luigi1986

Help Me Remove eZula!

26 posts in this thread

eZula got onto my PC quite a while ago, in the registry to be precise; in fact Ad-Aware SE detects it as a registry key (this is what I know about it):

Tipo : RegKey

Dati :

Valutazione TAC : 6

Categoria : Data Miner

Commento :

RootKey : HKEY_CLASSES_ROOT

Oggetto : clsid\{0288b94b-0288-b94b-0288-b94b0288b94b}.

I have tried many programs but none of them manages to remove it! (Spybot, Spyware Doctor, Ad-Aware, etc.) I tried to delete it from the system registry but it would not let me. Mind you, with Spyware Doctor I managed to remove "istbar", which from what I gathered reading the forums is harder, but with eZula I no longer know what to do!!!! Please help me!

P.S. If some kind soul helps me, I ask you in advance not to use terminology that is too difficult, since I am not very experienced in this area! THANKS! :)


Hi and welcome :P

The error is due to an alteration of the main algorithm of the base present in the... :P :andy:

:P First of all, uninstall it from Add/Remove Programs! :wub:

Then find and delete these files, if they are there:


These registry keys are to be deleted:

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run mudsc

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce web offer

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run sesync

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run ezwo

Delete these DLLs:


Other keys to delete that it adds to the registry:


Other files to delete (where desktopdir+ stands for the Desktop and favorites+ for Favorites):


And finally:

program files\ezula\images

program files\web offer

systemroot+\ezstub.exe

Good luck with it! :)


First of all, thanks for the reply.

I wanted to ask you whether there is a faster way, because apparently it would be quicker for me to format everything, since I would have to search for every single file in the system, then look for every single registry key, etc. So I am asking whether you know of any program able to remove eZula, as I did for istbar, which gave me a hard time anyway!

Thanks


Use AD-AWARE in Safe Mode

Or alternatively (again in Safe Mode) this DEDICATED TOOL

:) No luck! I tried in Safe Mode but no luck; as usual it says it has removed it, but at the next scan it reappears. In fact I have now found a new file called vx2, which should be malware. Please help meeeee! :P:P:wub:


Logfile of HijackThis v1.99.1
Scan saved at 21.57.00, on 15/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Programmi\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Creative\MediaSource\Detector\CTDetect.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\PUCA\IMPOST~1\Temp\Rar$EX05.859\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar\01.01.2607.0\it\msntb.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Programmi\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Programmi\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [shell32] C:\WINDOWS\system32\shell32.exe
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] C:\WINDOWS\system32\Battlefield2 .exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DVD43] "C:\Programmi\DVD Region+CSS Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] C:\Programmi\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Programmi\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SpyBan] "C:\Programmi\SpyBan\SpyBan.exe" /s
O4 - Startup: Eurobarre.lnk = C:\Programmi\eurobarre\eb.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: www.playitalia.com
O16 - DPF: {01347765-1965-426B-91A4-AA6BB342B9A3} (InstallerObj Class) - http://www.1-click.com/common/files/installer-hidden-test.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O16 - DPF: {F7FD91D1-45E6-4349-B698-F976062DAC26} - http://www.storage-tasp.com/gs/gsa1646.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C37487D7-9FC0-44C5-88CE-88B0C887950B}: NameServer = 193.70.192.25,193.70.152.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD76E65D-5E47-4084-9BA4-8D769E89F3A8}: NameServer = 172.19.10.40,172.19.10.35
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Programmi\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

THIS IS THE LOG THAT HIJACK GIVES ME

Edited by Kuma


Sorry to butt in, but you have to post the log as an attachment to the message. Not like this :dia:

You first have to save it in a folder on your PC, then click Browse at the bottom of the topic and go and find it where you saved it. Then click Add this attachment. I suggest you edit the message this way.

You will see that afterwards, here, they will surely solve the problem for you.

:)


You are wrong, gurdjieff, the rules have changed :) It is written at the top of the Security section :P


Obviously.......it was a joke........I was joking ;):P It was just a manner of speaking, to kill time :P:)


Before proceeding, download these programs (the ones you are missing)

Microsoft AntiSpy

SpyBot 1.4 (antispyware)

Ad_Aware 1.06 (antispyware) + Languages (ITA)

Bit Defender Free (a second antivirus, NOT resident)

:::::::::::::::::::::::::::::: UPDATE the ones above ::::::::::::::::::::::::::::::

CwShredder (checks for CoolWebSearch infection)

SpyWare Blaster (protection against harmful pages)

RegSeeker (registry cleanup)

Ccleaner (cleanup of unneeded files)

_____________________________________

Also download L2M remover

and the script to repair the Trusted Zone

UNINSTALL SPYBAN from "Add/Remove Programs"

SpyBan (spyban.net) is an anti-spyware application from NicTech Networks (nictechnetworks.com), who also operate the system-destabilising and extremely difficult-to-remove Look2Me parasite. SpyBan installs Look2Me when loaded, which can then install other parasites.

capt0010zd.jpg

Remember to put HIJACK in a folder of its own (in Programmi or Documenti); what matters is that it is not on the desktop or in temporary folders

Carry out these steps ------ > (print the page)

Make sure the "Show hidden files and folders" option is enabled.

(Control Panel > Folder Options > View)

Disable System Restore on all drives

(note that this will DELETE ALL restore points, so if you no longer have problems, create at least one new restore point after this procedure)

Run L2M Remover

Run the SCRIPT to repair the TRUSTED ZONE

(right-click the file and select Install)

Boot the system in Safe Mode

Run Hijack and click "do a system scan only"

Tick these entries (they may not all be there) and click "fix checked"

O4 - HKLM\..\Run: [shell32] C:\WINDOWS\system32\shell32.exe

O4 - HKLM\..\Run: [i downloaded pirated Software from P2P] C:\WINDOWS\system32\Battlefield2 .exe

O4 - HKCU\..\Run: [spyBan] "C:\Programmi\SpyBan\SpyBan.exe" /s

O15 - Trusted Zone: www.playitalia.com

O16 - DPF: {01347765-1965-426B-91A4-AA6BB342B9A3} (InstallerObj Class) - ht tp://www.1-click.com/common/files/instal...hidden-test.cab

O16 - DPF: {F7FD91D1-45E6-4349-B698-F976062DAC26} - ht tp://www.storage-tasp.com/gs/gsa1646.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{DD76E65D-5E47-4084-9BA4-8D769E89F3A8}: NameServer = 172.19.10.40,172.19.10.35

Find these files and, if they are there, delete them

C:\WINDOWS\system32\shell32.exe

C:\WINDOWS\system32\Battlefield2 .exe

C:\Programmi\SpyBan\ <-- folder

Still in Safe Mode, repeat the security scans

(SpyBot, Ad-Aware and antivirus, all UPDATED) ... APPLY THE PROTECTIONS OF CwShredder and SpyWare Blaster.

Clean the registry with RegSeeker

Also clean up the cache, cookies and prefetch files (XP) with: Ccleaner

(do not change the options)

Restart the PC in normal mode and re-enable System Restore

Go online for a scan at:

Kaspersky

redo the log and post it here for a final check

NB___if the entries do not appear in Safe Mode, they must be fixed from normal mode.

Remember to create a new RESTORE point at the end of this procedure

_____________________________________________

Install a better firewall --> Zone Alarm FREE


NO LUCK! :sigh: :sigh: :sigh:

I did everything :leggi: you said, but after rebooting I ran another scan with Ad-Aware and there is eZula again (damn it!). Kuma, I get it, I've been a pain! Anyway, if you still feel like helping me, this is the Hijack log after the procedure you posted:

Logfile of HijackThis v1.99.1
Scan saved at 18.04.52, on 16/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Programmi\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Microsoft AntiSpyware\gcasServ.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\Programmi\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Creative\MediaSource\Detector\CTDetect.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\PUCA\IMPOST~1\Temp\Rar$EX02.359\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar\01.01.2607.0\it\msntb.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Programmi\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Programmi\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DVD43] "C:\Programmi\DVD Region+CSS Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Programmi\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Programmi\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: Eurobarre.lnk = C:\Programmi\eurobarre\eb.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C37487D7-9FC0-44C5-88CE-88B0C887950B}: NameServer = 193.70.192.25,193.70.152.25
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Programmi\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Edited by Kuma


You haven't been a "pain" at all :P

I'm here precisely to help :P

Anyway, the log is clean... (Ezula did not show up as loaded before either)

You had a few TROJANS, which you have removed, though :) and now the log is perfect.

At this point I think it is a "false positive", that is, just an entry in the registry.... also because none of the files that Ezula uses show up in the log...

As a last thing, try running an online scan on Kaspersky for me

(and of course post me the result)

One more thing.....

I saw that you use EUROBARRE <_<

I wonder whether that might be the culprit; it is the only thing showing in the log that I did not have you remove, also because I did not have enough information... if I were you, I would try uninstalling it and then see whether the nasty entry comes back

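The check behind the reply above (none of the files eZula uses appear in the log) can be run mechanically. This Python sketch is an added example, not part of the original posts: it parses an excerpt of the posted HijackThis log, searches it for a subset of the eZula file names from the first reply, and also flags entries with a missing target and a scanner launched from a temporary folder. The function names are illustrative.

```python
import ntpath
import re
from collections import Counter

# Excerpt of the HijackThis v1.99.1 log posted in the thread (not the whole log).
LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\DOCUME~1\PUCA\IMPOST~1\Temp\Rar$EX02.359\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.libero.it:8080
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - Startup: Eurobarre.lnk = C:\Programmi\eurobarre\eb.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C37487D7-9FC0-44C5-88CE-88B0C887950B}: NameServer = 193.70.192.25,193.70.152.25
"""

# Some of the eZula file names listed in the first reply of the thread.
EZULA_FILES = {"ezinstall.exe", "ezulains.exe", "ezstub22.exe",
               "ezpopstub.exe", "mmod.exe", "wo.exe"}

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O4 - HKLM\..\Run: ..."
MISSING = re.compile(r"\((?:file missing|no file)\)$")  # orphaned registry entries


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False            # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def mentions(line, name):
    """True if `name` appears as a whole file name, so 'wo.exe' does not match 'two.exe'."""
    pattern = r"(?<![\w.-])" + re.escape(name) + r"(?![\w.-])"
    return re.search(pattern, line, re.I) is not None


def triage(text, indicators=EZULA_FILES):
    processes, entries = parse_log(text)
    lines = processes + [body for _, body in entries]
    return {
        "sections": Counter(code for code, _ in entries),
        "missing_target": [(c, b) for c, b in entries if MISSING.search(b)],
        # The thread asks for HijackThis to live in its own folder, not a temp one.
        "scanner_in_temp": any(ntpath.basename(p).lower() == "hijackthis.exe"
                               and "\\temp\\" in p.lower() for p in processes),
        "indicator_hits": sorted(n for n in indicators
                                 if any(mentions(l, n) for l in lines)),
    }


if __name__ == "__main__":
    result = triage(LOG)
    print("entries per section:", dict(result["sections"]))
    print("missing targets:", [c for c, _ in result["missing_target"]])
    print("scanner run from temp folder:", result["scanner_in_temp"])
    print("eZula file names found:", result["indicator_hits"])
```

An empty `indicator_hits` only says that none of the listed names is referenced by a startup entry or running process in the log; it says nothing about leftover registry keys such as the CLSID that Ad-Aware reported.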

really???? anyway thanks for everything!!!! you really are a powerhouse in the security field, where you pass no spyware grows anymore!!! as for eurobarre, I installed it some time ago, then I uninstalled it, but sure enough a file was left in C:\Programmi\eurobarre\eb.exe and I deleted it! now I'll run the scan and then post you the result


this is the first scan:

------------------------------------------- :P ------------------------------------

KASPERSKY ON-LINE SCANNER REPORT

Friday, December 16, 2005 23:28:52

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky On-line Scanner version: 5.0.67.0

Kaspersky Anti-Virus database last update: 16/12/2005

Kaspersky Anti-Virus database records: 165581

-------------------------------------------------------------------------------

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

Scan Target - Critical Areas:

C:\WINDOWS

C:\DOCUME~1\PUCA\IMPOST~1\Temp\

Scan Statistics:

Total number of scanned objects: 12915

Number of viruses found: 3

Number of infected objects: 3

Number of suspicious objects: 0

Duration of the scan process: 478 sec

Infected Object Name - Virus Name

C:\WINDOWS\Downloaded Program Files\AUTO_267_N.exe Infected: Trojan.Win32.Dialer.hh

C:\WINDOWS\system32\wuauclt10.exe Infected: Trojan-Downloader.Win32.IstBar.is

C:\WINDOWS\system32\wudupdate.exe Infected: Trojan.Win32.Pakes

Scan process completed. :)

Edited by falco180


scan 2:

-------------------------------------------------------------------------------

KASPERSKY ON-LINE SCANNER REPORT

Saturday, December 17, 2005 00:25:06

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky On-line Scanner version: 5.0.67.0

Kaspersky Anti-Virus database last update: 16/12/2005

Kaspersky Anti-Virus database records: 165581

-------------------------------------------------------------------------------

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

Scan Target - My Computer:

A:\

C:\

D:\

E:\

Scan Statistics:

Total number of scanned objects: 58128

Number of viruses found: 8

Number of infected objects: 15

Number of suspicious objects: 0

Duration of the scan process: 2542 sec

Infected Object Name - Virus Name

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\LQBUMD9M\CP[1].IST2 Infected: Trojan.Win32.Crypt.t

C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-7fb5dbb4-76453007.class Infected: Trojan.Java.ClassLoader.f

C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4b76fffc-7e6603cb.zip/BlackBox.class Infected: Exploit.Java.ByteVerify

C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4b76fffc-7e6603cb.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify

C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4b76fffc-7e6603cb.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa

C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4b76fffc-7e6603cb.zip Infected: Trojan-Downloader.Java.OpenConnection.aa

C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\pizdec.jar-64bb7731-33886e61.zip/BlackBox.class Infected: Exploit.Java.ByteVerify

C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\pizdec.jar-64bb7731-33886e61.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify

C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\pizdec.jar-64bb7731-33886e61.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa

C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\pizdec.jar-64bb7731-33886e61.zip Infected: Trojan-Downloader.Java.OpenConnection.aa

C:\WINDOWS\Downloaded Program Files\AUTO_267_N.exe Infected: Trojan.Win32.Dialer.hh

C:\WINDOWS\system32\wuauclt10.exe Infected: Trojan-Downloader.Win32.IstBar.is

C:\WINDOWS\system32\wudupdate.exe Infected: Trojan.Win32.Pakes

C:\winupd.bat Infected: Trojan.BAT.Zapchast

C:\winupd2.bat Infected: Trojan.BAT.Zapchast

Scan process completed.


Open the Control Panel, click JAVA and then empty the cache (delete files)

capt0011du.jpg

Use Ccleaner to clean the temporary files,

but first go to OPTIONS\Advanced and untick the box as in the picture:

capt0028gg.jpg

Boot the system in Safe Mode and delete the following files:

C:\WINDOWS\Downloaded Program Files\AUTO_267_N.exe

C:\WINDOWS\system32\wuauclt10.exe

C:\WINDOWS\system32\wudupdate.exe

C:\winupd.bat

C:\winupd2.bat

Restart and repeat the scan on Kaspersky


how do I delete these files:

C:\WINDOWS\Downloaded Program Files\AUTO_267_N.exe

C:\WINDOWS\system32\wuauclt10.exe

C:\WINDOWS\system32\wudupdate.exe

C:\winupd.bat

C:\winupd2.bat

do I search for them in XP or with Hijack?


You don't need to search, since the path is complete.

So open Windows Explorer, go to the path indicated

(e.g. C:\WINDOWS\system32 for the files wudupdate.exe and wuauclt10.exe) and delete them

AFTERWARDS REMEMBER TO EMPTY THE RECYCLE BIN TOO

One thing... the files might be hidden (invisible); make sure (before deleting them)

that the "Show hidden files and folders" option is enabled.

(Control Panel > Folder Options > View)


C:\WINDOWS\Downloaded Program Files\AUTO_267_N.exe

I did not find this file in the path described,

now I'll run the online scan of the whole HD with Kaspersky and post you the result.


------------------------------------------------------------------------------

KASPERSKY ON-LINE SCANNER REPORT

Sunday, December 18, 2005 16:14:22

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky On-line Scanner version: 5.0.67.0

Kaspersky Anti-Virus database last update: 18/12/2005

Kaspersky Anti-Virus database records: 165863

-------------------------------------------------------------------------------

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

Scan Target - My Computer:

A:\

C:\

D:\

E:\

Scan Statistics:

Total number of scanned objects: 55347

Number of viruses found: 5

Number of infected objects: 6

Number of suspicious objects: 0

Duration of the scan process: 2609 sec

Infected Object Name - Virus Name

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\LQBUMD9M\CP[1].IST2 Infected: Trojan.Win32.Crypt.t

C:\System Volume Information\_restore{B0F99B5A-BD82-4120-9277-476DED4F0C51}\RP3\A0000178.exe Infected: Trojan-Downloader.Win32.IstBar.is

C:\System Volume Information\_restore{B0F99B5A-BD82-4120-9277-476DED4F0C51}\RP3\A0000179.bat Infected: Trojan.BAT.Zapchast

C:\System Volume Information\_restore{B0F99B5A-BD82-4120-9277-476DED4F0C51}\RP3\A0000180.bat Infected: Trojan.BAT.Zapchast

C:\WINDOWS\Downloaded Program Files\AUTO_267_N.exe Infected: Trojan.Win32.Dialer.hh

C:\WINDOWS\system32\wudupdate.exe Infected: Trojan.Win32.Pakes

Scan process completed.

this is the scan done after deleting in Safe Mode the files you mentioned, except for the file cited in the previous message.


1. Disable System Restore on all drives

2. Download Killbox

Enter the full path of these two files (one at a time ... so 2 reboots)

AUTO_267_N.exe (C:\WINDOWS\Downloaded Program Files\AUTO_267_N.exe)

wudupdate.exe (C:\WINDOWS\system32\wudupdate.exe)

User posted image

3. once these operations are finished, re-enable System Restore and create a new restore point

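To see what changed between the second and third Kaspersky reports, the findings can be diffed and sorted by location. The Python sketch below is an added example, not part of the original posts: it uses lines excerpted from those two reports, reports which objects were removed, which persist, and which new `_restore` objects carry the verdict of a file deleted in between, then groups what is left under the step the thread prescribes for that location. Function names and the `STEPS` wording are illustrative.

```python
import re

# Lines excerpted from the second and third Kaspersky reports in the thread.
SCAN_BEFORE = r"""
C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\LQBUMD9M\CP[1].IST2 Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\PUCA\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-4b76fffc-7e6603cb.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\WINDOWS\Downloaded Program Files\AUTO_267_N.exe Infected: Trojan.Win32.Dialer.hh
C:\WINDOWS\system32\wuauclt10.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\WINDOWS\system32\wudupdate.exe Infected: Trojan.Win32.Pakes
C:\winupd.bat Infected: Trojan.BAT.Zapchast
"""
SCAN_AFTER = r"""
C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\LQBUMD9M\CP[1].IST2 Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{B0F99B5A-BD82-4120-9277-476DED4F0C51}\RP3\A0000178.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\System Volume Information\_restore{B0F99B5A-BD82-4120-9277-476DED4F0C51}\RP3\A0000179.bat Infected: Trojan.BAT.Zapchast
C:\WINDOWS\Downloaded Program Files\AUTO_267_N.exe Infected: Trojan.Win32.Dialer.hh
C:\WINDOWS\system32\wudupdate.exe Infected: Trojan.Win32.Pakes
"""

FINDING = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<verdict>\S+)$")

# Location class -> the step the thread prescribes for it.
STEPS = {
    "restore_point": "disable System Restore on all drives, then re-enable it",
    "java_cache": "empty the Java cache from the Control Panel",
    "browser_cache": "clean temporary files with Ccleaner",
    "live_file": "delete in Safe Mode; Killbox for files that survive",
}


def parse_report(text):
    """Return (path, verdict) for every 'Infected:' line; header lines are skipped."""
    found = []
    for line in text.splitlines():
        m = FINDING.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("verdict")))
    return found


def classify(path):
    """Map an infected object's path to the kind of location it sits in."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    if "\\temporary internet files\\" in p:
        return "browser_cache"
    return "live_file"


def compare(before, after):
    """Diff two scans; paths are compared case-insensitively."""
    old = {p.lower(): (p, v) for p, v in before}
    new = {p.lower(): (p, v) for p, v in after}
    removed = [old[k] for k in old if k not in new]
    removed_verdicts = {v for _, v in removed}
    return {
        "removed": [p for p, _ in removed],
        "persisting": [new[k][0] for k in new if k in old],
        # New restore-point objects with the verdict of a file that was just deleted.
        "restore_copies": [p for p, v in new.values()
                           if classify(p) == "restore_point" and v in removed_verdicts],
    }


def plan(findings):
    """Group the remaining findings under the step that addresses each location."""
    steps = {}
    for path, _ in findings:
        steps.setdefault(STEPS[classify(path)], []).append(path)
    return steps


if __name__ == "__main__":
    before, after = parse_report(SCAN_BEFORE), parse_report(SCAN_AFTER)
    for key, paths in compare(before, after).items():
        print(key, len(paths))
    for step, paths in plan(after).items():
        print(f"{len(paths)} object(s): {step}")
```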
:wub: Mr. Kuma, I did everything you suggested. Afterwards I ran the Kaspersky scan of the critical area and it came back negative, NO MALWARE FOUND!!!!!!!!!!!, :):P:P THANK YOU for the immense help you gave me and CONGRATULATIONS to you and the whole staff. I hope we'll be in touch again soon, not for more malware but at most for some clarifications on security matters! BYE!!! :up1:
