• User

    ... in fact, running the scan again it finds a Trojan horse Generic 3.QHC... the same one I had already found and removed, or so I thought... what is it? how do I remove it, since AVG apparently can't? Thanks again...


  • Active User

    @elliot said:

    ... in fact, running the scan again it finds a Trojan horse Generic 3.QHC... the same one I had already found and removed, or so I thought... what is it? how do I remove it, since AVG apparently can't? Thanks again...

    If the antivirus doesn't act, it means the update that fixes it is still missing. Since you have the name, one option is to do a thorough search on the search engines, hoping to find a discussion that explains a possible manual removal.


  • Super User

    Since this is a virus problem I'm moving it to Security, where you'll get more appropriate help 😉


  • Board Member

    Hi elliot,
    I suggest a first scan with Hijackthis, then posting the generated "txt" log here in the forum!

    Put hijack in drive C:\

    then ---> click "Do a System scan and save logfile" ---> copy the txt file and post it here in the forum!

    :ciauz:


  • User

    ... well... the log file I got is

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10.41.35, on 02/04/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system32\winlogon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\sysrss32.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\TEMP\bak\zfzeaa.exe
    C:\WINDOWS\System32\crsss.exe
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
    C:\WINDOWS\ATK0100\Hcontrol.exe
    C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Francy\Desktop\HiJackThis_v2.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.corriere.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM..\Run: [zfzeaa.exe] C:\WINDOWS\TEMP\bak\zfzeaa.exe
    O4 - HKLM..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe
    O4 - HKLM..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
    O4 - HKLM..\Run: [cpsqba.exe] C:\WINDOWS\TEMP\cpsqba.exe
    O4 - HKLM..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
    O4 - HKLM..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
    O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe
    O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-19..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
    O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe

    End of file - 5901 bytes


  • Super User

    From a first quick look, you can start by deleting these keys:

    O4 - HKLM..\Run: [zfzeaa.exe] C:\WINDOWS\TEMP\bak\zfzeaa.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


  • Board Member

    @Gorka said:

    From a first quick look, you can start by deleting these keys:

    O4 - HKLM..\Run: [zfzeaa.exe] C:\WINDOWS\TEMP\bak\zfzeaa.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    Hi elliot,
    also delete these keys:
    O4 - HKLM..\Run: [cpsqba.exe] C:\WINDOWS\TEMP\cpsqba.exe

    O4 - HKCU..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe

    I also suggest running scans with Ad-Aware and SuperAntiSpyware, "updated"! Once you've done that, post a new "hijackthis" log!!
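
The two replies above pick out the autorun keys worth removing by eye. As an added example (not code from this thread, from HijackThis or from any tool named here), the Python script below applies the same three heuristics mechanically to the O4 and O23 lines of a HijackThis log: an autorun that launches from a temporary directory, a service with "Unknown owner" whose binary lives outside System32 or Program Files, and an executable whose name is one edit away from a core Windows process (the log's crsss.exe against the real csrss.exe). The sample lines are copied from the log posted earlier in the thread; the heuristics, the list of core process names and the "trusted directory" prefixes are my own assumptions, and the fourth check (a service entry marked "(file missing)") is included because it shows up in a later log of the same thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Legitimate core Windows process names that malware likes to imitate with a
# one-character misspelling (assumed list for this example).
CORE_PROCESSES = (
    "csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
    "services.exe", "winlogon.exe", "explorer.exe",
)

# The posted log lost the backslash after the hive name ("HKLM..\Run"),
# so the hive part is matched loosely to accept both spellings.
O4_RE = re.compile(r"^O4 - HK[^:\[]*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
TRUSTED_DIRS = ("\\system32\\", "\\program files\\", "\\programmi\\", "\\progra~1\\")

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [zfzeaa.exe] C:\WINDOWS\TEMP\bak\zfzeaa.exe
O4 - HKLM..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM..\Run: [cpsqba.exe] C:\WINDOWS\TEMP\cpsqba.exe
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def exe_path(cmd: str) -> str:
    """Executable from a Run value: honour quotes, otherwise cut at the first
    '.exe' because HijackThis prints unquoted paths that may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def check_path(line: str, path: str) -> List[Finding]:
    """Heuristics that apply to any autostart path, O4 or O23."""
    out: List[Finding] = []
    low = path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        out.append(Finding(line, "autorun launching from a temporary directory"))
    base = low.rsplit("\\", 1)[-1]
    for legit in CORE_PROCESSES:
        if base != legit and osa_distance(base, legit) == 1:
            out.append(Finding(line, f"'{base}' is a one-edit lookalike of Windows process '{legit}'"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Apply the triage heuristics to every O4 and O23 line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m4 = O4_RE.match(line)
        m23 = O23_RE.match(line)
        if m4:
            findings += check_path(line, exe_path(m4.group("cmd")))
        elif m23:
            path = m23.group("path")
            missing = "(file missing)" in path
            path = path.replace("(file missing)", "").strip()
            if missing:
                findings.append(Finding(line, "service registration left behind after its binary was deleted"))
            if m23.group("owner") == "Unknown owner" and not any(t in path.lower() for t in TRUSTED_DIRS):
                findings.append(Finding(line, "service with no vendor info outside System32 / Program Files"))
            findings += check_path(line, path)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample the script flags exactly the five lines the helpers asked elliot to fix (the two TEMP autoruns, the two crsss.exe entries and the sysrss32.exe service) and leaves the ATI, Synaptics, QuickTime and AVG entries alone. The lookalike check is what catches crsss.exe: the name is a transposition of csrss.exe, which a plain substring match would miss.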


  • User

    ... thanks for the help you're giving me... but now I've found other problems... when I turn the PC on and connect, it downloads the AVG updates but right afterwards it tells me a threat was detected and reports gmlaqben.exe.. I fix it but at the next reboot the same thing happens again.. the warning only appears when I download the updates... also, scanning in safe mode it reports the presence of the virus Trojan horse dialer.CKN.. at the end of the scan it removes it but at the next scan it's there again... I ran a scan with Spybot, it finds nothing wrong, nothing at all...


  • Board Member

    Hi elliot,
    go through all the steps suggested in the previous post anyway; then download the latest version of Virit! Update it and, before starting the scan, temporarily disable your antivirus!

    Once that's done, post a new log with hijackthis!

    :ciauz:


  • User

    ... all done... and this is the log file...

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 20.03.57, on 02/04/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\sysrss32.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
    C:\WINDOWS\ATK0100\Hcontrol.exe
    C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\VEXPLITE\MONLITE.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Francy\Desktop\HiJackThis_v2.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.corriere.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM..\Run: [zfzeaa.exe] C:\WINDOWS\TEMP\bak\zfzeaa.exe
    O4 - HKLM..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe
    O4 - HKLM..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
    O4 - HKLM..\Run: [cpsqba.exe] C:\WINDOWS\TEMP\cpsqba.exe
    O4 - HKLM..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
    O4 - HKLM..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
    O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKCU..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-19..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

    End of file - 6313 bytes


  • Board Member

    Hi elliot,
    the log still shows suspicious keys: start "hijackthis" ---> tick the checkbox on the left for each key listed here ---> click "Fix Checked"

    O4 - HKLM\..\Run: [zfzeaa.exe] C:\WINDOWS\TEMP\bak\zfzeaa.exe

    O4 - HKLM\..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe

    O4 - HKLM..\Run: [cpsqba.exe] C:\WINDOWS\TEMP\cpsqba.exe

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

    Once these keys are removed with hijackthis, post a new log once again!

    *Did Virit remove anything?? Ad-Aware?? SuperAntispyware??


  • User

    ... yes, Virit removed three virus-infected files... Ad-Aware found some cookies and SuperAntiSpyware a trojan horse generator... here's the new log file..

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10.14.58, on 03/04/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system32\winlogon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\sysrss32.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
    C:\WINDOWS\ATK0100\Hcontrol.exe
    C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\VEXPLITE\MONLITE.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Francy\Desktop\HiJackThis_v2.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.corriere.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
    O4 - HKLM..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
    O4 - HKLM..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
    O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKCU..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-19..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

    End of file - 5905 bytes


  • Board Member

    Hi elliot,
    fix these two keys with hijackthis:

    O4 - HKCU..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe

    O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe

    If hijack can't remove these keys, we'll use The Avenger;

    Start The Avenger, select the Input Script Manually function; then click the magnifying glass; a window will open right away!

    Enter these lines:

    Files to delete:
    C:\WINDOWS\sysrss32.exe
    C:\WINDOWS\System32\crsss.exe

    Then:
    click Done ---> green traffic light ---> Yes, to all the questions.

    The PC should reboot by itself! Once done, post The Avenger's log, which you'll find in C:/avenger.txt

    :ciauz:

    p.s. install Service Pack 2, for better protection! 😉


  • User

    .. thanks for the advice... I don't think Avenger managed to delete one of the files either... I discovered that the IE page has unblocked itself, but now the connection drops after a few seconds...

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\dosbqodm


    Script file located at: ??\C:\Documents and Settings\dchcfplg.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger


    Beginning to process script file:

    File C:\WINDOWS\sysrss32.exe deleted successfully.

    File C:\WINDOWS\System32\crsss.exe not found!
    Deletion of file C:\WINDOWS\System32\crsss.exe failed!

    Could not process line:
    C:\WINDOWS\System32\crsss.exe
    Status: 0xc0000034

    Completed script processing.


    Finished! Terminate.


  • User

    well, Avenger didn't find crsss and deleted the other one... but then running the scan again with Hijack it's there again... in the meantime I found that the IE home page has unblocked itself, but it always opens in offline mode; if I set it back to online mode, close and reopen, it's offline again... and now the connection drops after a few seconds.. anyway...

    this is the Avenger log file

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\dosbqodm


    Script file located at: ??\C:\Documents and Settings\dchcfplg.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger


    Beginning to process script file:

    File C:\WINDOWS\sysrss32.exe deleted successfully.

    File C:\WINDOWS\System32\crsss.exe not found!
    Deletion of file C:\WINDOWS\System32\crsss.exe failed!

    Could not process line:
    C:\WINDOWS\System32\crsss.exe
    Status: 0xc0000034

    Completed script processing.


    Finished! Terminate.

    ... and this is the Hijack log file..

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 18.49.03, on 03/04/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system32\services.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
    C:\WINDOWS\ATK0100\Hcontrol.exe
    C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\VEXPLITE\MONLITE.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Francy\Desktop\HiJackThis_v2.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.corriere.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
    O4 - HKLM..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
    O4 - HKLM..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
    O4 - HKLM..\Run: [kqzlaa.exe] C:\WINDOWS\TEMP\kqzlaa.exe
    O4 - HKLM..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKCU..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
    O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe (file missing)
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

    End of file - 5110 bytes
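
Each round of this thread works the same way: a helper names keys, elliot fixes them and posts a fresh log, and the helper compares it with the previous one. As an added example (not from the thread, from HijackThis or from The Avenger), the Python script below does that comparison for the O4 and O23 sections of two logs, reporting which entries went away, which appeared and which service registrations are now orphaned ("(file missing)"). The excerpts are copied from the log posted after the Virit/Ad-Aware/SuperAntiSpyware pass and from the one posted just above, after The Avenger ran; the normalisation rules and the "new autorun in a temp directory means something is still active" heuristic are my own assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Excerpts copied from two HijackThis logs posted in this thread.
LOG_BEFORE = r"""
O4 - HKLM..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU..\Run: [Windows Service Update] C:\WINDOWS\System32\crsss.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe
"""

LOG_AFTER = r"""
O4 - HKLM..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [kqzlaa.exe] C:\WINDOWS\TEMP\kqzlaa.exe
O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe (file missing)
"""


class Delta(NamedTuple):
    removed: List[str]   # entries present before and gone after
    added: List[str]     # entries that appeared after the clean-up
    orphaned: List[str]  # O23 services whose binary is now "(file missing)"


def autostart_entries(log_text: str) -> Dict[str, str]:
    """Map each O4/O23 line to a normalised key so that letter case and the
    '(file missing)' suffix do not make the same entry look different."""
    out: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O4 - ") or line.startswith("O23 - "):
            key = re.sub(r"\s*\(file missing\)\s*$", "", line, flags=re.IGNORECASE).lower()
            out[key] = line
    return out


def compare_logs(before: str, after: str) -> Delta:
    """Diff the autostart entries of two logs taken before and after a fix."""
    b, a = autostart_entries(before), autostart_entries(after)
    removed = sorted(b[k] for k in b.keys() - a.keys())
    added = sorted(a[k] for k in a.keys() - b.keys())
    orphaned = sorted(
        a[k] for k in a.keys() & b.keys()
        if "(file missing)" in a[k] and "(file missing)" not in b[k]
    )
    return Delta(removed, added, orphaned)


def reinfection_indicators(delta: Delta) -> List[str]:
    """A brand-new autorun pointing into a temp directory right after a clean-up
    means the component that drops these files is still running (assumed heuristic)."""
    return [line for line in delta.added if "\\temp\\" in line.lower()]


if __name__ == "__main__":
    d = compare_logs(LOG_BEFORE, LOG_AFTER)
    for label, lines in (("removed", d.removed), ("added", d.added), ("orphaned", d.orphaned)):
        print(f"{label}:")
        for line in lines:
            print("   ", line)
    print("still active:", reinfection_indicators(d))
```

Run on the two excerpts, the diff shows crsss.exe and the AVG entries gone, sysrss32.exe reduced to an orphaned service registration, and one new random-named autorun in C:\WINDOWS\TEMP, which is the signal that the dropper survived the clean-up. The orphaned O23 line is only a leftover registration: HijackThis prints the display name followed by the service name in parentheses, and the service name is what `sc delete` takes to remove it once the binary is gone.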


  • User

    well, Avenger didn't find crsss and deleted the other one... but then running the scan again with HijackThis it's there again... in the meantime I noticed that the IE home page has been unlocked, but it always opens in offline mode; if I set it back to online mode, close and reopen, it's offline again... and on top of that the connection now drops after a few seconds.. anyway...

    this is the Avenger log file

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\dosbqodm


    Script file located at: ??\C:\Documents and Settings\dchcfplg.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger


    Beginning to process script file:

    File C:\WINDOWS\sysrss32.exe deleted successfully.

    File C:\WINDOWS\System32\crsss.exe not found!
    Deletion of file C:\WINDOWS\System32\crsss.exe failed!

    Could not process line:
    C:\WINDOWS\System32\crsss.exe
    Status: 0xc0000034

    Completed script processing.


    Finished! Terminate.

    ... and this is the HijackThis log file..

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 18.49.03, on 03/04/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system32\services.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
    C:\WINDOWS\ATK0100\Hcontrol.exe
    C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\VEXPLITE\MONLITE.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Francy\Desktop\HiJackThis_v2.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.corriere.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONo Mgr.exe
    O4 - HKLM..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
    O4 - HKLM..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
    O4 - HKLM..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
    O4 - HKLM..\Run: [kqzlaa.exe] C:\WINDOWS\TEMP\kqzlaa.exe
    O4 - HKLM..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKCU..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128 .5462\GoogleToolbarNotifier.exe
    O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
    O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe (file missing)
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

    End of file - 5110 bytes


  • Consiglio Direttivo

    Hi elliot,
    fix this key with HijackThis:
    O4 - HKLM..\Run: [kqzlaa.exe] C:\WINDOWS\TEMP\kqzlaa.exe

    If it comes back, delete it with The Avenger; same procedure as before!

    Here is the text to enter:

    **Files to delete:**
    **C:\WINDOWS\TEMP\kqzlaa.exe**

    I also recommend a good clean-up with CCleaner!

    p.s. **sysrss32.exe** still looks a bit suspicious, though!!!


  • User

    ... sorry, I posted the same reply several times, but I hadn't noticed that the messages were being posted on the next page.. I tried to delete sysrss32 again with Avenger; it tells me it can't find the file, so in theory it should have been deleted, but if I run HijackThis again it shows up in the log file again, always in the same place...


  • Consiglio Direttivo

    Could you attach here in the forum the list of active processes from Task Manager??

    From the Command Prompt:

    * tasklist -v >processi.txt

    * The file will be saved in the folder: C:\Documents and Settings
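
The two pieces of advice above (check the O4/O23 autostart entries in the HijackThis log, then look at the live process list from `tasklist`) can be combined into a small triage script. What follows is an added example written for this thread; it is not code from the forum, from HijackThis, from The Avenger or from tasklist. It parses the O4 Run-key and O23 service lines in the format quoted in the thread, flags the patterns the advisor was reacting to (a binary launched from a temp directory, a service whose image file is reported missing, an unknown-vendor service image sitting directly in the Windows root), and then checks each flagged binary against a `tasklist` listing to tell a live process from a stale autostart pointer. The log and tasklist lines in the script are constructed for the example, and the heuristics are the example's own, not a rule set from any of those tools.

```python
"""Triage a HijackThis log against a `tasklist` listing (added example, not
code from the forum thread, HijackThis, The Avenger or tasklist)."""
import re
from typing import Dict, List, Set

# Constructed HijackThis O4/O23 lines in the format quoted in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [kqzlaa.exe] C:\WINDOWS\TEMP\kqzlaa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O23 - Service: Windows Server Management Services (Server Management Services) - Unknown owner - C:\WINDOWS\sysrss32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
"""

# Constructed `tasklist` output; only the first column (image name) is used.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
smss.exe                       368 Console                    0        388 K
kqzlaa.exe                    1792 Console                    0      2,144 K
RegSrvc.exe                   1288 Console                    0      1,720 K
"""

O4_RUN = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# First executable token of a command line, with surrounding quotes dropped.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|scr|com|dll))"?(?:\s|,|$)', re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Return the executable of a Run-key command line, without args or quotes."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(path: str, owner: str = "", missing: bool = False) -> List[str]:
    """The checks the advisor applied by eye: temp-dir binaries, missing service
    images, and unknown-vendor images dropped straight into the Windows root."""
    reasons = []
    low = path.lower().replace("/", "\\")
    if "\\temp\\" in low:
        reasons.append("executable launched from a temp directory")
    if missing:
        reasons.append("service image file missing (stale or hidden persistence)")
    in_windows_root = re.match(r"^[a-z]:\\windows\\[^\\]+$", low) is not None
    if in_windows_root and owner.lower() == "unknown owner":
        reasons.append("unknown-vendor service image directly under the Windows root")
    return reasons


def running_images(tasklist_text: str) -> Set[str]:
    """Lower-cased image names from the first column of a `tasklist` listing."""
    names = set()
    for line in tasklist_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].lower().endswith(".exe"):
            names.add(tokens[0].lower())
    return names


def triage(hjt_text: str, tasklist_text: str) -> List[Dict]:
    """Flag suspicious O4/O23 entries and record whether the binary is alive,
    which separates a live infection from a stale autostart pointer."""
    live = running_images(tasklist_text)
    findings = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        owner, missing = "", False
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if m:
            path = image_path(m.group("cmd"))
        else:
            m = O23.match(line)
            if not m:
                continue
            path, owner = m.group("path"), m.group("owner")
            missing = m.group("missing") is not None
        reasons = suspicious_reasons(path, owner, missing)
        if reasons:
            findings.append({
                "entry": line.split(" - ", 1)[0],
                "name": m.group("name"),
                "path": path,
                "reasons": reasons,
                "running": basename(path) in live,
            })
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, TASKLIST_SAMPLE):
        state = "RUNNING" if f["running"] else "not in tasklist"
        print(f'{f["entry"]} [{f["name"]}] {f["path"]} -> {state}')
        for reason in f["reasons"]:
            print("    -", reason)
```

On the constructed input the script flags only the TEMP-directory Run entry (reported as running, since it appears in the tasklist) and the missing-file service in the Windows root (not running), while the Ati, Intel, QuickTime and rundll32 entries pass. A service entry whose file is "missing" but whose name keeps coming back in every scan, as with sysrss32.exe in this thread, is exactly the case where the registry entry, not the file, is the thing still to be removed.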


  • User

    Hi everyone!!! I have finally solved my problems... now the PC works perfectly!!! The original problem no longer occurs... IE opens normally on the home page I set, the PC stays connected until I disconnect it myself, no warnings of any kind appear any more, and scanning in both normal and safe mode finds no trace of a virus... thanks a lot to everyone, especially to Wolf Otakar, who suggested how to solve each problem as it came up! I think, in my ignorance, that the problem was precisely the notorious sysrss32, which no longer appears in the Task Manager process list... in fact, as long as that was there the viruses were deleted but then promptly reappeared, while after its removal the antivirus deleted the last viruses that had got in and afterwards the PC, even after new connections, stayed clean and went back to working perfectly.
    Thanks again Wolf Otakar!!! :ciauz: