View Full Version : infested
can someone tell me what all this junk is?
help plz :cry:
post the HijackThis log ;)
anyway you have at least one trojan: the last entry in the attachment is W32/Rbot-AER
here's the HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 10.24.32, on 12/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\cfmon.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\wvsvc.exe
C:\WINDOWS\System32\MSASP32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\MSASP32.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\programmi\180searchassistant\salmhook.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [afsjaj] C:\WINDOWS\afsjaj.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\cfmon.exe
halduemilauno
12-06-2005, 09:39
C:\WINDOWS\System32\wvsvc.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M.../bridge-c18.cab
throw them out.
;)
other stuff keeps popping up... if I were to format, what should I do to avoid picking them up again?
other stuff keeps popping up... if I were to format, what should I do to avoid picking up these trojans again?
:(
Jaguar64bit
12-06-2005, 12:00
The only real cure is to install the Kaspersky 5 Personal antivirus. www.kaspersky.com
then install Ad-Aware 1.06
SpywareBlaster
Spybot 1.4
Ewido 3.0.
update them and go scanning.
For the antivirus, download the Kaspersky trial and run a scan, then Ad-Aware, Spybot, Microsoft AntiSpyware (ex Giant) and a good firewall, and you're safe ;)
I don't know what state your PC is in now, but going by your initial log you would need to proceed as follows:
stop the service: hwclock.exe
delete the lines
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\programmi\180searchassistant\salmhook.dll
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\Run: [afsjaj] C:\WINDOWS\afsjaj.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M.../bridge-c18.cab
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
disable System Restore
Reboot into Safe Mode and delete the following files:
wvsvc.exe
MSASP32.exe
C:\WINDOWS\System32\hwclock.exe
and the following directory:
c:\programmi\180searchassistant
relaunch HijackThis and check that all the entries listed above have been removed; otherwise remove them
reboot in normal mode
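The triage the helpers do by hand in this thread (single out the entries under the legacy RunServices key, the executables registered under several autorun keys at once, the services with no publisher, the ActiveX CAB from a look-alike domain, the changed protocol zone) can be scripted. The block below is an added example, not code from the thread or from HijackThis itself: every rule, the trusted-domain list and the "Windows root" heuristic are assumptions made for the illustration, and SAMPLE_LOG is a constructed subset of the log posted above. It does not do reputation lookups, so an adware BHO like the 180searchassistant one still needs a manual check.

```python
"""Triage a HijackThis v1.99 log and flag the entries worth a second look.

Added example: this is not code from the thread, nor part of HijackThis.
Every rule and the trusted-domain list are assumptions made for the
illustration; SAMPLE_LOG is a constructed subset of the log posted above.
"""
import ntpath
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\programmi\180searchassistant\salmhook.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [afsjaj] C:\WINDOWS\afsjaj.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\cfmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[^}]*\}(?: \([^)]*\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^Service: (?P<display>.*) \((?P<short>[^()]*)\) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumption: CAB downloads from these domains are treated as expected.
TRUSTED_CAB_DOMAINS = ("microsoft.com", "msn.com", "windowsupdate.com")
# Assumption: programs launched straight from the Windows directory root are unusual.
WINDOWS_ROOTS = (r"c:\windows", r"c:\winnt")


def first_token(cmd):
    """The program part of an autorun command line, quoted or bare."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return m.group(1) or m.group(2)


def parse_entries(log_text):
    """Yield (code, body, line) for every R*/O* entry in the log."""
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def triage(log_text):
    """Return a list of (entry line, reason) pairs for entries that match a rule."""
    findings = []
    # Pass 1: under how many distinct autorun keys is each executable registered?
    autorun_keys = defaultdict(set)
    for code, body, _ in parse_entries(log_text):
        m = O4_RE.match(body) if code == "O4" else None
        if m:
            exe = ntpath.basename(first_token(m.group("cmd"))).lower()
            autorun_keys[exe].add((m.group("hive"), m.group("key")))
    # Pass 2: the rules themselves.
    for code, body, line in parse_entries(log_text):
        if code == "R3" and body.endswith("(no file)"):
            findings.append((line, "URLSearchHook that points at a missing file"))
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            program = first_token(m.group("cmd"))
            exe = ntpath.basename(program).lower()
            if m.group("key") == "RunServices":
                findings.append((line, "legacy RunServices key, rarely used by current software"))
            if len(autorun_keys[exe]) >= 3:
                findings.append((line, f"{exe} is registered under {len(autorun_keys[exe])} autorun keys"))
            if ntpath.dirname(program).lower().rstrip("\\") in WINDOWS_ROOTS:
                findings.append((line, "program runs from the Windows directory root"))
        elif code == "O15":
            findings.append((line, "IE protocol zone default changed"))
        elif code == "O16":
            m = O16_RE.match(body)
            host = urlparse(m.group("url")).hostname if m else None
            if host and not any(host == d or host.endswith("." + d) for d in TRUSTED_CAB_DOMAINS):
                findings.append((line, f"ActiveX CAB downloaded from untrusted host {host}"))
        elif code == "O23":
            m = O23_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                findings.append((line, f"service '{m.group('short')}' has no publisher information"))
    return findings


def flagged_lines(log_text):
    """Set of distinct entry lines that triggered at least one rule."""
    return {line for line, _ in triage(log_text)}


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample, the script flags exactly the lines the helper listed for removal (plus the cfmon.exe service, which has no publisher either) and leaves GSICON.EXE, the NVIDIA entries and the MSN Messenger CAB alone; the "registered under 3 autorun keys" rule is what makes wvsvc.exe and MSASP32.exe stand out even in the HKLM\Run key, where legitimate programs also live.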
I would add:
then post the log again :D
I have another problem: when I open Task Manager, and HijackThis too, they close automatically
:eek:
edit: among the processes there's a windll32 :confused:
search for the file windll32.exe and delete it, then try to reopen Task Manager; if the process is still there, terminate it, then reboot, try again to open Task Manager and HijackThis, and post the log
the problem is it won't let me delete it because it's in use :(
damn!!!!!!!!!!!!!!!!
then download Killbox, reboot into Safe Mode, enter the full path of the file in Killbox and delete it, then redo what I told you
would a format and installing Service Pack 1 and 2 let me avoid picking up all this crap again? :(
and anyway, would this windll32.exe be what's causing all these problems? :(
would a format and installing Service Pack 1 and 2 let me avoid picking up all this crap again? :(
Maybe, but it's not certain anyway
and anyway, would this windll32.exe be what's causing all these problems? :(
it's likely; anyway, did you manage to delete it? and if you managed to open it, post the HijackThis log
if not, give me the list of all the processes running in Task Manager, if you at least managed to open that
here's the log of the scan I just did
Logfile of HijackThis v1.99.1
Scan saved at 16.59.40, on 13/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rpcclient.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe
deleted windll32.exe in Safe Mode
You're not done yet
Fix this line:
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
and do you know this one?
rpcclient.exe
rpcclient.exe: I tried deleting it even in Safe Mode... nothing
it reappears automatically
how did you try to delete it, manually? did you terminate it from Task Manager? before rebooting into Safe Mode, did you disable System Restore?
PS: so you don't know rpcclient.exe then?
no, unfortunately I don't know rpcclient... anyway it's also in the Windows services under Administrative Tools...
by System Restore do you mean deleting the System Restore service?
yes, but you don't have to delete it, only disable it from My Computer --> Properties
I checked, I had already disabled it
The hunt is getting interesting :)
For rpcclient.exe (there is no entry on Google and, by definition, it's malware), in the services manager stop the service and then disable it.
then fix the line:
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe
Absolutely install Service Pack 2
I'm glad to see the situation is interesting :D
anyway the problem is that it can't be disabled from the services :(
and now another one pops up
Logfile of HijackThis v1.99.1
Scan saved at 20.01.38, on 13/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rpcclient.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\KYSVCXD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe
KYSVCXD.exe :confused: :confused: :confused: :confused:
it looks like a never-ending fight.
You absolutely must install SP2.
It looks like an attack from outside that creates an rpcclient.exe process which then generates different files each time.
Try Start > Run > services.msc, look for the "Remote Procedure Call (RPC) Client" service (not "Remote Procedure Call (RPC)") or something similar that launches the program in question. Right-click and Stop.
Then right-click, Properties, and choose Disabled as the Startup type.
Reboot into Safe Mode and fix the lines:
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe
Fix these:
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe
Then, still from Safe Mode, try again to delete the files of both rpcclient.exe and KYSVCXD.EXE with Killbox, reboot in normal mode, terminate the processes from Task Manager
stopped and disabled the rpc service
deleted KYSVCXD.EXE
but rpc won't go away from HijackThis :mc:
edit: Find Files and Folders says rpcclient.exe doesn't exist :eek:
stopped and disabled the rpc service ...
but rpc won't go away from HijackThis :mc:
edit: Find Files and Folders says rpcclient.exe doesn't exist :eek:
so you terminated it from Task Manager but can't remove the line I pointed out from HijackThis (not even from Safe Mode?)
deleted KYSVCXD.EXE
and terminated from Task Manager too?
PS: skunworks knows a useful program for deleting files, I'll let him know now
well, as for KYSVCXD.EXE: terminated and deleted... and so far it doesn't seem to reappear anymore :D
EDIT: don't ask me why, but this morning the rpc service could be disabled :eek:
Logfile of HijackThis v1.99.1
Scan saved at 12.12.31, on 14/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe
in HijackThis it still won't go away :mbe:
but if you try to fix it, what happens? does it do that from Safe Mode too?
it fixes it, but at the next scan it finds it again...
anyway
C:\WINDOWS\system32\logonui.exe ??
it fixes it, but at the next scan it finds it again...
try fixing it from Safe Mode
C:\WINDOWS\system32\logonui.exe ??
I don't know what it is, but at least the analyzer says it's safe
anyway, whatever happens, thank you all for the time you've devoted to me to solve these problems ;)
you're welcome :D
I do have the Windows firewall (without SP1 and SP2) enabled though.... is it any use, or is it the same if I disable it?
first of all install both SP1 and SP2, especially SP2; the Windows firewall is an extra layer of protection anyway, but without SP1 and 2 it's not much use
From HijackThis it doesn't look like you have installed an antivirus, a firewall or an anti-spyware :(
Am I wrong?
in any case, how's the disinfection going?
I have Ad-Aware and the Windows firewall enabled, antivirus nothing... I ran the scan and then removed it
:doh: :doh: :doh: damn, it's true, I hadn't noticed; install a firewall right away (I recommend Kerio) and an AV (paid: Kaspersky; free: Antivir); after installing them, update them, run a scan with the AV from Safe Mode, then download Ewido, a-squared, Ad-Aware and Spybot S&D and run a scan with them.
PS: why didn't you tell me right away that you had no protection? :doh: :doh: :doh:
tutmosi3
14-06-2005, 15:08
In the middle of all this mess, I still haven't understood which antivirus, firewall and anti-spyware you had.
Bye
as far as I understand, he uses the XP one as firewall, he installed an AV, ran the scan and uninstalled it, and as anti-spyware he had Ad-Aware :D
Ad-Aware as anti-spyware, Windows firewall, just ran a scan with Kaspersky... :( it finds rpcclient.exe as a trojan.... the problem is that it can't be deleted because access is denied :eek: :eek:
even in Safe Mode?
this is the Kaspersky scan report
Statistics:
Start time: 14/06/2005 16.11.17
Completion time: 14/06/2005 16.18.33
Objects scanned: 37634
Dangerous objects detected: 27
Viruses disinfected: 0
Objects deleted: 12
Objects quarantined: 0
Settings:
Objects to scan:
My Computer
If a dangerous object is detected:
Prompt user for action once the scan is completed
Scan level:
Recommended
Exclusions from the scan scope:
Option not used
Report:
C:\WINDOWS\System32\rpcclient.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.11.22
rpcclient.exe\rpcclient.exe object could not be disinfected, disinfection postponed 14/06/2005 16.11.22
C:\WINDOWS\System32\rpcclient.exe object could not be disinfected, disinfection postponed 14/06/2005 16.11.27
C:\WINDOWS\SYSTEM32\RPCCLIENT.EXE is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.11.31
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcClient [ImagePath=C:\WINDOWS\System32\rpcclient.exe] is infected with a virus Service: startUp link to C:\WINDOWS\SYSTEM32\RPCCLIENT.EXE object with "Infected" verdict 14/06/2005 16.11.31
C:\WINDOWS\SYSTEM32\RPCCLIENT.EXE object could not be disinfected, disinfection postponed 14/06/2005 16.11.31
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcClient [ImagePath=C:\WINDOWS\System32\rpcclient.exe] object could not be disinfected 14/06/2005 16.11.31
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\Ad-Aware SE Default.skn password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\arrow1.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\arrow2.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bck1.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt11.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt12.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt13.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt21.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt22.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt23.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt31.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt32.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt33.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt41.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt42.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt43.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt51.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt52.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt53.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Program Files\Internet Optimizer\optimize.exe is a Trojan Trojan-Downloader.Win32.Dyfuca.ei 14/06/2005 16.12.55
C:\Program Files\Internet Optimizer\optimize.exe object could not be disinfected, disinfection postponed 14/06/2005 16.12.55
C:\WINDOWS\system32\aimsg.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.15.54
C:\WINDOWS\system32\aimsg.exe object could not be disinfected, disinfection postponed 14/06/2005 16.15.54
C:\WINDOWS\system32\cfmon.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.15.56
C:\WINDOWS\system32\cfmon.exe object could not be disinfected, disinfection postponed 14/06/2005 16.15.56
C:\WINDOWS\system32\i is a Trojan Trojan-Downloader.BAT.Ftp.ab 14/06/2005 16.16.02
C:\WINDOWS\system32\i object could not be disinfected, disinfection postponed 14/06/2005 16.16.02
C:\WINDOWS\system32\msdirectx.sys is a Trojan Trojan.Win32.Rootkit.h 14/06/2005 16.16.07
C:\WINDOWS\system32\msdirectx.sys object could not be disinfected, disinfection postponed 14/06/2005 16.16.07
C:\WINDOWS\system32\msnt32.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.16.08
C:\WINDOWS\system32\msnt32.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.08
C:\WINDOWS\system32\o is a Trojan Trojan-Downloader.BAT.Ftp.ab 14/06/2005 16.16.11
C:\WINDOWS\system32\o object could not be disinfected, disinfection postponed 14/06/2005 16.16.11
C:\WINDOWS\system32\rpcclient.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.16.13
C:\WINDOWS\system32\rpcclient.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.13
C:\WINDOWS\system32\Sygat.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.16.16
C:\WINDOWS\system32\Sygat.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.16
C:\WINDOWS\system32\uuu.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.16.17
C:\WINDOWS\system32\uuu.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.17
C:\WINDOWS\system32\windowsp.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.16.18
C:\WINDOWS\system32\windowsp.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.18
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m is a Trojan Trojan.Win32.LowZones.br 14/06/2005 16.16.21
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m object could not be disinfected, disinfection postponed 14/06/2005 16.16.21
C:\WINDOWS\System32\rpcclient.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.17.38
C:\WINDOWS\System32\rpcclient.exe moved to the backup storage 14/06/2005 16.17.42
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, object locked 14/06/2005 16.17.42
C:\WINDOWS\System32\rpcclient.exe will be deleted at system startup 14/06/2005 16.17.51
rpcclient.exe\rpcclient.exe deleted 14/06/2005 16.17.51
C:\WINDOWS\System32\rpcclient.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.17.51
C:\WINDOWS\System32\rpcclient.exe error moving to the backup storage 14/06/2005 16.17.55
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.17.55
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.17.59
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.01
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.03
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.05
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.08
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.09
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.10
C:\WINDOWS\SYSTEM32\RPCCLIENT.EXE processing error 14/06/2005 16.18.14
C:\Program Files\Internet Optimizer\optimize.exe is a Trojan Trojan-Downloader.Win32.Dyfuca.ei 14/06/2005 16.18.14
C:\Program Files\Internet Optimizer\optimize.exe moved to the backup storage 14/06/2005 16.18.15
C:\Program Files\Internet Optimizer\optimize.exe deleted 14/06/2005 16.18.16
C:\WINDOWS\system32\aimsg.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.18.16
C:\WINDOWS\system32\aimsg.exe moved to the backup storage 14/06/2005 16.18.17
C:\WINDOWS\system32\aimsg.exe deleted 14/06/2005 16.18.17
C:\WINDOWS\system32\cfmon.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.18.17
C:\WINDOWS\system32\cfmon.exe moved to the backup storage 14/06/2005 16.18.19
C:\WINDOWS\system32\cfmon.exe deleted 14/06/2005 16.18.19
C:\WINDOWS\system32\i is a Trojan Trojan-Downloader.BAT.Ftp.ab 14/06/2005 16.18.19
C:\WINDOWS\system32\i moved to the backup storage 14/06/2005 16.18.22
C:\WINDOWS\system32\i deleted 14/06/2005 16.18.22
C:\WINDOWS\system32\msdirectx.sys is a Trojan Trojan.Win32.Rootkit.h 14/06/2005 16.18.22
C:\WINDOWS\system32\msdirectx.sys moved to the backup storage 14/06/2005 16.18.24
C:\WINDOWS\system32\msdirectx.sys deleted 14/06/2005 16.18.24
C:\WINDOWS\system32\msnt32.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.18.24
C:\WINDOWS\system32\msnt32.exe moved to the backup storage 14/06/2005 16.18.25
C:\WINDOWS\system32\msnt32.exe deleted 14/06/2005 16.18.25
C:\WINDOWS\system32\o is a Trojan Trojan-Downloader.BAT.Ftp.ab 14/06/2005 16.18.25
C:\WINDOWS\system32\o moved to the backup storage 14/06/2005 16.18.26
C:\WINDOWS\system32\o deleted 14/06/2005 16.18.26
C:\WINDOWS\system32\rpcclient.exe processing error 14/06/2005 16.18.26
C:\WINDOWS\system32\Sygat.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.18.26
C:\WINDOWS\system32\Sygat.exe moved to the backup storage 14/06/2005 16.18.27
C:\WINDOWS\system32\Sygat.exe deleted 14/06/2005 16.18.27
C:\WINDOWS\system32\uuu.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.18.27
C:\WINDOWS\system32\uuu.exe moved to the backup storage 14/06/2005 16.18.28
C:\WINDOWS\system32\uuu.exe deleted 14/06/2005 16.18.28
C:\WINDOWS\system32\windowsp.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.18.28
C:\WINDOWS\system32\windowsp.exe moved to the backup storage 14/06/2005 16.18.32
C:\WINDOWS\system32\windowsp.exe deleted 14/06/2005 16.18.32
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m is a Trojan Trojan.Win32.LowZones.br 14/06/2005 16.18.32
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m moved to the backup storage 14/06/2005 16.18.33
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m deleted 14/06/2005 16.18.33
conclusion... infested with trojans that no other antivirus detected :(
as soon as I removed the firewall I got bombarded by lsass and other junk, but Kaspersky blocked them all :sofico:
so are you completely clean now? did you reboot the PC?
tutmosi3
14-06-2005, 15:53
from what I understand, as a firewall he uses the XP one, he installed the AV, ran the scan and uninstalled it, and as antispyware he had Ad-Aware :D
Which makes me think that you had no antivirus before.
Bye
let's say I'm clean :D
anyway, I'm now getting the Windows XP CD with SP1 and 2 already included and I'll format
thx to everyone
instead of formatting, why don't you just install SP1 and 2?
at least that way you don't make all of our work useless :(
could you pass me a link for Service Pack 1?
Maybe I'm saying something stupid, but usually Windows Service Packs contain all the updates included in the previous Service Packs.
Installing SP2 should therefore be enough.
I have no idea... anyway, if Service Pack 2 doesn't require Service Pack 1 to be installed first, even better :D
tutmosi3
15-06-2005, 06:52
SP2 also contains SP1.
Bye
installed SP2
Logfile of HijackThis v1.99.1
Scan saved at 20.15.08, on 15/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
this is the log of the scan I just ran with HijackThis
is everything ok?
aren't 29 processes a bit too many?
SkunkWorks 68
17-06-2005, 08:04
...I was only able to read the thread just now. You did a great job... What a slog... The log looks clean... You could disable the Messenger service, if you want.. Bye :)