PcPrimiPassi.it - easy computing for everyone, home page



Computer infections and IT security in general



Topic: Savenow adware?





gianmarco
Beginner
Joined: 30/October/2004
From: United Kingdom
Posts: 232
Post no. 21.413 - Posted: 20/June/2005 at 23:06


Hi guys,
on Lucas's advice in another thread, I'm posting the registry that has apparently been attacked by Savenow (detected only by Panda and by no other antivirus or anti-adware tool).
The only entries I don't recognise are the ones called Pocketsoft.
What are they?
Can I delete them?
Bye everyone



lucas
Expert
Security Advisor
Joined: 14/April/2005
From: Italy
Posts: 6.715
Post no. 21.414 - Posted: 20/June/2005 at 23:16


Start in safe mode, go to Folder Options and enable "show hidden files and folders"; then, when you have to use the Search option, tick all the search options except "case sensitive".
PRINT THIS PAGE

Start > Run > regedit, enter this: regsvr32 /u "%path%\%dll_name%"
Unregister each of the dynamic link libraries (DLLs) that Savenow registered:
AGENTCTL.DLL
AUTPRX32.DLL
BONZITAPFILTERS.DLL
CNBABE.DLL
EMPOP3.DLL
EMSMTP.DLL
GOOGLETOOLBAR_EN_2.0.92-BIG.DLL
IEHELPERMIDDLEMAN.DLL
MSIMMSGR.DLL
MSIMNETC.DLL
ODKOB32.DLL
ONLINECHK.DLL
RACREG32.DLL
RUNMSC.DLL
SNDBMARK.DLL
SSUBTMR6.DLL
SYSTRAYUSER.DLL
TV_ENUA.DLL
TVENUAX.DLL
UTDNS.DLL
VBAR332.DLL


Once that's done, close the registry, then do Start > Run > regedit > OK again.
Find and, if present, delete the following keys:
HKEY_CLASSES_ROOT\CLSID\{08351226-6472-43bd-8a40-d9221ff1c4ce}
HKEY_CLASSES_ROOT\CLSID\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_CLASSES_ROOT\CLSID\{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}
HKEY_CLASSES_ROOT\CLSID\{fee7fd53-3356-4d4d-8978-2c4ae3a7e109}
HKEY_CLASSES_ROOT\typelib\{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}
HKEY_CLASSES_ROOT\typelib\{fc327b3f-377b-4cb7-8b61-27cd69816bc3}
HKEY_CLASSES_ROOT\wusn.1
HKEY_LOCAL_MACHINE\Software\classes\.gnu
HKEY_LOCAL_MACHINE\Software\classes\CLSID\{08351226-6472-43bd-8a40-d9221ff1c4ce}
HKEY_LOCAL_MACHINE\Software\classes\CLSID\{0837121a-6472-43bd-8a40-d9221ff1c4ce}
HKEY_LOCAL_MACHINE\Software\classes\CLSID\{4a2aacf3-adf6-11d5-98a9-00e018981b9e}
HKEY_LOCAL_MACHINE\Software\classes\CLSID\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
HKEY_LOCAL_MACHINE\Software\classes\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_LOCAL_MACHINE\Software\classes\magnet\defaulticon
HKEY_LOCAL_MACHINE\Software\classes\magnet\shell\open\command
HKEY_LOCAL_MACHINE\Software\classes\Runmsc.loader.1\CLSID
HKEY_LOCAL_MACHINE\Software\classes\Runmsc.loader\CLSID
HKEY_LOCAL_MACHINE\Software\classes\Runmsc.loader\curver
HKEY_LOCAL_MACHINE\Software\classes\tldctl2.urllink\curver
HKEY_LOCAL_MACHINE\Software\classes\wusn.1
HKEY_LOCAL_MACHINE\Software\classes\wusn.1\wusn_id
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\savenow
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\whenusave
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\remove at boot 902
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\savenow
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\gdivx\displayname
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\gdivx\uninstallstring
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\weathercast\displayicon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\weathercast\displayname
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\weathercast\displayversion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\weathercast\helplink
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\weathercast\publisher
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\weathercast\uninstallstring
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\uninstall\weathercast\urlinfoabout
HKEY_LOCAL_MACHINE\Software\whenu
HKEY_LOCAL_MACHINE\Software\whenusave
HKEY_LOCAL_MACHINE\Software\whenusave\city
HKEY_LOCAL_MACHINE\Software\whenusave\db_incomplete
HKEY_LOCAL_MACHINE\Software\whenusave\db_local_update
HKEY_LOCAL_MACHINE\Software\whenusave\db_server_update
HKEY_LOCAL_MACHINE\Software\whenusave\exitsurvey_url
HKEY_LOCAL_MACHINE\Software\whenusave\extra_url
HKEY_LOCAL_MACHINE\Software\whenusave\extraver_url
HKEY_LOCAL_MACHINE\Software\whenusave\fulldbtime
HKEY_LOCAL_MACHINE\Software\whenusave\heartbeattime
HKEY_LOCAL_MACHINE\Software\whenusave\lastshown
HKEY_LOCAL_MACHINE\Software\whenusave\partnerdesc
HKEY_LOCAL_MACHINE\Software\whenusave\partners\eepe\partnerfile
HKEY_LOCAL_MACHINE\Software\whenusave\partners\rdlt\installtime
HKEY_LOCAL_MACHINE\Software\whenusave\partners\rdlt\partner
HKEY_LOCAL_MACHINE\Software\whenusave\partners\rdlt\partnerdesc
HKEY_LOCAL_MACHINE\Software\whenusave\partners\vidg\installtime
HKEY_LOCAL_MACHINE\Software\whenusave\partners\vidg\partner
HKEY_LOCAL_MACHINE\Software\whenusave\partners\vidg\partnerdesc
HKEY_LOCAL_MACHINE\Software\whenusave\partners\vidg\partnerfile
HKEY_LOCAL_MACHINE\Software\whenusave\pat_chunks_url
HKEY_LOCAL_MACHINE\Software\whenusave\setupcmdline
HKEY_LOCAL_MACHINE\Software\whenusave\update_url
HKEY_LOCAL_MACHINE\Software\whenusave\updatetime
HKEY_LOCAL_MACHINE\Software\whenusave\urlchangecount
HKEY_LOCAL_MACHINE\Software\whenusave\zip
HKEY_LOCAL_MACHINE\Software\whenusave\zip_old_rs
HKEY_USERS\s-1-5-21-329068152-1677128483-854245398-500\Software\whenu
HKEY_USERS\s-1-5-21-329068152-1677128483-854245398-500\Software\Microsoft\Windows\CurrentVersion\Run\weathercast
HKEY_USERS\s-1-5-21-796845957-842925246-1060284298-500\Software\whenu

Delete the following files, which are in the Program Files directory:
SAVE.EXE, SAVE.DB, SAVE.HTM and SAVEUNINST.EXE in the subfolder \SAVE.

SAVENOW.DB, SAVENOW.EXE, SAVENOW.HTM and UNINST.EXE in the subfolder \SAVENOW.

S.CLASS in the subfolder \EBATESMOEMONEYMAKER\SYSTEM\CODE.

SAVENOWINST.EXE in the subfolder \IMESH\CLIENT.

SBHC.EXE in the subfolder \SUPERBAR.

UNINSTALL.EXE in the subfolder \XOLOX.

Delete the following files, which are on the Windows desktop:
SPORTSINTERACTION.COM.URL and XOLOX DOWNLOAD FOLDER.LNK

Delete the following files, which are in the directory where Savenow is installed:

AGENTCTL.DLL
AUTPRX32.DLL
BABE-BS.EXE
BAD_NAVIGATION.HTM
BAD_NAVIGATIONMAIN.HTM
BEARSHARE.TXT
BONZI.ACS
BONZITAPFILTERS.DLL
BSAVEINSTWM.EXE
CNBABE.DLL
EMPOP3.DLL
EMSMTP.DLL
FIVE ROSES.URL
GOOGLETOOLBAR_EN_2.0.92-BIG.DLL
HISTORY.TXT
HOSTS.DAT
IEHELPERMIDDLEMAN.DLL
IEHELPERMIDDLEMAN.TLB
INSTALL.LOG
J001.NBD
MAKE MONEY.URL
MSIMMSGR.DLL
MSIMNETC.DLL
MSINET.OCX
MSWINSCK.OCX
NOWBOX.EXE
NOWBOX.LNK
ODKOB32.DLL
OFFLINE.HTM
OFFLINEMAIN.HTM
ONLINECHK.DLL
ONLUCK.URL
RACREG32.DLL
REGICON.OCX
RICHTX32.OCX
SHORT.ACS
SNDBMARK.DLL
SPORTSINTERACTION.COM.URL
SSA3D30.OCX
SSUBTMR6.DLL
SYNC.EXE
SYSTRAYUSER.DLL
TV_ENUA.DLL
TV_ENUA.HLP
TVENUAX.DLL
UNINS.EXE
UNINSTALL NOWBOX.LNK
UNWISE.EXE
UTDNS.DLL
VBAR332.DLL
VSSVER.SCC
WEATHER.EXE

Delete the following directories, if they exist:

%program files%\SAVE
%program files%\SAVENO
%program files%\START MENU\PROGRAMS\WEATHERCAST


RESTART THE PC

Before you do all this, check that I translated it correctly; then there are several variants, here is where the removal instructions are:

1st variant (the one I just gave you)
2nd variant: removing this one is simple and takes little time!!!

BYE BYE







Edited by lucas


gianmarco
Beginner
Joined: 30/October/2004
From: United Kingdom
Posts: 232
Post no. 21.417 - Posted: 20/June/2005 at 23:26


Yes Lucas, I tried that, but most of the keys aren't in the registry, and the few I do find are used by Windows, and Microsoft advises against deleting them.
I doubt this Savenow is on the PC because, reading the reviews online, I didn't recognise any of the typical symptoms.
The only clue is an online detection by Panda.
Nothing else.
What do you think?



lucas
Expert
Security Advisor
Joined: 14/April/2005
From: Italy
Posts: 6.715
Post no. 21.418 - Posted: 20/June/2005 at 23:27


What you're referring to is software for making invoices and the like; do you use it? bye bye


gianmarco
Beginner
Joined: 30/October/2004
From: United Kingdom
Posts: 232
Post no. 21.422 - Posted: 20/June/2005 at 23:35


I used it before; now I've uninstalled it.
So I'll delete them.
Do you see any trace of Savenow?
What else can I do to find out whether it's there or not?



lucas
Expert
Security Advisor
Joined: 14/April/2005
From: Italy
Posts: 6.715
Post no. 21.423 - Posted: 20/June/2005 at 23:54


gianmarco, you're asking me for an absurd feat, knowing whether it's on your PC.
Only you can check that; anyway, if there's nothing there it means it isn't there, unless you searched wrongly!! Anyway, look in one of my posts or Yusuke's for a program, RegSeeker; there should be a guide too, and use that for the keys!!!!! bye bye


gianmarco
Beginner
Joined: 30/October/2004
From: United Kingdom
Posts: 232
Post no. 21.588 - Posted: 22/June/2005 at 00:32


Hi Lucas,
I had already cleaned the registry with RegSeeker, but nothing.
I have no problem with the PC; as I said, only Panda detects this adware and, at the end of the scan, asks me to buy the software to remove it.
Anyway, here is the HijackThis log, and if it's clean then we won't talk about it any more, promise

Logfile of HijackThis v1.97.7
Scan saved at 12:51:54, on 21/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\RAMpage\RAMpage.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Documents and Settings\Gianmarco\Desktop\Sistema\System control\Program in run.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://global.acer.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" M=50 T=50 P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe"
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




lucas
Expert
Security Advisor
Joined: 14/April/2005
From: Italy
Posts: 6.715
Post no. 21.591 - Posted: 22/June/2005 at 00:57


giammarco, download the new version of HijackThis and post it to me again, bye bye
You can get HijackThis from HERE


gianmarco
Beginner
Joined: 30/October/2004
From: United Kingdom
Posts: 232
Post no. 21.600 - Posted: 22/June/2005 at 01:52


Here it is

Logfile of HijackThis v1.99.1
Scan saved at 00:51:14, on 22/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\RAMpage\RAMpage.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GIANMA~1\LOCALS~1\Temp\Rar$EX00.528\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" M=50 T=50 P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe"
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




Yusuke
Senior
Joined: 20/April/2005
From: Italy
Posts: 4.776
Post no. 21.601 - Posted: 22/June/2005 at 02:03


Right then, gianmarco, you know the procedures: disable System Restore, go into safe mode and fix this entry:

O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab


Apart from that, the log is clean. Well done!



The night is more beautiful, you live better, for those who don't know a yawn until five, and the city catches its breath, it seems to sleep and the dark transforms it and changes its shape...
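To tie the two halves of this thread together (lucas's list of Savenow indicators and the HijackThis logs gianmarco posted), here is an added example that is neither the forum's nor HijackThis's own code: a read-only Python triage that parses a HijackThis log, flags R/O entries that match the Run value names, file names and CLSIDs quoted in lucas's post, and reports O16 ActiveX downloads from any host outside an allow-list, so an entry like the egg.com one Yusuke points at is surfaced for review instead of being skimmed past. The sample log is a constructed excerpt (with one made-up infected O4 line), and the allow-list of hosts is my assumption, not something the thread states.

```python
"""Triage a HijackThis log against the Savenow / WhenU indicators quoted in this thread."""
import re
from urllib.parse import urlparse

# Indicator sets copied from the removal list in lucas's post above (lower-cased).
SAVENOW_RUN_NAMES = {"savenow", "whenusave", "weathercast"}
SAVENOW_FILES = {
    "iehelpermiddleman.dll", "runmsc.dll", "onlinechk.dll", "utdns.dll",
    "systrayuser.dll", "sndbmark.dll", "save.exe", "savenow.exe", "weather.exe",
}
SAVENOW_CLSIDS = {
    "{08351226-6472-43bd-8a40-d9221ff1c4ce}", "{0837121a-6472-43bd-8a40-d9221ff1c4ce}",
    "{c285d18d-43a2-4aef-83fb-bf280e660a97}", "{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}",
    "{fee7fd53-3356-4d4d-8978-2c4ae3a7e109}", "{4a2aacf3-adf6-11d5-98a9-00e018981b9e}",
    "{9f95f736-0f62-4214-a4b4-caa6738d4c07}",
}
# Assumed allow-list: hosts this user knowingly installed ActiveX controls from.
# Any other O16 host is reported for review rather than silently accepted.
KNOWN_DPF_HOSTS = {
    "messenger.zone.msn.com", "security.symantec.com", "spaces.msn.com",
    "www.pandasoftware.com", "download.macromedia.com",
}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
RUN_NAME_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\]")
FILE_RE = re.compile(r"[\w~$.-]+\.(?:dll|exe|ocx)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def triage(log_text):
    """Return (section, reason, line) tuples for every entry worth a second look.

    Only the R*/O* entries are inspected; the 'Running processes' block and the
    header lines are skipped. Nothing is modified: this is a read-only review.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue
        section, body = match.group("section"), match.group("body")

        # 1. CLSIDs registered by Savenow (the HKCR\CLSID\{...} keys in the removal list).
        for clsid in CLSID_RE.findall(body):
            if clsid.lower() in SAVENOW_CLSIDS:
                findings.append((section, f"Savenow CLSID {clsid.lower()}", line))

        # 2. DLL/EXE names from the removal list, wherever they appear in the entry.
        for name in FILE_RE.findall(body):
            if name.lower() in SAVENOW_FILES:
                findings.append((section, f"Savenow file {name}", line))

        # 3. Run values named like the autostart entries Savenow creates.
        if section == "O4":
            run = RUN_NAME_RE.search(body)
            if run and run.group("name").lower() in SAVENOW_RUN_NAMES:
                findings.append((section, f"Savenow Run value [{run.group('name')}]", line))

        # 4. O16 (Download Program Files): ActiveX fetched from an unexpected host.
        if section == "O16":
            for url in URL_RE.findall(body):
                host = (urlparse(url).hostname or "").lower()
                if host not in KNOWN_DPF_HOSTS:
                    findings.append((section, f"ActiveX download from unlisted host {host}", line))
    return findings


# Constructed sample: a few lines in the format of the logs posted above, plus one
# made-up infected O4 entry so the matcher has something to hit.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [savenow] C:\Program Files\SaveNow\savenow.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; a finding is a prompt to look at the entry, not a verdict, which is the same stance Yusuke takes when he singles out one line and calls the rest clean.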



Bulletin Board Software by Web Wiz Forums version PcPrimiPassi
Copyright ©2001-2006 Web Wiz Guide