    :ciauz:

    Bear with me. 😢 You tell me to right-click the icon, but if I click the icon extracted from winzip, "run as adm..." doesn't come up. So you'd also have to explain to me how to extract the icon properly.
    Thank you. Enjoy your lunch, given the time.


  • User

    Hijackthis must not be run from temporary folders.

    First extract the exe properly with Winzip
    To decompress a file, just click its icon and a window appears showing its contents:
    Click **ACTIONS** and then choose **SELECT ALL**, i.e. select everything; the files inside the window turn blue.
    Click **ACTIONS** again and this time choose **EXTRACT**; a window opens where you choose where to save the files it contains
    If you want to save the files in another folder, just select it by clicking the "+" signs until you find it.

    Put Hijackthis.exe in a folder under Program Files
    Start hijackthis as I suggested

    :ciauz:


  • Active User

    Here is the report:

    Logfile of The Avenger Version 2.0, (c) by Swandog46

    Platform: Windows Vista


    Script file opened successfully.
    Script file read successfully.
    Backups directory opened successfully at C:\Avenger


    Beginning to process script file:
    Rootkit scan active.
    No rootkits found!
    File "c:\users\utente\appdata\local\oggffyfa_navps.dat" deleted successfully.
    File "c:\users\utente\appdata\local\oggffyfa.dat" deleted successfully.
    Error: could not open file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat"
    Deletion of file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat" failed!
    Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
    --> bad path / the parent directory does not exist
    File "c:\users\utente\appdata\local\oggffyfa.exe" deleted successfully.
    File "C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe" deleted successfully.
    Folder "C:\WINDOWS\temp" deleted successfully.
    Folder "C:\WINDOWS\Tasks" deleted successfully.
    Folder "C:\Program Files\Spyware-Secure" deleted successfully.
    Completed script processing.


    Finished! Terminate.


  • User

    Hi dialcrises,
    there was an error in the avenger script, perhaps due to typing mistakes, but nothing serious anyway.

    Error: could not open file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat"
    c:\users\utente\appdata\local\oggffyfa_nav.dat

    Did you manage to run Combofix?

    :ciauz:


  • Active User

    Good morning.
    Regarding what you told me above, do I need to do anything?

    COMBOFIX report:

    ComboFix 08-12-07.01 - utente 2008-12-08 15.06.46.1 - NTFSx86
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1040.18.167 [GMT 1:00]
    Eseguito da: c:\users\utente\Application Data\ComboFix.exe

    • Creato nuovo punto di ripristino
    • Resident AV is active
      .
      ((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      c:\users\utente\AppData\Local\oggffyfa_nav.dat
      .
      ((((((((((((((((((((((((( Files Creati Da 2008-11-08 al 2008-12-08 )))))))))))))))))))))))))))))))))))
      .
      2008-12-07 20:44 . 2008-12-07 20:44 <DIR> d-------- c:\users\All Users\Avira
      2008-12-07 20:44 . 2008-12-07 20:44 <DIR> d-------- c:\programdata\Avira
      2008-12-07 20:44 . 2008-12-07 20:44 <DIR> d-------- c:\program files\Avira
      2008-12-06 18:06 . 2008-12-06 18:07 <DIR> d-------- c:\program files\Common Files\Adobe
      2008-12-03 20:52 . 2008-12-03 20:52 <DIR> d-------- c:\users\All Users\CheckPoint
      2008-12-03 20:52 . 2008-12-03 20:52 <DIR> d-------- c:\programdata\CheckPoint
      2008-12-03 20:52 . 2008-03-03 15:06 279,440 --a------ c:\windows\System32\drivers~GLH0014.TMP
      2008-12-03 20:39 . 2008-12-08 13:16 <DIR> d-a------ c:\users\All Users\TEMP
      2008-12-03 20:39 . 2008-12-08 13:16 <DIR> d-a------ c:\programdata\TEMP
      2008-12-03 20:39 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
      2008-12-03 20:39 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
      2008-12-03 20:39 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
      2008-12-03 20:39 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
      2008-12-03 20:33 . 2008-12-03 20:33 <DIR> d-------- c:\users\utente\AppData\Roaming\PC Tools
      2008-12-03 20:33 . 2008-12-03 20:41 <DIR> d-------- c:\program files\Spyware Doctor
      2008-11-27 14:16 . 2008-11-27 14:17 <DIR> d-------- c:\program files\eMule
      2008-11-26 21:49 . 2008-12-08 13:16 <DIR> d-------- c:\users\utente\AppData\Roaming\skypePM
      2008-11-26 21:49 . 2008-11-26 21:49 56 --ah----- c:\users\All Users\ezsidmv.dat
      2008-11-26 21:49 . 2008-11-26 21:49 56 --ah----- c:\programdata\ezsidmv.dat
      2008-11-26 21:48 . 2008-12-08 14:16 <DIR> d-------- c:\users\utente\AppData\Roaming\Skype
      2008-11-26 21:48 . 2008-12-04 06:57 <DIR> d-------- c:\users\All Users\Google
      2008-11-26 21:47 . 2008-12-04 07:01 <DIR> d-------- c:\program files\Google
      2008-11-26 21:46 . 2008-11-26 21:47 <DIR> d-------- c:\users\All Users\Skype
      2008-11-26 21:46 . 2008-11-26 21:47 <DIR> d-------- c:\programdata\Skype
      2008-11-26 21:46 . 2008-11-26 21:47 <DIR> d-------- c:\program files\Skype
      2008-11-26 21:46 . 2008-11-26 21:46 <DIR> d-------- c:\program files\Common Files\Skype
      2008-11-21 07:45 . 2008-11-21 07:45 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
      2008-11-12 06:30 . 2008-08-27 02:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
      2008-11-09 20:27 . 2008-11-10 19:36 <DIR> d-------- c:\program files\McDonaldsDragons
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-12-04 09:36 --------- d-----w c:\programdata\Spybot - Search & Destroy
      2008-12-04 09:36 --------- d-----w c:\program files\Spybot - Search & Destroy
      2008-12-03 19:34 --------- d-----w c:\program files\ESET
      2008-11-15 18:10 13,072 ----a-w c:\users\utente\AppData\Roaming\nvModes.dat
      2008-10-28 06:15 174 --sha-w c:\program files\desktop.ini
      2008-10-28 06:04 --------- d-----w c:\program files\Windows Calendar
      2008-10-28 06:03 --------- d-----w c:\program files\Windows Sidebar
      2008-10-28 06:03 --------- d-----w c:\program files\Windows Photo Gallery
      2008-10-28 06:03 --------- d-----w c:\program files\Windows Mail
      2008-10-28 06:03 --------- d-----w c:\program files\Windows Defender
      2008-10-28 06:03 --------- d-----w c:\program files\Windows Collaboration
      2008-10-28 05:38 82,432 ----a-w c:\windows\System32\axaltocm.dll
      2008-10-28 05:38 101,888 ----a-w c:\windows\System32\ifxcardm.dll
      2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
      2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
      2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
      2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
      2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
      2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
      2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
      2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
      2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
      2008-10-16 13:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
      2008-10-16 12:56 31,232 ----a-w c:\windows\System32\wuapp.exe
      2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
      2008-09-30 15:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
      2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
      2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
      2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
      2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
      2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
      2008-09-10 03:40 1,334,272 ----a-w c:\windows\System32\msxml6.dll
      .
      ((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      Nota i valori vuoti & legittimi/default non sono visualizzati.
      REGEDIT4
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
      "{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
      [HKEY_CLASSES_ROOT\clsid{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
      [HKEY_LOCAL_MACHINE~\Browser Helper Objects{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
      2008-02-14 13:54 1555480 --a------ c:\program files\myBabylon\tbmyBa.dll
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
      "{34EA1C70-42CC-42C5-AA29-EC58B95A343E}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
      [HKEY_CLASSES_ROOT\clsid{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
      "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
      "ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
      "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
      "nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-06-21 949376]
      "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
      "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]
      "lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 74672]
      "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-04-12 86016]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
      "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
      "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
      "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 c:\windows\RtHDVCpl.exe]
      c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup
      WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-06-21 118784]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "EnableUIADesktopToggle"= 0 (0x0)
      [HKLM~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
      "{416B5E0E-3872-4BEA-8D4B-FF6E0F144B73}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
      "{F9FA6A3E-9B03-4112-BE35-86003DCAABFB}"= UDP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
      "{8AB98A3D-E5EE-4C87-A03C-706A50CC52BA}"= TCP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
      "{BEACD3E5-9C23-4F84-ABB2-7623B5ABE5AE}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
      "{787C8185-E316-4FD1-BCDB-C7AE6599755B}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
      "{D544BEA9-0698-48AB-AD63-15B6DF6203F5}"= c:\program files\Skype\Phone\Skype.exe:Skype
      "TCP Query User{EBE8686C-0281-4394-9CA7-674DFA9C1B65}c:\program files\emule\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
      "UDP Query User{FE951C24-697D-4A15-823E-FE978511D2A4}c:\program files\emule\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
      R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-11-20 38400]
      R0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2006-11-17 31360]
      R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-06-21 15424]
      R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service []
      R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-03 356920]
      R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2007-02-05 274432]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{258b5c27-393c-11dd-b01b-e747205e809f}]
      \shell\AutoRun\command - E:\StartVMCLite.exe
      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d0246ea5-397e-11dd-9f8d-bf6de1532937}]
      \shell\AutoRun\command - E:\StartVMCLite.exe
      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d0246eb3-397e-11dd-9f8d-bf6de1532937}]
      \shell\AutoRun\command - E:\StartVMCLite.exe
      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d0246eb4-397e-11dd-9f8d-bf6de1532937}]
      \shell\AutoRun\command - E:\StartVMCLite.exe
      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{fb856ba2-393a-11dd-8374-f1b0c79f0fb0}]
      \shell\AutoRun\command - E:\StartVMCLite.exe
      .
      .
      ------- Supplementare di scansione -------
      .
      uStart Page =

    IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\windows\system32\imon.dll
    O16 -: Microsoft XML Parser for Java -

    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    .


    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

    Rootkit scan 2008-12-08 15:10:27
    Windows 6.0.6001 Service Pack 1 NTFS
    scansione processi nascosti ...
    scansione entrate autostart nascoste ...
    Scansione files nascosti ...
    Scansione completata con successo
    Files nascosti: 0


    .
    Ora fine scansione: 2008-12-08 15.12.01
    ComboFix-quarantined-files.txt 2008-12-08 14:11:45
    Pre-Run: 68.222.320.640 byte disponibili
    Post-Run: 68,267,180,032 byte disponibili
    166 --- E O F --- 2008-12-05 05:51:36

    Thanks a lot for the help!!


  • User

    You don't need to do anything about this file, because it was removed by Combofix.

    ((((((((((((((((((((((((((((((((((((( Altre eliminazioni ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\users\utente\AppData\Local\oggffyfa_nav.dat

    Find avenger.exe and start it
    Paste this script into the white box

    Files to delete:
    c:\windows\System32\drivers~GLH0014.TMP

    Click Execute
    The PC should reboot (if it doesn't, reboot it yourself)
    Post the log that will be created in C:\Avenger

    (Copy and paste the script into the box)

    Download, install and update Malwarebytes, then run a full scan.
    download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
    Copy the report into your reply.

    :ciauz:


  • Active User

    Here is the Avenger log:

    Logfile of The Avenger Version 2.0, (c) by Swandog46

    Platform: Windows Vista


    Script file opened successfully.
    Script file read successfully.
    Backups directory opened successfully at C:\Avenger


    Beginning to process script file:
    Rootkit scan active.
    No rootkits found!
    File "c:\windows\System32\drivers~GLH0014.TMP" deleted successfully.
    Completed script processing.


    Finished! Terminate


  • Active User

    And here is the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.31
    Versione del database: 1456
    Windows 6.0.6001 Service Pack 1
    08/12/2008 22.06.11
    mbam-log-2008-12-08 (22-06-11).txt
    Tipo di scansione: Scansione completa (C:|)
    Elementi scansionati: 109865
    Tempo trascorso: 1 hour(s), 38 minute(s), 17 second(s)
    Processi delle memoria infetti: 0
    Moduli della memoria infetti: 0
    Chiavi di registro infette: 0
    Valori di registro infetti: 0
    Elementi dato del registro infetti: 0
    Cartelle infette: 0
    File infetti: 0
    Processi delle memoria infetti:
    (Nessun elemento malevolo rilevato)
    Moduli della memoria infetti:
    (Nessun elemento malevolo rilevato)
    Chiavi di registro infette:
    (Nessun elemento malevolo rilevato)
    Valori di registro infetti:
    (Nessun elemento malevolo rilevato)
    Elementi dato del registro infetti:
    (Nessun elemento malevolo rilevato)
    Cartelle infette:
    (Nessun elemento malevolo rilevato)
    File infetti:
    (Nessun elemento malevolo rilevato)

    Good night. Thanks a lot.


  • User

    Good, I'd say we've solved it! 🙂 I'm happy for you!

    :ciauz:


  • Active User

    No, thank *you*! You were exceeeeptional!!!!