zerotre
21-09-2006, 10:21
Salve a tutti,
da ieri ho un problema il nod mi rileva dei file infetti con una variante di Win32/medbot.bd, quindi cancella il file, la cosa prosegue per vai minuti poi smette, solo se sono connesso ad internet, ho provato a fare varie scansioni ma nulla, anche il file di hijackthis mi lascia perplesso:
Logfile of HijackThis v1.99.1
Scan saved at 11.13.51, on 21/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\programmi\antivirus\ewido anti-spyware 4.0\guard.exe
D:\programmi\antivirus\nod32\nod32krn.exe
D:\programmi\varie\norton ghost\Agent\PQV2iSvc.exe
C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\svchost.exe
D:\programmi\antivirus\nod32\nod32kui.exe
D:\programmi\varie\VNC4\WinVNC4.exe
D:\programmi\driver\logitech\MouseWare\system\em_exec.exe
D:\programmi\antivirus\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Administrator\Desktop\rmclock_21_bin_fix\RMClock.exe
C:\WINDOWS\System32\svchost.exe
E:\emule2\emule.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\internet\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [nod32kui] "D:\programmi\antivirus\nod32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\programmi\varie\norton ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [!ewido] "D:\programmi\antivirus\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [RMClock] "C:\Documents and Settings\Administrator\Desktop\rmclock_21_bin_fix\RMClock.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con FlashGet - D:\programmi\internet\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - D:\programmi\internet\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\internet\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\internet\FlashGet\flashget.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42B2CFC3-2A72-4A86-9B67-8DA19AE0A841}: NameServer = 193.12.150.2 212.247.152.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{78982D01-D02F-4628-A270-4054F2E0E5C7}: NameServer = 130.244.127.161,130.244.127.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D71AB1C-EB15-4C93-B76D-8ACFDC94E7CF}: NameServer = 130.244.127.161,130.244.127.169
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\programmi\antivirus\ewido anti-spyware 4.0\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\programmi\antivirus\nod32\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - D:\programmi\varie\norton ghost\Agent\PQV2iSvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\programmi\varie\VNC4\WinVNC4.exe" -service (file missing)
giusto quegli indirizzi ip, il primo si riferisce a tele2 e penso sia sospetto, mentre gli altri due sono sempre di teledue ma sono i dns che ho impostato io.
Qualcuno mi puo' dare un consiglio? Grazie.
Ciao.
Zerotre.
da ieri ho un problema il nod mi rileva dei file infetti con una variante di Win32/medbot.bd, quindi cancella il file, la cosa prosegue per vai minuti poi smette, solo se sono connesso ad internet, ho provato a fare varie scansioni ma nulla, anche il file di hijackthis mi lascia perplesso:
Logfile of HijackThis v1.99.1
Scan saved at 11.13.51, on 21/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\programmi\antivirus\ewido anti-spyware 4.0\guard.exe
D:\programmi\antivirus\nod32\nod32krn.exe
D:\programmi\varie\norton ghost\Agent\PQV2iSvc.exe
C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\svchost.exe
D:\programmi\antivirus\nod32\nod32kui.exe
D:\programmi\varie\VNC4\WinVNC4.exe
D:\programmi\driver\logitech\MouseWare\system\em_exec.exe
D:\programmi\antivirus\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Administrator\Desktop\rmclock_21_bin_fix\RMClock.exe
C:\WINDOWS\System32\svchost.exe
E:\emule2\emule.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\internet\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [nod32kui] "D:\programmi\antivirus\nod32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\programmi\varie\norton ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [!ewido] "D:\programmi\antivirus\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [RMClock] "C:\Documents and Settings\Administrator\Desktop\rmclock_21_bin_fix\RMClock.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con FlashGet - D:\programmi\internet\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - D:\programmi\internet\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\internet\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\internet\FlashGet\flashget.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42B2CFC3-2A72-4A86-9B67-8DA19AE0A841}: NameServer = 193.12.150.2 212.247.152.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{78982D01-D02F-4628-A270-4054F2E0E5C7}: NameServer = 130.244.127.161,130.244.127.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D71AB1C-EB15-4C93-B76D-8ACFDC94E7CF}: NameServer = 130.244.127.161,130.244.127.169
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\programmi\antivirus\ewido anti-spyware 4.0\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\programmi\antivirus\nod32\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - D:\programmi\varie\norton ghost\Agent\PQV2iSvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\programmi\varie\VNC4\WinVNC4.exe" -service (file missing)
giusto quegli indirizzi ip, il primo si riferisce a tele2 e penso sia sospetto, mentre gli altri due sono sempre di teledue ma sono i dns che ho impostato io.
Qualcuno mi puo' dare un consiglio? Grazie.
Ciao.
Zerotre.