Condividi:        

vcodec...trojan

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

vcodec...trojan

Postdi rnando » 27/12/05 03:51

Ciao a tutti e auguri....in questi giorni mi so beccato un Trojan
AVG sembra che abbia rimosso il virus ma spyBot continua a rilevarmi un file Vcodec...precisamente allocato in c:\windows\system32\ncompat.tlb
apparentemente spyboot mi corregge il problema...ma dopo il riavvio mi si ripresenta il tutto, ho anche provato a rimuovere manualmente il file...ma sempre lo stesso problema.Ho provato anche a fare il tutto in modalità provvisoria...ma niente...io non so più cosa fare!!!!
c'è qualcuno che può aiutarmi?
rnando
Newbie
 
Post: 6
Iscritto il: 27/12/05 03:26

Sponsor
 

Postdi Luke57 » 27/12/05 08:38

Ciao Rnando, scarica hijackthis, non va installato, è un file zip, lo scompatti e metti l'eseguibile in una cartella del disco fisso (nè temporanea nè desktop), apri l'eseguibile, premi "do a system scan and save a log file", aspetti l'elaborazione, si apre un file di testo, copi il contenuto e lo incolli in un post. Comunque, qui trovi tutte le istruzioni e il link per scaricare il programma:
http://www.pc-facile.com/guida_hijackthis_t148946/
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi rnando » 27/12/05 09:15

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Roper\Connect Bluetooth USB Tiny Adapter\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\Programmi\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Creative\MediaSource\Detector\CTDetect.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\Roper\Connect Bluetooth USB Tiny Adapter\BTTray.exe
C:\Programmi\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\A\Desktop\HijackThis.exe
rnando
Newbie
 
Post: 6
Iscritto il: 27/12/05 03:26

Postdi Luke57 » 27/12/05 10:16

Ciao, il log è incompleto, non l'hai attaccato tutto. Per valutarlo è indispensabile avederlo nella sua interezza :)
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi rnando » 27/12/05 12:00

Logfile of HijackThis v1.99.1
Scan saved at 9.10.05, on 27/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Roper\Connect Bluetooth USB Tiny Adapter\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\Programmi\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Creative\MediaSource\Detector\CTDetect.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\Roper\Connect Bluetooth USB Tiny Adapter\BTTray.exe
C:\Programmi\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\A\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Programmi\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\Roper\Connect Bluetooth USB Tiny Adapter\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\Roper\Connect Bluetooth USB Tiny Adapter\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
rnando
Newbie
 
Post: 6
Iscritto il: 27/12/05 03:26

Postdi Luke57 » 27/12/05 13:42

Ciao, devi eliminare C/windows/system32/mssearchnet.exe. Metti l’eseguibile di hijackthis in una cartella del disco fisso, nè temporanea nè desktop, in modo da poter fare il backup in caso di errori. Apri hijackthis , in modalità normale, clicca su "Open the misc tool section" clicca su "open process manager"
seleziona il processo suddetto e clicca su "Kill process"
Poi premi back, “scan”, metti il segno di spunta alle seguenti voci:
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) – è un file inutile –
Riavvia in modalità provvisoria , cerca con esplora risorse , dopo aver reso visibili file e cartelle con stumenti>opzioni cartella>visualizzazione, metti il segno di spunta a “visualizza cartelle e file nascosti”, il file C/windows/system32/mssearchnet.exe e lo elimini.
In caso di difficoltà nell’eliminazione usa hijack this, cioè :
Cancella i file temporanei di windows (tmp e temp), quelli di IE, cookies, svuota cestino.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi rnando » 27/12/05 14:19

Grandeeeeeee...problema risolto :D :D
Dott Luke57.....sei da nobel ;)
Ti Auguro Un buon Anno...e auguro un buon Anno anche a tutti gli utenti Pc-facile
Ciaooooooo
rnando
Newbie
 
Post: 6
Iscritto il: 27/12/05 03:26

Postdi bamyan » 29/12/05 00:43

ciao a tutti
posto qui perchè ho lo stesso problema del vcodec che ricompare sempre oltre ai continui popups.
spero possiate aiutarmi ecco il log di hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 0.39.04, on 29/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\windows\system\hpsysdrv.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\File comuni\InterVideo\SchSvr\SchSvr.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Proprietario\Documenti\HijackThis.exe
C:\Programmi\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-it9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-it9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daoc.goa.com/it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-it9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-it9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-it9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mysoftwarechoice.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {D9A2E129-68D7-523C-C215-F0921CAD0362} - media64.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Vista HP - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Programmi\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmi\File comuni\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\Proprietario\Dati applicazioni\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [new32] driver64.exe
O4 - HKLM\..\Run: [ATLIEHELPER] FLKPT.exe
O4 - HKLM\..\Run: [dmoll.exe] C:\WINDOWS\system32\dmoll.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Programmi\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [BoundRec] prgsys0984.exe
O4 - HKCU\..\Run: [sbin] JAguAr.exe
O4 - HKCU\..\Run: [sysconf16] clamav.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Programmi\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Programmi\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.redfunny.com
O15 - Trusted Zone: http://www.skymasters.biz
O15 - Trusted Zone: http://www.xbeta69.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5086311906
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14166E72-1FD6-440D-8083-0DB8A9209FA0}: NameServer = 85.255.115.61,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5B1FACD-3C1E-429D-8BDA-8445E6B3AC60}: NameServer = 85.255.115.61,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F30705-2928-4FB2-ACE0-D22AC92635FC}: NameServer = 85.255.115.61,85.255.112.6
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

grazie

Luca
bamyan
Utente Junior
 
Post: 16
Iscritto il: 29/12/05 00:37

Postdi Luke57 » 29/12/05 09:35

Scarica KillSgunt da qui:
http://www.francydelorenzi.it/component ... ecatid,105
Scarica CCleaner da qui: http://www.filehippo.com/download_ccleaner/
Scarica questo tool
scarica CwShredder da qui: http://www.ilsoftware.it/querydl.asp?ID=750
Avvia KillSgrunt. Esegui CwShredder, lanciandolo e premendo fix.
Con il task manager termina, se ci sono, questi processi:
FVProtect.exe
ALCXMNTR.EXE
Fai girare hijackthis, premi “do a system scan only”, cerca e metti il segno di spunta alle seguenti voci:
C:\WINDOWS\ALCXMNTR.EXE
R3 - URLSearchHook: (no name) - {D9A2E129-68D7-523C-C215-F0921CAD0362} - media64.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Vista HP - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
C:\Documents and Settings\Proprietario\Dati applicazioni\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\Proprietario\Dati applicazioni\sgrunt\IE4321.exe
O4 - HKCU\..\Run: [sbin] JAguAr.exe
O4 - HKCU\..\Run: [sysconf16] clamav.exe
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Programmi\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Programmi\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.redfunny.com
O15 - Trusted Zone: http://www.skymasters.biz
Tutte le voci 017
premi fix checked
Avvia in modalità provvisoria, rendi visibili file e cartelle da esplora risorse cliccando strumenti>opzionicartella>visualizzazione, metti il segno di spunta a “visualizza file e cartelle nascoste”
Esegui il tool di rimozione.
Cerca con esplora risorse, se ci sono, i seguenti file ed eliminali:
C:\Documents and Settings\Proprietario\Dati applicazioni\sgrunt\IE4321.exe ( tutta la cartella Sgrunt)
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll.
Con Ccleaner elimini file temporanei di windows, di IE, cookies, cartella prefetch, cestino. Fai una scansione con antivirus aggiornato, una scansione on line con Kaspersky http://www.kaspersky.com/scanforvirus e posta nuovo log di hijackthis. Sicuramente mi è sfuggito qualcosa.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi bamyan » 29/12/05 10:32

wow! sapevo che mi avresti risposto ma non pensavo così in fretta...
grazie mille per ora.
mi metto a scaricare e fare il tutto poi riposto il log... a dopooo :P
bamyan
Utente Junior
 
Post: 16
Iscritto il: 29/12/05 00:37

Postdi bamyan » 29/12/05 14:53

fatto tutto ma il problema persiste.. forse ho sbagliato qualcosa ma alcune voci che mi hai detto di spuntare non erano + presenti dopo i primi step
cmq ecco il log di hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 14.48.17, on 29/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\windows\system\hpsysdrv.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\File comuni\InterVideo\SchSvr\SchSvr.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Proprietario\Documenti\LUCA\DC++\pc facile\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-it9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-it9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daoc.goa.com/it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-it9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-it9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-it9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mysoftwarechoice.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Programmi\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmi\File comuni\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [new32] driver64.exe
O4 - HKLM\..\Run: [ATLIEHELPER] FLKPT.exe
O4 - HKLM\..\Run: [dmkue.exe] C:\WINDOWS\system32\dmkue.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Programmi\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [BoundRec] prgsys0984.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5086311906
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

e il log di kaspersky spero possa essere utile anche questo che mi ha notificato diversi virus ma direi molti dalla quarantena di norton.
grazie ancora.. comincio a preoccuparmi :neutral:
bamyan
Utente Junior
 
Post: 16
Iscritto il: 29/12/05 00:37

Postdi bamyan » 29/12/05 14:56

dimenticato kaspersky^^

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 29, 2005 14:45:30
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/12/2005
Kaspersky Anti-Virus database records: 157943
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 132307
Number of viruses found: 22
Number of infected objects: 73
Number of suspicious objects: 1
Duration of the scan process: 5055 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Proprietario\.jpi_cache\jar\1.0\java.jar-8fba448-7c66744e.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Documents and Settings\Proprietario\.jpi_cache\jar\1.0\java.jar-8fba448-7c66744e.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Documents and Settings\Proprietario\.jpi_cache\jar\1.0\java.jar-8fba448-7c66744e.zip Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\Identities\{C907BF69-2465-4A33-B0D5-E4314455941C}\Microsoft\Outlook Express\Posta in arrivo.dbx/[From "Assistenza" <assistenza@ibs.it>][Date Fri, 29 Oct 2004 12:16:04 +0100]/UNNAMED/Price.cpl Infected: Email-Worm.Win32.Bagle.at
C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\Identities\{C907BF69-2465-4A33-B0D5-E4314455941C}\Microsoft\Outlook Express\Posta in arrivo.dbx/[From "Assistenza" <assistenza@ibs.it>][Date Fri, 29 Oct 2004 12:16:04 +0100]/UNNAMED Infected: Email-Worm.Win32.Bagle.at
C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\Identities\{C907BF69-2465-4A33-B0D5-E4314455941C}\Microsoft\Outlook Express\Posta in arrivo.dbx/[From "Assistenza" <assistenza@ibs.it>][Date Tue, 02 Nov 2004 08:08:08 +0100]/UNNAMED/price.exe Infected: Email-Worm.Win32.Bagle.at
C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\Identities\{C907BF69-2465-4A33-B0D5-E4314455941C}\Microsoft\Outlook Express\Posta in arrivo.dbx/[From "Assistenza" <assistenza@ibs.it>][Date Tue, 02 Nov 2004 08:08:08 +0100]/UNNAMED Infected: Email-Worm.Win32.Bagle.at
C:\Documents and Settings\Proprietario\Impostazioni locali\Dati applicazioni\Identities\{C907BF69-2465-4A33-B0D5-E4314455941C}\Microsoft\Outlook Express\Posta in arrivo.dbx Infected: Email-Worm.Win32.Bagle.at
C:\Programmi\Norton AntiVirus\Quarantine\00106362.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Programmi\Norton AntiVirus\Quarantine\00106362.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Programmi\Norton AntiVirus\Quarantine\00106362.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Programmi\Norton AntiVirus\Quarantine\00106362.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Programmi\Norton AntiVirus\Quarantine\00106362.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Programmi\Norton AntiVirus\Quarantine\075C2379.tmp Infected: Trojan.Java.ClassLoader.ak
C:\Programmi\Norton AntiVirus\Quarantine\13FF0847.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Programmi\Norton AntiVirus\Quarantine\13FF0847.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Programmi\Norton AntiVirus\Quarantine\13FF0847.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Programmi\Norton AntiVirus\Quarantine\13FF0847.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Programmi\Norton AntiVirus\Quarantine\13FF0847.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Programmi\Norton AntiVirus\Quarantine\19541732.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\19721111.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\198C60F5.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\1F44715A.tmp Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Programmi\Norton AntiVirus\Quarantine\29B95728.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29BC0124.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29C3551D.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29C67F1A.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29CC5312.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29D07D0F.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29D3270B.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29D97B04.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29DD2501.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29E04EFD.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\29E622F6.exe Infected: Trojan.Win32.Dialer.hh
C:\Programmi\Norton AntiVirus\Quarantine\3A6710AA.tmp Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Programmi\Norton AntiVirus\Quarantine\4C094CB1.tmp Infected: Trojan.Java.ClassLoader.ak
C:\Programmi\Norton AntiVirus\Quarantine\50191218.htm Suspicious: Exploit.HTML.Mht
C:\Programmi\Norton AntiVirus\Quarantine\504333E9.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Programmi\Norton AntiVirus\Quarantine\504333E9.zip/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Programmi\Norton AntiVirus\Quarantine\504333E9.zip/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Programmi\Norton AntiVirus\Quarantine\504333E9.zip Infected: Trojan.Java.ClassLoader.d
C:\Programmi\Norton AntiVirus\Quarantine\51AF0A12.tmp Infected: Trojan.Java.ClassLoader.ak
C:\Programmi\Norton AntiVirus\Quarantine\60636CC5.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Programmi\Norton AntiVirus\Quarantine\60636CC5.tmp Infected: Email-Worm.Win32.NetSky.q
C:\Programmi\Norton AntiVirus\Quarantine\6094101E.htm Infected: Exploit.VBS.Phel.a
C:\Programmi\Norton AntiVirus\Quarantine\640639D8.htm Infected: Exploit.HTML.Mht
C:\Programmi\Norton AntiVirus\Quarantine\640D0DD1.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Programmi\Norton AntiVirus\Quarantine\640D0DD1.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Programmi\Norton AntiVirus\Quarantine\640D0DD1.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Programmi\Norton AntiVirus\Quarantine\640D0DD1.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Programmi\Norton AntiVirus\Quarantine\640D0DD1.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Programmi\Norton AntiVirus\Quarantine\65AF0C05.htm Infected: Exploit.HTML.Mht
C:\Programmi\Norton AntiVirus\Quarantine\693E4E1A.htm Infected: Exploit.HTML.Mht
C:\Programmi\Norton AntiVirus\Quarantine\69452213.htm Infected: Exploit.VBS.Phel.a
C:\Programmi\Norton AntiVirus\Quarantine\69524A04.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Programmi\Norton AntiVirus\Quarantine\69524A04.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Programmi\Norton AntiVirus\Quarantine\69524A04.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Programmi\Norton AntiVirus\Quarantine\69524A04.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Programmi\Norton AntiVirus\Quarantine\69524A04.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Programmi\Norton AntiVirus\Quarantine\6BE556C6.tmp Infected: Trojan.Java.ClassLoader.ak
C:\Programmi\Norton AntiVirus\Quarantine\73F71E46.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\Programmi\Norton AntiVirus\Quarantine\746307D0.exe Infected: Backdoor.Win32.Agent.rw
C:\Programmi\Norton AntiVirus\Quarantine\77637D94.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Programmi\Norton AntiVirus\Quarantine\77637D94.tmp Infected: Email-Worm.Win32.NetSky.q
C:\System Volume Information\_restore{095CEB95-91F3-4601-85D2-FAC038518042}\RP331\A0045789.exe Infected: Trojan-Downloader.Win32.Small.cby
C:\System Volume Information\_restore{095CEB95-91F3-4601-85D2-FAC038518042}\RP331\A0045790.exe Infected: Trojan-Downloader.Win32.Small.cby
C:\System Volume Information\_restore{095CEB95-91F3-4601-85D2-FAC038518042}\RP339\A0046526.exe Infected: Trojan-Downloader.Win32.Zlob.bn
C:\WINDOWS\Downloaded Program Files\adulto_ax.exe Infected: Trojan.Win32.Dialer.hh
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\new.exe Infected: Trojan.Win32.Dialer.hh
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\new.exe Infected: Trojan.Win32.Dialer.hh
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\new.exe Infected: Trojan.Win32.Dialer.hh
C:\WINDOWS\Downloaded Program Files\webdesk2.exe Infected: Trojan.Win32.Dialer.hz
C:\WINDOWS\system32\ld7908.tmp Infected: Trojan-Downloader.Win32.Zlob.dk
C:\WINDOWS\system32\mscornet.exe Infected: Trojan-Downloader.Win32.Zlob.dm

Scan process completed.

ciao ciao
bamyan
Utente Junior
 
Post: 16
Iscritto il: 29/12/05 00:37

Postdi Luke57 » 29/12/05 15:46

Ciao di nuovo, fai girare hijackthis, premi "config", "misctools", "open process manager", cerca il processo
C:\WINDOWS\system32\mssearchnet
premi "kill process"
con "back" torni indietro , poi "scan", cerchi e spunti le seguenti voci:
C:\WINDOWS\system32\mssearchnet
O4 - HKLM\..\Run: [new32] driver64.exe
O4 - HKLM\..\Run: [ATLIEHELPER] FLKPT.exe
O4 - HKCU\..\Run: [BoundRec] prgsys0984.exe
premi "fix checked".
Dalla modalità provvisoria, cerca ed elimina il file
C:\WINDOWS\system32\mssearchnet
Pulitona con CCleaner, posta nuovo log.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi bamyan » 29/12/05 16:13

fatto ecco il log:

Logfile of HijackThis v1.99.1
Scan saved at 16.11.03, on 29/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe
C:\Programmi\File comuni\InterVideo\SchSvr\SchSvr.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Proprietario\Documenti\LUCA\DC++\pc facile\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-it9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-it9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daoc.goa.com/it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-it9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-it9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-it9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mysoftwarechoice.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Programmi\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Programmi\File comuni\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dmetp.exe] C:\WINDOWS\system32\dmetp.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Programmi\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5086311906
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

ne ho fatto uno anche mentre ero in modalità provvisoria ma non so se serve..
per ora nessun avviso o popups.
sto facendo girare in questo momento spybot, se non trova niente posso ritenermi pulito? :undecided:
bamyan
Utente Junior
 
Post: 16
Iscritto il: 29/12/05 00:37

Postdi Luke57 » 29/12/05 16:39

Ciao, a parte questo
O4 - HKLM\..\Run: [dmetp.exe] C:\WINDOWS\system32\dmetp.exe
che anche su Google non ho trovato niente, sembra a posto. Se non lo conosci, fissalo con hijackthis, poi cerchi anche il file C:\WINDOWS\system32\dmetp.exe e lo elimini.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi bamyan » 29/12/05 16:40

spybot ha trovato vcodec e un altro file di cui non ricordo il nome :oops:
solita trafila che uno lo ha corretto e il vcodec al riavvio.
per ora nessun messagio o popup... spero bene :D

comunque luke ti ringraziotantissimo per la tua disponibilità e gentilezza

ciao

Luca
bamyan
Utente Junior
 
Post: 16
Iscritto il: 29/12/05 00:37

Postdi Luke57 » 29/12/05 16:41

Di niente, figurati ;) abbiamo quasi scritto in contemporanea.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi bamyan » 29/12/05 16:42

ecco.. arrivato il casinò online :evil:

avevo notato anche io quel file facendo esaminare il log dal tool di pc facile

ora provo
bamyan
Utente Junior
 
Post: 16
Iscritto il: 29/12/05 00:37

Postdi Luke57 » 29/12/05 17:20

Fai analizzare il file qui:
http://www.virustotal.com/flash/index_en.html
sarà esaminato da più antivirus
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi bamyan » 29/12/05 17:30

ok pare tutto a posto anche dall'analisi del tuo ultimo link

prima dmetp.exe era sparito e al suo posto c'era dmebw.exe
ho fixato ed eliminato quello, di nuovo mssearchnet.exe.
ora sembra tutto a posto.

grazie ancora davvero
ciao e buone feste :D

Luca
bamyan
Utente Junior
 
Post: 16
Iscritto il: 29/12/05 00:37

Prossimo

Torna a Sicurezza e Privacy


Topic correlati a "vcodec...trojan":

trojan win32/sirefef
Autore: marzianu
Forum: Sicurezza e Privacy
Risposte: 27

Chi c’è in linea

Visitano il forum: Nessuno e 38 ospiti

cron