Madoka75
15-02-2005, 12:32
Hi,
My operating system is Windows XP, Service Pack 2; Firewall: Sygate Personal Firewall Pro 5.5; Antivirus: NOD32.
The problem is that I can't get rid of these trojan horses.
These are the names and where they are located:
C:\WINDOWS\system32\BysTJIKQ.dll - Win32/Dialer.CO
C:\WINDOWS\system32\DjeiBmA.dll - Win32/Dialer.CO
C:\WINDOWS\system32\dSeYuljdR.dll - Win32/Dialer.CO
C:\WINDOWS\system32\Ey00IjWi.dll - Win32/Dialer.CO
C:\WINDOWS\system32\MDdEOfQNSTg.dll - Win32/Dialer.CO
C:\WINDOWS\system32\mvdjjsTwb.dll - Win32/Dialer.CO
C:\WINDOWS\system32\oBLwrbSr.dll - Win32/Dialer.CO
C:\WINDOWS\system32\uwukoDyrlgV.dll/ - Win32/Dialer.CO
C:\WINDOWS\system32\WxJXBrpkr.dll - Win32/Dialer.CO
After the scan, NOD32 showed them and deleted them, but after a few days they reappeared; I think the initial letters change.
Sometimes only one of these kinds of files appears when I turn on the PC, specifically when I connect.
And again the antivirus detects them and says it has deleted them, but how come they reappear?
I ran a scan with the HijackThis program.
Here is the log:
Logfile of HijackThis v1.99.0
Scan saved at 12.17.54, on 15/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
G:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\downlo~1\73h2f\njhd83da.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\Programmi\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tele2.it/redirect/startpage/dial_up/ita/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tele2.it/redirect/startpage/dial_up/ita/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - TELE2Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Programmi\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SmcService] G:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialers.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Alice - {169AB6C2-C7C3-4B94-B3F1-B24F41D02E63} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.it/redirect/startpage/dial_up/ita/
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096491496984
O23 - Service: Servizio iPod - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Unknown - C:\Programmi\Power Translator\LogoMedia TranslateDotNet Server.exe (file missing)
O23 - Service: NOD32 Kernel Service - Unknown - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - G:\Programmi\Sygate\SPF\smc.exe
What should I do?