[Solved] pages open by themselves!!

Hi. The annoying advertising pages you see while browsing are caused by this file: c:\users\utente\appdata\local\oggffyfa.exe
You have also run into a fake security program: Spyware-Secure.
Follow these instructions.
Right-click the HijackThis icon -> Run as administrator
Click "do a system scan only"
Tick these entries and click "fix checked":
O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
O4 - HKCU\..\Run: [oggffyfa] "c:\users\utente\appdata\local\oggffyfa.exe" oggffyfa
Download The Avenger:
http://swandog46.geekstogo.com/avenger.zip
Save it to a folder and unpack the .zip file.
Locate avenger.exe and run it.
Paste this script into the white box:
Files to delete:
c:\users\utente\appdata\local\oggffyfa_navps.dat
c:\users\utente\appdata\local\oggffyfa.dat
c:\users\utente\appdata\local\oggffyfa_nav.dat
c:\users\utente\appdata\local\oggffyfa.exe
C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe

Folders to delete:
C:\WINDOWS\temp
C:\WINDOWS\Tasks
C:\Program Files\Spyware-Secure
Click Execute.
The PC should reboot (if it doesn't, reboot it yourself).
Post the log that will be created in C:\Avenger.
Run ComboFix as I suggested and attach the report.
Right-click the ComboFix icon -> Run as administrator
You are already using Nod32 as your antivirus, why buy another one?
If you really want to switch, go for Antivir: besides being excellent, it is also free.
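The two HijackThis O4 lines above are autostart (Run key) entries, and what makes them stand out is where the binary lives and what it is called. As an added example, not from the thread or from HijackThis, the Python below parses O4 lines into hive, value name, command path and arguments, then flags entries whose executable sits in a user-writable profile directory or whose name matches the rogue product identified in this thread. The sample lines and the KNOWN_ROGUE set are constructed from this thread; the location rule is a triage heuristic, not a verdict.

```python
import re

# Constructed sample: the two O4 lines quoted in this post plus two ordinary autostart
# entries taken from the ComboFix report later in the thread, rewritten in O4 form.
HJT_LINES = r"""
O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
O4 - HKCU\..\Run: [oggffyfa] "c:\users\utente\appdata\local\oggffyfa.exe" oggffyfa
O4 - HKLM\..\Run: [nod32kui] c:\program files\Eset\nod32kui.exe
O4 - HKCU\..\Run: [Skype] "c:\program files\Skype\Phone\Skype.exe"
""".strip().splitlines()

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# Heuristic, not a verdict: installers rarely register autostart binaries from these places.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\local settings\\")
# The rogue security product named in this thread; extend from a maintained rogue list.
KNOWN_ROGUE = {"spyware-secure"}

def parse_o4(line):
    """Split an O4 line into hive, key, value name, command path and trailing arguments."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, key, name, command = m.groups()
    if command.startswith('"'):                 # quoted path, arguments follow the closing quote
        path, _, args = command[1:].partition('"')
    else:                                       # unquoted: treat the first ".exe" as the path end
        cut = command.lower().find(".exe")
        cut = len(command) if cut < 0 else cut + 4
        path, args = command[:cut], command[cut:]
    return {"hive": hive, "key": key, "name": name, "path": path, "args": args.strip()}

def triage(lines):
    """Return (value name, reasons) for each autostart entry that deserves a closer look."""
    flagged = []
    for entry in filter(None, map(parse_o4, lines)):
        low, reasons = entry["path"].lower(), []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("binary lives in a user-writable profile directory")
        if entry["name"].lower() in KNOWN_ROGUE or any(r in low for r in KNOWN_ROGUE):
            reasons.append("matches a known rogue security product name")
        if reasons:
            flagged.append((entry["name"], reasons))
    return flagged
```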
 
@JeanGrey said: Right-click the HijackThis icon -> Run as administrator
Click "do a system scan only"

Bear with me. You tell me to right-click the icon, but when I click the icon extracted with WinZip, "Run as adm..." does not appear. So you would also need to explain how to extract the icon correctly.
Thank you. Enjoy your meal, given the hour.
 
HijackThis must not be run from temporary folders. First extract the exe properly with WinZip.
To unpack a file, just click its icon and a window appears showing its contents:
Click **ACTIONS** and then choose **SELECT ALL**, that is, select everything; you will see the files in the window turn blue.
Click **ACTIONS** again and this time choose **EXTRACT**; a window will open where you choose where to save the files it contains.
If you want to save the files in another folder, just select it by clicking the "+" signs and finding it.
Put Hijackthis.exe in a folder under Program Files.
Run HijackThis as I suggested.
 
Here is the report:
Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows Vista
 Script file opened successfully. 
 Script file read successfully.
 Backups directory opened successfully at C:\Avenger
 Beginning to process script file: 
 Rootkit scan active.
 No rootkits found!
 File "c:\users\utente\appdata\local\oggffyfa_navps.dat" deleted successfully.
 File "c:\users\utente\appdata\local\oggffyfa.dat" deleted successfully.
 Error: could not open file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat"
 Deletion of file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat" failed!
 Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
 --> bad path / the parent directory does not exist
 File "c:\users\utente\appdata\local\oggffyfa.exe" deleted successfully.
 File "C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe" deleted successfully.
 Folder "C:\WINDOWS\temp" deleted successfully.
 Folder "C:\WINDOWS\Tasks" deleted successfully.
 Folder "C:\Program Files\Spyware-Secure" deleted successfully.
 Completed script processing.
 Finished! Terminate. 
 
Hi dialcrises,
there was an error in the Avenger script, probably due to typos, but nothing serious.
Error: could not open file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat"
c:\**users**\utente\appdata\local\oggffyfa_nav.dat
Did you manage to run ComboFix?
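The failed deletion pointed out in this post (a "usesr" typo, so the parent directory was not found) is the kind of thing worth checking before re-running a script. As an added example, not part of the thread or of The Avenger itself, the Python below parses an Avenger log, reports each failed deletion with its NT status name, and for a STATUS_OBJECT_PATH_NOT_FOUND result compares the directory names of the failed path with the other paths in the submitted script to point at the likely typo. The script and log texts are constructed samples modelled on the ones posted above.

```python
import difflib
import re
# Constructed sample modelled on the thread: the script as typed ("usesr" in one path) and Avenger's log.
SCRIPT = r"""Files to delete:
c:\users\utente\appdata\local\oggffyfa.dat
c:\usesr\utente\appdata\local\oggffyfa_nav.dat
c:\users\utente\appdata\local\oggffyfa.exe
Folders to delete:
C:\WINDOWS\temp
"""
LOG = r"""File "c:\users\utente\appdata\local\oggffyfa.dat" deleted successfully.
Deletion of file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
File "c:\users\utente\appdata\local\oggffyfa.exe" deleted successfully.
Folder "C:\WINDOWS\temp" deleted successfully.
"""
OK_RE = re.compile(r'^(?:File|Folder) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?:file|folder) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: 0x[0-9a-fA-F]+ \((\w+)\)$')

def parse_script(text):
    """Paths listed under the 'Files to delete:' / 'Folders to delete:' headers."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.lower().endswith("to delete:")]

def parse_log(text):
    """Map each path Avenger acted on to 'ok' or to the NT status name of its failure."""
    results, last_failed = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := OK_RE.match(line):
            results[m[1]] = "ok"
        elif m := FAIL_RE.match(line):
            last_failed = m[1]
            results[last_failed] = "failed"  # refined by the Status line that follows
        elif (m := STATUS_RE.match(line)) and last_failed:
            results[last_failed] = m[1]
    return results

def suggest_fix(bad_path, other_paths):
    """Directory names in bad_path unknown elsewhere in the script but close to a known one."""
    known = {c.lower() for p in other_paths for c in p.split("\\")[:-1]}
    odd = [c for c in bad_path.split("\\")[:-1] if c.lower() not in known]
    return [f'"{c}" should probably be "{m[0]}"' for c in odd
            if (m := difflib.get_close_matches(c.lower(), known, 1, 0.75))]

def review(script_text, log_text):
    """One finding per failed deletion; a missing parent directory usually means a typo."""
    wanted, findings = parse_script(script_text), []
    for path, status in parse_log(log_text).items():
        if status == "ok":
            continue
        others = [p for p in wanted if p.lower() != path.lower()]
        hints = suggest_fix(path, others) if status == "STATUS_OBJECT_PATH_NOT_FOUND" else []
        findings.append("; ".join([f'"{path}" not deleted: {status}', *hints]))
    return findings
```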
 
Good morning.
Given what you told me above, do I have to do anything?
COMBOFIX report:
ComboFix 08-12-07.01 - utente 2008-12-08 15.06.46.1 - NTFSx86
Microsoft Windows Vista™ Home Basic 6.0.6001.1.1252.1.1040.18.167 [GMT 1:00]
Eseguito da: c:\users\utente\Application Data\ComboFix.exe
- Creato nuovo punto di ripristino
- Resident AV is active
 .
 ((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 c:\users\utente\AppData\Local\oggffyfa_nav.dat
 .
 ((((((((((((((((((((((((( Files Creati Da 2008-11-08 al 2008-12-08 )))))))))))))))))))))))))))))))))))
 .
 2008-12-07 20:44 . 2008-12-07 20:44 <DIR> d-------- c:\users\All Users\Avira
 2008-12-07 20:44 . 2008-12-07 20:44 <DIR> d-------- c:\programdata\Avira
 2008-12-07 20:44 . 2008-12-07 20:44 <DIR> d-------- c:\program files\Avira
 2008-12-06 18:06 . 2008-12-06 18:07 <DIR> d-------- c:\program files\Common Files\Adobe
 2008-12-03 20:52 . 2008-12-03 20:52 <DIR> d-------- c:\users\All Users\CheckPoint
 2008-12-03 20:52 . 2008-12-03 20:52 <DIR> d-------- c:\programdata\CheckPoint
2008-12-03 20:52 . 2008-03-03 15:06 279,440 --a------ c:\windows\System32\drivers\~GLH0014.TMP
 2008-12-03 20:39 . 2008-12-08 13:16 <DIR> d-a------ c:\users\All Users\TEMP
 2008-12-03 20:39 . 2008-12-08 13:16 <DIR> d-a------ c:\programdata\TEMP
 2008-12-03 20:39 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
 2008-12-03 20:39 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
 2008-12-03 20:39 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
 2008-12-03 20:39 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
 2008-12-03 20:33 . 2008-12-03 20:33 <DIR> d-------- c:\users\utente\AppData\Roaming\PC Tools
 2008-12-03 20:33 . 2008-12-03 20:41 <DIR> d-------- c:\program files\Spyware Doctor
 2008-11-27 14:16 . 2008-11-27 14:17 <DIR> d-------- c:\program files\eMule
 2008-11-26 21:49 . 2008-12-08 13:16 <DIR> d-------- c:\users\utente\AppData\Roaming\skypePM
 2008-11-26 21:49 . 2008-11-26 21:49 56 --ah----- c:\users\All Users\ezsidmv.dat
 2008-11-26 21:49 . 2008-11-26 21:49 56 --ah----- c:\programdata\ezsidmv.dat
 2008-11-26 21:48 . 2008-12-08 14:16 <DIR> d-------- c:\users\utente\AppData\Roaming\Skype
 2008-11-26 21:48 . 2008-12-04 06:57 <DIR> d-------- c:\users\All Users\Google
 2008-11-26 21:47 . 2008-12-04 07:01 <DIR> d-------- c:\program files\Google
 2008-11-26 21:46 . 2008-11-26 21:47 <DIR> d-------- c:\users\All Users\Skype
 2008-11-26 21:46 . 2008-11-26 21:47 <DIR> d-------- c:\programdata\Skype
 2008-11-26 21:46 . 2008-11-26 21:47 <DIR> d-------- c:\program files\Skype
 2008-11-26 21:46 . 2008-11-26 21:46 <DIR> d-------- c:\program files\Common Files\Skype
 2008-11-21 07:45 . 2008-11-21 07:45 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
 2008-11-12 06:30 . 2008-08-27 02:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
 2008-11-09 20:27 . 2008-11-10 19:36 <DIR> d-------- c:\program files\McDonaldsDragons
 .
 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 2008-12-04 09:36 --------- d-----w c:\programdata\Spybot - Search & Destroy
 2008-12-04 09:36 --------- d-----w c:\program files\Spybot - Search & Destroy
 2008-12-03 19:34 --------- d-----w c:\program files\ESET
 2008-11-15 18:10 13,072 ----a-w c:\users\utente\AppData\Roaming\nvModes.dat
 2008-10-28 06:15 174 --sha-w c:\program files\desktop.ini
 2008-10-28 06:04 --------- d-----w c:\program files\Windows Calendar
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Sidebar
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Photo Gallery
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Mail
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Defender
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Collaboration
 2008-10-28 05:38 82,432 ----a-w c:\windows\System32\axaltocm.dll
 2008-10-28 05:38 101,888 ----a-w c:\windows\System32\ifxcardm.dll
 2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
 2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
 2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
 2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
 2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
 2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
 2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
 2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
 2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
 2008-10-16 13:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
 2008-10-16 12:56 31,232 ----a-w c:\windows\System32\wuapp.exe
 2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
 2008-09-30 15:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
 2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
 2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
 2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
 2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
 2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
 2008-09-10 03:40 1,334,272 ----a-w c:\windows\System32\msxml6.dll
 .
 ((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 .
 Nota i valori vuoti & legittimi/default non sono visualizzati.
 REGEDIT4
 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
 "{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
 2008-02-14 13:54 1555480 --a------ c:\program files\myBabylon\tbmyBa.dll
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
 "{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
 "{34EA1C70-42CC-42C5-AA29-EC58B95A343E}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
 "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
 "ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
 "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
 "nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-06-21 949376]
 "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
 "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]
 "lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 74672]
 "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-04-12 86016]
 "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
 "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
 "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
 "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
 "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
 "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 c:\windows\RtHDVCpl.exe]
 c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup
 WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-06-21 118784]
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
 "EnableUIADesktopToggle"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
 "{416B5E0E-3872-4BEA-8D4B-FF6E0F144B73}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
 "{F9FA6A3E-9B03-4112-BE35-86003DCAABFB}"= UDP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
 "{8AB98A3D-E5EE-4C87-A03C-706A50CC52BA}"= TCP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
 "{BEACD3E5-9C23-4F84-ABB2-7623B5ABE5AE}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
 "{787C8185-E316-4FD1-BCDB-C7AE6599755B}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
 "{D544BEA9-0698-48AB-AD63-15B6DF6203F5}"= c:\program files\Skype\Phone\Skype.exe:Skype
 "TCP Query User{EBE8686C-0281-4394-9CA7-674DFA9C1B65}c:\program files\emule\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
 "UDP Query User{FE951C24-697D-4A15-823E-FE978511D2A4}c:\program files\emule\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
 R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-11-20 38400]
 R0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2006-11-17 31360]
 R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-06-21 15424]
 R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service []
 R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-03 356920]
 R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2007-02-05 274432]
 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
 LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{258b5c27-393c-11dd-b01b-e747205e809f}]
\shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0246ea5-397e-11dd-9f8d-bf6de1532937}]
\shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0246eb3-397e-11dd-9f8d-bf6de1532937}]
\shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0246eb4-397e-11dd-9f8d-bf6de1532937}]
\shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb856ba2-393a-11dd-8374-f1b0c79f0fb0}]
\shell\AutoRun\command - E:\StartVMCLite.exe
 .
 .
 ------- Supplementare di scansione -------
 .
 uStart Page =
 IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 
 LSP: c:\windows\system32\imon.dll
 O16 -: Microsoft XML Parser for Java -c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd 
 .
 catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2008-12-08 15:10:27 
 Windows 6.0.6001 Service Pack 1 NTFS
 scansione processi nascosti ...
 scansione entrate autostart nascoste ...
 Scansione files nascosti ...
 Scansione completata con successo
 Files nascosti: 0
 . 
 Ora fine scansione: 2008-12-08 15.12.01
 ComboFix-quarantined-files.txt 2008-12-08 14:11:45
 Pre-Run: 68.222.320.640 byte disponibili
 Post-Run: 68,267,180,032 byte disponibili
166 --- E O F --- 2008-12-05 05:51:36
Thank you so much for the help!!
 
For this file you do not need to do anything, because ComboFix removed it:
((((((((((((((((((((((((((((((((((((( Altre eliminazioni ))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\utente\AppData\Local\oggffyfa_nav.dat

Locate avenger.exe and run it.
Paste this script into the white box (copy/paste the script into the box):
Files to delete:
c:\windows\System32\drivers\~GLH0014.TMP
Click Execute.
The PC should reboot (if it doesn't, reboot it yourself).
Post the log that will be created in C:\Avenger.
Download, install and update Malwarebytes, then run a full scan.
download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Copy the report into your reply.
 
Here is the Avenger log:
Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows Vista
 Script file opened successfully. 
 Script file read successfully.
 Backups directory opened successfully at C:\Avenger
 Beginning to process script file: 
 Rootkit scan active.
 No rootkits found!
File "c:\windows\System32\drivers\~GLH0014.TMP" deleted successfully.
 Completed script processing.
 Finished! Terminate 
 
And here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.31
 Versione del database: 1456
 Windows 6.0.6001 Service Pack 1
 08/12/2008 22.06.11
 mbam-log-2008-12-08 (22-06-11).txt
 Tipo di scansione: Scansione completa (C:|)
 Elementi scansionati: 109865
 Tempo trascorso: 1 hour(s), 38 minute(s), 17 second(s)
 Processi delle memoria infetti: 0
 Moduli della memoria infetti: 0
 Chiavi di registro infette: 0
 Valori di registro infetti: 0
 Elementi dato del registro infetti: 0
 Cartelle infette: 0
 File infetti: 0
 Processi delle memoria infetti:
 (Nessun elemento malevolo rilevato)
 Moduli della memoria infetti:
 (Nessun elemento malevolo rilevato)
 Chiavi di registro infette:
 (Nessun elemento malevolo rilevato)
 Valori di registro infetti:
 (Nessun elemento malevolo rilevato)
 Elementi dato del registro infetti:
 (Nessun elemento malevolo rilevato)
 Cartelle infette:
 (Nessun elemento malevolo rilevato)
 File infetti:
(Nessun elemento malevolo rilevato)
Good night. Thank you so much.
 
Good, I'd say we have solved it! I'm happy for you!
 
No, thank you! You were exceptional!!!!