..Omega.Rav..
4th August 2004, 17:59
Che roba è?
Uno dei peggiori worm spyware in circolazione ultimamente [sembra si ascattata una vera e propria epidemia con la diffusione di questo worm spyware in molti siti rintracciabili con google]. Cambia l'homepage, la pagina di errore di Iexplorer, causa errori in Explorer causando riavvii se si cerca di raggiungere siti http dalle cartelle di file (ex. digitando indirizzi web nella barra di "documenti" ), lag in rete internat o lan in dosi a volte massicce.
Effettivamente la mia home page web cambia continuamente in un indirizzo res://C:\windows...
Significa che vi siete beccati questo poco simpatico worm spyware, che si trova spesso in accoppiata con un programma (rintracciabile nell'elenco installazioni da pannello di controllo, anche con il nome di "Shopping Wizard")
Non riesco a rimuoverlo! Ho provato con molti programmi di anti-spyware ma non sembra volersene andare!
Questo Home Search Assistent è rintracciabile solo da alcuni programmi anti spyware, dal momento che tende ad "infettare" le *.dll dei più famosi (tra cui Spybot Search&Destroy e le stesse applicazioni Symantec) e comunque non removibile dall'azione di uno solo dei programmi che riescono a rintracciarlo.
L'unico modo per eliminare questo spyware, non senza danni ai programmi di sistema, comunque, ed evitare il più classico e drastico formattone è questo:
[vi riporto una mia mail inviata ad un centro assistenza in seguito ad una azione di recupero e pulizia dall'Home Seach Assistent + Shopping Wizard]
Topic originale con richiesta d'aiuto contro "Home Search Assistent" e altri Spyware correlati
Ti rimando al link in fondo a questa stessa pagina per rintracciare i programmi indicati in questo topic
-------------------------------------------------------------------------------------------------------------------------
I programmi indicati sono tutti freeware.
N.B. HijackThis è un programma abbastanza comune e facilmente rintracciabile con Google
-------------------------------------------------------------------------------------------------------------------------
N.B. Il LOG di HijackThis riportato in questa pagina fa riferimento al computer ed all'elenco programmi specifico
della persona che ha chiesto aiuto nel topic stesso.
HijackThis tende a visualizzare alcuni ingressi che NON devono essere rimossi (sotto stringa 04) indicati come
Startup
Global Startup
le stringhe 012 fanno riferimento a PLugIn (generalmente innocui)
le stringhe 016 [per lo piu' DPF] fanno riferimento ad attività web in http (per lo più innocua anche in questo caso)
gli SpyWare tendono ad annidarsi nella maggior parte dei casi nelle stringhe
02
04
-------------------------------------------------------------------------------------------------------------------------
Topic Originale:
-------------------------------------------------------------------------------------------------------------------------
Hello please download About:Buster and unzip it to your desktop. Don´t run it yet.
How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install
and then use adaware. Don´t use it yet.
1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and
click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it
download and install the updates by clicking on *Finish* .This will return you to the main screen. You should
now see Reference File # : 01R333 18.07.2004 or higher listed.
2 Print out these instructions so you have them handy as most of the steps need to be
done in safe mode and you may not be able to go online.
3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it,
double-click on it. In the next window that opens, click the Stop button, then click
on properties and under the General Tab, change the Startup Type to Disabled. Now hit
Apply and then Ok and close any open windows. This service is installed by the malware.
If this service is not listed go ahead with the next step.
4. Reboot to Safe Mode
How to start the computer in
Safe mode
5. Make sure your PC is configured to show hidden files
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make
sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions
for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to
all the following, then click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cgpxi.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cgpxi.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cgpxi.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cgpxi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cgpxi.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cgpxi.dll/sp.html#37049
O2 - BHO: (no name) - {D2338C40-0459-FC97-8B05-91E9716C5A89} - C:\WINDOWS\system32\appax.dll
O4 - HKLM\..\Run: [sdkwa32.exe] C:\WINDOWS\system32\sdkwa32.exe
O4 - HKLM\..\Run: [javaen.exe] C:\WINDOWS\system32\javaen.exe
O4 - HKLM\..\Run: [winju32.exe] C:\WINDOWS\winju32.exe
O4 - HKLM\..\RunOnce: [javaqp.exe] C:\WINDOWS\javaqp.exe
O4 - HKLM\..\RunOnce: [addme32.exe] C:\WINDOWS\addme32.exe
O4 - HKLM\..\RunOnce: [msmf32.exe] C:\WINDOWS\system32\msmf32.exe
O4 - HKLM\..\RunOnce: [ipfj.exe] C:\WINDOWS\ipfj.exe
O4 - HKLM\..\RunOnce: [mswj.exe] C:\WINDOWS\system32\mswj.exe
O4 - HKLM\..\RunOnce: [wintv32.exe] C:\WINDOWS\system32\wintv32.exe
O4 - HKLM\..\RunOnce: [atlgr.exe] C:\WINDOWS\atlgr.exe
O4 - HKLM\..\RunOnce: [sdkzt32.exe] C:\WINDOWS\system32\sdkzt32.exe
O4 - HKLM\..\RunOnce: [nttu.exe] C:\WINDOWS\nttu.exe
O4 - HKLM\..\RunOnce: [netyf32.exe] C:\WINDOWS\system32\netyf32.exe
O4 - HKLM\..\RunOnce: [winvd.exe] C:\WINDOWS\system32\winvd.exe
O4 - HKLM\..\RunOnce: [atlko32.exe] C:\WINDOWS\system32\atlko32.exe
O4 - HKLM\..\RunOnce: [atlzj.exe] C:\WINDOWS\atlzj.exe
O4 - HKLM\..\RunOnce: [mfcen32.exe] C:\WINDOWS\system32\mfcen32.exe
O4 - HKLM\..\RunOnce: [addsk.exe] C:\WINDOWS\addsk.exe
O4 - HKLM\..\RunOnce: [apivt32.exe] C:\WINDOWS\apivt32.exe
O4 - HKLM\..\RunOnce: [crwq32.exe] C:\WINDOWS\crwq32.exe
O4 - HKLM\..\RunOnce: [mfcat.exe] C:\WINDOWS\mfcat.exe
O4 - HKLM\..\RunOnce: [ntcl32.exe] C:\WINDOWS\system32\ntcl32.exe
O4 - HKLM\..\RunOnce: [sysnd32.exe] C:\WINDOWS\sysnd32.exe
O4 - HKLM\..\RunOnce: [appbb.exe] C:\WINDOWS\system32\appbb.exe
O4 - HKLM\..\RunOnce: [appzu32.exe] C:\WINDOWS\appzu32.exe
O4 - HKLM\..\RunOnce: [wingo.exe] C:\WINDOWS\system32\wingo.exe
O4 - HKLM\..\RunOnce: [syshv.exe] C:\WINDOWS\system32\syshv.exe
O4 - HKLM\..\RunOnce: [ieru32.exe] C:\WINDOWS\ieru32.exe
O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\mscz.exe
O4 - HKLM\..\RunOnce: [iexp32.exe] C:\WINDOWS\system32\iexp32.exe
O4 - HKLM\..\RunOnce: [msuz.exe] C:\WINDOWS\msuz.exe
O4 - HKLM\..\RunOnce: [sysnq.exe] C:\WINDOWS\sysnq.exe
O4 - HKLM\..\RunOnce: [appgh32.exe] C:\WINDOWS\appgh32.exe
O4 - HKLM\..\RunOnce: [atlqz32.exe] C:\WINDOWS\atlqz32.exe
O4 - HKLM\..\RunOnce: [mswe.exe] C:\WINDOWS\system32\mswe.exe
O4 - HKLM\..\RunOnce: [mfceu.exe] C:\WINDOWS\mfceu.exe
O4 - HKLM\..\RunOnce: [appxx32.exe] C:\WINDOWS\appxx32.exe
O4 - HKLM\..\RunOnce: [appxs.exe] C:\WINDOWS\system32\appxs.exe
O4 - HKLM\..\RunOnce: [javach32.exe] C:\WINDOWS\javach32.exe
O4 - HKLM\..\RunOnce: [wingf32.exe] C:\WINDOWS\system32\wingf32.exe
O4 - HKLM\..\RunOnce: [ntbh.exe] C:\WINDOWS\ntbh.exe
O4 - HKLM\..\RunOnce: [apixy.exe] C:\WINDOWS\apixy.exe
O4 - HKLM\..\RunOnce: [netso.exe] C:\WINDOWS\netso.exe
O4 - HKLM\..\RunOnce: [apinr.exe] C:\WINDOWS\system32\apinr.exe
O4 - HKLM\..\RunOnce: [mfcxe.exe] C:\WINDOWS\system32\mfcxe.exe
O4 - HKLM\..\RunOnce: [sysfb.exe] C:\WINDOWS\system32\sysfb.exe
O4 - HKLM\..\RunOnce: [ipez32.exe] C:\WINDOWS\system32\ipez32.exe
O4 - HKLM\..\RunOnce: [mstq32.exe] C:\WINDOWS\mstq32.exe
O4 - HKLM\..\RunOnce: [wintc.exe] C:\WINDOWS\wintc.exe
O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\crqc.exe
O4 - HKLM\..\RunOnce: [addmh.exe] C:\WINDOWS\addmh.exe
O4 - HKLM\..\RunOnce: [addro32.exe] C:\WINDOWS\addro32.exe
O4 - HKLM\..\RunOnce: [netbz32.exe] C:\WINDOWS\netbz32.exe
O4 - HKLM\..\RunOnce: [sysmx.exe] C:\WINDOWS\sysmx.exe
O4 - HKLM\..\RunOnce: [javauz.exe] C:\WINDOWS\system32\javauz.exe
O4 - HKLM\..\RunOnce: [apiox.exe] C:\WINDOWS\system32\apiox.exe
O4 - HKLM\..\RunOnce: [winns.exe] C:\WINDOWS\winns.exe
O4 - HKLM\..\RunOnce: [appxi32.exe] C:\WINDOWS\system32\appxi32.exe
O4 - HKLM\..\RunOnce: [javahl.exe] C:\WINDOWS\system32\javahl.exe
O4 - HKLM\..\RunOnce: [syste32.exe] C:\WINDOWS\syste32.exe
O4 - HKLM\..\RunOnce: [javabz32.exe] C:\WINDOWS\javabz32.exe
O4 - HKLM\..\RunOnce: [netlj32.exe] C:\WINDOWS\system32\netlj32.exe
O4 - HKLM\..\RunOnce: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O4 - HKLM\..\RunOnce: [appfy.exe] C:\WINDOWS\system32\appfy.exe
O4 - HKLM\..\RunOnce: [addpp.exe] C:\WINDOWS\system32\addpp.exe
O4 - HKLM\..\RunOnce: [nttm32.exe] C:\WINDOWS\nttm32.exe
O4 - HKLM\..\RunOnce: [iedb.exe] C:\WINDOWS\system32\iedb.exe
O4 - HKLM\..\RunOnce: [ntaf32.exe] C:\WINDOWS\system32\ntaf32.exe
O4 - HKLM\..\RunOnce: [mfcjo32.exe] C:\WINDOWS\mfcjo32.exe
O4 - HKLM\..\RunOnce: [winjx.exe] C:\WINDOWS\winjx.exe
O4 - HKLM\..\RunOnce: [crjp32.exe] C:\WINDOWS\crjp32.exe
O4 - HKLM\..\RunOnce: [addma32.exe] C:\WINDOWS\addma32.exe
O4 - HKLM\..\RunOnce: [ipjs.exe] C:\WINDOWS\system32\ipjs.exe
O4 - HKLM\..\RunOnce: [ntpu.exe] C:\WINDOWS\ntpu.exe
O4 - HKLM\..\RunOnce: [mszh32.exe] C:\WINDOWS\system32\mszh32.exe
O4 - HKLM\..\RunOnce: [sysoy32.exe] C:\WINDOWS\sysoy32.exe
O4 - HKLM\..\RunOnce: [sdkhd.exe] C:\WINDOWS\sdkhd.exe
O4 - HKLM\..\RunOnce: [d3sb32.exe] C:\WINDOWS\system32\d3sb32.exe
O4 - HKLM\..\RunOnce: [d3eo.exe] C:\WINDOWS\d3eo.exe
O4 - HKLM\..\RunOnce: [sdktd.exe] C:\WINDOWS\sdktd.exe
O4 - HKLM\..\RunOnce: [crvk32.exe] C:\WINDOWS\system32\crvk32.exe
O4 - HKLM\..\RunOnce: [atlye32.exe] C:\WINDOWS\system32\atlye32.exe
O4 - HKLM\..\RunOnce: [mfcrs32.exe] C:\WINDOWS\mfcrs32.exe
O4 - HKLM\..\RunOnce: [ntpy32.exe] C:\WINDOWS\system32\ntpy32.exe
O4 - HKLM\..\RunOnce: [crpb.exe] C:\WINDOWS\crpb.exe
O4 - HKLM\..\RunOnce: [mfcmb.exe] C:\WINDOWS\mfcmb.exe
O4 - HKLM\..\RunOnce: [sdkba.exe] C:\WINDOWS\sdkba.exe
7. Delete the following files if present.
C:\WINDOWS\system32\cgpxi.dll
Delete ALL the files related to the 02 and 04 entries.
8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start,
then click OK. This will scan your computer for the bad files and delete them.
Save the report(copy and paste into notepad or wordpad and save as a .txt file)
and post a copy back here when you are done with all the steps.
9. Scan with Adaware and let it remove any bad files found.
10. Clean out temporary and TIF files. Go to Start > Run and type in the box:
cleanmgr. Let it scan your system for files to remove. Make sure these 3
are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
11. Reboot to normal mode, scan again with Hijack This and post a new log here.
12. Finally, do an online scan HERE. Let it remove any infected files found.
Replace Deleted Files
It is also possible that the infection may have deleted up to three files from your
system. If these files are present, to be safe I suggest you overwrite them with a
new copy.
Go here and download the version of control.exe for your operating system. If you
are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it
to c:\windows\system32\.
Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'
Exit Program.
If you have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing you
Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
Additionally, Please check your ActiveX security settings. They may have been
changed by this CWS variant to allow ALL ActiveX!! If they have been changed,
reset your active x security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to
'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set
'Initialize and Script ActiveX controls not marked as safe" to 'Disable'
--------------------------------------------------------------------------------------------------------------------------
LINK
--------------------------------------------------------------------------------------------------------------------------
- Topic Originale:
http://forums.spywareinfo.com/index.php?showtopic=18418
- Disattivazione servizio server DCOM in windows [Attività di mancata connessione servizio server in Registro Eventi Sistema]
(dal sito microsoft)
http://support.microsoft.com/default.aspx?scid=kb;IT;825750
Prima di rimuovere il servizio DCOM consigliano di eseguire una scansione per cercare di trovare il programma origine
richiedente la connessione al server.
--------------------------------------------------------------------------------------------------------
Buon divertimento.
Uno dei peggiori worm spyware in circolazione ultimamente [sembra si ascattata una vera e propria epidemia con la diffusione di questo worm spyware in molti siti rintracciabili con google]. Cambia l'homepage, la pagina di errore di Iexplorer, causa errori in Explorer causando riavvii se si cerca di raggiungere siti http dalle cartelle di file (ex. digitando indirizzi web nella barra di "documenti" ), lag in rete internat o lan in dosi a volte massicce.
Effettivamente la mia home page web cambia continuamente in un indirizzo res://C:\windows...
Significa che vi siete beccati questo poco simpatico worm spyware, che si trova spesso in accoppiata con un programma (rintracciabile nell'elenco installazioni da pannello di controllo, anche con il nome di "Shopping Wizard")
Non riesco a rimuoverlo! Ho provato con molti programmi di anti-spyware ma non sembra volersene andare!
Questo Home Search Assistent è rintracciabile solo da alcuni programmi anti spyware, dal momento che tende ad "infettare" le *.dll dei più famosi (tra cui Spybot Search&Destroy e le stesse applicazioni Symantec) e comunque non removibile dall'azione di uno solo dei programmi che riescono a rintracciarlo.
L'unico modo per eliminare questo spyware, non senza danni ai programmi di sistema, comunque, ed evitare il più classico e drastico formattone è questo:
[vi riporto una mia mail inviata ad un centro assistenza in seguito ad una azione di recupero e pulizia dall'Home Seach Assistent + Shopping Wizard]
Topic originale con richiesta d'aiuto contro "Home Search Assistent" e altri Spyware correlati
Ti rimando al link in fondo a questa stessa pagina per rintracciare i programmi indicati in questo topic
-------------------------------------------------------------------------------------------------------------------------
I programmi indicati sono tutti freeware.
N.B. HijackThis è un programma abbastanza comune e facilmente rintracciabile con Google
-------------------------------------------------------------------------------------------------------------------------
N.B. Il LOG di HijackThis riportato in questa pagina fa riferimento al computer ed all'elenco programmi specifico
della persona che ha chiesto aiuto nel topic stesso.
HijackThis tende a visualizzare alcuni ingressi che NON devono essere rimossi (sotto stringa 04) indicati come
Startup
Global Startup
le stringhe 012 fanno riferimento a PLugIn (generalmente innocui)
le stringhe 016 [per lo piu' DPF] fanno riferimento ad attività web in http (per lo più innocua anche in questo caso)
gli SpyWare tendono ad annidarsi nella maggior parte dei casi nelle stringhe
02
04
-------------------------------------------------------------------------------------------------------------------------
Topic Originale:
-------------------------------------------------------------------------------------------------------------------------
Hello please download About:Buster and unzip it to your desktop. Don´t run it yet.
How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install
and then use adaware. Don´t use it yet.
1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and
click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it
download and install the updates by clicking on *Finish* .This will return you to the main screen. You should
now see Reference File # : 01R333 18.07.2004 or higher listed.
2 Print out these instructions so you have them handy as most of the steps need to be
done in safe mode and you may not be able to go online.
3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it,
double-click on it. In the next window that opens, click the Stop button, then click
on properties and under the General Tab, change the Startup Type to Disabled. Now hit
Apply and then Ok and close any open windows. This service is installed by the malware.
If this service is not listed go ahead with the next step.
4. Reboot to Safe Mode
How to start the computer in
Safe mode
5. Make sure your PC is configured to show hidden files
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make
sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions
for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to
all the following, then click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cgpxi.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cgpxi.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cgpxi.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cgpxi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cgpxi.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cgpxi.dll/sp.html#37049
O2 - BHO: (no name) - {D2338C40-0459-FC97-8B05-91E9716C5A89} - C:\WINDOWS\system32\appax.dll
O4 - HKLM\..\Run: [sdkwa32.exe] C:\WINDOWS\system32\sdkwa32.exe
O4 - HKLM\..\Run: [javaen.exe] C:\WINDOWS\system32\javaen.exe
O4 - HKLM\..\Run: [winju32.exe] C:\WINDOWS\winju32.exe
O4 - HKLM\..\RunOnce: [javaqp.exe] C:\WINDOWS\javaqp.exe
O4 - HKLM\..\RunOnce: [addme32.exe] C:\WINDOWS\addme32.exe
O4 - HKLM\..\RunOnce: [msmf32.exe] C:\WINDOWS\system32\msmf32.exe
O4 - HKLM\..\RunOnce: [ipfj.exe] C:\WINDOWS\ipfj.exe
O4 - HKLM\..\RunOnce: [mswj.exe] C:\WINDOWS\system32\mswj.exe
O4 - HKLM\..\RunOnce: [wintv32.exe] C:\WINDOWS\system32\wintv32.exe
O4 - HKLM\..\RunOnce: [atlgr.exe] C:\WINDOWS\atlgr.exe
O4 - HKLM\..\RunOnce: [sdkzt32.exe] C:\WINDOWS\system32\sdkzt32.exe
O4 - HKLM\..\RunOnce: [nttu.exe] C:\WINDOWS\nttu.exe
O4 - HKLM\..\RunOnce: [netyf32.exe] C:\WINDOWS\system32\netyf32.exe
O4 - HKLM\..\RunOnce: [winvd.exe] C:\WINDOWS\system32\winvd.exe
O4 - HKLM\..\RunOnce: [atlko32.exe] C:\WINDOWS\system32\atlko32.exe
O4 - HKLM\..\RunOnce: [atlzj.exe] C:\WINDOWS\atlzj.exe
O4 - HKLM\..\RunOnce: [mfcen32.exe] C:\WINDOWS\system32\mfcen32.exe
O4 - HKLM\..\RunOnce: [addsk.exe] C:\WINDOWS\addsk.exe
O4 - HKLM\..\RunOnce: [apivt32.exe] C:\WINDOWS\apivt32.exe
O4 - HKLM\..\RunOnce: [crwq32.exe] C:\WINDOWS\crwq32.exe
O4 - HKLM\..\RunOnce: [mfcat.exe] C:\WINDOWS\mfcat.exe
O4 - HKLM\..\RunOnce: [ntcl32.exe] C:\WINDOWS\system32\ntcl32.exe
O4 - HKLM\..\RunOnce: [sysnd32.exe] C:\WINDOWS\sysnd32.exe
O4 - HKLM\..\RunOnce: [appbb.exe] C:\WINDOWS\system32\appbb.exe
O4 - HKLM\..\RunOnce: [appzu32.exe] C:\WINDOWS\appzu32.exe
O4 - HKLM\..\RunOnce: [wingo.exe] C:\WINDOWS\system32\wingo.exe
O4 - HKLM\..\RunOnce: [syshv.exe] C:\WINDOWS\system32\syshv.exe
O4 - HKLM\..\RunOnce: [ieru32.exe] C:\WINDOWS\ieru32.exe
O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\mscz.exe
O4 - HKLM\..\RunOnce: [iexp32.exe] C:\WINDOWS\system32\iexp32.exe
O4 - HKLM\..\RunOnce: [msuz.exe] C:\WINDOWS\msuz.exe
O4 - HKLM\..\RunOnce: [sysnq.exe] C:\WINDOWS\sysnq.exe
O4 - HKLM\..\RunOnce: [appgh32.exe] C:\WINDOWS\appgh32.exe
O4 - HKLM\..\RunOnce: [atlqz32.exe] C:\WINDOWS\atlqz32.exe
O4 - HKLM\..\RunOnce: [mswe.exe] C:\WINDOWS\system32\mswe.exe
O4 - HKLM\..\RunOnce: [mfceu.exe] C:\WINDOWS\mfceu.exe
O4 - HKLM\..\RunOnce: [appxx32.exe] C:\WINDOWS\appxx32.exe
O4 - HKLM\..\RunOnce: [appxs.exe] C:\WINDOWS\system32\appxs.exe
O4 - HKLM\..\RunOnce: [javach32.exe] C:\WINDOWS\javach32.exe
O4 - HKLM\..\RunOnce: [wingf32.exe] C:\WINDOWS\system32\wingf32.exe
O4 - HKLM\..\RunOnce: [ntbh.exe] C:\WINDOWS\ntbh.exe
O4 - HKLM\..\RunOnce: [apixy.exe] C:\WINDOWS\apixy.exe
O4 - HKLM\..\RunOnce: [netso.exe] C:\WINDOWS\netso.exe
O4 - HKLM\..\RunOnce: [apinr.exe] C:\WINDOWS\system32\apinr.exe
O4 - HKLM\..\RunOnce: [mfcxe.exe] C:\WINDOWS\system32\mfcxe.exe
O4 - HKLM\..\RunOnce: [sysfb.exe] C:\WINDOWS\system32\sysfb.exe
O4 - HKLM\..\RunOnce: [ipez32.exe] C:\WINDOWS\system32\ipez32.exe
O4 - HKLM\..\RunOnce: [mstq32.exe] C:\WINDOWS\mstq32.exe
O4 - HKLM\..\RunOnce: [wintc.exe] C:\WINDOWS\wintc.exe
O4 - HKLM\..\RunOnce: [crqc.exe] C:\WINDOWS\crqc.exe
O4 - HKLM\..\RunOnce: [addmh.exe] C:\WINDOWS\addmh.exe
O4 - HKLM\..\RunOnce: [addro32.exe] C:\WINDOWS\addro32.exe
O4 - HKLM\..\RunOnce: [netbz32.exe] C:\WINDOWS\netbz32.exe
O4 - HKLM\..\RunOnce: [sysmx.exe] C:\WINDOWS\sysmx.exe
O4 - HKLM\..\RunOnce: [javauz.exe] C:\WINDOWS\system32\javauz.exe
O4 - HKLM\..\RunOnce: [apiox.exe] C:\WINDOWS\system32\apiox.exe
O4 - HKLM\..\RunOnce: [winns.exe] C:\WINDOWS\winns.exe
O4 - HKLM\..\RunOnce: [appxi32.exe] C:\WINDOWS\system32\appxi32.exe
O4 - HKLM\..\RunOnce: [javahl.exe] C:\WINDOWS\system32\javahl.exe
O4 - HKLM\..\RunOnce: [syste32.exe] C:\WINDOWS\syste32.exe
O4 - HKLM\..\RunOnce: [javabz32.exe] C:\WINDOWS\javabz32.exe
O4 - HKLM\..\RunOnce: [netlj32.exe] C:\WINDOWS\system32\netlj32.exe
O4 - HKLM\..\RunOnce: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O4 - HKLM\..\RunOnce: [appfy.exe] C:\WINDOWS\system32\appfy.exe
O4 - HKLM\..\RunOnce: [addpp.exe] C:\WINDOWS\system32\addpp.exe
O4 - HKLM\..\RunOnce: [nttm32.exe] C:\WINDOWS\nttm32.exe
O4 - HKLM\..\RunOnce: [iedb.exe] C:\WINDOWS\system32\iedb.exe
O4 - HKLM\..\RunOnce: [ntaf32.exe] C:\WINDOWS\system32\ntaf32.exe
O4 - HKLM\..\RunOnce: [mfcjo32.exe] C:\WINDOWS\mfcjo32.exe
O4 - HKLM\..\RunOnce: [winjx.exe] C:\WINDOWS\winjx.exe
O4 - HKLM\..\RunOnce: [crjp32.exe] C:\WINDOWS\crjp32.exe
O4 - HKLM\..\RunOnce: [addma32.exe] C:\WINDOWS\addma32.exe
O4 - HKLM\..\RunOnce: [ipjs.exe] C:\WINDOWS\system32\ipjs.exe
O4 - HKLM\..\RunOnce: [ntpu.exe] C:\WINDOWS\ntpu.exe
O4 - HKLM\..\RunOnce: [mszh32.exe] C:\WINDOWS\system32\mszh32.exe
O4 - HKLM\..\RunOnce: [sysoy32.exe] C:\WINDOWS\sysoy32.exe
O4 - HKLM\..\RunOnce: [sdkhd.exe] C:\WINDOWS\sdkhd.exe
O4 - HKLM\..\RunOnce: [d3sb32.exe] C:\WINDOWS\system32\d3sb32.exe
O4 - HKLM\..\RunOnce: [d3eo.exe] C:\WINDOWS\d3eo.exe
O4 - HKLM\..\RunOnce: [sdktd.exe] C:\WINDOWS\sdktd.exe
O4 - HKLM\..\RunOnce: [crvk32.exe] C:\WINDOWS\system32\crvk32.exe
O4 - HKLM\..\RunOnce: [atlye32.exe] C:\WINDOWS\system32\atlye32.exe
O4 - HKLM\..\RunOnce: [mfcrs32.exe] C:\WINDOWS\mfcrs32.exe
O4 - HKLM\..\RunOnce: [ntpy32.exe] C:\WINDOWS\system32\ntpy32.exe
O4 - HKLM\..\RunOnce: [crpb.exe] C:\WINDOWS\crpb.exe
O4 - HKLM\..\RunOnce: [mfcmb.exe] C:\WINDOWS\mfcmb.exe
O4 - HKLM\..\RunOnce: [sdkba.exe] C:\WINDOWS\sdkba.exe
7. Delete the following files if present.
C:\WINDOWS\system32\cgpxi.dll
Delete ALL the files related to the 02 and 04 entries.
8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start,
then click OK. This will scan your computer for the bad files and delete them.
Save the report(copy and paste into notepad or wordpad and save as a .txt file)
and post a copy back here when you are done with all the steps.
9. Scan with Adaware and let it remove any bad files found.
10. Clean out temporary and TIF files. Go to Start > Run and type in the box:
cleanmgr. Let it scan your system for files to remove. Make sure these 3
are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
11. Reboot to normal mode, scan again with Hijack This and post a new log here.
12. Finally, do an online scan HERE. Let it remove any infected files found.
Replace Deleted Files
It is also possible that the infection may have deleted up to three files from your
system. If these files are present, to be safe I suggest you overwrite them with a
new copy.
Go here and download the version of control.exe for your operating system. If you
are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it
to c:\windows\system32\.
Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'
Exit Program.
If you have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing you
Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
Additionally, Please check your ActiveX security settings. They may have been
changed by this CWS variant to allow ALL ActiveX!! If they have been changed,
reset your active x security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to
'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set
'Initialize and Script ActiveX controls not marked as safe" to 'Disable'
--------------------------------------------------------------------------------------------------------------------------
LINK
--------------------------------------------------------------------------------------------------------------------------
- Topic Originale:
http://forums.spywareinfo.com/index.php?showtopic=18418
- Disattivazione servizio server DCOM in windows [Attività di mancata connessione servizio server in Registro Eventi Sistema]
(dal sito microsoft)
http://support.microsoft.com/default.aspx?scid=kb;IT;825750
Prima di rimuovere il servizio DCOM consigliano di eseguire una scansione per cercare di trovare il programma origine
richiedente la connessione al server.
--------------------------------------------------------------------------------------------------------
Buon divertimento.
