Valutazione 4.87/ 5 (100.00%) 5838 voti

Condividi:        

virus serwab?!?

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: kadosh, Luke57

virus serwab?!?

Postdi babbas » 18/07/06 18:37

Ciao ragazzi. Ho un problemino con un virus. Dovrebbe chiamarsi "serwab", accade che quando apro internet si aprono una miriade di finestre, publicita per lo più, (ad esempio: http://www.dofact.com/t164461100.html oppure http://www.goodrumor.com/t164461100.html, senza che io faccia nulla). Inoltre si apre un sito (http://amaena.com/securityworm5/it/?aid ... =os&h=&b=0) che dice di scaricare l'antivirus da lui consigliato per sistemare il problema, ma io ho norton istallato (e aggiornato) e ho paura di fare casini. Spero che con il log qui sotto ci capiate qualcosa. Grazie ragazzi. :eeh:

Logfile of HijackThis v1.99.1
Scan saved at 19.22.37, on 18/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\c2ltb25l\command.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programmi\Network Monitor\netmon.exe
C:\Programmi\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Documents and Settings\All Users\Dati applicazioni\avservice.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Trust\DS-3300X Wireless Optical Deskset\Keyboard\kbdap32a.EXE
C:\Programmi\Trust\DS-3300X Wireless Optical Deskset\Mouse\mouse32a.exe
C:\dfndrad_5.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\FILECO~1\zmuo\zmuom.exe
C:\WINDOWS\system32\mioengine.exe
c:\dfndrac_6.exe
C:\WINDOWS\explorer.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\simone\IMPOST~1\Temp\Rar$EX00.062\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Pirelli\Access Gateway USB Network\CnxTrApp.dll",AppEntry -REG "Pirelli\Access Gateway USB"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [OFFICEKB] C:\Programmi\Trust\DS-3300X Wireless Optical Deskset\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Programmi\Trust\DS-3300X Wireless Optical Deskset\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrac_6.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmac_6.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdaca_6.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Programmi\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [zmuo] C:\PROGRA~1\FILECO~1\zmuo\zmuom.exe
O4 - Startup: My Vodafone.it.lnk = C:\Documents and Settings\simone\Dati applicazioni\mioObjects\[objects]\69GWEU9386MTAR08.mio
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{093FDAA3-6859-4370-885D-4056A68B5B67}: NameServer = 85.37.17.16 85.38.28.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{093FDAA3-6859-4370-885D-4056A68B5B67}: NameServer = 85.37.17.16 85.38.28.68
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: DIFx - C:\WINDOWS\system32\t0r80a9ued.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c2ltb25l\command.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programmi\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: AVCore (SrvMain) - Unknown owner - C:\Documents and Settings\All Users\Dati applicazioni\avservice.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
babbas
Utente Junior
 
Post: 17
Iscritto il: 02/07/06 20:09

Sponsor
 

Postdi andorra24 » 18/07/06 19:38

Ciao, apri hijackthis, premi su ''open the misc tools section'', poi premi ''open process manager'', individua le voci indicate sotto e premi ''kill process'':

C:\WINDOWS\c2ltb25l\command.exe
C:\Programmi\Network Monitor\netmon.exe
C:\Documents and Settings\All Users\Dati applicazioni\avservice.exe
C:\dfndrad_5.exe
C:\PROGRA~1\FILECO~1\zmuo\zmuom.exe
c:\dfndrac_6.exe

Poi vai in basso e premi il tasto back e subito dopo il tasto scan. Metti la spunta nella casellina accanto alle voci indicate sotto e premi ''fix checked'' :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [defender] c:\\dfndrac_6.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmac_6.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdaca_6.exe
O4 - HKCU\..\Run: [zmuo] C:\PROGRA~1\FILECO~1\zmuo\zmuom.exe
O20 - Winlogon Notify: DIFx - C:\WINDOWS\system32\t0r80a9ued.dll
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c2ltb25l\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Programmi\Network Monitor\netmon.exe
O23 - Service: AVCore (SrvMain) - Unknown owner - C:\Documents and Settings\All Users\Dati applicazioni\avservice.exe

Vai sul Pannello di controllo e se hai installato Network Monitor disinstallalo.

Vai su start/risorse del computer/strumenti/opzioni cartella/visualizzazione e metti la spunta su ''visualizza cartelle e file nascosti'' e togli la spunta da ''nascondi i file protetti di sistema (consigliato)''.

Scarica killbox da qui:
http://www.bleepingcomputer.com/files/killbox.php

Con killbox elimina i seguenti files:
C:\WINDOWS\c2ltb25l\command.exe
C:\Programmi\Network Monitor\netmon.exe (dopo aver eliminato il file netmon.exe elimina l'intera cartella Network Monitor)
C:\Documents and Settings\All Users\Dati applicazioni\avservice.exe
C:\dfndrad_5.exe
C:\PROGRA~1\FILECO~1\zmuo\zmuom.exe (dopo aver eliminato il file zmuom.exe elimina anche la cartella zmuo)
c:\dfndrac_6.exe
C:\WINDOWS\system32\t0r80a9ued.dll
C:\WINDOWS\SYSTEM32\winjgf32.dll

Fai una scansione con ewido:
http://www.grisoft.cz/softw/70/filedir/ ... 0.172b.exe
e una con questo tool antivirus:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi babbas » 19/07/06 09:38

Innanzitutto grazie mille, ma ho qualche problema nell'operazione.
Ho fatto tutto bene con hijackthis, ma poi non mi si disistalla Network Monitor, mi appare una finestra che dice: "removing this application may cause dependent applications to stop", vado comunque a confermare e mi appare un'altra finestra con scritto: "an error has occured removing Network Monitor. Network Monitor has not been removed".
Poi con Killbox non riesco a trovare i file da te elencati (per alcuni trovo solo la cartella ma non l'exe), nonostante abbia seguito alla lettera i tuoi suggerimenti (naturalmente ho messo visualizza i file nascosti ecc ecc).
Sbaglio io?? :?:
Ti ringrazio ancora per la tua pazienza.
babbas
Utente Junior
 
Post: 17
Iscritto il: 02/07/06 20:09

Postdi andorra24 » 19/07/06 09:55

Fai le scansioni che ti ho linkato nel post precedente e al termine posta un nuovo log di hijackthis.
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi babbas » 19/07/06 11:18

Fatto. Sono nelle tue mani. Ancora grazie. :roll:

Logfile of HijackThis v1.99.1
Scan saved at 12.10.46, on 19/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Trust\DS-3300X Wireless Optical Deskset\Keyboard\kbdap32a.EXE
C:\Programmi\Trust\DS-3300X Wireless Optical Deskset\Mouse\mouse32a.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mioengine.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Google\Google Earth\GoogleEarth.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\simone\IMPOST~1\Temp\Rar$EX00.859\HijackThis.exe
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Pirelli\Access Gateway USB Network\CnxTrApp.dll",AppEntry -REG "Pirelli\Access Gateway USB"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [OFFICEKB] C:\Programmi\Trust\DS-3300X Wireless Optical Deskset\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Programmi\Trust\DS-3300X Wireless Optical Deskset\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Programmi\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: My Vodafone.it.lnk = C:\Documents and Settings\simone\Dati applicazioni\mioObjects\[objects]\69GWEU9386MTAR08.mio
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{093FDAA3-6859-4370-885D-4056A68B5B67}: NameServer = 85.37.17.16 85.38.28.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{093FDAA3-6859-4370-885D-4056A68B5B67}: NameServer = 85.37.17.16 85.38.28.68
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\p8n8li5u18.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c2ltb25l\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: AVCore (SrvMain) - Unknown owner - C:\Documents and Settings\All Users\Dati applicazioni\avservice.exe (file missing)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
babbas
Utente Junior
 
Post: 17
Iscritto il: 02/07/06 20:09

Postdi andorra24 » 19/07/06 11:41

Ci sono ancora alcune cosine da eliminare con hijackthis:

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\p8n8li5u18.dll
O20 - Winlogon Notify: winjgf32 - winjgf32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c2ltb25l\command.exe (file missing)
O23 - Service: AVCore (SrvMain) - Unknown owner - C:\Documents and Settings\All Users\Dati applicazioni\avservice.exe (file missing)

Lancia questo tool di rimozione dell'adware look2me:
http://www.atribune.org/content/view/28/

Poi con killbox elimina se c'e' il seguente file:
C:\WINDOWS\system32\p8n8li5u18.dll

Per eliminare le due voci 023 (se hijackthis non riesce ad eliminarle) usa questo metodo:

start>esegui>sc stop SrvMain>OK
start>esegui>sc delete SrvMain>OK



start>esegui>sc stop cmdService>OK
start>esegui>sc delete cmdService>OK
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi babbas » 20/07/06 08:21

Il problema sembra essere risolto. Ti volevo ringraziare. Sei un grande! :D :D
babbas
Utente Junior
 
Post: 17
Iscritto il: 02/07/06 20:09

Postdi andorra24 » 20/07/06 11:06

babbas ha scritto:Il problema sembra essere risolto. Ti volevo ringraziare. Sei unA grande! :D :D

Prego :)
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi Nez » 26/07/06 11:15

Ho lo stesso problema....
per cortesia mi potete aiutare ?

questo è il mio log file:

Logfile of HijackThis v1.99.1
Scan saved at 11.44.02, on 26/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmi\ORL\VNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\winnt\system32\rlvknlg.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\HbTools\Bin\4.8.0.0\HbtOEAddOn.exe
C:\Programmi\SaveNow\SaveNow.exe
C:\Programmi\Hbtools\HBTV\HBTV.exe
C:\Programmi\PrestoNotes\PrestoNotes.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\EZSTUB.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\programmi\ibm\client access\emulator\pcsws.exe
C:\Programmi\IBM\Client Access\Emulator\PCSCM.EXE
C:\programmi\ibm\client access\emulator\pcsws.exe
C:\programmi\ibm\client access\emulator\pcsws.exe
C:\Lotus\Notes\nhldaemn.EXE
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\anlora\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Se ... ftPane.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = null:1240
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.gruppobonazzi.com;www.aquafabric.info;bonazzi.lan;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TVEngine Helper /fleok=1D8A83A5C2E6107C91A475760EA83FA5EF80752B94E3D77B5E75412F3DC2 - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\programmi\hbtools\hbtv\hbtvhelper.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINNT\inetloader.dll
O2 - BHO: HbTools - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Programmi\HbTools\Bin\4.8.0.0\HbtHostIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Programmi\HbTools\Bin\4.8.0.0\HbtHostIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Programmi\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Programmi\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Programmi\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Programmi\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Programmi\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] brouteuse.exe
O4 - HKLM\..\Run: [Rcf Driver] rcf.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\winnt\system32\rlvknlg.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HbTools] C:\Programmi\HbTools\Bin\4.8.0.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [ezzqsizg] C:\WINNT\system32\gfdsjzcs.exe
O4 - HKLM\..\Run: [SaveNow] C:\Programmi\SaveNow\SaveNow.exe
O4 - HKLM\..\Run: [NI.UWA6PT_0001_N73M1104] "C:\Documents and Settings\anlora\Desktop\WinAntiVirusPro2006FreeInstall_it.exe" -nag
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] brouteuse.exe
O4 - HKLM\..\RunServices: [Windows Fix] integator.exe
O4 - HKLM\..\RunServices: [Rcf Driver] rcf.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Programmi\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [PrestoNotes] C:\Programmi\PrestoNotes\PrestoNotes.exe
O4 - HKCU\..\RunOnce: [eZstub] C:\PROGRA~1\EZSTUB.EXE
O4 - Startup: AS400logon.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://lnqp.secure.gruppobonazzi.com/qp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bonazzi.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bonazzi.lan
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bonazzi.lan
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Comando remoto Client Access Express (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: luwjs - Unknown owner - \\10.15.4.109\VisualPlanTex400_RW\vmsvc32.exe" -service (file missing)
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ohloib - Unknown owner - \\10.15.4.109\VisualPlanTex400_RW\vmsvc32.exe" -service (file missing)
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmi\ORL\VNC\WinVNC.exe" -service (file missing)
Nez
Newbie
 
Post: 6
Iscritto il: 26/07/06 11:11

Postdi BilloKenobi » 26/07/06 11:28

fixiamo (in provvisoria, ripristino configurazione del sistema disattivato)


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = null:1240
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: TVEngine Helper /fleok=1D8A83A5C2E6107C91A475760EA83FA5EF80752B94E3D77B5E75412F3DC2 - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\programmi\hbtools\hbtv\hbtvhelper.dll
O2 - BHO: HbTools - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Programmi\HbTools\Bin\4.8.0.0\HbtHostIE.dll
O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Programmi\HbTools\Bin\4.8.0.0\HbtHostIE.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Rcf Driver] rcf.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\winnt\system32\rlvknlg.exe -boot
O4 - HKLM\..\Run: [HbTools] C:\Programmi\HbTools\Bin\4.8.0.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [ezzqsizg] C:\WINNT\system32\gfdsjzcs.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] brouteuse.exe
O4 - HKLM\..\RunServices: [Windows Fix] integator.exe
O4 - HKLM\..\RunServices: [Rcf Driver] rcf.exe
O4 - HKCU\..\RunOnce: [eZstub] C:\PROGRA~1\EZSTUB.EXE
O4 - Startup: AS400logon.bat

questo se non lo conosci fixalo

O4 - Startup: AS400logon.bat

dovrebbe essere tutto. elimina

c:\winnt\tour.reg
c:\winnt\system32\rlvknlg.exe
C:\Programmi\HbTools\Bin\4.8.0.0\HbtOEAddOn.exe
C:\WINNT\system32\gfdsjzcs.exe
brouteuse.exe
integator.exe
rcf.exe
C:\PROGRA~1\EZSTUB.EXE
AS400logon.bat

giusto andorra?
Begun the Clone War has

Sì sì, mi hanno fatto redattore --- SuspectFile
BilloKenobi
Utente Senior
 
Post: 348
Iscritto il: 08/07/06 11:05

Postdi Nez » 26/07/06 11:38

fatto tutto....

grazie intanto.....
Nez
Newbie
 
Post: 6
Iscritto il: 26/07/06 11:11

Postdi andorra24 » 26/07/06 11:52

Ci sono altre voci da fixare:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Se ... ftPane.htm
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINNT\inetloader.dll
O4 - HKLM\..\Run: [SaveNow] C:\Programmi\SaveNow\SaveNow.exe
O4 - HKLM\..\Run: [NI.UWA6PT_0001_N73M1104] "C:\Documents and Settings\anlora\Desktop\WinAntiVirusPro2006FreeInstall_it.exe" -nag
O23 - Service: luwjs - Unknown owner - \\10.15.4.109\VisualPlanTex400_RW\vmsvc32.exe" -service (file missing)
O23 - Service: ohloib - Unknown owner - \\10.15.4.109\VisualPlanTex400_RW\vmsvc32.exe" -service (file missing)

Vai nel Pannello di controllo/installazione applicazioni e se c'e' una voce SaveNow la devi disinstallare.

Elimina i seguenti files con killbox (http://www.bleepingcomputer.com/files/killbox.php ) :
C:\WINNT\inetloader.dll
C:\Programmi\SaveNow\SaveNow.exe (elimina prima il file exe e dopo la cartella che lo contiene)
C:\Documents and Settings\anlora\Desktop\WinAntiVirusPro2006FreeInstall_it.exe
C:\Programmi\Hbtools\HBTV\HBTV.exe

Fai una scansione con ewido:
http://www.grisoft.cz/softw/70/filedir/ ... 0.172c.exe
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi andorra24 » 26/07/06 11:54

andorra24 ha scritto:Elimina i seguenti files con killbox

Il link: http://www.bleepingcomputer.com/files/killbox.php
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi Nez » 26/07/06 12:00

Grazie....
Visto che siete esperti volevo capire il grado di pericolosità di questo virus....
Mi date qualche spiegazione ?

Grazie mille :)
Nez
Newbie
 
Post: 6
Iscritto il: 26/07/06 11:11

Postdi andorra24 » 26/07/06 12:07

Avevi degli adwares e un worm. Dopo aver fixato le varie voci con hijackthis ed aver eliminato i files incriminati fai un paio di scansioni antivirus/antispyware. Nel link precedente ti ho indicato ewido, aggiungi anche questa:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi Nez » 26/07/06 12:22

Grazie mille Andorra.....
Nez
Newbie
 
Post: 6
Iscritto il: 26/07/06 11:11

Postdi andorra24 » 26/07/06 13:39

Nez ha scritto:Grazie mille Andorra.....

Prego. :)
andorra24
Utente Senior
 
Post: 2742
Iscritto il: 21/05/06 15:44
Località: Palermo

Postdi Nez » 26/07/06 14:25

Un' ultima domanda....
Nel mio portatile ho installato XP Pro e quando ho installato i driver della scheda video (nVidia Ge force 6200 go) mi è uscito un avviso di un problema di incompatibilità....
prima avevo win Home....

hai qualche consiglio da darmi in merito ?
poi ti farò un monumento in silicio nella piazza della mia città....

grazie
Nez
Newbie
 
Post: 6
Iscritto il: 26/07/06 11:11

Postdi Nez » 26/07/06 14:28

DIMENTICAVO DI RINGRAZIARE ANCHE BILLOKENOBI
Nez
Newbie
 
Post: 6
Iscritto il: 26/07/06 11:11

Postdi BilloKenobi » 26/07/06 14:30

Nez ha scritto:DIMENTICAVO DI RINGRAZIARE ANCHE BILLOKENOBI


volevo ben dire :lol: :lol:
Begun the Clone War has

Sì sì, mi hanno fatto redattore --- SuspectFile
BilloKenobi
Utente Senior
 
Post: 348
Iscritto il: 08/07/06 11:05

Prossimo

Torna a Sicurezza e Privacy


Topic correlati a "virus serwab?!?":


Chi c’è in linea

Visitano il forum: Nessuno e 5 ospiti